Re: cvs commit: jakarta-tomcat/src/doc readme-3.3.2 index.html serverxml.html
Bill Barker wrote: - Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Sunday, February 29, 2004 4:32 PM Subject: cvs commit: jakarta-tomcat/src/doc readme-3.3.2 index.html serverxml.html billbarker2004/02/29 16:32:18 Modified:src/doc index.html serverxml.html Added: src/doc readme-3.3.2 Log: Updating the documentation to reflect changes since 3.3.1. Any thoughts on including the j-t-c docs with 3.3.2? You should included then, TC 4/5 allready do the same - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
cvs commit: jakarta-tomcat/src/doc readme-3.3.2 index.html serverxml.html
billbarker2004/02/29 16:32:18 Modified:src/doc index.html serverxml.html Added: src/doc readme-3.3.2 Log: Updating the documentation to reflect changes since 3.3.1. Revision ChangesPath 1.13 +3 -2 jakarta-tomcat/src/doc/index.html Index: index.html === RCS file: /home/cvs/jakarta-tomcat/src/doc/index.html,v retrieving revision 1.12 retrieving revision 1.13 diff -u -r1.12 -r1.13 --- index.html29 Feb 2004 22:42:50 - 1.12 +++ index.html1 Mar 2004 00:32:18 - 1.13 @@ -44,7 +44,8 @@ ul li a href=readmeTomcat 3.3 Release Notes/a/li -li a href=readme-3.3.1Tomcat 3.3.1 Release Notes/abrnbsp;/li +li a href=readme-3.3.1Tomcat 3.3.1 Release Notes/a/li +li a href=readme-3.3.2Tomcat 3.3.2 Release Notes/abrnbsp;/li li Using Tomcat ul 1.35 +215 -5jakarta-tomcat/src/doc/serverxml.html Index: serverxml.html === RCS file: /home/cvs/jakarta-tomcat/src/doc/serverxml.html,v retrieving revision 1.34 retrieving revision 1.35 diff -u -r1.34 -r1.35 --- serverxml.html29 Feb 2004 22:42:50 - 1.34 +++ serverxml.html1 Mar 2004 00:32:18 - 1.35 @@ -276,6 +276,7 @@ /ul/li liServer ul + lia href=#CoyoteConnectorCoyoteConnector/a/li lia href=#Http10ConnectorHttp10Connector/a/li lia href=#JniConnectorJniConnector/a/li lia href=#Ajp12ConnectorAjp12Connector/a/li @@ -1187,6 +1188,206 @@ hr size=5 +h3a name=CoyoteConnectorCoyoteConnector/a/h3 + +pbType:/b Server/p + +h4Description/h4 + +pHandles incoming AJP13 and HTTP, or optionally HTTPS, requests. b[Tomcat 3.3.2]/b/p + +h4Attributes/h4 + +table border=1 cellpadding=2 cellspacing=0 + tr valign=top +thAttribute/th +thDescription/th +thDefault/th + /tr + tr valign=top +tdsocketCloseDelay/td +tdSpecifies the number of milliseconds to delay before closing the socket + after processing a request. If negative, the delay is disabled. Setting + a value greater or equal to zero is intended to help with diagnosing + client errors resulting from unread data in the body of the HTTP request. + If this unread data arrives just before or during the closing of the + socket, the client may see a quot;Connection aborted by peerquot; error./td +td-1/td + /tr + tr valign=top +tdprocessorClassName/td +tdThe Coyote processor class to use. The values are +codeorg.apache.coyote.http11.Http11Processor/code for the HTTP/1.1 +connector, and codeorg.apache.jk.server.JkCoyoteHandler/code for +the AJP13 connector./td +tdorg.apache.coyote.http11.Http11Processor/td + /tr + tr valign=top +tdbHTTP/1.1 Connection Properties/b/td +tdnbsp;/td +tdnbsp;/td + /tr + tr valign=top +tddisableUploadTimeout/td +tdIf codetrue/code then use the same timeout for uploads and for +keep-alives./td +tdtrue/td + /tr + tr +tdmaxKeepAliveRequests/td +tdThe maxiumum number of keep-alive requests to allow on the same +socket connection./td +td100/td + /tr + tr valign=top +tdsecure/td +tdEnables use of a SSL socket factory and act as an HTTPS server./td +tdfalse/td + /tr + tr valign=top +tdkeystoreFile/td +tdKeystore containing the Server certificate/td +tdPureTLS: server.pembr +JSSE: .keystore in directory specified by the user.home System property/td + /tr + tr valign=top +tdkeypass/td +tdPassword to the keystore./td +tdchangeit/td + /tr + tr valign=top +tdclientauth/td +tdEnables requirement for client authentication./td +tdfalse/td + /tr + tr valign=top +tdbSocket Properties/b/td +tdnbsp;/td +tdnbsp;/td + /tr + tr valign=top +tdaddress/td +tdAddress to which the server socket binds./td +tdinull, bind on all addresses/i/td + /tr + tr valign=top +tdbacklog/td +tdMaximum length of the backlog queue for the server socket./td +td100/td + /tr + tr valign=top +tdport/td +tdPort on which to receive requests./td +tdino default, must be specified/i/td + /tr + tr valign=top +tdSSLImplementation/td +tdClass which implements the +codeorg.apache.tomcat.util.net.SSLImplementation/code interface. +This setting controls which SSL support is used by secure connections. +Currently supported are:br +ol +liPureTLS - specify +codeorg.apache.tomcat.util.net.PureTLSImplementation/code/li +liJSSE - specify +
Re: cvs commit: jakarta-tomcat/src/doc readme-3.3.2 index.html serverxml.html
- Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Sunday, February 29, 2004 4:32 PM Subject: cvs commit: jakarta-tomcat/src/doc readme-3.3.2 index.html serverxml.html billbarker2004/02/29 16:32:18 Modified:src/doc index.html serverxml.html Added: src/doc readme-3.3.2 Log: Updating the documentation to reflect changes since 3.3.1. Any thoughts on including the j-t-c docs with 3.3.2? This message is intended only for the use of the person(s) listed above as the intended recipient(s), and may contain information that is PRIVILEGED and CONFIDENTIAL. If you are not an intended recipient, you may not read, copy, or distribute this message or any attachment. If you received this communication in error, please notify us immediately by e-mail and then delete all copies of this message and any attachments. In addition you should be aware that ordinary (unencrypted) e-mail sent through the Internet is not secure. Do not send confidential or sensitive information, such as social security numbers, account numbers, personal identification numbers and passwords, to us via ordinary (unencrypted) e-mail. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
cvs commit: jakarta-tomcat/src/doc readme-3.3.1
larryi 02/03/26 07:25:30 Modified:.RELEASE-NOTES-3.3.1.txt src/doc readme-3.3.1 Log: Update overlooked readme-3.3.1 and fix a typo and tabs. Revision ChangesPath 1.49 +5 -5 jakarta-tomcat/RELEASE-NOTES-3.3.1.txt Index: RELEASE-NOTES-3.3.1.txt === RCS file: /home/cvs/jakarta-tomcat/RELEASE-NOTES-3.3.1.txt,v retrieving revision 1.48 retrieving revision 1.49 diff -u -r1.48 -r1.49 --- RELEASE-NOTES-3.3.1.txt 22 Mar 2002 04:06:23 - 1.48 +++ RELEASE-NOTES-3.3.1.txt 26 Mar 2002 15:25:30 - 1.49 @@ -3,7 +3,7 @@ Release Notes = -$Id: RELEASE-NOTES-3.3.1.txt,v 1.48 2002/03/22 04:06:23 larryi Exp $ +$Id: RELEASE-NOTES-3.3.1.txt,v 1.49 2002/03/26 15:25:30 larryi Exp $ This document describes the changes that have been made since the @@ -172,7 +172,7 @@ [F] The facade classes in org.apache.tomcat.facade are now declared as public classes. This allows their methods to be called - using introspection from a web application. + using introspection from a web application. Server: @@ -219,10 +219,10 @@ Previously, calling getReader() on a recycled facade on which getReader() was called, you would get the old reader rather than a new reader for the current request. - + [F] Fixed a bug in TrustedLoader with respect to reloading trusted modules when more than one is present. - + [F] Modified PoolTcpConnector checkSocketFactory() method to set the module's socketFactory when obtaining an SSL socket factory, instead of using a local variable. This allows the PasswordPrompter @@ -335,7 +335,7 @@ it easier to add options. [F] conf/jk/uriworkermap.properties and conf/jk/obj.conf example files - wer updated to be more current. + were updated to be more current. 4313 Bug in property substitution for server.xml and apps.xml files was [b1] fixed. 1.3 +75 -1 jakarta-tomcat/src/doc/readme-3.3.1 Index: readme-3.3.1 === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme-3.3.1,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- readme-3.3.1 1 Mar 2002 01:32:06 - 1.2 +++ readme-3.3.1 26 Mar 2002 15:25:30 - 1.3 @@ -1,4 +1,4 @@ -$Id: readme-3.3.1,v 1.2 2002/03/01 01:32:06 larryi Exp $ +$Id: readme-3.3.1,v 1.3 2002/03/26 15:25:30 larryi Exp $ Release Notes for: === @@ -147,6 +147,33 @@ modules.xml or server.xml isn't present. Also, the port number is now shown when JVM_Bind exceptions occur. +[F] Ajp12Connector and Ajp13Connector now accepts ContextMananger + properties called ajpid12 and ajpid13, respectively. This property + overrides the ajpidFile attribute of these modules, allowing the + ajpid file to be specified via command line arguments. For + consistency, the same arguments are also accepted by the StopTomcat + task to specify the file and protocol to use for shutdown. + +[F] The Ajp13Connector now accepts shutdownEnable in addition to + shutDownEnable at attributes that control if shutdown is enabled + via the Ajp13 protocol. shutdownEnable was added since it uses + a more intuitive uppercase/lowercase spelling. + +[F] The PasswordPrompter add-on was refactored to use introspection + and accept customizable prompt specifications. It can now set + additional passwords, such as the keystore password added to + Http10Connector and the secret for Ajp12Connector and + Ajp13Connector modules. It can set other types of attributes + as well. + +[F] Refactored the PasswordPrompter add-on module to be configurable + and to be able to perform prompting for context local modules. + Added a readme file to document its use. + +[F] The facade classes in org.apache.tomcat.facade are now declared + as public classes. This allows their methods to be called + using introspection from a web application. + Server: @@ -193,6 +220,18 @@ getReader() was called, you would get the old reader rather than a new reader for the current request. +[F] Fixed a bug in TrustedLoader with respect to reloading trusted + modules when more than one is present. + +[F] Modified PoolTcpConnector
cvs commit: jakarta-tomcat/src/doc readme-3.3.1
larryi 02/02/28 17:32:07 Modified:src/doc readme-3.3.1 Log: Update for 3.3.1-rc1 Revision ChangesPath 1.2 +167 -111 jakarta-tomcat/src/doc/readme-3.3.1 Index: readme-3.3.1 === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme-3.3.1,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- readme-3.3.1 14 Feb 2002 14:25:53 - 1.1 +++ readme-3.3.1 1 Mar 2002 01:32:06 - 1.2 @@ -1,4 +1,4 @@ -$Id: readme-3.3.1,v 1.1 2002/02/14 14:25:53 larryi Exp $ +$Id: readme-3.3.1,v 1.2 2002/03/01 01:32:06 larryi Exp $ Release Notes for: === @@ -7,101 +7,103 @@ This document describes the changes that have been made since the -last release of Tomcat 3.3. +release of Tomcat 3.3 Final. = Bug Fixes = +The release in which the fix appears is indicated in brackets. + Feature Additions: Bug No. Description - Restored prefix attribute to InvokerInterceptor. It was available in +[b1] Restored prefix attribute to InvokerInterceptor. It was available in Tomcat 3.2.x. - Added SingleThreadModel pooling to ServletHandler. The default is to +[b1] Added SingleThreadModel pooling to ServletHandler. The default is to use pooling. - Added optional checking (configured on SessionId module) to ensure +[b1] Added optional checking (configured on SessionId module) to ensure that the SSL session IDs match for each request within a Tomcat session. This check is disabled by default. - Added org.apache.tomcat.util.net.URL class from Tomcat 4.0 so +[b1] Added org.apache.tomcat.util.net.URL class from Tomcat 4.0 so response.encodeURL() can work under SSL without JSSE. This can occur if you have Apache forwarding SSL requests to a Tomcat that doesn't have JSSE installed. - Fixed logic for response.encodeURL() so that it will work correctly - if the input URL includes an anchor tag. +[b1] Fixed logic for response.encodeURL() so that it will work correctly + if the input URL includes an anchor tag. - Improved the handling of invalid web.xml files. Now you get the same - error messages every time you parse the file. +[b1] Improved the handling of invalid web.xml files. Now you get the same + error messages every time you parse the file. - Moved the setting of the default *.jsp mapping so that it is now - possible to entirely disable support for jsp files. +[b1] Moved the setting of the default *.jsp mapping so that it is now + possible to entirely disable support for jsp files. - Fixed problem with jsp_precompile parameter to JSP files. +[b1] Fixed problem with jsp_precompile parameter to JSP files. - Context properties and ContextManager properties can now be set with +[b1] Context properties and ContextManager properties can now be set with Property ... / elements, i.e: Property name=propname value=thevalue / For backwards compatibility, the ContextManager lower-case-p property ... / version supported by Tomcat 3.3. is still supported. - Added variable substitution handling to ContextXmlReader, allowing +[b1] Added variable substitution handling to ContextXmlReader, allowing variable substitution to be used in Context .../Context declarations. - Added support for PureTLS as an SSL option. Also, any attribute +[b1] Added support for PureTLS as an SSL option. Also, any attribute used to create the socket factory, such as rootfile (or keystoreType for JSSE), is now settable on the Http10Connector element in server.xml. - The configuration files generated by ApacheConfig, IISConfig and +[b1] The configuration files generated by ApacheConfig, IISConfig and NSConfig were improved for the case when the forwardAll attribute is false. Primarily, a servlet mapping like /foo/* now generates a mod_jk mapping for /foo as well as /foo/* to better match the servlet spec. - The default log handler was updated to specify autoFlush=true for +[b1] The default log handler was updated to specify autoFlush=true for the PrintWriter so the output doesn't just go to a buffer. Since this logger is replaced a new logger set by the LogSetter module, its reduction in efficiency won't affect normal operation. - ServerXmlReader now logs a warning if the modules.xml file
cvs commit: jakarta-tomcat/src/doc readme-3.3.1 index.html readme
larryi 02/02/14 06:25:53 Modified:src/doc index.html readme Added: src/doc readme-3.3.1 Log: Keep readme file a 3.3 document. Add a readme-3.3.1 to cover changes since 3.3. Update index.html to reference both. Revision ChangesPath 1.10 +3 -4 jakarta-tomcat/src/doc/index.html Index: index.html === RCS file: /home/cvs/jakarta-tomcat/src/doc/index.html,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- index.html28 Nov 2001 11:15:06 - 1.9 +++ index.html14 Feb 2002 14:25:53 - 1.10 @@ -1,7 +1,7 @@ html head -!-- $Id: index.html,v 1.9 2001/11/28 11:15:06 larryi Exp $ -- +!-- $Id: index.html,v 1.10 2002/02/14 14:25:53 larryi Exp $ -- !-- Copyright 1999, Apache Software Foundation -- meta http-equiv=Content-Type content=text/html; charset=iso-8859-1 link rel=stylesheet href=style.css @@ -29,9 +29,8 @@ h1Tomcat Documentation/h1 ul -li a href=readmeTomcat 3.3 Release Notes/abr - nbsp; -/li +li a href=readmeTomcat 3.3 Release Notes/a/li +li a href=readme-3.3.1Tomcat 3.3.1 Release Notes/abrnbsp;/li li Using Tomcat ul 1.24 +4 -4 jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.23 retrieving revision 1.24 diff -u -r1.23 -r1.24 --- readme8 Feb 2002 13:14:13 - 1.23 +++ readme14 Feb 2002 14:25:53 - 1.24 @@ -1,9 +1,9 @@ -$Id: readme,v 1.23 2002/02/08 13:14:13 larryi Exp $ +$Id: readme,v 1.24 2002/02/14 14:25:53 larryi Exp $ Release Notes for: - == - TOMCAT Version 3.3.1 Beta1 - == + = + Apache Tomcat Version 3.3 + = 0. TABLE OF CONTENTS: 1.1 jakarta-tomcat/src/doc/readme-3.3.1 Index: readme-3.3.1 === $Id: readme-3.3.1,v 1.1 2002/02/14 14:25:53 larryi Exp $ Release Notes for: === Apache Tomcat Version 3.3.1 === This document describes the changes that have been made since the last release of Tomcat 3.3. = Bug Fixes = Feature Additions: Bug No. Description Restored prefix attribute to InvokerInterceptor. It was available in Tomcat 3.2.x. Added SingleThreadModel pooling to ServletHandler. The default is to use pooling. Added optional checking (configured on SessionId module) to ensure that the SSL session IDs match for each request within a Tomcat session. This check is disabled by default. Added org.apache.tomcat.util.net.URL class from Tomcat 4.0 so response.encodeURL() can work under SSL without JSSE. This can occur if you have Apache forwarding SSL requests to a Tomcat that doesn't have JSSE installed. Fixed logic for response.encodeURL() so that it will work correctly if the input URL includes an anchor tag. Improved the handling of invalid web.xml files. Now you get the same error messages every time you parse the file. Moved the setting of the default *.jsp mapping so that it is now possible to entirely disable support for jsp files. Fixed problem with jsp_precompile parameter to JSP files. Context properties and ContextManager properties can now be set with Property ... / elements, i.e: Property name=propname value=thevalue / For backwards compatibility, the ContextManager lower-case-p property ... / version supported by Tomcat 3.3. is still supported. Added variable substitution handling to ContextXmlReader, allowing variable substitution to be used in Context .../Context declarations. Added support for PureTLS as an SSL option. Also, any attribute used to create the socket factory, such as rootfile (or keystoreType for JSSE), is now settable on the Http10Connector element in server.xml. The configuration files generated by ApacheConfig, IISConfig and NSConfig were improved for the case when the forwardAll attribute is false.
cvs commit: jakarta-tomcat/src/doc readme
larryi 02/02/08 05:14:14 Modified:src/doc readme Log: Update the version to 3.3.1 Beta 1. Content still needs some work. Revision ChangesPath 1.23 +4 -4 jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.22 retrieving revision 1.23 diff -u -r1.22 -r1.23 --- readme21 Oct 2001 17:40:17 - 1.22 +++ readme8 Feb 2002 13:14:13 - 1.23 @@ -1,9 +1,9 @@ -$Id: readme,v 1.22 2001/10/21 17:40:17 larryi Exp $ +$Id: readme,v 1.23 2002/02/08 13:14:13 larryi Exp $ Release Notes for: - == - TOMCAT Version 3.3 - == + == + TOMCAT Version 3.3.1 Beta1 + == 0. TABLE OF CONTENTS: -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat/src/doc readme
marcsaeg01/11/13 06:29:35 Modified:.Tag: tomcat_32 RELEASE-NOTES src/doc Tag: tomcat_32 readme Log: Final update to release notes prior to release vote. Revision ChangesPath No revision No revision 1.1.2.12 +2 -1 jakarta-tomcat/Attic/RELEASE-NOTES Index: RELEASE-NOTES === RCS file: /home/cvs/jakarta-tomcat/Attic/RELEASE-NOTES,v retrieving revision 1.1.2.11 retrieving revision 1.1.2.12 diff -u -r1.1.2.11 -r1.1.2.12 --- RELEASE-NOTES 2001/10/26 16:07:49 1.1.2.11 +++ RELEASE-NOTES 2001/11/13 14:29:34 1.1.2.12 @@ -1,4 +1,4 @@ -$Id: RELEASE-NOTES,v 1.1.2.11 2001/10/26 16:07:49 marcsaeg Exp $ +$Id: RELEASE-NOTES,v 1.1.2.12 2001/11/13 14:29:34 marcsaeg Exp $ Release Notes for: @@ -334,6 +334,7 @@ the older version of JAXP and there is no requirement for users to upgrade to JAXP 1.1 unless their applications require the new version. + - Fixed NullPointerException in HttpConnectionHandler. (#4577) 7.2 Security Vulnerabilities fixed in Tomcat 3.2.4 No revision No revision 1.8.2.24 +2 -1 jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.8.2.23 retrieving revision 1.8.2.24 diff -u -r1.8.2.23 -r1.8.2.24 --- readme2001/10/26 16:07:49 1.8.2.23 +++ readme2001/11/13 14:29:34 1.8.2.24 @@ -1,4 +1,4 @@ -$Id: readme,v 1.8.2.23 2001/10/26 16:07:49 marcsaeg Exp $ +$Id: readme,v 1.8.2.24 2001/11/13 14:29:34 marcsaeg Exp $ Release Notes for: @@ -334,6 +334,7 @@ the older version of JAXP and there is no requirement for users to upgrade to JAXP 1.1 unless their applications require the new version. + - Fixed NullPointerException in HttpConnectionHandler. (#4577) 7.2 Security Vulnerabilities fixed in Tomcat 3.2.4 -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat/src/doc readme
marcsaeg01/10/26 08:46:58 Modified:.Tag: tomcat_32 RELEASE-NOTES src/doc Tag: tomcat_32 readme Log: Updates for 3.2.4 beta 1 Revision ChangesPath No revision No revision 1.1.2.10 +43 -32jakarta-tomcat/Attic/RELEASE-NOTES Index: RELEASE-NOTES === RCS file: /home/cvs/jakarta-tomcat/Attic/RELEASE-NOTES,v retrieving revision 1.1.2.9 retrieving revision 1.1.2.10 diff -u -r1.1.2.9 -r1.1.2.10 --- RELEASE-NOTES 2001/07/17 14:07:00 1.1.2.9 +++ RELEASE-NOTES 2001/10/26 15:46:57 1.1.2.10 @@ -1,8 +1,8 @@ -$Id: RELEASE-NOTES,v 1.1.2.9 2001/07/17 14:07:00 marcsaeg Exp $ +$Id: RELEASE-NOTES,v 1.1.2.10 2001/10/26 15:46:57 marcsaeg Exp $ Release Notes for: - TOMCAT Version 3.2.3 + TOMCAT Version 3.2.4 @@ -83,11 +83,12 @@ - Tomcat 3.2.1 was a security update. See section 7.3 for details. -- Tomcat 3.2.2 was a bug fix release. Section 7.1 describes the issues -that have been fixed in the version. +- Tomcat 3.2.2 was a bug fix release. - Tomcat 3.2.3 is a security release. +- Tomcat 3.2.4 is a bug fix release. See section 7.1 for details. + - Tomcat 4.0 is separate development from Tomcat 3.x. It is based on the Catalina architecture, which is very different from the architecture of Tomcat 3.x. In addition, Tomcat 4.0 is to be the reference implementation @@ -96,16 +97,9 @@ = 5. NEW FEATURES IN THIS RELEASE - -5.1 Docbase and File Based Localization - -Tomcat 3.2.2 now supports a method mapping requests into localized resources -automatically based on the client's and the server's locale. Localized -content can be organized using one directory per locale (Docbase) or -into a single directory the locale specified in the file names (File based). -A detailed description of this feature can be found in -doc/tomcat-localization-how.html +Version 3.2.4 is strictly a bug fix release. No new features have been +added. = @@ -310,24 +304,41 @@ 7. FIXES AND ENHANCEMENTS IN UPDATES -7.1 Fixes and Enhancements in Release 3.2.3 +7.1 Fixes and Enhancements in Release 3.2.4 This section highlights the bugs fixed in this release. + + - Cookie name expires is a reserved token (#1114) + - Thread initialization problem in thread pool (#1745) + - AJP12 returned invalid HTTP headers when redirecting to very + long URLS (#2333) + - Fixed casting problem in JspFactoryImpl.getPageContext(). (#4260) + - Setting sesstion-timeout in web.xml did not prevent sessions from + timing out. (#4412) + - Fixed race condition in ServerSocketFactory.getDefault(). (#4418) + - Removed the restrictions on encoded spcecial characters in URLs + that was added as a security precaution in 3.2.3. The encoded + special characters are not decoded and remain the URL and + path info returned to servlets. + - Jk_nt_service now supports the ability to be restarted automatically + by the Windows 2000 service control manager if Tomcat terminates + abnormally. + - Fixed invalid servlet mapping in web.xml generated by JspC (#3474, #3499) + - Added findResource() and findResources() to AdaptiveClassLoader12 + - A Date: HTTP header is now sent in responses when running stand + alone. (#345) + - Simple held on to a reference to removed objects preventing + garbage collection. + + + +7.2 Security Vulnerabilities fixed in Tomcat 3.2.4 - - The show source links the examples web app didn't work. (#372) - - Thread synchronization problems with servlet reloading. (#1628) - - Recycling BufferedServletOutputStream didn't reset usingWriter. (#1802) - - ZIP files in tomcat/lib were not automatically added to the CLASSPATH - by tomcat.bat (#1935) - - A sign extension problem caused ServletInputStream to prematurely return - EOF. (#1673, #1993) - - Multistatus codes for RFC 2518 were missing. (#2069) - - Missing error pages caused Tomcat to enter an infinite loop. (#2327) - - JDBCRealm SQL statements not being closed. (#2149) - - Potential for message buffer overflow in AJP13. (#1528) +The randomness of generated session ids has been enhanced to prevent the +generation of guessable ids. -7.2 Security vulnerabilities fixed in Tomcat 3.2.3 +7.3 Security vulnerabilities fixed in Tomcat 3.2.3
cvs commit: jakarta-tomcat/src/doc readme
marcsaeg01/10/26 09:07:49 Modified:.Tag: tomcat_32 RELEASE-NOTES src/doc Tag: tomcat_32 readme Log: Added note about JAXP 1.1 Revision ChangesPath No revision No revision 1.1.2.11 +6 -2 jakarta-tomcat/Attic/RELEASE-NOTES Index: RELEASE-NOTES === RCS file: /home/cvs/jakarta-tomcat/Attic/RELEASE-NOTES,v retrieving revision 1.1.2.10 retrieving revision 1.1.2.11 diff -u -r1.1.2.10 -r1.1.2.11 --- RELEASE-NOTES 2001/10/26 15:46:57 1.1.2.10 +++ RELEASE-NOTES 2001/10/26 16:07:49 1.1.2.11 @@ -1,4 +1,4 @@ -$Id: RELEASE-NOTES,v 1.1.2.10 2001/10/26 15:46:57 marcsaeg Exp $ +$Id: RELEASE-NOTES,v 1.1.2.11 2001/10/26 16:07:49 marcsaeg Exp $ Release Notes for: @@ -329,7 +329,11 @@ alone. (#345) - Simple held on to a reference to removed objects preventing garbage collection. - + - Tomcat 3.2.4 now ships with JAXP 1.1. Prior releases used + JAXP 1.0.1. Tomcat 3.2.4 remains completely compatible with + the older version of JAXP and there is no requirement for users + to upgrade to JAXP 1.1 unless their applications require the new + version. 7.2 Security Vulnerabilities fixed in Tomcat 3.2.4 No revision No revision 1.8.2.23 +6 -2 jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.8.2.22 retrieving revision 1.8.2.23 diff -u -r1.8.2.22 -r1.8.2.23 --- readme2001/10/26 15:46:57 1.8.2.22 +++ readme2001/10/26 16:07:49 1.8.2.23 @@ -1,4 +1,4 @@ -$Id: readme,v 1.8.2.22 2001/10/26 15:46:57 marcsaeg Exp $ +$Id: readme,v 1.8.2.23 2001/10/26 16:07:49 marcsaeg Exp $ Release Notes for: @@ -329,7 +329,11 @@ alone. (#345) - Simple held on to a reference to removed objects preventing garbage collection. - + - Tomcat 3.2.4 now ships with JAXP 1.1. Prior releases used + JAXP 1.0.1. Tomcat 3.2.4 remains completely compatible with + the older version of JAXP and there is no requirement for users + to upgrade to JAXP 1.1 unless their applications require the new + version. 7.2 Security Vulnerabilities fixed in Tomcat 3.2.4
cvs commit: jakarta-tomcat/src/doc readme
larryi 01/10/21 10:40:17 Modified:src/doc readme Log: Additional updates for Tomcat 3.3 Final. Revision ChangesPath 1.22 +57 -27jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.21 retrieving revision 1.22 diff -u -r1.21 -r1.22 --- readme2001/10/09 17:49:14 1.21 +++ readme2001/10/21 17:40:17 1.22 @@ -1,9 +1,9 @@ -$Id: readme,v 1.21 2001/10/09 17:49:14 larryi Exp $ +$Id: readme,v 1.22 2001/10/21 17:40:17 larryi Exp $ Release Notes for: - = - TOMCAT Version 3.3rc2 - = + == + TOMCAT Version 3.3 + == 0. TABLE OF CONTENTS: @@ -89,14 +89,6 @@ conf/auto/tomcat-apache.conf file will be written each time Tomcat is started. - 6. The default auto-generated configuration files configure the external - web server to send all requests for a context to Tomcat. That is the - best way to insure that behavior specified in the web application's - web.xml functions properly. Also, by default, the configuration file - doesn't try to send any requests for the root context to Tomcat. The - external web server continues to serve its root context as they would - normally. - - Enhanced mod_jk Connector The mod_jk connector for Apache 1.3 now supports chunked input. @@ -112,10 +104,10 @@ The test web application along with the test-tomcat.xml and associated support files are not part of the binary Tomcat 3.3 distribution. The test web application is supplied separately as test.war. This file - may be downloaded from the v3.3-rc2/apps directory of the Tomcat 3.3rc2 + may be downloaded from the v3.3/apps directory of the Tomcat 3.3 release and placed in the webapps directory of your installation. Running the test has been integrated into the Admin web application that is part of - the Tomcat 3.3rc2 distribution. A preliminary step to running the test is to + the Tomcat 3.3 distribution. A preliminary step to running the test is to trust the Admin web application. It is set to untrusted by default. This change can be accomplished by executing the command from the TOMCAT_HOME directory with JAVA_HOME set: @@ -123,7 +115,7 @@ ./bin/tomcat.sh enableAdmin-- Unix bin\tomcat enableAdmin -- Windows - Start or restart Tomcat 3.3rc2 and invoke the following URL in your browser: + Start or restart Tomcat 3.3 and invoke the following URL in your browser: http://localhost:8080/admin/test/test.jsp @@ -197,8 +189,8 @@ Many new features have been added to Tomcat since the 3.2.x release. Among the most important are: -- The code has undergone a refactoring effort resulting in (we hope) improved - readability, ease of use, and performance. +- The code has undergone a major refactoring effort resulting in improved + performance, expanded configurability, and easier to maintain code. - Auto-generated connector configuration files for mod_jk based connectors defaults to being generated on demand only. This avoids the possibility @@ -220,7 +212,7 @@ - The Tomcat documentation directory (i.e. TOMCAT_HOME/doc) is now included in the ROOT webapp and is available from a link in the root's index.html. -- A modules directory has been added where add-on modules may be placed. +- A modules directory has been added where add-on modules may be placed. An add-on module is a special War file that deploys a module that participates in Tomcat's behavior, like the modules found in the server.xml file. @@ -232,11 +224,49 @@ - Many other improvements, too numerous to list. -In addition, numerous changes have occured since the 3.2.x release. Among the -primary changes are: +In addition to new features, numerous changes have occured from the +Tomcat 3.2.x releases. Among the more important behavior or usage +differences are: - Your CLASSPATH environment variable is ignored by the Tomcat shell scripts - and batch files found int TOMCAT_HOME/bin. + and batch files found in TOMCAT_HOME/bin. The classloader scheme in + Tomcat 3.3 is more flexible and you now have choices concerning how + classes are added. See the Configuring Classes section of the + Tomcat User's Guide (tomcat-ug.html) for details. + +- Context declarations are normally not put in the server.xml file in + Tomcat 3.3. Instead, these declarations are placed XML files separate + from server.xml.
cvs commit: jakarta-tomcat/src/doc readme
larryi 01/09/19 21:39:03 Modified:src/doc readme Log: Update for Release Candidate 1 Revision ChangesPath 1.20 +36 -10jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.19 retrieving revision 1.20 diff -u -r1.19 -r1.20 --- readme2001/09/03 02:13:44 1.19 +++ readme2001/09/20 04:39:03 1.20 @@ -1,9 +1,9 @@ -$Id: readme,v 1.19 2001/09/03 02:13:44 larryi Exp $ +$Id: readme,v 1.20 2001/09/20 04:39:03 larryi Exp $ Release Notes for: - - TOMCAT Version 3.3b2 - + = + TOMCAT Version 3.3rc1 + = 0. TABLE OF CONTENTS: @@ -95,23 +95,33 @@ external web server continues to serve its root context as they would normally. +- Enhanced mod_jk Connector + + The mod_jk connector for Apache 1.3 now supports chunked input. + + Important Note: The chunked input enhancement required a protocol change + that makes Tomcat 3.3 incompatible with mod_jk base + connectors from Tomcat 3.2.3 and earlier. Only use + connectors supplied with the Tomcat 3.3 release or the + jakarta-tomcat-connectors project with Tomcat 3.3. + - Tomcat Testing: The test web application along with the test-tomcat.xml and associated support files are not part of the binary Tomcat 3.3 distribution. The test web application is supplied separately as test.war. This file - may be downloaded from the v3.3-b2/apps directory of the Tomcat 3.3b2 + may be downloaded from the v3.3-rc1/apps directory of the Tomcat 3.3rc1 release and placed in the webapps directory of your installation. Running the test has been integrated into the Admin web application that is part of - the Tomcat 3.3b2 distribution. A preliminary step to running the test is to + the Tomcat 3.3rc1 distribution. A preliminary step to running the test is to trust the Admin web application. It is set to untrusted by default. This change can be accomplished by executing the command from the TOMCAT_HOME directory with JAVA_HOME set: - ./bin/tomcat.sh run -enableAdmin-- Unix - bin\tomcat run -enableAdmin -- Windows + ./bin/tomcat.sh enableAdmin-- Unix + bin\tomcat enableAdmin -- Windows - Start or restart Tomcat 3.3b2 and invoke the following URL in your browser: + Start or restart Tomcat 3.3rc1 and invoke the following URL in your browser: http://localhost:8080/admin/test/test.jsp @@ -119,6 +129,12 @@ script are then listed and the tests executed. After the tests are completed, the results will appear with FAILED Tests listed first, followed the PASSED Tests. + + If you use Jikes as the Java compiler for JSP, you will need version + 1.14-1 or later to run all the tests without error. Some tests will fail + due to Java compilation errors if an earlier Jikes compiler is used. + See http://oss.software.ibm.com/developerworks/opensource/jikes/ for + the latest version. For security reasons, after you are done with the test, you should either restore the Admin web application to the default untrusted state, or change @@ -169,7 +185,7 @@ - Tomcat 4.x is separate development from Tomcat 3.x. It is based on the Catalina architecture, which is very different from the architecture of -Tomcat 3.x. In addition, Tomcat 4.x is to be the reference implementation +Tomcat 3.x. In addition, Tomcat 4.x is the reference implementation for the Servlet 2.3 and JSP 1.2 specifications. @@ -182,6 +198,11 @@ - The code has undergone a refactoring effort resulting in (we hope) improved readability, ease of use, and performance. +- Auto-generated connector configuration files for mod_jk based connectors + defaults to being generated on demand only. This avoids the possibility + of Tomcat rewritting the config file while a web server, such as Apache, + tries to read it. + - Tag handler pooling has been added (but disabled by default). If your JSPs use a lot of custom tags then you might want to enable tag pooling to increase performance. To enable, add the TagPoolManagerInterceptor module @@ -205,6 +226,11 @@ - The Tomcat Users Guide (i.e. tomcat-ug.html) is now in the TOMCAT_HOME/doc directory instead of the TOMCAT_HOME/doc/uguide directory as it Tomcat 3.2.x. + +- A change in the Ajp13 protocol for chunked input makes mod_jk based
cvs commit: jakarta-tomcat/src/doc readme
larryi 01/09/02 19:13:44 Modified:src/doc readme Log: Updates for beta 2. Revision ChangesPath 1.19 +54 -73jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.18 retrieving revision 1.19 diff -u -r1.18 -r1.19 --- readme2001/08/02 17:15:47 1.18 +++ readme2001/09/03 02:13:44 1.19 @@ -1,8 +1,8 @@ -$Id: readme,v 1.18 2001/08/02 17:15:47 larryi Exp $ +$Id: readme,v 1.19 2001/09/03 02:13:44 larryi Exp $ Release Notes for: - TOMCAT Version 3.3b1 + TOMCAT Version 3.3b2 @@ -42,79 +42,68 @@ browser at the file tomcat_ug.html found in the same directory as this file. -IMPORTANT NOTE: Some important changes have been recently added to -Tomcat 3.3b1 which are not yet covered in the accompanying documentation. -These changes make Tomcat 3.3b1 quite different from Tomcat 3.2 in a number -of ways. These changes include the following: +IMPORTANT NOTE: Some major changes have occurred in Tomcat 3.3 which +make it quite different from Tomcat 3.2.x in a number of ways. Many of +these differences are covered in the Tomcat User's Guide (tomcat-ug.html) +found in Tomcat's docs directory. Some of the more important changes +include the following: - Class Loading: - Tomcat 3.3b1 now uses a new hierarchy of class loaders. It provides for the - separation of the classes used by the Tomcat container and the classes used - by web applications. This solves a major problem in Tomcat 3.2 where all - web applications had to share Tomcat's XML parser. Now each web applicaton - can have its own XML parser, or if desired all web applications can share - an XML parser different from the one used by Tomcat. As a side effect of - this change, web applications in Tomcat 3.3b1 are not provided an XML - parser by default. You must supply one if your web application requires - one. For details about where to place jar files, see the README files in the - lib/container, lib/common, and lib/apps directories of your Tomcat - installation. + Tomcat 3.3 shell and batch files ignore your CLASSPATH environment variable. + Also, Tomcat 3.3 uses a much different hierarchy of class loaders from + Tomcat 3.2.x. This allows Tomcat 3.3 to avoid imposing its XML parser + on all the web applications. In fact, web applications in Tomcat 3.3 don't + get an XML parser by default. You must provide one if needed. + + For information on configuring classes, refer to the Configuring Classes + section of the Tomcat User's guide (tomcat-ug.html) in Tomcat's doc directory. + - Tomcat Configuration: - The configuration of Tomcat has been reorganized into separate configuration - files. The conf/modules.xml file contains module definitions for the modules - (a.k.a Interceptors) available in Tomcat 3.3b1. The conf/server.xml file - specifies which modules and connectors the Tomcat container should use along - with their settings. - - Web application configuration can now be specified in a conf/apps.xml file or - in separate flies using the name conf/apps-[name].xml. For example, - conf/apps-examples.xml would be the configuration file for the examples web - application. - - The tomcat.policy file remains in the conf directory. However, other - configuration files have been moved to directories under conf. - - Another change related to Tomcat configuration is that auto-generated - web server configuration files, such as tomcat-apache.conf, are not generated - by default. To turn these on, add the following modules after the - AutoWebApp ... / module in the server.xml file. The locations for their - configuration files is also shown. - - Apache mod_jk config:ApacheConfig / - Def conf file:conf/auto/mod_jk.conf - Def workers file:conf/jk/workers.properties - - Apache mod_jserv config: JservConfig / - Def conf file:conf/jserv/tomcat-apache.conf - - IIS config: IISConfig / - Reg file:conf/jk/iis_redirect.reg-auto - Workers file:conf/jk/workers.properties - Workers map file:conf/jk/uriworkermap.properties - - Netscape config: NSConfig / - Conf file:conf/jk/obj.conf-auto - Workers file:conf/jk/workers.properties - - Note: The ApacheConfig, JservConfig, and IISConfig by default write a - config file that tries to send all requests for a context to Tomcat. That - is the best way to insure that behavior specified in the web
cvs commit: jakarta-tomcat/src/doc readme
larryi 01/07/20 11:42:33 Modified:src/doc readme Log: Update some information on the connector interceptors. Revision ChangesPath 1.17 +7 -4 jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.16 retrieving revision 1.17 diff -u -r1.16 -r1.17 --- readme2001/07/19 20:20:10 1.16 +++ readme2001/07/20 18:42:33 1.17 @@ -1,4 +1,4 @@ -$Id: readme,v 1.16 2001/07/19 20:20:10 larryi Exp $ +$Id: readme,v 1.17 2001/07/20 18:42:33 larryi Exp $ Release Notes for: @@ -99,9 +99,12 @@ Conf file:conf/jk/obj.conf-auto Workers file:conf/jk/workers.properties - Note: The old organization used in Tomcat 3.2 where all the configuration is - placed in server.xml is still supported by Tomcat 3.3b1 for Apache. However, - you will need to set the appropriate parameters on the interceptor. + Note: The ApacheConfig, JservConfig, and IISConfig by default write a + config file that tries to send all requests for a context to Tomcat. That + is the best way to insure that behavior specified in the web application's + web.xml functions properly. If you desire, you can copy the auto generated + file and modify it to have the web server serve some of the web application's + resources. - Tomcat Testing:
cvs commit: jakarta-tomcat/src/doc readme
larryi 01/07/19 13:20:10 Modified:src/doc readme Log: Some updates for beta-1 Revision ChangesPath 1.16 +35 -37jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.15 retrieving revision 1.16 diff -u -r1.15 -r1.16 --- readme2001/06/21 22:35:32 1.15 +++ readme2001/07/19 20:20:10 1.16 @@ -1,8 +1,8 @@ -$Id: readme,v 1.15 2001/06/21 22:35:32 larryi Exp $ +$Id: readme,v 1.16 2001/07/19 20:20:10 larryi Exp $ Release Notes for: - TOMCAT Version 3.3m4 + TOMCAT Version 3.3b1 @@ -43,19 +43,19 @@ file. IMPORTANT NOTE: Some important changes have been recently added to -Tomcat 3.3m4 which are not yet covered in the accompanying documentation. -These changes make Tomcat 3.3m4 quite different from Tomcat 3.2 in a number +Tomcat 3.3b1 which are not yet covered in the accompanying documentation. +These changes make Tomcat 3.3b1 quite different from Tomcat 3.2 in a number of ways. These changes include the following: - Class Loading: - Tomcat 3.3m4 now uses a new hierarchy of class loaders. It provides for the + Tomcat 3.3b1 now uses a new hierarchy of class loaders. It provides for the separation of the classes used by the Tomcat container and the classes used by web applications. This solves a major problem in Tomcat 3.2 where all web applications had to share Tomcat's XML parser. Now each web applicaton can have its own XML parser, or if desired all web applications can share an XML parser different from the one used by Tomcat. As a side effect of - this change, web applications in Tomcat 3.3m4 are not provided an XML + this change, web applications in Tomcat 3.3b1 are not provided an XML parser by default. You must supply one if your web application requires one. For details about where to place jar files, see the README files in the lib/container, lib/common, and lib/apps directories of your Tomcat @@ -65,7 +65,7 @@ The configuration of Tomcat has been reorganized into separate configuration files. The conf/modules.xml file contains module definitions for the modules - (a.k.a Interceptors) available in Tomcat 3.3m4. The conf/server.xml file + (a.k.a Interceptors) available in Tomcat 3.3b1. The conf/server.xml file specifies which modules and connectors the Tomcat container should use along with their settings. @@ -80,24 +80,38 @@ Another change related to Tomcat configuration is that auto-generated web server configuration files, such as tomcat-apache.conf, are not generated by default. To turn these on, add the following modules after the - AutoWebApp ... / module in the server.xml file: + AutoWebApp ... / module in the server.xml file. The locations for their + configuration files is also shown. - Apache configs: ApacheConfig / - IIS config: IISConfig / - Netscape config: NSConfig / + Apache mod_jk config:ApacheConfig / + Def conf file:conf/auto/mod_jk.conf + Def workers file:conf/jk/workers.properties + + Apache mod_jserv config: JservConfig / + Def conf file:conf/jserv/tomcat-apache.conf + + IIS config: IISConfig / + Reg file:conf/jk/iis_redirect.reg-auto + Workers file:conf/jk/workers.properties + Workers map file:conf/jk/uriworkermap.properties + + Netscape config: NSConfig / + Conf file:conf/jk/obj.conf-auto + Workers file:conf/jk/workers.properties Note: The old organization used in Tomcat 3.2 where all the configuration is - placed in server.xml is still supported by Tomcat 3.3m4. + placed in server.xml is still supported by Tomcat 3.3b1 for Apache. However, + you will need to set the appropriate parameters on the interceptor. - Tomcat Testing: The test web application along with the test-tomcat.xml and - associated support files are not part of the binary Tomcat 3.3m4 distribution. + associated support files are not part of the binary Tomcat 3.3b1 distribution. The test web application is supplied separately as test.war. This file - may be downloaded from the v3.3-m4/apps directory of the Tomcat 3.3m4 + may be downloaded from the v3.3-b1/apps directory of the Tomcat 3.3b1 release and placed in the webapps directory of your installation. Running the test has been integrated into the Admin web application that is part of - the Tomcat 3.3m4 distribution. A preliminary step to running the test is to +
cvs commit: jakarta-tomcat/src/doc readme
marcsaeg01/07/17 07:07:01 Modified:.Tag: tomcat_32 RELEASE-NOTES src/doc Tag: tomcat_32 readme Log: Updated readme and RELEASE-NOTES for the 3.2.3 security release. Revision ChangesPath No revision No revision 1.1.2.9 +47 -78jakarta-tomcat/Attic/RELEASE-NOTES Index: RELEASE-NOTES === RCS file: /home/cvs/jakarta-tomcat/Attic/RELEASE-NOTES,v retrieving revision 1.1.2.8 retrieving revision 1.1.2.9 diff -u -r1.1.2.8 -r1.1.2.9 --- RELEASE-NOTES 2001/05/11 22:44:28 1.1.2.8 +++ RELEASE-NOTES 2001/07/17 14:07:00 1.1.2.9 @@ -1,8 +1,8 @@ -$Id: RELEASE-NOTES,v 1.1.2.8 2001/05/11 22:44:28 marcsaeg Exp $ +$Id: RELEASE-NOTES,v 1.1.2.9 2001/07/17 14:07:00 marcsaeg Exp $ Release Notes for: - TOMCAT Version 3.2.2 + TOMCAT Version 3.2.3 @@ -30,10 +30,18 @@ You should read the License Agreement (in the LICENSE file of the top level directory), which applies to all software included in this release. -Tomcat Version 3.2.2 is a bug fix release. No new features have been -added in this release. The bugs known to be fixed in Version 3.2.2 -are described in section 7.1 below. +Tomcat version 3.2.3 is a security update release. This release closes a +hole that potentially allowed access to resource protected by a +security-constraint in web.xml. This release also includes fixes for +several other bugs discovered after the release of Tomcat version 3.2.2. +Section 7 lists the bugs fixed in this release. + +Users of previous version of Tomcat are strongly encouraged to upgrade to +this release. No changes to any configuration files are required. Existing +installations can be upgraded to version 3.2.3 by simply copying the JAR +files in this release into an existing 3.2.x tomcat/lib directory. + = 2. INSTALLING AND RUNNING TOMCAT @@ -75,9 +83,11 @@ - Tomcat 3.2.1 was a security update. See section 7.3 for details. -- Tomcat 3.2.2 is a bug fix release. Section 7.1 describes the issues +- Tomcat 3.2.2 was a bug fix release. Section 7.1 describes the issues that have been fixed in the version. +- Tomcat 3.2.3 is a security release. + - Tomcat 4.0 is separate development from Tomcat 3.x. It is based on the Catalina architecture, which is very different from the architecture of Tomcat 3.x. In addition, Tomcat 4.0 is to be the reference implementation @@ -299,82 +309,41 @@ === 7. FIXES AND ENHANCEMENTS IN UPDATES + +7.1 Fixes and Enhancements in Release 3.2.3 + +This section highlights the bugs fixed in this release. -7.1 Fixes and Enhancements in Release 3.2.2 + - The show source links the examples web app didn't work. (#372) + - Thread synchronization problems with servlet reloading. (#1628) + - Recycling BufferedServletOutputStream didn't reset usingWriter. (#1802) + - ZIP files in tomcat/lib were not automatically added to the CLASSPATH + by tomcat.bat (#1935) + - A sign extension problem caused ServletInputStream to prematurely return + EOF. (#1673, #1993) + - Multistatus codes for RFC 2518 were missing. (#2069) + - Missing error pages caused Tomcat to enter an infinite loop. (#2327) + - JDBCRealm SQL statements not being closed. (#2149) + - Potential for message buffer overflow in AJP13. (#1528) -This section highlights the bugs fixed in this release. In addition to -these, there have been many other minor bug fixes through the product. -Documentation - - Several updates to how-to documents and users guide. +7.2 Security vulnerabilities fixed in Tomcat 3.2.3 -Servlet - - Fix infinite loop if no prefix matches the request URI. Now returns - a 404 error. - - Handle UnavailableException in included servlets. - - User principle was incorrectly maintained. (#757) - - Use access control for forward() and include() when security manager - is being used. - - Properly interpret url-patterns inside security-contraints. (#567) - - Fix authentication with Sybase ASE 11.9.2 and Interbase. - - reqeust.getPort() now returns the correct port when using SSL. (#743) - - Fix JSP source disclosure problem. (#619) - - ServletRequest.getProtocol() could contain a CRLF. (#620) - - Better initialization of psuedo-random number generator improves - response time for first request that generates a session. - - Fix
cvs commit: jakarta-tomcat/src/doc readme
larryi 01/06/21 15:35:33 Modified:src/doc readme Log: Mention that Jasper34 is available in the build Revision ChangesPath 1.15 +9 -1 jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.14 retrieving revision 1.15 diff -u -r1.14 -r1.15 --- readme2001/06/21 04:52:45 1.14 +++ readme2001/06/21 22:35:32 1.15 @@ -1,4 +1,4 @@ -$Id: readme,v 1.14 2001/06/21 04:52:45 larryi Exp $ +$Id: readme,v 1.15 2001/06/21 22:35:32 larryi Exp $ Release Notes for: @@ -190,6 +190,14 @@ /Context See conf/server.xml for more information. + +- The jakarta-tomcat-jasper project has been created to support refactoring + and other improvements for Jasper, called as Jasper34. As a separate + project, this development can occur independent of Tomcat 3.x and 4.x. + Some preliminary work has been completed and the result is included in the + Tomcat 3.3 build and binary distributions. If you wish to give Jasper34 + a try, change JspInterceptor ... to JspInterceptor34 ... in your + server.xml file. - (more to be added)
cvs commit: jakarta-tomcat/src/doc readme
larryi 01/06/20 21:52:45 Modified:src/doc readme Log: Update for Milestone 4 Revision ChangesPath 1.14 +13 -13jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.13 retrieving revision 1.14 diff -u -r1.13 -r1.14 --- readme2001/05/15 18:52:32 1.13 +++ readme2001/06/21 04:52:45 1.14 @@ -1,8 +1,8 @@ -$Id: readme,v 1.13 2001/05/15 18:52:32 clucas Exp $ +$Id: readme,v 1.14 2001/06/21 04:52:45 larryi Exp $ Release Notes for: - TOMCAT Version 3.3m3 + TOMCAT Version 3.3m4 @@ -43,19 +43,19 @@ file. IMPORTANT NOTE: Some important changes have been recently added to -Tomcat 3.3m3 which are not yet covered in the accompanying documentation. -These changes make Tomcat 3.3m3 quite different from Tomcat 3.2 in a number +Tomcat 3.3m4 which are not yet covered in the accompanying documentation. +These changes make Tomcat 3.3m4 quite different from Tomcat 3.2 in a number of ways. These changes include the following: - Class Loading: - Tomcat 3.3m3 now uses a new hierarchy of class loaders. It provides for the + Tomcat 3.3m4 now uses a new hierarchy of class loaders. It provides for the separation of the classes used by the Tomcat container and the classes used by web applications. This solves a major problem in Tomcat 3.2 where all web applications had to share Tomcat's XML parser. Now each web applicaton can have its own XML parser, or if desired all web applications can share an XML parser different from the one used by Tomcat. As a side effect of - this change, web applications in Tomcat 3.3m3 are not provided an XML + this change, web applications in Tomcat 3.3m4 are not provided an XML parser by default. You must supply one if your web application requires one. For details about where to place jar files, see the README files in the lib/container, lib/common, and lib/apps directories of your Tomcat @@ -65,7 +65,7 @@ The configuration of Tomcat has been reorganized into separate configuration files. The conf/modules.xml file contains module definitions for the modules - (a.k.a Interceptors) available in Tomcat 3.3m3. The conf/server.xml file + (a.k.a Interceptors) available in Tomcat 3.3m4. The conf/server.xml file specifies which modules and connectors the Tomcat container should use along with their settings. @@ -87,17 +87,17 @@ Netscape config: NSConfig / Note: The old organization used in Tomcat 3.2 where all the configuration is - placed in server.xml is still supported by Tomcat 3.3m3. + placed in server.xml is still supported by Tomcat 3.3m4. - Tomcat Testing: The test web application along with the test-tomcat.xml and - associated support files are not part of the binary Tomcat 3.3m3 distribution. + associated support files are not part of the binary Tomcat 3.3m4 distribution. The test web application is supplied separately as test.war. This file - may be downloaded from the v3.3-m3/apps directory of the Tomcat 3.3m3 + may be downloaded from the v3.3-m4/apps directory of the Tomcat 3.3m4 release and placed in the webapps directory of your installation. Running the test has been integrated into the Admin web application that is part of - the Tomcat 3.3m3 distribution. A preliminary step to running the test is to + the Tomcat 3.3m4 distribution. A preliminary step to running the test is to trust the Admin web application. It is set to untrusted by default. This change can be accomplished by executing the command from the TOMCAT_HOME directory with JAVA_HOME set: @@ -105,7 +105,7 @@ ./bin/tomcat.sh run -enableAdmin-- Unix bin\tomcat run -enableAdmin -- Windows - Start or restart Tomcat 3.3m3 and invoke the following URL in your browser: + Start or restart Tomcat 3.3m4 and invoke the following URL in your browser: http://localhost:8080/admin/test/test.jsp @@ -217,7 +217,7 @@ Please note the following information about this implementation: - BASIC and FORM based authentication should work correctly. Please - report any bugs you encounter here at http://jakarta.apache.org/bugs. + report any bugs you encounter here at http://nagoya.apache.org/bugzilla. The example application has a protected area defined at the following URL: http://localhost:8080/examples/jsp/security/protected
cvs commit: jakarta-tomcat/src/doc readme
larryi 01/05/15 06:06:22 Modified:src/doc readme Log: Update for Milestone 3 Revision ChangesPath 1.12 +17 -19jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.11 retrieving revision 1.12 diff -u -r1.11 -r1.12 --- readme2001/03/11 21:55:09 1.11 +++ readme2001/05/15 13:06:18 1.12 @@ -1,8 +1,8 @@ -$Id: readme,v 1.11 2001/03/11 21:55:09 larryi Exp $ +$Id: readme,v 1.12 2001/05/15 13:06:18 larryi Exp $ Release Notes for: - TOMCAT Version 3.3m2 + TOMCAT Version 3.3m3 @@ -43,19 +43,19 @@ file. IMPORTANT NOTE: Some important changes have been recently added to -Tomcat 3.3m2 which are not yet covered in the accompanying documentation. -These changes make Tomcat 3.3m2 quite different from Tomcat 3.2 in a number +Tomcat 3.3m3 which are not yet covered in the accompanying documentation. +These changes make Tomcat 3.3m3 quite different from Tomcat 3.2 in a number of ways. These changes include the following: - Class Loading: - Tomcat 3.3m2 now uses a new hierarchy of class loaders. It provides for the + Tomcat 3.3m3 now uses a new hierarchy of class loaders. It provides for the separation of the classes used by the Tomcat container and the classes used by web applications. This solves a major problem in Tomcat 3.2 where all web applications had to share Tomcat's XML parser. Now each web applicaton can have its own XML parser, or if desired all web applications can share an XML parser different from the one used by Tomcat. As a side effect of - this change, web applications in Tomcat 3.3m2 are not provided an XML + this change, web applications in Tomcat 3.3m3 are not provided an XML parser by default. You must supply one if your web application requires one. For details about where to place jar files, see the README files in the lib/container, lib/common, and lib/apps directories of your Tomcat @@ -65,7 +65,7 @@ The configuration of Tomcat has been reorganized into separate configuration files. The conf/modules.xml file contains module definitions for the modules - (a.k.a Interceptors) available in Tomcat 3.3m2. The conf/server.xml file + (a.k.a Interceptors) available in Tomcat 3.3m3. The conf/server.xml file specifies which modules and connectors the Tomcat container should use along with their settings. @@ -87,17 +87,17 @@ Netscape config: NSConfig / Note: The old organization used in Tomcat 3.2 where all the configuration is - placed in server.xml is still supported by Tomcat 3.3m2. + placed in server.xml is still supported by Tomcat 3.3m3. - Tomcat Testing: The test web application along with the test-tomcat.xml and - associated support files are not part of the binary Tomcat 3.3m2 distribution. + associated support files are not part of the binary Tomcat 3.3m3 distribution. The test web application is supplied separately as test.war. This file - may be downloaded from the v3.3-m2/apps directory of the Tomcat 3.3m2 + may be downloaded from the v3.3-m3/apps directory of the Tomcat 3.3m3 release and placed in the webapps directory of your installation. Running the test has been integrated into the Admin web application that is part of - the Tomcat 3.3m2 distribution. A preliminary step to running the test is to + the Tomcat 3.3m3 distribution. A preliminary step to running the test is to trust the Admin web application. It is set to untrusted by default. This change can be accomplished by executing the command from the TOMCAT_HOME directory with JAVA_HOME set: @@ -105,7 +105,7 @@ ./bin/tomcat.sh run -enableAdmin-- Unix bin\tomcat run -enableAdmin -- Windows - Start or restart Tomcat 3.3m2 and invoke the following URL in your browser: + Start or restart Tomcat 3.3m3 and invoke the following URL in your browser: http://localhost:8080/admin/test/test.jsp @@ -123,17 +123,15 @@ for the admin user in the admin-users.xml file located in Tomcat's conf/users directory. - You may also download the Watchdog jsp-tests.war and servlet-tests.war web + You may also download the Watchdog servlet-tests.war and jsp-tests.war web applications to your webapps directory. These tests may be run in the same fashion as the test web application using the following URLs: - http://localhost:8080/admin/test/watchdog-jsp.jsp http://localhost:8080/admin/test/watchdog-servlet.jsp +
RE: Tomcat 3.2.2 : RE : cvs commit: jakarta-tomcat/src/doc readme
Henri, I didn't go for the DNS lookup stuff before was because I felt that it was too large of a change (because it causes external communications) to put it in without a public beta. At the time I was hoping to release 3.2.2 without any more beta cycles. The %00 JSP security problem forced my hand and I had to release another beta. Since I had to the do the beta I went ahead and implemented the DNS lookup for getRemoteHost(), too. I've updated the release notes accordingly. -Original Message- From: GOMEZ Henri [mailto:[EMAIL PROTECTED]] Sent: Tuesday, May 08, 2001 5:25 PM To: [EMAIL PROTECTED] Subject: Tomcat 3.2.2 : RE : cvs commit: jakarta-tomcat/src/doc readme Hi Marc, Could you clarify the getRemoteHost in readme := == == === 7. FIXES AND ENHANCEMENTS IN UPDATES @@ -318,6 +332,8 @@ - HttpServletRequest.encodeURL() now properly encodes URLs that contain an anchor but no query string. (#1182) - Error pages now work in virtual hosts. + - ServletRequest.getRemoteHost() now returns the remote IP address + if the remote host name isn't known. (#208) = == == === 7. FIXES AND ENHANCEMENTS IN UPDATES @@ -318,6 +332,8 @@ - HttpServletRequest.encodeURL() now properly encodes URLs that contain an anchor but no query string. (#1182) - Error pages now work in virtual hosts. + - ServletRequest.getRemoteHost() now returns the remote IP address + if the remote host name has not been resolved by web-server. (#208) Regards
cvs commit: jakarta-tomcat/src/doc readme
clucas 01/05/15 11:52:40 Modified:src/doc readme Log: added small comment about tag pooling Revision ChangesPath 1.13 +13 -1 jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.12 retrieving revision 1.13 diff -u -r1.12 -r1.13 --- readme2001/05/15 13:06:18 1.12 +++ readme2001/05/15 18:52:32 1.13 @@ -1,4 +1,4 @@ -$Id: readme,v 1.12 2001/05/15 13:06:18 larryi Exp $ +$Id: readme,v 1.13 2001/05/15 18:52:32 clucas Exp $ Release Notes for: @@ -178,6 +178,18 @@ - The code has undergone a refactoring effort resulting in (we hope) improved readability, ease of use, and performance. + +- Tag handler pooling has been added (but disabled by default). If your JSPs + use a lot of custom tags then you might want to enable tag pooling to + increase performance. To enable, add the TagPoolManagerInterceptor module + inside an application's Context section such as: + +Context path=... +!-- other modules etc... -- +TagPoolManagerInterceptor/ +/Context + + See conf/server.xml for more information. - (more to be added)
cvs commit: jakarta-tomcat/src/doc readme
marcsaeg01/05/11 15:44:33 Modified:.Tag: tomcat_32 RELEASE-NOTES src/doc Tag: tomcat_32 readme Log: Updated description of the fix for bug 208. Revision ChangesPath No revision No revision 1.1.2.8 +6 -3 jakarta-tomcat/Attic/RELEASE-NOTES Index: RELEASE-NOTES === RCS file: /home/cvs/jakarta-tomcat/Attic/RELEASE-NOTES,v retrieving revision 1.1.2.7 retrieving revision 1.1.2.8 diff -u -r1.1.2.7 -r1.1.2.8 --- RELEASE-NOTES 2001/05/08 01:31:17 1.1.2.7 +++ RELEASE-NOTES 2001/05/11 22:44:28 1.1.2.8 @@ -1,4 +1,4 @@ -$Id: RELEASE-NOTES,v 1.1.2.7 2001/05/08 01:31:17 marcsaeg Exp $ +$Id: RELEASE-NOTES,v 1.1.2.8 2001/05/11 22:44:28 marcsaeg Exp $ Release Notes for: @@ -295,6 +295,7 @@ will indicate a URL scheme of HTTP. The AJP13 protocol does not suffer from this problem. + === 7. FIXES AND ENHANCEMENTS IN UPDATES @@ -332,8 +333,10 @@ - HttpServletRequest.encodeURL() now properly encodes URLs that contain an anchor but no query string. (#1182) - Error pages now work in virtual hosts. - - ServletRequest.getRemoteHost() now returns the remote IP address - if the remote host name isn't known. (#208) + - ServletRequest.getRemoteHost() now does a DNS lookup (if necessary) to + determine the name of the remote host. As required by the spec, if this + look up fails the method returns the remote host's IP address. (#208) + Jasper - Fix for UnsupportedEncodingException due to UTF8 instead of UTF-8. (#269) No revision No revision 1.8.2.20 +6 -3 jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.8.2.19 retrieving revision 1.8.2.20 diff -u -r1.8.2.19 -r1.8.2.20 --- readme2001/05/08 01:31:19 1.8.2.19 +++ readme2001/05/11 22:44:32 1.8.2.20 @@ -1,4 +1,4 @@ -$Id: readme,v 1.8.2.19 2001/05/08 01:31:19 marcsaeg Exp $ +$Id: readme,v 1.8.2.20 2001/05/11 22:44:32 marcsaeg Exp $ Release Notes for: @@ -295,6 +295,7 @@ will indicate a URL scheme of HTTP. The AJP13 protocol does not suffer from this problem. + === 7. FIXES AND ENHANCEMENTS IN UPDATES @@ -332,8 +333,10 @@ - HttpServletRequest.encodeURL() now properly encodes URLs that contain an anchor but no query string. (#1182) - Error pages now work in virtual hosts. - - ServletRequest.getRemoteHost() now returns the remote IP address - if the remote host name isn't known. (#208) + - ServletRequest.getRemoteHost() now does a DNS lookup (if necessary) to + determine the name of the remote host. As required by the spec, if this + look up fails the method returns the remote host's IP address. (#208) + Jasper - Fix for UnsupportedEncodingException due to UTF8 instead of UTF-8. (#269)
Tomcat 3.2.2 : RE : cvs commit: jakarta-tomcat/src/doc readme
Hi Marc, Could you clarify the getRemoteHost in readme := === 7. FIXES AND ENHANCEMENTS IN UPDATES @@ -318,6 +332,8 @@ - HttpServletRequest.encodeURL() now properly encodes URLs that contain an anchor but no query string. (#1182) - Error pages now work in virtual hosts. + - ServletRequest.getRemoteHost() now returns the remote IP address + if the remote host name isn't known. (#208) = === 7. FIXES AND ENHANCEMENTS IN UPDATES @@ -318,6 +332,8 @@ - HttpServletRequest.encodeURL() now properly encodes URLs that contain an anchor but no query string. (#1182) - Error pages now work in virtual hosts. + - ServletRequest.getRemoteHost() now returns the remote IP address + if the remote host name has not been resolved by web-server. (#208) Regards
cvs commit: jakarta-tomcat/src/doc readme
marcsaeg01/05/07 06:34:36 Modified:.Tag: tomcat_32 RELEASE-NOTES src/doc Tag: tomcat_32 readme Log: Some final updates to the release notes. Revision ChangesPath No revision No revision 1.1.2.6 +7 -14 jakarta-tomcat/Attic/RELEASE-NOTES Index: RELEASE-NOTES === RCS file: /home/cvs/jakarta-tomcat/Attic/RELEASE-NOTES,v retrieving revision 1.1.2.5 retrieving revision 1.1.2.6 diff -u -r1.1.2.5 -r1.1.2.6 --- RELEASE-NOTES 2001/04/30 13:18:59 1.1.2.5 +++ RELEASE-NOTES 2001/05/07 13:34:25 1.1.2.6 @@ -1,4 +1,4 @@ -$Id: RELEASE-NOTES,v 1.1.2.5 2001/04/30 13:18:59 marcsaeg Exp $ +$Id: RELEASE-NOTES,v 1.1.2.6 2001/05/07 13:34:25 marcsaeg Exp $ Release Notes for: @@ -173,15 +173,8 @@ its experimental nature, and the extra overhead required to perform the necessary checks on every request. -6.5 Returned strings from getServletPath, getPathInfo, and getPathTranslated +6.5 Avoiding Out of environment space errors on Windows 95/98 -The Servlet 2.2 Errata - April 27, 2000 specifies that HttpServletRequest -methods getServletPath, getPathInfo, and getPathTranslated should return -decoded strings. This clarification has not been implemented in Tomcat 3.2. -In Tomcat 3.2, these methods return encoded strings. - -6.6 Avoiding Out of environment space errors on Windows 95/98 - This error can easily occur since the default amount of environment space is typically insufficient to run Tomcat. Here are a couple of ways to avoid it. @@ -212,7 +205,7 @@ line to your autoexec.bat or to the startup.bat and shutdown.bat files themselves. -6.7 URL's are now case sensitive on all operating systems +6.6 URL's are now case sensitive on all operating systems As of Tomcat 3.2, URL's are case sensitive for all operating systems, including operating systems which have case insensitive file systems, such as @@ -241,7 +234,7 @@ Tomcat, then invoking those links would carry the mismatched case to Tomcat where it cause the resource not to be found. -6.8 Generated Configuration Files for Web Connectors +6.7 Generated Configuration Files for Web Connectors At startup time, Tomcat normally generates configuration files like tomcat-apache.conf to reflect the contexts that are defined. However, the @@ -254,7 +247,7 @@ and will be addressed by the introduction of the MOD_WARP connector in Tomcat 4.0. -6.9 Limitation on Form Based Login +6.8 Limitation on Form Based Login If the pages you specify for form-login-page or form-error-page are within the area protected by a security constraint, Tomcat 3.2 will be unable to @@ -267,7 +260,7 @@ or more subdirectories, and establish security constraints to protect the subdirectories. -6.10 Limitation on Document Base Paths +6.9 Limitation on Document Base Paths Tomcat 3.2 is unable to support Windows SMB paths in a Context directive like this: @@ -282,7 +275,7 @@ where r: is mapped to this share. -6.11 Resource Paths Can't Contain URL Escapes +6.10 Resource Paths Can't Contain URL Escapes The path passed to javax.servlet.Context.getResource() and javax.servlet.Context.getResrouceAsStream() cannot contain URL escapes of No revision No revision 1.8.2.18 +7 -14 jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.8.2.17 retrieving revision 1.8.2.18 diff -u -r1.8.2.17 -r1.8.2.18 --- readme2001/04/30 13:18:59 1.8.2.17 +++ readme2001/05/07 13:34:32 1.8.2.18 @@ -1,4 +1,4 @@ -$Id: readme,v 1.8.2.17 2001/04/30 13:18:59 marcsaeg Exp $ +$Id: readme,v 1.8.2.18 2001/05/07 13:34:32 marcsaeg Exp $ Release Notes for: @@ -173,15 +173,8 @@ its experimental nature, and the extra overhead required to perform the necessary checks on every request. -6.5 Returned strings from getServletPath, getPathInfo, and getPathTranslated +6.5 Avoiding Out of environment space errors on Windows 95/98 -The Servlet 2.2 Errata - April 27, 2000 specifies that HttpServletRequest -methods getServletPath, getPathInfo, and getPathTranslated should return -decoded strings. This clarification has not been implemented in Tomcat 3.2. -In Tomcat 3.2, these methods return encoded strings. - -6.6 Avoiding Out of environment space errors on Windows 95/98 - This error can easily occur since the default amount of environment
cvs commit: jakarta-tomcat/src/doc readme
marcsaeg01/05/07 18:31:20 Modified:.Tag: tomcat_32 RELEASE-NOTES src/doc Tag: tomcat_32 readme Log: Updated descriptions in section 4, added note about AJP12/SSL limitation to section 6 and added description of fix for bug 208. Revision ChangesPath No revision No revision 1.1.2.7 +19 -3 jakarta-tomcat/Attic/RELEASE-NOTES Index: RELEASE-NOTES === RCS file: /home/cvs/jakarta-tomcat/Attic/RELEASE-NOTES,v retrieving revision 1.1.2.6 retrieving revision 1.1.2.7 diff -u -r1.1.2.6 -r1.1.2.7 --- RELEASE-NOTES 2001/05/07 13:34:25 1.1.2.6 +++ RELEASE-NOTES 2001/05/08 01:31:17 1.1.2.7 @@ -1,4 +1,4 @@ -$Id: RELEASE-NOTES,v 1.1.2.6 2001/05/07 13:34:25 marcsaeg Exp $ +$Id: RELEASE-NOTES,v 1.1.2.7 2001/05/08 01:31:17 marcsaeg Exp $ Release Notes for: @@ -70,9 +70,14 @@ version 3.1 also focused on reorganizing the code (modularization, cleanup, refactoring, removal of dead code, and separation of J2EE-specific code). -- Tomcat 3.2 is the first performance tune-up, and also adds a few new -features (see next section). +- Tomcat 3.2 was the first performance tune-up, and also added a few new +features. +- Tomcat 3.2.1 was a security update. See section 7.3 for details. + +- Tomcat 3.2.2 is a bug fix release. Section 7.1 describes the issues +that have been fixed in the version. + - Tomcat 4.0 is separate development from Tomcat 3.x. It is based on the Catalina architecture, which is very different from the architecture of Tomcat 3.x. In addition, Tomcat 4.0 is to be the reference implementation @@ -281,6 +286,15 @@ javax.servlet.Context.getResrouceAsStream() cannot contain URL escapes of the form %HH. Paths containing any URL escapes will return null. +6.11 AJP12 and SSL + +The AJP12 protocol does not provide a mechanism for identifying requests +that arrived on a secure transport (e.g. SSL). Tomcat assumes that any +request that arrived on server port 443 is secure and sets the URL scheme +to HTTPS. Requests on any other port are assumed to be non-secure and +will indicate a URL scheme of HTTP. The AJP13 protocol does not suffer +from this problem. + === 7. FIXES AND ENHANCEMENTS IN UPDATES @@ -318,6 +332,8 @@ - HttpServletRequest.encodeURL() now properly encodes URLs that contain an anchor but no query string. (#1182) - Error pages now work in virtual hosts. + - ServletRequest.getRemoteHost() now returns the remote IP address + if the remote host name isn't known. (#208) Jasper - Fix for UnsupportedEncodingException due to UTF8 instead of UTF-8. (#269) No revision No revision 1.8.2.19 +19 -3 jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.8.2.18 retrieving revision 1.8.2.19 diff -u -r1.8.2.18 -r1.8.2.19 --- readme2001/05/07 13:34:32 1.8.2.18 +++ readme2001/05/08 01:31:19 1.8.2.19 @@ -1,4 +1,4 @@ -$Id: readme,v 1.8.2.18 2001/05/07 13:34:32 marcsaeg Exp $ +$Id: readme,v 1.8.2.19 2001/05/08 01:31:19 marcsaeg Exp $ Release Notes for: @@ -70,9 +70,14 @@ version 3.1 also focused on reorganizing the code (modularization, cleanup, refactoring, removal of dead code, and separation of J2EE-specific code). -- Tomcat 3.2 is the first performance tune-up, and also adds a few new -features (see next section). +- Tomcat 3.2 was the first performance tune-up, and also added a few new +features. +- Tomcat 3.2.1 was a security update. See section 7.3 for details. + +- Tomcat 3.2.2 is a bug fix release. Section 7.1 describes the issues +that have been fixed in the version. + - Tomcat 4.0 is separate development from Tomcat 3.x. It is based on the Catalina architecture, which is very different from the architecture of Tomcat 3.x. In addition, Tomcat 4.0 is to be the reference implementation @@ -281,6 +286,15 @@ javax.servlet.Context.getResrouceAsStream() cannot contain URL escapes of the form %HH. Paths containing any URL escapes will return null. +6.11 AJP12 and SSL + +The AJP12 protocol does not provide a mechanism for identifying requests +that arrived on a secure transport (e.g. SSL). Tomcat assumes that any +request that arrived on server port 443 is secure and sets the URL scheme +to HTTPS. Requests on any other port are
cvs commit: jakarta-tomcat/src/doc readme
marcsaeg01/04/30 06:18:59 Modified:.Tag: tomcat_32 RELEASE-NOTES src/doc Tag: tomcat_32 readme Log: Release note updates for beta 4. Revision ChangesPath No revision No revision 1.1.2.5 +6 -1 jakarta-tomcat/Attic/RELEASE-NOTES Index: RELEASE-NOTES === RCS file: /home/cvs/jakarta-tomcat/Attic/RELEASE-NOTES,v retrieving revision 1.1.2.4 retrieving revision 1.1.2.5 diff -u -r1.1.2.4 -r1.1.2.5 --- RELEASE-NOTES 2001/04/08 01:51:05 1.1.2.4 +++ RELEASE-NOTES 2001/04/30 13:18:59 1.1.2.5 @@ -1,4 +1,4 @@ -$Id: RELEASE-NOTES,v 1.1.2.4 2001/04/08 01:51:05 marcsaeg Exp $ +$Id: RELEASE-NOTES,v 1.1.2.5 2001/04/30 13:18:59 marcsaeg Exp $ Release Notes for: @@ -322,6 +322,9 @@ error-page tags in web.xml. (#291) - URL encoded data in servlet paths and path info are now decoded properly. (#657) + - HttpServletRequest.encodeURL() now properly encodes URLs that contain + an anchor but no query string. (#1182) + - Error pages now work in virtual hosts. Jasper - Fix for UnsupportedEncodingException due to UTF8 instead of UTF-8. (#269) @@ -337,6 +340,8 @@ - Fixed the defualt character encoding. The default charset is now ISO-8859-1. (#285) - jsp:plugin was not being expanded correctly. (#467) + - Fixed bug that could cause the body of a JSP page to be exeucted before + or while its jspInit() method was being executed. (#1280) Connectors No revision No revision 1.8.2.17 +6 -1 jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.8.2.16 retrieving revision 1.8.2.17 diff -u -r1.8.2.16 -r1.8.2.17 --- readme2001/04/08 01:51:05 1.8.2.16 +++ readme2001/04/30 13:18:59 1.8.2.17 @@ -1,4 +1,4 @@ -$Id: readme,v 1.8.2.16 2001/04/08 01:51:05 marcsaeg Exp $ +$Id: readme,v 1.8.2.17 2001/04/30 13:18:59 marcsaeg Exp $ Release Notes for: @@ -322,6 +322,9 @@ error-page tags in web.xml. (#291) - URL encoded data in servlet paths and path info are now decoded properly. (#657) + - HttpServletRequest.encodeURL() now properly encodes URLs that contain + an anchor but no query string. (#1182) + - Error pages now work in virtual hosts. Jasper - Fix for UnsupportedEncodingException due to UTF8 instead of UTF-8. (#269) @@ -337,6 +340,8 @@ - Fixed the defualt character encoding. The default charset is now ISO-8859-1. (#285) - jsp:plugin was not being expanded correctly. (#467) + - Fixed bug that could cause the body of a JSP page to be exeucted before + or while its jspInit() method was being executed. (#1280) Connectors
cvs commit: jakarta-tomcat/src/doc readme
marcsaeg01/04/07 18:51:05 Modified:.Tag: tomcat_32 RELEASE-NOTES src/doc Tag: tomcat_32 readme Log: Updates prior to releasing 3.2.2 beta 3. Revision ChangesPath No revision No revision 1.1.2.4 +305 -59 jakarta-tomcat/Attic/RELEASE-NOTES Index: RELEASE-NOTES === RCS file: /home/cvs/jakarta-tomcat/Attic/RELEASE-NOTES,v retrieving revision 1.1.2.3 retrieving revision 1.1.2.4 diff -u -r1.1.2.3 -r1.1.2.4 --- RELEASE-NOTES 2001/02/25 20:38:11 1.1.2.3 +++ RELEASE-NOTES 2001/04/08 01:51:05 1.1.2.4 @@ -1,3 +1,5 @@ +$Id: RELEASE-NOTES,v 1.1.2.4 2001/04/08 01:51:05 marcsaeg Exp $ + Release Notes for: TOMCAT Version 3.2.2 @@ -27,11 +29,10 @@ You should read the License Agreement (in the LICENSE file of the top level directory), which applies to all software included in this release. - -This document adds descriptions of the bug fixes and enhancements that have -been added in update releases of Tomcat 3.2 since the original release. See -Section 7 for details. +Tomcat Version 3.2.2 is a bug fix release. No new features have been +added in this release. The bugs known to be fixed in Version 3.2.2 +are described in section 7.1 below. = 2. INSTALLING AND RUNNING TOMCAT @@ -43,8 +44,7 @@ For detailed information about installing and running Tomcat, point your browser at file "doc/uguide/tomcat_ug.html" under the directory into which -you unpacked the Tomcat distribution or see the documentation at -http://jakarta.apache.org/tomcat/index.html. +you unpacked the Tomcat distribution. = @@ -59,35 +59,39 @@ = 4. TOMCAT: PAST, PRESENT, AND FUTURE -- Version 3.0 (released 12/1999) was the initial release of Tomcat. In -addition to implementing the Java Servlet and Server Pages specification, +- Version 3.0 (released 12/1999) was the initial release of Tomcat. In +addition to implementing the Java Servlet and Server Pages specification, this release featured a minimal Apache connector. -- Tomcat 3.1 (released 4/2000) improved the Apache connection and added -connector support for Netscape and IIS web servers. It also added WAR file -support, automatic servlet reloading, and a command line tool (jspc) to -compile the JSP pages that comprise your application in advance of -deployment. Finally, version 3.1 also focused on reorganizing the code -(modularization, cleanup, refactoring, removal of dead code, and separation -of J2EE-specific code). +- Tomcat 3.1 (released 4/2000) improved the Apache connection and added +connector support for Netscape and IIS web servers. It also added WAR file +support, automatic servlet reloading, and a command line tool (jspc) to +compile ahead of time the JSP pages that comprise your application. Finally, +version 3.1 also focused on reorganizing the code (modularization, cleanup, +refactoring, removal of dead code, and separation of J2EE-specific code). -- Tomcat 3.2 is the first performance tune-up, and also adds a few new +- Tomcat 3.2 is the first performance tune-up, and also adds a few new features (see next section). -- Tomcat 3.2.2 is a bug fix release that collects the fixes that have -been applied since version 3.2.1 was released. +- Tomcat 4.0 is separate development from Tomcat 3.x. It is based on the +Catalina architecture, which is very different from the architecture of +Tomcat 3.x. In addition, Tomcat 4.0 is to be the reference implementation +for the Servlet 2.3 and JSP 1.2 specifications. -- It is expected that Tomcat 3.3 will feature additional major performance -improvements resulting from changes in data representation and algorithms. -Version 3.3 will also undergo a major review of security (to be able to -trust that "untrusted" code runs safely), and support for I18N character -sets. = 5. NEW FEATURES IN THIS RELEASE + +5.1 Docbase and File Based Localization + +Tomcat 3.2.2 now supports a method mapping requests into localized resources +automatically based on the client's and the server's locale. Localized +content can be organized using one directory per locale (Docbase) or +into a single directory the locale specified in the file names (File based). + +A detailed description of this feature can be found in +doc/tomcat-localization-how.html
cvs commit: jakarta-tomcat/src/doc readme
marcsaeg01/03/21 15:07:01 Modified:src/doc Tag: tomcat_32 readme Log: Another round of updates to the release notes prior to releasing 3.2.2-beta 2 Revision ChangesPath No revision No revision 1.8.2.15 +22 -2 jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.8.2.14 retrieving revision 1.8.2.15 diff -u -r1.8.2.14 -r1.8.2.15 --- readme2001/03/09 18:51:40 1.8.2.14 +++ readme2001/03/21 23:06:58 1.8.2.15 @@ -1,4 +1,4 @@ -$Id: readme,v 1.8.2.14 2001/03/09 18:51:40 marcsaeg Exp $ +$Id: readme,v 1.8.2.15 2001/03/21 23:06:58 marcsaeg Exp $ Release Notes for: @@ -82,9 +82,17 @@ = 5. NEW FEATURES IN THIS RELEASE -Tomcat Version 3.2.2 is a bug release only. No new features were added. +5.1 Docbase and File Based Localization +Tomcat 3.2.2 now supports a method mapping requests into localized resources +automatically based on the client's and the server's locale. Localized +content can be organized using one directory per locale (Docbase) or +into a single directory the locale specified in the file names (File based). +A detailed description of this feature can be found in +doc/tomcat-localization-how.html + + = 6. KNOWN BUGS AND ISSUES @@ -305,6 +313,11 @@ - Fix session tracking through forward(). (#504) - Fix problem with getSession() overwritting the requested session ID and related URL rewritting problems. (#160) + - Better error reporting for load-on-startup servler load failures. ((#489) + - Static files (e.g. .html) can how be used as the location for + error-page tags in web.xml. (#291) + - URL encoded data in servlet paths and path info are now decoded + properly. (#657) Jasper - Fix for UnsupportedEncodingException due to UTF8 instead of UTF-8. (#269) @@ -317,16 +330,23 @@ - Better error reporting if compile fails due to missing tag library. - Fix thread synchronization problem that can cause page compilation to fail (#44). + - Fixed the defualt character encoding. The default charset is now + ISO-8859-1. (#285) + - jsp:plugin was not being expanded correctly. (#467) + Connectors - Fix infinite loop on invalid content-length for ajp12. (#264) - Fix infinite llop if Tomcat connector closed connection. (#510) - For ajp13 protocol, add support for multipart form encoding and file uploads now work. - Reading session ids from cookies in the load balancer. (#603) + - HTTP connections now time out if no data is received from the + client. (#1006) IIS - Better error logging for startup failures. + NetWare - Fix for netbuf_getbytes() not supported on NetWare 5.1.
cvs commit: jakarta-tomcat/src/doc readme
larryi 01/03/11 13:55:10 Modified:src/doc readme Log: Changes to prepare for Milestone 2 Revision ChangesPath 1.11 +22 -16jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- readme2001/02/13 04:35:01 1.10 +++ readme2001/03/11 21:55:09 1.11 @@ -1,8 +1,8 @@ -$Id: readme,v 1.10 2001/02/13 04:35:01 larryi Exp $ +$Id: readme,v 1.11 2001/03/11 21:55:09 larryi Exp $ Release Notes for: - TOMCAT Version 3.3m1 + TOMCAT Version 3.3m2 @@ -39,32 +39,33 @@ Kit 1.1 or later environment, including JDKs conformant with Java2. For detailed information about installing and running Tomcat, point your -browser at file "doc/tomcat_ug.html" under the directory into which -you unpacked the Tomcat distribution. +browser at the file "tomcat_ug.html" found in the same directory as this +file. IMPORTANT NOTE: Some important changes have been recently added to -Tomcat 3.3m1 which are not yet covered in the accompanying documentation. -These changes make Tomcat 3.3m1 quite different from Tomcat 3.2 in a number +Tomcat 3.3m2 which are not yet covered in the accompanying documentation. +These changes make Tomcat 3.3m2 quite different from Tomcat 3.2 in a number of ways. These changes include the following: - Class Loading: - Tomcat 3.3m1 now uses a new hierarchy of class loaders. It provides for the + Tomcat 3.3m2 now uses a new hierarchy of class loaders. It provides for the separation of the classes used by the Tomcat container and the classes used by web applications. This solves a major problem in Tomcat 3.2 where all web applications had to share Tomcat's XML parser. Now each web applicaton can have its own XML parser, or if desired all web applications can share an XML parser different from the one used by Tomcat. As a side effect of - this change, web applications in Tomcat 3.3m1 are not provided an XML + this change, web applications in Tomcat 3.3m2 are not provided an XML parser by default. You must supply one if your web application requires one. For details about where to place jar files, see the README files in the - "lib", "lib/common", and "lib/shared" directories of your Tomcat installation. + "lib/container", "lib/common", and "lib/apps" directories of your Tomcat + installation. - Tomcat Configuration: The configuration of Tomcat has been reorganized into separate configuration files. The conf/modules.xml file contains module definitions for the modules - (a.k.a Interceptors) available in Tomcat 3.3m1. The conf/server.xml file + (a.k.a Interceptors) available in Tomcat 3.3m2. The conf/server.xml file specifies which modules and connectors the Tomcat container should use along with their settings. @@ -86,17 +87,17 @@ Netscape config: NSConfig / Note: The old organization used in Tomcat 3.2 where all the configuration is - placed in server.xml is still supported by Tomcat 3.3m1. + placed in server.xml is still supported by Tomcat 3.3m2. - Tomcat Testing: The "test" web application along with the test-tomcat.xml and - associated support files are not part of the binary Tomcat 3.3m1 distribution. + associated support files are not part of the binary Tomcat 3.3m2 distribution. The "test" web application is supplied separately as "test.war". This file - may be downloaded from the "v3.3-m1/apps" directory of the Tomcat 3.3m1 - release and placed in the "webapps" directory of you installation. Running + may be downloaded from the "v3.3-m2/apps" directory of the Tomcat 3.3m2 + release and placed in the "webapps" directory of your installation. Running the test has been integrated into the Admin web application that is part of - the Tomcat 3.3m1 distribution. A preliminary step to running the test is to + the Tomcat 3.3m2 distribution. A preliminary step to running the test is to "trust" the Admin web application. It is set to "untrusted" by default. This change can be accomplished by executing the command from the TOMCAT_HOME directory with JAVA_HOME set: @@ -104,7 +105,7 @@ ./bin/tomcat.sh run -enableAdmin-- Unix bin\tomcat run -enableAdmin -- Windows - Start or restart Tomcat 3.3m1 and invoke the following URL in your browser: + Start or restart Tomcat 3.3m2 and invoke the following URL in your browser: http://localhost:8080/admin/test/test.jsp @@ -129,6 +130,11 @@
cvs commit: jakarta-tomcat/src/doc readme
marcsaeg01/03/09 10:51:43 Modified:src/doc Tag: tomcat_32 readme Log: More updates for the 3.2.2 release. Revision ChangesPath No revision No revision 1.8.2.14 +8 -22 jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.8.2.13 retrieving revision 1.8.2.14 diff -u -r1.8.2.13 -r1.8.2.14 --- readme2001/03/05 14:26:29 1.8.2.13 +++ readme2001/03/09 18:51:40 1.8.2.14 @@ -1,4 +1,4 @@ -$Id: readme,v 1.8.2.13 2001/03/05 14:26:29 marcsaeg Exp $ +$Id: readme,v 1.8.2.14 2001/03/09 18:51:40 marcsaeg Exp $ Release Notes for: @@ -14,7 +14,7 @@ 4. Tomcat: Past, Present, and Future 5. New Features In This Release 6. Known Bugs and Issues -7. Security Vulnerabilities Fixed in 3.2.1 +7. Fixes and Enhancements in Updates = @@ -30,17 +30,10 @@ You should read the License Agreement (in the LICENSE file of the top level directory), which applies to all software included in this release. -Tomcat Version 3.2.1 is a security related update! See Section 7, below, -for details on the changes that have been made. All other existing issues with -Tomcat 3.2 will remain in 3.2.1 -- they will be addressed in subsequent -maintenance updates (3.2.2, and so on). - -No changes to the native code components of Tomcat 3.2 have been made. -Therefore, you should *not* need to recompile components such as mod_jserv -in order to take advantage of this release. You only need to replace the -Java based modules in the "jakarta-tomcat-3.2.*" distribution. +Tomcat Version 3.2.2 is a bug fix release. No new features have been +added in this release. The bugs known to be fixed in Version 3.2.2 +are described in section 7.1 below. - = 2. INSTALLING AND RUNNING TOMCAT @@ -88,16 +81,8 @@ = 5. NEW FEATURES IN THIS RELEASE - -Tomcat 3.2.1 is a maintenance and bug fix release, based on the Tomcat 3.2 -(final) code base. The following changes are included: - -- Disallowed requesting JSP pages under the WEB-INF directory - (/WEB-INF/dummy.jsp). Previously, only requests for static files - were being disallowed. -- The JDBCRealm request interceptor will now log the description of any - JDBC exception that occurs, to aid in debugging. +Tomcat Version 3.2.2 is a bug release only. No new features were added. = @@ -318,6 +303,8 @@ - Better initialization of psuedo-random number generator improves response time for first request that generates a session. - Fix session tracking through forward(). (#504) + - Fix problem with getSession() overwritting the requested session ID + and related URL rewritting problems. (#160) Jasper - Fix for UnsupportedEncodingException due to UTF8 instead of UTF-8. (#269) @@ -330,7 +317,6 @@ - Better error reporting if compile fails due to missing tag library. - Fix thread synchronization problem that can cause page compilation to fail (#44). - Connectors - Fix infinite loop on invalid content-length for ajp12. (#264) - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
cvs commit: jakarta-tomcat/src/doc readme
marcsaeg01/03/05 06:26:36 Modified:src/doc Tag: tomcat_32 readme Log: Updates for 3.2.2. Why do we have two release notes files (doc/readme and RELEASE-NOTES) and why are they different? Revision ChangesPath No revision No revision 1.8.2.13 +57 -14jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.8.2.12 retrieving revision 1.8.2.13 diff -u -r1.8.2.12 -r1.8.2.13 --- readme2001/02/16 04:13:16 1.8.2.12 +++ readme2001/03/05 14:26:29 1.8.2.13 @@ -1,8 +1,8 @@ -$Id: readme,v 1.8.2.12 2001/02/16 04:13:16 marcsaeg Exp $ +$Id: readme,v 1.8.2.13 2001/03/05 14:26:29 marcsaeg Exp $ Release Notes for: - TOMCAT Version 3.2.1 + TOMCAT Version 3.2.2 @@ -124,7 +124,7 @@ Please note the following information about this implementation: - BASIC and FORM based authentication should work correctly. Please - report any bugs you encounter here at http://jakarta.apache.org/bugs. + report any bugs you encounter here at http://jakarta.apache.org/site/bugs.html. The example application has a protected area defined at the following URL: http://localhost:8080/examples/jsp/security/protected @@ -289,22 +289,65 @@ where "r:" is mapped to this share. -6.11 Misconfiguration Can Cause CPU-Bound Loop -If you misconfigure Tomcat 3.2 in a way that there is no valid context to -handle a request (such as removing the root context and then attempting a -request that should be handled by that context), Tomcat will enter a CPU-bound -loop instead of responding with a 404 error. +=== +7. FIXES AND ENHANCEMENTS IN UPDATES -Workaround: kill the offending Tomcat process and correct your server.xml -file such that there is a properly configured root context. +7.1 Fixes and Enhancements in Release 3.2.2 -=== -7. SECURITY VULNERABILITIES FIXED IN TOMCAT 3.2.1 +This section highlights the bugs fixed in this release. In addition to +these, there have been many other minor bug fixes through the product. + +Documentation + - Several updates to how-to documents and users guide. + +Servlet + - Fix infinite loop if no prefix matches the request URI. Now returns + a 404 error. + - Handle UnavailableException in included servlets. + - User principle was incorrectly maintained. (#757) + - Use access control for forward() and include() when security manager + is being used. + - Properly interpret url-patterns inside security-contraints. (#567) + - Fix authentication with Sybase ASE 11.9.2 and Interbase. + - reqeust.getPort() now returns the correct port when using SSL. (#743) + - Fix problem accessing via HTTP without protocol. (#513) + - Fix JSP source disclosure problem. (#619) + - ServletRequest.getProtocol() could contain a CRLF. (#620) + - Better initialization of psuedo-random number generator improves + response time for first request that generates a session. + - Fix session tracking through forward(). (#504) + +Jasper + - Fix for UnsupportedEncodingException due to UTF8 instead of UTF-8. (#269) + - Support compiling with debug information. + - If JSP source file is removed, then generated files are removed + and subsequent requests return a 404 error. (#698) + - Fix compile error with more than one set of tags with the same + name. (#540) + - Support for non 8859-1 character encodings for included pages. + - Better error reporting if compile fails due to missing tag library. + - Fix thread synchronization problem that can cause page compilation to + fail (#44). + + +Connectors + - Fix infinite loop on invalid content-length for ajp12. (#264) + - Fix infinite llop if Tomcat connector closed connection. (#510) + - For ajp13 protocol, add support for multipart form encoding + and file uploads now work. + - Reading session ids from cookies in the load balancer. (#603) + + IIS + - Better error logging for startup failures. + NetWare + - Fix for netbuf_getbytes() not supported on NetWare 5.1. + +7.2 Security vulnerabilities fixed in Tomcat 3.2.1 -7.1 Protection of Resources in /WEB-INF and /META-INF Directories +7.2.1 Protection of Resources in /WEB-INF and /META-INF Directories The servlet specification prohibits servlet containers from serving
cvs commit: jakarta-tomcat/src/doc readme
larryi 01/02/12 20:35:02 Modified:src/doc readme Log: Update to document some major changes from Tomcat 3.2 Revision ChangesPath 1.10 +88 -1 jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- readme2001/02/08 21:38:31 1.9 +++ readme2001/02/13 04:35:01 1.10 @@ -1,4 +1,4 @@ -$Id: readme,v 1.9 2001/02/08 21:38:31 larryi Exp $ +$Id: readme,v 1.10 2001/02/13 04:35:01 larryi Exp $ Release Notes for: @@ -41,6 +41,93 @@ For detailed information about installing and running Tomcat, point your browser at file "doc/tomcat_ug.html" under the directory into which you unpacked the Tomcat distribution. + +IMPORTANT NOTE: Some important changes have been recently added to +Tomcat 3.3m1 which are not yet covered in the accompanying documentation. +These changes make Tomcat 3.3m1 quite different from Tomcat 3.2 in a number +of ways. These changes include the following: + +- Class Loading: + + Tomcat 3.3m1 now uses a new hierarchy of class loaders. It provides for the + separation of the classes used by the Tomcat container and the classes used + by web applications. This solves a major problem in Tomcat 3.2 where all + web applications had to share Tomcat's XML parser. Now each web applicaton + can have its own XML parser, or if desired all web applications can share + an XML parser different from the one used by Tomcat. As a side effect of + this change, web applications in Tomcat 3.3m1 are not provided an XML + parser by default. You must supply one if your web application requires + one. For details about where to place jar files, see the README files in the + "lib", "lib/common", and "lib/shared" directories of your Tomcat installation. + +- Tomcat Configuration: + + The configuration of Tomcat has been reorganized into separate configuration + files. The conf/modules.xml file contains module definitions for the modules + (a.k.a Interceptors) available in Tomcat 3.3m1. The conf/server.xml file + specifies which modules and connectors the Tomcat container should use along + with their settings. + + Web application configuration can now be specified in a conf/apps.xml file or + in separate flies using the name conf/apps-[name].xml. For example, + conf/apps-examples.xml would be the configuration file for the examples web + application. + + The tomcat.policy file remains in the "conf" directory. However, other + configuration files have been moved to directories under "conf". + + Another change related to Tomcat configuration is that auto-generated + web server configuration files, such as tomcat-apache.conf, are not generated + by default. To turn these on, add the following modules after the + AutoWebApp ... / module in the server.xml file: + + Apache configs: ApacheConfig / + IIS config: IISConfig / + Netscape config: NSConfig / + + Note: The old organization used in Tomcat 3.2 where all the configuration is + placed in server.xml is still supported by Tomcat 3.3m1. + +- Tomcat Testing: + + The "test" web application along with the test-tomcat.xml and + associated support files are not part of the binary Tomcat 3.3m1 distribution. + The "test" web application is supplied separately as "test.war". This file + may be downloaded from the "v3.3-m1/apps" directory of the Tomcat 3.3m1 + release and placed in the "webapps" directory of you installation. Running + the test has been integrated into the Admin web application that is part of + the Tomcat 3.3m1 distribution. A preliminary step to running the test is to + "trust" the Admin web application. It is set to "untrusted" by default. This + change can be accomplished by executing the command from the TOMCAT_HOME + directory with JAVA_HOME set: + + ./bin/tomcat.sh run -enableAdmin-- Unix + bin\tomcat run -enableAdmin -- Windows + + Start or restart Tomcat 3.3m1 and invoke the following URL in your browser: + + http://localhost:8080/admin/test/test.jsp + + and then click "Submit Query". The build targets for the Ant based test + script are then listed and the tests executed. After the tests are + completed, the results will appear with "FAILED Tests" listed first, + followed the "PASSED Tests". + + For security reasons, after you are done with the test, you should either + restore the Admin web application to the default "untrusted" state, or change + the password for the "admin" user. To restore the Admin web application to + the default "untrusted" state, change
cvs commit: jakarta-tomcat/src/doc readme
larryi 01/02/08 13:38:37 Modified:src/doc readme Log: Port 3.2 readme with some updates for Tomcat 3.3m1. The new features needs to be filled out. Bugs and issues needs to be reviewed. Revision ChangesPath 1.9 +165 -54 jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- readme2000/04/18 01:42:52 1.8 +++ readme2001/02/08 21:38:31 1.9 @@ -1,9 +1,9 @@ -$Id: readme,v 1.8 2000/04/18 01:42:52 craigmcc Exp $ +$Id: readme,v 1.9 2001/02/08 21:38:31 larryi Exp $ Release Notes for: - == - TOMCAT Version 3.1 - == + + TOMCAT Version 3.3m1 + 0. TABLE OF CONTENTS: @@ -11,8 +11,9 @@ 1. Introduction 2. Installing and Running Tomcat 3. Application Development Using Tomcat -4. New Features In This Release -5. Known Bugs and Issues +4. Tomcat: Past, Present, and Future +5. New Features In This Release +6. Known Bugs and Issues = @@ -38,7 +39,7 @@ Kit 1.1 or later environment, including JDKs conformant with Java2. For detailed information about installing and running Tomcat, point your -browser at file "doc/uguide/tomcat_ug.html" under the directory into which +browser at file "doc/tomcat_ug.html" under the directory into which you unpacked the Tomcat distribution. @@ -52,41 +53,47 @@ = -4. NEW FEATURES IN THIS RELEASE +4. TOMCAT: PAST, PRESENT, AND FUTURE -Many new features have been added to Tomcat since the 3.0 release. Among the -most important are: - -- Connectors for using Tomcat to run servlets with Microsoft's IIS - and Netscape's NES web server, as well as Apache and stand-alone. - -- Automatic generation of configuration files for Apache integration. +- Version 3.0 (released 12/1999) was the initial release of Tomcat. In +addition to implementing the Java Servlet and Server Pages specification, +this release featured a minimal Apache connector. + +- Tomcat 3.1 (released 4/2000) improved the Apache connection and added +connector support for Netscape and IIS web servers. It also added WAR file +support, automatic servlet reloading, and a command line tool (jspc) to +compile ahead of time the JSP pages that comprise your application. Finally, +version 3.1 also focused on reorganizing the code (modularization, cleanup, +refactoring, removal of dead code, and separation of J2EE-specific code). + +- Tomcat 3.2 is the first performance tune-up, and also added a few new +features. + +- Tomcat 3.3 is the completion of the modularization, cleanup, and +refactoring that started in Tomcat 3.1. This work carries a number of +new features (see next section). + +- Tomcat 4.x is separate development from Tomcat 3.x. It is based on the +Catalina architecture, which is very different from the architecture of +Tomcat 3.x. In addition, Tomcat 4.x is to be the reference implementation +for the Servlet 2.3 and JSP 1.2 specifications. -- Automatic deployment of applications delivered as Web ARchive (WAR) - files. To deploy an application, copy the WAR file to the - $TOMCAT_HOME/webapps directory and restart Tomcat, after which the - WAR file will be automatically expanded. To remove an application, - remove the expanded directory (and the WAR file) for that application. -- Automatic servlet reloading when servlet classes are changed in - WEB-INF/classes or WEB-INF/lib/*.jar. This support can be configured - on a per-web-application basis. - -- Enhanced support for logging on a per-Tomcat-component basis. - -- Minimal administration tool, allowing new web applications to be deployed - into a running Tomcat environment, as well as removing existing applications. += +5. NEW FEATURES IN THIS RELEASE -- Command line tool (jspc) to compile the JSP pages that comprise your - application ahead of time. +Many new features have been added to Tomcat since the 3.2.x release. Among the +most important are: -- Substantially improved installation and development documentation. +- The code has undergone a refactoring effort resulting in (we hope) improved + readability, ease of use, and performance. +- (more
cvs commit: jakarta-tomcat/src/doc readme
craigmcc00/11/17 16:07:01 Modified:src/doc Tag: tomcat_32 readme Log: Remove the old comment about security constraints and RequestDispatcher, which turned out to be incorrect. Add a new "Known Issue" comment about the fact that the generated configuration files (such as tomcat-apache.conf) for web server integration known nothing about the contents of "web.xml". Revision ChangesPath No revision No revision 1.8.2.6 +12 -13jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.8.2.5 retrieving revision 1.8.2.6 diff -u -r1.8.2.5 -r1.8.2.6 --- readme2000/11/05 07:25:02 1.8.2.5 +++ readme2000/11/18 00:07:00 1.8.2.6 @@ -1,4 +1,4 @@ -$Id: readme,v 1.8.2.5 2000/11/05 07:25:02 craigmcc Exp $ +$Id: readme,v 1.8.2.6 2000/11/18 00:07:00 craigmcc Exp $ Release Notes for: == @@ -270,17 +270,16 @@ Tomcat, then invoking those links would carry the mismatched case to Tomcat where it cause the resource not to be found. -6.8 Container Managed Security Constraints +6.8 Generated Configuration Files for Web Connectors -Due to the way that Tomcat 3.2 is implemented, container managed security -constraints are imposed both on the original request URI *and* on subrequests -initiated to handle RequestDispatcher.forward() or RequestDispatcher.include() -calls. Whether or not this should actually be done was not defined in the -Servlet 2.2 Specification, but has been clarified in 2.3 -- security -constraints should only be applied on the original request URI. - -For future compatibility, you should be aware of this issue as you design your -security constraint architecture, to avoid portability problems if you ever -migrate to a different Servlet 2.2 container (which might implement this -differently), or to a Servlet 2.3 container at a later date. +At startup time, Tomcat normally generates configuration files like +"tomcat-apache.conf" to reflect the contexts that are defined. However, the +generated files do NOT reflect any configuration settings found inside the +web application deployment descriptor file (web.xml) for your application. +You will need to configure any such settings that are relevant directly into +your web server's configuration files. + +This is a known limitation of the design of the web connectors for Tomcat 3.2, +and will be addressed by the introduction of the MOD_WARP connector in +Tomcat 4.0.
Re: cvs commit: jakarta-tomcat/src/doc readme
Modified:src/doc Tag: tomcat_32 readme Log: Remove references to "Tomcat 3.3" and "Tomcat 3.4" since that code base is now a "revolution", not the plan of record. ??? Supporting servlet2.3 is a revolution, but "performance enhancements" and "security" and "I18N" are normal developments for tomcat3 branch. I don't remember any vote on changing the rules - the main branch is for development, and enhancing performance and fixing are normal developments of tomcat3. - Tomcat 3.2 is the first performance tune-up, and also adds a few new features (see next section). - -- It is expected that Tomcat 3.3 will feature additional major performance -improvements resulting from changes in data representation and algorithms. -Version 3.3 will also undergo a major review of security (to be able to -trust that "untrusted" code runs safely), and support for I18N character -sets. -1 on removing that - tomcat3.3 still exists, and most of this already happened or is happening. -It will also support version 2.3 of the Java Servlet specification. -(First-round support for version 2.3 for the servlet specification may be -included in version 3.3.) That is ok to be removed, we agreed on that. Costin - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
cvs commit: jakarta-tomcat/src/doc readme
craigmcc00/11/04 13:07:28 Modified:src/doc Tag: tomcat_32 readme Log: Add a note about the fact that Tomcat 3.2 applies security constraints on request dispatcher forwards and includes. Revision ChangesPath No revision No revision 1.8.2.4 +16 -1 jakarta-tomcat/src/doc/readme Index: readme === RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.8.2.3 retrieving revision 1.8.2.4 diff -u -r1.8.2.3 -r1.8.2.4 --- readme2000/10/13 02:52:31 1.8.2.3 +++ readme2000/11/04 21:07:26 1.8.2.4 @@ -1,4 +1,4 @@ -$Id: readme,v 1.8.2.3 2000/10/13 02:52:31 larryi Exp $ +$Id: readme,v 1.8.2.4 2000/11/04 21:07:26 craigmcc Exp $ Release Notes for: == @@ -280,3 +280,18 @@ URL. If that static page contains relative links to resources served by Tomcat, then invoking those links would carry the mismatched case to Tomcat where it cause the resource not to be found. + +6.8 Container Managed Security Constraints + +Due to the way that Tomcat 3.2 is implemented, container managed security +constraints are imposed both on the original request URI *and* on subrequests +initiated to handle RequestDispatcher.forward() or RequestDispatcher.include() +calls. Whether or not this should actually be done was not defined in the +Servlet 2.2 Specification, but has been clarified in 2.3 -- security +constraints should only be applied on the original request URI. + +For future compatibility, you should be aware of this issue as you design your +security constraint architecture, to avoid portability problems if you ever +migrate to a different Servlet 2.2 container (which might implement this +differently), or to a Servlet 2.3 container at a later date. + - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
