Re: Tomcat question

2001-03-21 Thread Craig R. McClanahan



On Thu, 22 Mar 2001, Johan Compagner wrote:

> Hi,
>
> One tomcat question for this list (I know there are some tomcat developers here)
> Why can't I find changes.html or something like that for the tomcat versions?
>

The short answer is that most folks don't take the time to do detailed
release notes.  I try to buck that trend (both on Struts and on Tomcat
4.0), but it's a lot of work.

> You got now a
> 3.1.x branch (doesn't seem to be in development anymore)

It's not.  Superseded by 3.2 series.  (3.1 also had tons of bugs,
including bugs that adversely affect Struts-based apps).

> 3.2.x branch (still development 3.2.2 beta 1 as latest milestone)

3.2.1 is the current production quality release of Tomcat, 3.2.2 is
imminent with fixes primarily in the web connectors area.

> 3.3.x branch (the latest in 3.x)
>

WARNING - I'm not an unbiased observer of this branch :-)

Last September, the TOMCAT-DEV mailing list decided on using the Catalina
code base (of which I am the primary author ... its lineage dates back to
the days before Tomcat was released to Apache) as the code that would
become the next major version of Tomcat -- version 4.0 -- and implement
the new servlet 2.3 and JSP 1.2 specs.  The idea was that 3.2 would go
into maintenance mode, and heavy development of new features would happen
in the 4.0 area.

That was not satisfactory to some folks -- including Costin Manolache, who
did the yeoman's work in getting Tomcat to 3.1, and a lot of the work on
3.2.  He does not like the technical architecture of Catalina, so lobbied
to "finish what he started" and continued refactoring the 3.2 code.

Essentially, what has happened since is a fork of the Tomcat development
community.  Time will tell whether the fork becomes permanent (i.e. one or
the other codebase stays "Tomcat" and the other goes and lives somewhere
else) or whether the 3.3 branch is just a dead end that people lose
interest in once 4.0 is released.

> And you got 4.0
>

4.0 is where I personally put my time -- it's my "day job".

> I know the differences between 3.x (servlet 2.2 / jsp 1.1) and 4.x (servlet 2.3 / jsp 1.2)
>

The spec documents themselves have a pretty good summary of the changes
from the previous versions.  You can download the current drafts from:
http://java.sun.com/products/jsp/download.html
http://java.sun.com/products/servlet/download.html

In terms of user features, I'm doing a talk at ApacheCon about Tomcat 4.0,
and spend a couple of slides highlighting the new goodies.  I'll post the
presentation after ApacheCon is over.

> But why all those 3.x branches and why are there even 2 in development?
>

Basically, it's because people want to work on what they want to work
on.  For their own reasons, some folks want a "better servlet 2.2/JSP 1.1
container", conveniently neglecting the fact that Tomcat 4.0 runs such
applications, including Struts-based apps, just fine ...

> Johan
>

Craig





RE: Tomcat question

2001-03-21 Thread Niall Pemberton

Johan,

I'm using Tomcat Version 3.2.1 and the readme document had the following
information on Tomcat versions. There isn't info about 3.2.2 & 3.3 there but
probably if you download those versions there will be a readme explaining the
changes.

Besides the differences in functionality the other difference is the
quality/stability of the versions - whether they are milestone, beta or
release quality.

Tomcat Versions 3.1.1 and 3.2.1 are the only "release" builds.
Tomcat Versions 3.2.2 and 4.0 are beta versions.
Tomcat Version 3.3 is a milestone build.

From a Struts point of view the minimum requirement is Tomcat 3.1 but there
are lots of messages from those in the know that version 3.1 is not
recommended, you need 3.2 at least.

e.g.
http://www.mail-archive.com/struts-user@jakarta.apache.org/msg04662.html

Hope this helps.

Niall

README 1.  INTRODUCTION
README Tomcat Version 3.2.1 is a security related update!  See Section 7, below,
README for details on the changes that have been made.  All other existing issues with
README Tomcat 3.2 will remain in 3.2.1 -- they will be addressed in subsequent
README maintenance updates (3.2.2, and so on).

README 4.  TOMCAT: PAST, PRESENT, AND FUTURE
README - Version 3.0 (released 12/1999) was the initial release of Tomcat.  In
README addition to implementing the Java Servlet and Server Pages specification,
README this release featured a minimal Apache connector.

README - Tomcat 3.1 (released 4/2000) improved the Apache connection and added
README connector support for Netscape and IIS web servers. It also added WAR file
README support, automatic servlet reloading, and a command line tool (jspc) to
README compile ahead of time the JSP pages that comprise your application.  Finally,
README version 3.1 also focused on reorganizing the code (modularization, cleanup,
README refactoring, removal of dead code, and separation of J2EE-specific code).

README - Tomcat 3.2 is the first performance tune-up, and also adds a few new
README features (see next section).

README - Tomcat 4.0 is separate development from Tomcat 3.x.  It is based on the
README Catalina architecture, which is very different from the architecture of
README Tomcat 3.x.  In addition, Tomcat 4.0 is to be the reference implementation
README for the Servlet 2.3 and JSP 1.2 specifications.

README 7.  SECURITY VULNERABILITIES FIXED IN TOMCAT 3.2.1

README 7.1 Protection of Resources in /WEB-INF and /META-INF Directories

README The servlet specification prohibits servlet containers from serving resources
README in the /WEB-INF and /META-INF directories of a web application archive directly
README to clients.  In Tomcat 3.2, this means that URLs like:

README     http://localhost:8080/examples/WEB-INF/web.xml

README will return an error message, rather than the contents of your deployment
README descriptor.  However, there is a vulnerability in Tomcat 3.2 that exposes
README this information if the client requests a URL like this instead:

README     http://localhost:8080/examples//WEB-INF/web.xml

README (note the double slash before "WEB-INF").  This vulnerability has been
README corrected in Tomcat 3.2.1.

README 7.2 Show Source Vulnerability

README The example application delivered with Tomcat 3.2 included a mechanism to
README display the source code for the JSP page examples.  This mechanism could
README be used to bypass the restrictions on displaying sensitive information in
README the WEB-INF and META-INF directories.  This vulnerability has been removed.


> -Original Message-
> From: Johan Compagner [mailto:[EMAIL PROTECTED]]
> Sent: 22 March 2001 00:00
> To: Struts
> Subject: Tomcat question
>
>
> Hi,
>
> One tomcat question for this list (I know there are some tomcat
> developers here)
> Why can't I find changes.html or something like that for the
> tomcat versions?
>
> You got now a
> 3.1.x branch (doesn't seem to be in development anymore)
> 3.2.x branch (still development 3.2.2 beta 1 as latest milestone)
> 3.3.x branch (the latest in 3.x)
>
> And you got 4.0
>
> I know the differences between 3.x (servlet 2.2 / jsp 1.1) and
> 4.x (servlet 2.3 / jsp 1.2)
>
> But why all those 3.x branches and why are there even 2 in development?
>
> Johan
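
The double-slash case from README section 7.1 quoted above, as an added example (not Tomcat's code and not its actual 3.2.1 fix): a prefix test on the raw path next to a check that normalizes the path first. It assumes the path is context-relative and already URL-decoded; the class and method names are hypothetical, and the sample paths beyond the double-slash one go further than the single case the README describes.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

public class ProtectedPathCheck {

    // Flawed pattern: a prefix test on the raw path. "//WEB-INF/web.xml" does
    // not start with "/WEB-INF", so it is treated as an ordinary resource.
    static boolean naiveIsProtected(String path) {
        return path.startsWith("/WEB-INF") || path.startsWith("/META-INF");
    }

    // Collapse empty and "." segments and resolve ".." before any access decision.
    // Returns null when the path climbs above the context root.
    static String normalize(String path) {
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.replace('\\', '/').split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (segments.isEmpty()) return null;
                segments.removeLast();
            } else {
                segments.addLast(seg);
            }
        }
        return "/" + String.join("/", segments);
    }

    // Decide on the normalized form. The comparison ignores case as a conservative
    // assumption for deployments on case-insensitive file systems.
    static boolean isProtected(String path) {
        String n = normalize(path);
        if (n == null) return true; // refuse anything escaping the context root
        String upper = n.toUpperCase(Locale.ROOT);
        return upper.equals("/WEB-INF") || upper.startsWith("/WEB-INF/")
            || upper.equals("/META-INF") || upper.startsWith("/META-INF/");
    }

    public static void main(String[] args) {
        // Constructed sample paths, relative to the web application context.
        String[] samples = { "/WEB-INF/web.xml", "//WEB-INF/web.xml", "/./WEB-INF/web.xml",
                             "/jsp/../WEB-INF/web.xml", "/web-inf/web.xml", "/index.jsp" };
        for (String p : samples) {
            System.out.printf("%-26s naive=%-5b normalized=%b%n",
                              p, naiveIsProtected(p), isProtected(p));
        }
    }
}
```

Only the first sample is caught by the prefix test; the normalizing check flags every sample except `/index.jsp`.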