Re: Release plans

2022-10-04 Thread Mark Thomas




On 04/10/2022 03:53, Christopher Schultz wrote:

Mark,

On 10/3/22 03:33, Mark Thomas wrote:

Hi all,

Given the regression in the previous set of releases and that it is 
the beginning of October, my intention is to start the October release 
round shortly.


I have a couple of things I want to look at before I tag the releases 
as well as running my usual checks with the unit tests. Hopefully, 
I'll be in a position to tag later today.


I believe the other RMs are at ApacheCon this week so - unless there 
are objections - I'm intending to tag and release the full set of 
releases myself: 10.1.x, 10.0.x, 9.0.x and 8.5.x.


Thanks for doing this. If I had seen it earlier today, I would have done 
the 8.5 release.


No problem.

Rémy just arrived in NOLA and we had dinner together instead of doing 
these releases :)


I am very jealous. Hope you all have a great conference.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[VOTE] Release Apache Tomcat 8.5.83

2022-10-03 Thread Mark Thomas

The proposed Apache Tomcat 8.5.83 release is now available for voting.

The notable changes compared to 8.5.82 are:

- Add support for authenticating WebSocket clients with an HTTP forward
  proxy when establishing a connection to a WebSocket endpoint via a
  forward proxy that requires authentication. Based on a patch provided
  by Joe Mokos.

- Various fixes for edge case bugs in EL processing

- Enforce the requirement of RFC 7230 onwards that a request with a
  malformed content-length header should always be rejected with a 400
  response.

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.83/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1402

The tag is:
https://github.com/apache/tomcat/tree/8.5.83/
702df4f4db92b59e01d5d8824190ce2652d74a76

The proposed 8.5.83 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 8.5.83 (stable)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[VOTE] Release Apache Tomcat 9.0.68

2022-10-03 Thread Mark Thomas

The proposed Apache Tomcat 9.0.68 release is now available for voting.

The notable changes compared to 9.0.67 are:

- Fix bug 66277, a refactoring regression that broke JSP includes
  amongst other functionality

- Fix unexpected timeouts that may appear as client disconnections when
  using HTTP/2 and NIO2

- Enforce the requirement of RFC 7230 onwards that a request with a
  malformed content-length header should always be rejected with a 400
  response.

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-9.0.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.68/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1401

The tag is:
https://github.com/apache/tomcat/tree/9.0.68
0cbd87a47606a7669c784d28b5133358a4dcff41

The proposed 9.0.68 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 9.0.68 (stable)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[VOTE] Release Apache Tomcat 10.0.27

2022-10-03 Thread Mark Thomas

The proposed Apache Tomcat 10.0.27 release is now available for
voting.

Apache Tomcat 10.0.27 is likely to be the last release of the 10.0.x 
series. Users of 10.0.x should plan to move to 10.1.x at the next update.


Apache Tomcat 10.0.x implements Jakarta EE 9 and, as such, the primary
package for all the specification APIs has changed from javax.* to jakarta.*

Applications that run on Tomcat 9 will not run on Tomcat 10 without 
changes. Java EE applications designed for Tomcat 9 and earlier may be 
placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will 
automatically convert them to Jakarta EE and copy them to the webapps 
directory


The notable changes compared to 10.0.27 are:

- Fix bug 66277, a refactoring regression that broke JSP includes
  amongst other functionality

- Fix unexpected timeouts that may appear as client disconnections when
  using HTTP/2 and NIO2

- Enforce the requirement of RFC 7230 onwards that a request with a
  malformed content-length header should always be rejected with a 400
  response.

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-10.0.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.0.27/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1400

The tag is:
https://github.com/apache/tomcat/tree/10.0.27
ca8720d41f3be917dc3fcdd03fcca8d3152a13fb

The proposed 10.0.27 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.0.27 (stable)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[VOTE] Release Apache Tomcat 10.1.1

2022-10-03 Thread Mark Thomas

The proposed Apache Tomcat 10.1.1 release is now available for
voting.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory.


The notable changes compared to 10.1.0 are:

- Fix bug 66277, a refactoring regression that broke JSP includes
  amongst other functionality

- Fix unexpected timeouts that may appear as client disconnections when
  using HTTP/2 and NIO2

- Update to Eclipse JDT compiler 4.23

For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.1/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1399

The tag is:
https://github.com/apache/tomcat/tree/10.1.1
934df02dc68e72b95a38f372017f1b89b0d13a76


The proposed 10.1.1 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.1.1

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Release plans

2022-10-03 Thread Mark Thomas

Hi all,

Given the regression in the previous set of releases and that it is the 
beginning of October, my intention is to start the October release round 
shortly.


I have a couple of things I want to look at before I tag the releases as 
well as running my usual checks with the unit tests. Hopefully, I'll be 
in a position to tag later today.


I believe the other RMs are at ApacheCon this week so - unless there are 
objections - I'm intending to tag and release the full set of releases 
myself: 10.1.x, 10.0.x, 9.0.x and 8.5.x.


Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Tomcat 11 and other plans

2022-09-28 Thread Mark Thomas

Hi all,

Various things have come together this week that have got me thinking 
about the next few months. They include:

- Tomcat 10.1.x voted stable
- Jakarta EE 10 released
- Loom discussions at $work

I've been thinking about a short term plan along the following lines:

1. Make the October release of 10.0.x the final release (barring any
   regressions or serious security issues).

2. After the October releases, create a 10.1.x branch and move main
   development to Tomcat 11.

3. Start on a JioLoomEndpoint and associated plumbing.

2 & 3 I think need a little more detail.

Emmnanuel has already started the discussion about removing the 
SecurityManager. Minimum Java version is another key question but one 
where we'll need to wait for a decision from Jakarta EE. Are there any 
other significant pieces of work folks are thinking about for Tomcat 11?


I'd quite like to start to picking off the low-hanging fruit from the 
Servlet spec issues list and being able to implement things in Tomcat 11 
is key to being able to do that.



Interest in Loom seems to have picked up recently. I've been asked to 
present on Loom and Web Applications at the beginning of December so 
naturally I want to use Tomcat as the basis for my investigations. I 
have the basics (just HTTP Servlet and JSP requests, no HTTP/2, no 
WebSocket, no TLS, no async) working with relatively little code. My 
plan for Tomcat 11 would be continue this work, adding functionality and 
refactoring as necessary to:

- enable a clean separation between the existing and Loom
  implementations
- make any necessary adjustments to make Tomcat more Loom friendly

I am currently have a BIO based Loom endpoint (I should probably rename 
that to BioLoomEndpoint). I don't currently see what an NioLoomEndpoint 
could offer but that is something to explore at some point.


An obvious question at this point, particularly given that Loom is still 
in preview, is should this be in a separate module?


Thoughts?

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [tomcat] branch main updated: Revert "Fix the typos in the XML schemas" due to license concerns

2022-09-28 Thread Mark Thomas

On 28/09/2022 15:12, ebo...@apache.org wrote:

This is an automated email from the ASF dual-hosted git repository.

ebourg pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
  new 23cb7814b1 Revert "Fix the typos in the XML schemas" due to license 
concerns
23cb7814b1 is described below

commit 23cb7814b1f692c25fd07cc3ae46dc5982edd162
Author: Emmanuel Bourg 
AuthorDate: Wed Sep 28 16:08:37 2022 +0200

 Revert "Fix the typos in the XML schemas" due to license concerns


Thanks.

Some of these typos have been annoying me for years. I guess we could 
try and see if the Jakarta schemas project will accept corrections for 
these.


Mark

 
 This reverts commit 2609b760e969cdbd096816fac65dd4a97cdc585c.

---
  java/jakarta/servlet/jsp/resources/jspxml.xsd| 2 +-
  java/jakarta/servlet/resources/jakartaee_web_services_2_0.xsd| 4 ++--
  java/jakarta/servlet/resources/jakartaee_web_services_client_2_0.xsd | 4 ++--
  java/jakarta/servlet/resources/javaee_web_services_1_2.xsd   | 2 +-
  java/jakarta/servlet/resources/javaee_web_services_1_3.xsd   | 2 +-
  java/jakarta/servlet/resources/javaee_web_services_1_4.xsd   | 2 +-
  java/jakarta/servlet/resources/javaee_web_services_client_1_2.xsd| 2 +-
  java/jakarta/servlet/resources/javaee_web_services_client_1_3.xsd| 2 +-
  java/jakarta/servlet/resources/javaee_web_services_client_1_4.xsd| 2 +-
  java/jakarta/servlet/resources/jsp_3_0.xsd   | 2 +-
  java/jakarta/servlet/resources/jsp_3_1.xsd   | 2 +-
  java/jakarta/servlet/resources/web-app_3_0.xsd   | 2 +-
  java/jakarta/servlet/resources/web-app_3_1.xsd   | 2 +-
  java/jakarta/servlet/resources/web-app_4_0.xsd   | 2 +-
  java/jakarta/servlet/resources/web-app_5_0.xsd   | 2 +-
  java/jakarta/servlet/resources/web-app_6_0.xsd   | 2 +-
  java/jakarta/servlet/resources/web-fragment_3_0.xsd  | 2 +-
  java/jakarta/servlet/resources/web-fragment_3_1.xsd  | 2 +-
  java/jakarta/servlet/resources/web-fragment_4_0.xsd  | 2 +-
  java/jakarta/servlet/resources/web-fragment_5_0.xsd  | 2 +-
  java/jakarta/servlet/resources/web-fragment_6_0.xsd  | 2 +-
  java/jakarta/servlet/resources/web-jsptaglibrary_3_0.xsd | 4 ++--
  java/jakarta/servlet/resources/web-jsptaglibrary_3_1.xsd | 4 ++--
  23 files changed, 27 insertions(+), 27 deletions(-)

diff --git a/java/jakarta/servlet/jsp/resources/jspxml.xsd 
b/java/jakarta/servlet/jsp/resources/jspxml.xsd
index d93c6156e6..4cad6bb2bc 100644
--- a/java/jakarta/servlet/jsp/resources/jspxml.xsd
+++ b/java/jakarta/servlet/jsp/resources/jspxml.xsd
@@ -415,7 +415,7 @@
  jsp:useBean action or a custom action with an associated
  VariableInfo entry for this name.
  
-Exact valid combinations are not expressible in XML Schema.

+Exact valid combinations are not expressable in XML Schema.
  They are:
  
  name="Identifier" property="*"

diff --git a/java/jakarta/servlet/resources/jakartaee_web_services_2_0.xsd 
b/java/jakarta/servlet/resources/jakartaee_web_services_2_0.xsd
index c9963a7540..9f5716b32f 100644
--- a/java/jakarta/servlet/resources/jakartaee_web_services_2_0.xsd
+++ b/java/jakarta/servlet/resources/jakartaee_web_services_2_0.xsd
@@ -303,7 +303,7 @@
com.wombat.empl.EmployeeService
  
  This may not be specified in case there is no Service

-Endpoint Interface as is the case with directly using an
+Enpoint Interface as is the case with directly using an
  implementation class with the @WebService annotation.
  
  When the port component is a Provider implementation

@@ -464,7 +464,7 @@

  
  The jaxrpc-mapping-file element contains the name of a file that

-describes the Jakarta XML RPC mapping between the Java interfaces 
used by
+describes the Jakarta XML RPC mapping between the Java interaces 
used by
  the application and the WSDL description in the wsdl-file.  The
  file name is a relative path within the module.
  
diff --git a/java/jakarta/servlet/resources/jakartaee_web_services_client_2_0.xsd b/java/jakarta/servlet/resources/jakartaee_web_services_client_2_0.xsd

index 5547d5e50a..dd01c6f5a3 100644
--- a/java/jakarta/servlet/resources/jakartaee_web_services_client_2_0.xsd
+++ b/java/jakarta/servlet/resources/jakartaee_web_services_client_2_0.xsd
@@ -122,7 +122,7 @@

  
  The jaxrpc-mapping-file element contains the name of a file that

-describes the Jakarta XML RPC mapping between the Java interfaces 
used by

Re: Security manager support

2022-09-28 Thread Mark Thomas

On 28/09/2022 16:05, Emmanuel Bourg wrote:

Hi all,

The security manager has been deprecated for removal in Java 17 [1], and 
at some point Tomcat will have to stop supporting it.


Do we want to wait until it's no longer available in the JDK to remove 
it from Tomcat, or should we remove it earlier, maybe in Tomcat 10.1 or 11?


I tend to think there are better solutions at the OS level to isolate a 
Tomcat instance nowadays, and I lean toward dropping it before its 
removal from the JDK.


What do you think?


I was thinking of proposing its removal for Tomcat 11. I think 10.1 is a 
little early.


Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[SECURITY] CVE-2021-43980 Apache Tomcat - Information Disclosure

2022-09-28 Thread Mark Thomas

CVE-2021-43980 Apache Tomcat - Information Disclosure

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0-M12
Apache Tomcat 10.0.0-M1 to 10.0.18
Apache Tomcat 9.0.0-M1 to 9.0.60
Apache Tomcat 8.5.0 to 8.5.77

Description:
The simplified implementation of blocking reads and writes introduced in 
Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long 
standing (but extremely hard to trigger) concurrency bug that could 
cause client connections to share an Http11Processor instance resulting 
in responses, or part responses, to be received by the wrong client.


Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.1.0-M14 or later once released
- Upgrade to Apache Tomcat 10.0.20 or later once released
- Upgrade to Apache Tomcat 9.0.62 or later once released
- Upgrade to Apache Tomcat 8.5.78 or later once released
- Note 10.1.0-M13, 10.0.19 and 9.0.61 were not released

Credit:
Thanks to Adam Thomas, Richard Hernandez and Ryan Schmitt for 
discovering the issue and working with the Tomcat security team to 
identify the root cause and appropriate fix.


History:
2022-09-28 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [tomcat] 01/06: Fix the typos in the XML schemas

2022-09-28 Thread Mark Thomas

On 28/09/2022 12:52, ebo...@apache.org wrote:

This is an automated email from the ASF dual-hosted git repository.

ebourg pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 2609b760e969cdbd096816fac65dd4a97cdc585c
Author: Emmanuel Bourg 
AuthorDate: Wed Sep 28 13:20:59 2022 +0200

 Fix the typos in the XML schemas


-1. Veto. The changes to the following files MUST be reverted. We are 
not permitted (by ASF policy) to modify EPL and/or CDDL licensed files.



  java/jakarta/servlet/resources/jakartaee_web_services_2_0.xsd| 4 ++--
  java/jakarta/servlet/resources/jakartaee_web_services_client_2_0.xsd | 4 ++--
  java/jakarta/servlet/resources/javaee_web_services_1_2.xsd   | 2 +-
  java/jakarta/servlet/resources/javaee_web_services_1_3.xsd   | 2 +-
  java/jakarta/servlet/resources/javaee_web_services_1_4.xsd   | 2 +-
  java/jakarta/servlet/resources/javaee_web_services_client_1_2.xsd| 2 +-
  java/jakarta/servlet/resources/javaee_web_services_client_1_3.xsd| 2 +-
  java/jakarta/servlet/resources/javaee_web_services_client_1_4.xsd| 2 +-
  java/jakarta/servlet/resources/jsp_3_0.xsd   | 2 +-
  java/jakarta/servlet/resources/jsp_3_1.xsd   | 2 +-
  java/jakarta/servlet/resources/web-app_3_0.xsd   | 2 +-
  java/jakarta/servlet/resources/web-app_3_1.xsd   | 2 +-
  java/jakarta/servlet/resources/web-app_4_0.xsd   | 2 +-
  java/jakarta/servlet/resources/web-app_5_0.xsd   | 2 +-
  java/jakarta/servlet/resources/web-app_6_0.xsd   | 2 +-
  java/jakarta/servlet/resources/web-fragment_3_0.xsd  | 2 +-
  java/jakarta/servlet/resources/web-fragment_3_1.xsd  | 2 +-
  java/jakarta/servlet/resources/web-fragment_4_0.xsd  | 2 +-
  java/jakarta/servlet/resources/web-fragment_5_0.xsd  | 2 +-
  java/jakarta/servlet/resources/web-fragment_6_0.xsd  | 2 +-
  java/jakarta/servlet/resources/web-jsptaglibrary_3_0.xsd | 4 ++--
  java/jakarta/servlet/resources/web-jsptaglibrary_3_1.xsd | 4 ++--


Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: Missing recent release versions in Bugzilla

2022-09-28 Thread Mark Thomas

On 28/09/2022 12:14, Konstantin Kolinko wrote:

Hi!

Some release managers forget the step to add the version number to Bugzilla.

E.g. 10.0.26, 10.1.0 are missing.

See the step in
https://cwiki.apache.org/confluence/display/TOMCAT/ReleaseProcess

A direct lhe link for this action is
https://bz.apache.org/bugzilla/editversions.cgi

I usually silently did this step,
but it is not my priority at the moment.


Ack.

I was aware that you took care of this so hadn't been checking. I'll add 
this to my list of things to check after a release.


Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: HTTP2 with NIO2 broken?

2022-09-28 Thread Mark Thomas

On 28/09/2022 11:03, Rainer Jung wrote:

Am 28.09.2022 um 11:40 schrieb Rainer Jung:

Hi all,

I observe the following behavior:

NIO2 connector with HTTP2 and JSSE.
Client is (recent) curl or recent Firefox or Chrome.

If I call a JSP, that sleep for 8 seconds before responding, then the 
client gets after 5 seconds:


curl: (92) HTTP/2 stream 1 was not closed cleanly before end of the 
underlying stream


The JSP is:


Begin Sleeping ...
<%
Thread.sleep(8000);
%>
Done

Turning on debug logging I see:

28-Sep-2022 11:11:11.408 FINE [https-jsse-nio2-8444-exec-5] 
org.apache.coyote.http2.Http2AsyncParser$FrameCompletionHandler.failed 
Connection [0], Stream [0], Frame type [null], Error

 java.net.SocketTimeoutException
 at 
org.apache.tomcat.util.net.SocketWrapperBase$VectoredIOCompletionHandler.failed(SocketWrapperBase.java:1124) 

 at 
org.apache.tomcat.util.net.SocketWrapperBase$VectoredIOCompletionHandler.failed(SocketWrapperBase.java:1066) 

 at 
org.apache.tomcat.util.net.SecureNio2Channel$2.failed(SecureNio2Channel.java:1158) 

 at 
java.base/sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:129)

 at java.base/sun.nio.ch.Invoker$2.run(Invoker.java:219)
 at 
java.base/sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112) 

 at 
org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) 

 at 
org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) 

 at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) 


 at java.base/java.lang.Thread.run(Thread.java:829)


The request actually finished in Tomvcat, but when it tries to start 
back the response it gets another exception because of the closed stream



28-Sep-2022 11:11:14.809 FINE [https-jsse-nio2-8444-exec-4] 
org.apache.coyote.AbstractProcessor.setErrorState Error state 
[CLOSE_NOW] reported while processing request
 org.apache.coyote.CloseNowException: Connection [0], Stream 
[1], This stream is not writable
 at 
org.apache.coyote.http2.Stream.doStreamCancel(Stream.java:269)
 at 
org.apache.coyote.http2.Http2UpgradeHandler.reserveWindowSize(Http2UpgradeHandler.java:939) 


...


This only happens for NIO2, not NIO.

It happens for 10.1.0, 10.0.26, 9.0.67 but also for the older e.g. 
10.0.20 and 9.0.60.


Should I open an issue?


Also happens with 10.0.10 and 10.0.0, so an old bug.


I don't think we'll forget about this problem but please open a BZ issue 
so we can track / reference it easily.


Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[ANN] Apache Tomcat 10.0.26 available

2022-09-27 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 10.0.26.

This release is targeted at Jakarta EE 9.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory. This conversion is performed using the Apache Tomcat 
migration tool for Jakarta EE tool which is also available as a separate 
download for off-line use.


Apache Tomcat 10 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
specifications.

The notable changes compared to 10.0.23 include:

- Add support for authenticating WebSocket clients with an HTTP forward
  proxy when establishing a connection to a WebSocket endpoint via a
  forward proxy that requires authentication. Based on a patch provided
  by Joe Mokos.

- Various fixes for edge case bugs in EL processing

- Improve host header handling for HTTP/2 requests

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE][RESULT] Release Apache Tomcat 10.0.26

2022-09-27 Thread Mark Thomas

The following votes were cast:

Binding:
+1: remm, markt, fschumacher

Non-binding:
+1: lihan

The vote therefore passes.

Thanks to everyone who voted.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: Status of 10.0.x

2022-09-27 Thread Mark Thomas

On 27/09/2022 11:25, Rémy Maucherat wrote:

On Tue, Sep 27, 2022 at 12:17 PM Mark Thomas  wrote:


On 27/09/2022 11:15, Mark Thomas wrote:

On 27/09/2022 10:31, Rémy Maucherat wrote:

On Tue, Sep 27, 2022 at 11:23 AM Mark Thomas  wrote:


On 27/09/2022 03:42, Han Li wrote:




2022年9月26日 23:07,Rémy Maucherat  写道:

On Mon, Sep 26, 2022 at 4:51 PM Mark Thomas  wrote:


Hi all,

Now 10.1.x is stable, how to we want to handle 10.0.x? Than plan has
always been that we would support 10.0.x until 10.1.x was stable.

Assuming the vote passes (we need 1 more +1) then there will be a
10.0.26 release. Do we want that to be the last 10.0.x. release? If,
not, how many more 10.0.x releases should there be?


I'm not against stopping at 10.0.26 and directing people to 10.1.


+1


Given the regressions, I'm now thinking we do 10.0.27 at the start of
October (i.e. start the release process next week) and - assuming no
issues - make that the final release.


Ok, but I'll have trouble doing a release cycle next week. Since there
is a bad regression I would need to do 9.0.68 now.


Understood. Can you give me a few hours to update the translations etc?


Or we wait until the following week.

Or I could do the 9.0.x release.

Or ... ?


Or you can do the 9.0 release next week (along with 10.0 and 10.1).

So you have all the options on the table now I believe.


I'm leaning towards leaving it a few days in case other regressions 
emerge. I think that means me releasing next week if you are OK with 
that plan.


Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: Status of 10.0.x

2022-09-27 Thread Mark Thomas

On 27/09/2022 11:15, Mark Thomas wrote:

On 27/09/2022 10:31, Rémy Maucherat wrote:

On Tue, Sep 27, 2022 at 11:23 AM Mark Thomas  wrote:


On 27/09/2022 03:42, Han Li wrote:




2022年9月26日 23:07,Rémy Maucherat  写道:

On Mon, Sep 26, 2022 at 4:51 PM Mark Thomas  wrote:


Hi all,

Now 10.1.x is stable, how to we want to handle 10.0.x? Than plan has
always been that we would support 10.0.x until 10.1.x was stable.

Assuming the vote passes (we need 1 more +1) then there will be a
10.0.26 release. Do we want that to be the last 10.0.x. release? If,
not, how many more 10.0.x releases should there be?


I'm not against stopping at 10.0.26 and directing people to 10.1.


+1


Given the regressions, I'm now thinking we do 10.0.27 at the start of
October (i.e. start the release process next week) and - assuming no
issues - make that the final release.


Ok, but I'll have trouble doing a release cycle next week. Since there
is a bad regression I would need to do 9.0.68 now.


Understood. Can you give me a few hours to update the translations etc?


Or we wait until the following week.

Or I could do the 9.0.x release.

Or ... ?

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: Status of 10.0.x

2022-09-27 Thread Mark Thomas

On 27/09/2022 10:31, Rémy Maucherat wrote:

On Tue, Sep 27, 2022 at 11:23 AM Mark Thomas  wrote:


On 27/09/2022 03:42, Han Li wrote:




2022年9月26日 23:07,Rémy Maucherat  写道:

On Mon, Sep 26, 2022 at 4:51 PM Mark Thomas  wrote:


Hi all,

Now 10.1.x is stable, how to we want to handle 10.0.x? Than plan has
always been that we would support 10.0.x until 10.1.x was stable.

Assuming the vote passes (we need 1 more +1) then there will be a
10.0.26 release. Do we want that to be the last 10.0.x. release? If,
not, how many more 10.0.x releases should there be?


I'm not against stopping at 10.0.26 and directing people to 10.1.


+1


Given the regressions, I'm now thinking we do 10.0.27 at the start of
October (i.e. start the release process next week) and - assuming no
issues - make that the final release.


Ok, but I'll have trouble doing a release cycle next week. Since there
is a bad regression I would need to do 9.0.68 now.


Understood. Can you give me a few hours to update the translations etc?

Mark




Remy


Mark




Han


Maybe we could make a promise for critical security fixes for a period
of time ?

Another item: there was supposed to be a 9.10 branch. But right now,
the changes are probably not significant enough and it's simply better
for everyone to keep all the work on 9.0.


Keep in mind that work on 11.0.x could start shortly - thread about that
to follow.


Ok !

Rémy



Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org




-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE] Release Apache Tomcat 10.0.26

2022-09-27 Thread Mark Thomas

Ping. One more PMC member vote required.

Mark


On 23/09/2022 12:58, Mark Thomas wrote:

The proposed Apache Tomcat 10.0.26 release is now available for
voting.

Apache Tomcat 10.0.x implements Jakarta EE 9 and, as such, the primary
package for all the specification APIs has changed from javax.* to 
jakarta.*


Applications that run on Tomcat 9 will not run on Tomcat 10 without 
changes. Java EE applications designed for Tomcat 9 and earlier may be 
placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will 
automatically convert them to Jakarta EE and copy them to the webapps 
directory


The notable changes compared to 10.0.23 are:

- Add support for authenticating WebSocket clients with an HTTP forward
   proxy when establishing a connection to a WebSocket endpoint via a
   forward proxy that requires authentication. Based on a patch provided
   by Joe Mokos.

- Various fixes for edge case bugs in EL processing

- Improve host header handling for HTTP/2 requests

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-10.0.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.0.26/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1398

The tag is:
https://github.com/apache/tomcat/tree/10.0.26
b54b582e7cb867eccfee24d87d818a3ef6ef07dc

The proposed 10.0.26 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.0.26 (stable)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: Status of 10.0.x

2022-09-27 Thread Mark Thomas

On 27/09/2022 03:42, Han Li wrote:




2022年9月26日 23:07,Rémy Maucherat  写道:

On Mon, Sep 26, 2022 at 4:51 PM Mark Thomas  wrote:


Hi all,

Now 10.1.x is stable, how to we want to handle 10.0.x? Than plan has
always been that we would support 10.0.x until 10.1.x was stable.

Assuming the vote passes (we need 1 more +1) then there will be a
10.0.26 release. Do we want that to be the last 10.0.x. release? If,
not, how many more 10.0.x releases should there be?


I'm not against stopping at 10.0.26 and directing people to 10.1.


+1


Given the regressions, I'm now thinking we do 10.0.27 at the start of 
October (i.e. start the release process next week) and - assuming no 
issues - make that the final release.


Mark




Han


Maybe we could make a promise for critical security fixes for a period
of time ?

Another item: there was supposed to be a 9.10 branch. But right now,
the changes are probably not significant enough and it's simply better
for everyone to keep all the work on 9.0.


Keep in mind that work on 11.0.x could start shortly - thread about that
to follow.


Ok !

Rémy



Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org




-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [tomcat] branch main updated: Fix BZ66276

2022-09-27 Thread Mark Thomas

On 27/09/2022 08:40, Han Li wrote:

I don’t  know where the changelog entry is placed as 10.0.26 is not released, 
so I don’t back-port this change.
After 10.0.26 release, I will go on.


Sorry, I haven't been very good at updating version numbers after 
tagging. I've just done 10.0.x. You should be OK to back-port now.


Mark




Han


2022年9月27日 15:30,li...@apache.org 写道:

This is an automated email from the ASF dual-hosted git repository.

lihan pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
 new 1ae46b1555 Fix BZ66276
1ae46b1555 is described below

commit 1ae46b15557067273aad2e2f16873e0c73515435
Author: lihan 
AuthorDate: Tue Sep 27 15:29:53 2022 +0800

Fix BZ66276

https://bz.apache.org/bugzilla/show_bug.cgi?id=66276
---
java/org/apache/coyote/http2/AbstractNonZeroStream.java | 4 ++--
webapps/docs/changelog.xml  | 8 
2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/coyote/http2/AbstractNonZeroStream.java 
b/java/org/apache/coyote/http2/AbstractNonZeroStream.java
index 0368c4fa6c..f67b17f7d9 100644
--- a/java/org/apache/coyote/http2/AbstractNonZeroStream.java
+++ b/java/org/apache/coyote/http2/AbstractNonZeroStream.java
@@ -75,8 +75,8 @@ abstract class AbstractNonZeroStream extends AbstractStream {
 if (isDescendant(parent)) {
 parent.detachFromParent();
 // Cast is always safe since any descendant of this stream must be
-// an instance of Stream
-getParentStream().addChild((Stream) parent);
+// an instance of AbstractNonZeroStream
+getParentStream().addChild((AbstractNonZeroStream) parent);
 }

 if (exclusive) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index e8ea7712b6..85e487007a 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -105,6 +105,14 @@
   issues do not "pop up" wrt. others).
-->

+  
+
+  
+66276: Fix incorrect class cast when adding
+a descendant of HTTP/2 streams. (lihan)
+  
+
+  


   


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org




-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: Status of 10.0.x

2022-09-26 Thread Mark Thomas

On 26/09/2022 16:07, Rémy Maucherat wrote:

On Mon, Sep 26, 2022 at 4:51 PM Mark Thomas  wrote:


Hi all,

Now 10.1.x is stable, how to we want to handle 10.0.x? Than plan has
always been that we would support 10.0.x until 10.1.x was stable.

Assuming the vote passes (we need 1 more +1) then there will be a
10.0.26 release. Do we want that to be the last 10.0.x. release? If,
not, how many more 10.0.x releases should there be?


I'm not against stopping at 10.0.26 and directing people to 10.1.
Maybe we could make a promise for critical security fixes for a period
of time ?

Another item: there was supposed to be a 9.10 branch. But right now,
the changes are probably not significant enough and it's simply better
for everyone to keep all the work on 9.0.


Agreed. My thinking on how to do this has changed. I am currently 
thinking that when 9.0.x reaches end of life we create the 9.10.x branch 
and then do a diff against 10.0.x and back-port every change apart from 
those that change (or support) the Java EE API.


I think that will be less work.


Keep in mind that work on 11.0.x could start shortly - thread about that
to follow.


Ok !


:)

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Status of 10.0.x

2022-09-26 Thread Mark Thomas

Hi all,

Now 10.1.x is stable, how to we want to handle 10.0.x? Than plan has 
always been that we would support 10.0.x until 10.1.x was stable.


Assuming the vote passes (we need 1 more +1) then there will be a 
10.0.26 release. Do we want that to be the last 10.0.x. release? If, 
not, how many more 10.0.x releases should there be?


Keep in mind that work on 11.0.x could start shortly - thread about that 
to follow.


Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[ANN] Apache Tomcat 10.1.0 (stable) available

2022-09-26 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 10.1.0 (stable).

This is the first stable release of the 10.1.x branch.

Apache Tomcat 10 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
specifications.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory. This conversion is performed using the Apache Tomcat 
migration tool for Jakarta EE tool which is also available as a separate 
download for off-line use.


The notable changes compared to 10.1.0-M17 include:

- Add support for authenticating WebSocket clients with an HTTP forward
  proxy when establishing a connection to a WebSocket endpoint via a
  forward proxy that requires authentication. Based on a patch provided
  by Joe Mokos.

- Various fixes for edge case bugs in EL processing.

- Improve host header handling for HTTP/2 requests.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[VOTE][RESULT] Release Apache Tomcat 10.1.0

2022-09-26 Thread Mark Thomas

The following votes were cast:

Binding:
+1 (stable): remm, jfclere, markt

Non-Binding:
+1 (stable): lihan

The vote therefore passes.

Thanks to everyone who contributed to this release.

Mark

On 23/09/2022 10:44, Mark Thomas wrote:

The proposed Apache Tomcat 10.1.0 release is now available for
voting.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory.


The notable changes compared to 10.1.0-M17 are:

- Add support for authenticating WebSocket clients with an HTTP forward
   proxy when establishing a connection to a WebSocket endpoint via a
   forward proxy that requires authentication. Based on a patch provided
   by Joe Mokos.

- Various fixes for edge case bugs in EL processing

- Improve host header handling for HTTP/2 requests

For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1396

The tag is:
https://github.com/apache/tomcat/tree/10.1.0
e9d17cddc285615807ec5fef09240777436b25dc


The proposed 10.1.0 release is:
[ ] Broken - do not release
[ ] Beta   - go ahead and release as 10.1.0 (beta)
[ ] Stable - go ahead and release as 10.1.0 (stable)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE] Release Apache Tomcat 10.0.26

2022-09-26 Thread Mark Thomas

On 23/09/2022 12:58, Mark Thomas wrote:


The proposed 10.0.26 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 10.0.26 (stable)


Unit tests pass on Linux, Windows and MacOS.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE] Release Apache Tomcat 10.1.0

2022-09-26 Thread Mark Thomas

On 23/09/2022 10:44, Mark Thomas wrote:


The proposed 10.1.0 release is:
[ ] Broken - do not release
[ ] Beta   - go ahead and release as 10.1.0 (beta)
[X] Stable - go ahead and release as 10.1.0 (stable)


Unit tests pass on Linux, Windows and MacOS.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[VOTE] Release Apache Tomcat 10.0.26

2022-09-23 Thread Mark Thomas

The proposed Apache Tomcat 10.0.26 release is now available for
voting.

Apache Tomcat 10.0.x implements Jakarta EE 9 and, as such, the primary
package for all the specification APIs has changed from javax.* to jakarta.*

Applications that run on Tomcat 9 will not run on Tomcat 10 without 
changes. Java EE applications designed for Tomcat 9 and earlier may be 
placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will 
automatically convert them to Jakarta EE and copy them to the webapps 
directory


The notable changes compared to 10.0.23 are:

- Add support for authenticating WebSocket clients with an HTTP forward
  proxy when establishing a connection to a WebSocket endpoint via a
  forward proxy that requires authentication. Based on a patch provided
  by Joe Mokos.

- Various fixes for edge case bugs in EL processing

- Improve host header handling for HTTP/2 requests

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-10.0.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.0.26/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1398

The tag is:
https://github.com/apache/tomcat/tree/10.0.26
b54b582e7cb867eccfee24d87d818a3ef6ef07dc

The proposed 10.0.26 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.0.26 (stable)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [tomcat] branch main updated: Keep SNAPSHOT version aligned with current dev version

2022-09-23 Thread Mark Thomas

On 23/09/2022 11:37, Rémy Maucherat wrote:

On Fri, Sep 23, 2022 at 11:34 AM  wrote:


This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
  new e32d013f29 Keep SNAPSHOT version aligned with current dev version
e32d013f29 is described below

commit e32d013f29a61e826c9a3a09318cc896e53569ac
Author: Mark Thomas 
AuthorDate: Fri Sep 23 10:33:22 2022 +0100

 Keep SNAPSHOT version aligned with current dev version


I'm only half convinced. Overall, snapshots are not supposed to be
used except during dev activities or casual testing of maven, so
overwriting older ones may be kinda good. Not sure though.


My understanding of Maven versions (which may be wrong) is that we 
should have:


10.1.0-SNAPSHOT
10.1.1-SNAPSHOT
10.1.2-SNAPSHOT
etc
rather than
10.1-SNAPSHOT

I wasn't 100% sure myself so I only updated 10.1.x and 10.0.x

Happy for someone with more Maven expertise to advise on what we should 
be doing here.


If given a free choice, I think I prefer the 10.1-SNAPSHOT approach.

Mark


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[VOTE] Release Apache Tomcat 10.1.0

2022-09-23 Thread Mark Thomas

The proposed Apache Tomcat 10.1.0 release is now available for
voting.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory.


The notable changes compared to 10.1.0-M17 are:

- Add support for authenticating WebSocket clients with an HTTP forward
  proxy when establishing a connection to a WebSocket endpoint via a
  forward proxy that requires authentication. Based on a patch provided
  by Joe Mokos.

- Various fixes for edge case bugs in EL processing

- Improve host header handling for HTTP/2 requests

For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1396

The tag is:
https://github.com/apache/tomcat/tree/10.1.0
e9d17cddc285615807ec5fef09240777436b25dc


The proposed 10.1.0 release is:
[ ] Broken - do not release
[ ] Beta   - go ahead and release as 10.1.0 (beta)
[ ] Stable - go ahead and release as 10.1.0 (stable)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [tomcat] branch main updated: Fix missing attributes

2022-09-23 Thread Mark Thomas

On 22/09/2022 21:56, r...@apache.org wrote:

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
  new 7be7b01b8d Fix missing attributes
7be7b01b8d is described below

commit 7be7b01b8dec50c36852cb0d5e519fbe786212bb
Author: remm 
AuthorDate: Thu Sep 22 22:56:19 2022 +0200

 Fix missing attributes
 
 The code is very confusing, but the main attribute map can contain

 either the get or set method as the value, so it must not be used. This
 should probably be refactored some more ...


Sorry. I read the code too quickly and missed the difference in Map names.

Mark


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE][CANCELLED] Release Apache Tomcat 10.1.0-M20

2022-09-23 Thread Mark Thomas

Cancelled due to MBean attribute regression. New vote to follow shortly.

Mark


On 20/09/2022 19:35, Mark Thomas wrote:

The proposed Apache Tomcat 10.1.0-M20 release is now available for
voting.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory.


The notable changes compared to 10.1.0-M17 are:

- Add support for authenticating WebSocket clients with an HTTP forward
   proxy when establishing a connection to a WebSocket endpoint via a
   forward proxy that requires authentication. Based on a patch provided
   by Joe Mokos.

- Various fixes for edge case bugs in EL processing

- Improve host header handling for HTTP/2 requests

For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M20/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1393

The tag is:
https://github.com/apache/tomcat/tree/10.1.0-M20
920e86e465fc9db8b0c21b684b42456179308cfd


The proposed 10.1.0-M20 release is:
[ ] Broken - do not release
[ ] Beta - go ahead and release as 10.1.0-M20 (beta)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[VOTE][CANCELLED] Release Apache Tomcat 10.0.25

2022-09-23 Thread Mark Thomas

Cancelled due to MBean attribute regression. New vote to follow shortly.

Mark


On 22/09/2022 10:06, Mark Thomas wrote:

The proposed Apache Tomcat 10.0.25 release is now available for
voting.

Apache Tomcat 10.0.x implements Jakarta EE 9 and, as such, the primary
package for all the specification APIs has changed from javax.* to 
jakarta.*


Applications that run on Tomcat 9 will not run on Tomcat 10 without 
changes. Java EE applications designed for Tomcat 9 and earlier may be 
placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will 
automatically convert them to Jakarta EE and copy them to the webapps 
directory


The notable changes compared to 10.0.23 are:

- Add support for authenticating WebSocket clients with an HTTP forward
   proxy when establishing a connection to a WebSocket endpoint via a
   forward proxy that requires authentication. Based on a patch provided
   by Joe Mokos.

- Various fixes for edge case bugs in EL processing

- Improve host header handling for HTTP/2 requests

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-10.0.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.0.25/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1394

The tag is:
https://github.com/apache/tomcat/tree/10.0.25
570397299d8a1d2c84d1bc34625758d995b38b7f

The proposed 10.0.25 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.0.25 (stable)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE] Release Apache Tomcat 10.1.0-M20

2022-09-23 Thread Mark Thomas

On 23/09/2022 08:13, Rémy Maucherat wrote:




The proposed 10.1.0-M20 release is:
[ ] Broken - do not release
[ ] Beta - go ahead and release as 10.1.0-M20 (beta)


BTW, why is the vote not for "Stable" at this point ? Are there still
some concerns ? Or maybe you would like to make further refactorings
or API changes ?
(Just wondering if the 10.1 release could be out for ApacheCon ;) )


I was planning on suggesting that for the next release vote.

When I re-tag 10.1.x, I'll tag as 10.1.0 and include stable in the options.

I'd be happy to get that out in time for ApacheCon.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE] Release Apache Tomcat 9.0.66

2022-09-22 Thread Mark Thomas

On 22/09/2022 10:21, Rémy Maucherat wrote:

The proposed Apache Tomcat 9.0.66 release is now available for voting.

The notable changes compared to 9.0.65 are:

- Add support for authenticating WebSocket clients with an HTTP forward
proxy when establishing a connection to a WebSocket endpoint via a
forward proxy that requires authentication. Based on a patch provided
by Joe Mokos.

- Various fixes for edge case bugs in EL processing.

- Improve host header handling for HTTP/2 requests.

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-9.0.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.66/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1395
The tag is:
https://github.com/apache/tomcat/tree/9.0.66
f4d5910eadd7c7c1a3580258712f52c47aef9dea

The proposed 9.0.66 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 9.0.66 (stable)


Unit tests pass on Linux, MacOS and Windows

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[VOTE] Release Apache Tomcat 10.0.25

2022-09-22 Thread Mark Thomas

The proposed Apache Tomcat 10.0.25 release is now available for
voting.

Apache Tomcat 10.0.x implements Jakarta EE 9 and, as such, the primary
package for all the specification APIs has changed from javax.* to jakarta.*

Applications that run on Tomcat 9 will not run on Tomcat 10 without 
changes. Java EE applications designed for Tomcat 9 and earlier may be 
placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will 
automatically convert them to Jakarta EE and copy them to the webapps 
directory


The notable changes compared to 10.0.23 are:

- Add support for authenticating WebSocket clients with an HTTP forward
  proxy when establishing a connection to a WebSocket endpoint via a
  forward proxy that requires authentication. Based on a patch provided
  by Joe Mokos.

- Various fixes for edge case bugs in EL processing

- Improve host header handling for HTTP/2 requests

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-10.0.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.0.25/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1394

The tag is:
https://github.com/apache/tomcat/tree/10.0.25
570397299d8a1d2c84d1bc34625758d995b38b7f

The proposed 10.0.25 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.0.25 (stable)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE] Release Apache Tomcat 10.1.0-M20

2022-09-21 Thread Mark Thomas

On 20/09/2022 19:35, Mark Thomas wrote:

The proposed 10.1.0-M20 release is:
[ ] Broken - do not release
[X] Beta - go ahead and release as 10.1.0-M20 (beta)


Unit tests pass on Linux, Windows and MacOS

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[VOTE] Release Apache Tomcat 10.1.0-M20

2022-09-20 Thread Mark Thomas

The proposed Apache Tomcat 10.1.0-M20 release is now available for
voting.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory.


The notable changes compared to 10.1.0-M17 are:

- Add support for authenticating WebSocket clients with an HTTP forward
  proxy when establishing a connection to a WebSocket endpoint via a
  forward proxy that requires authentication. Based on a patch provided
  by Joe Mokos.

- Various fixes for edge case bugs in EL processing

- Improve host header handling for HTTP/2 requests

For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M20/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1393

The tag is:
https://github.com/apache/tomcat/tree/10.1.0-M20
920e86e465fc9db8b0c21b684b42456179308cfd


The proposed 10.1.0-M20 release is:
[ ] Broken - do not release
[ ] Beta - go ahead and release as 10.1.0-M20 (beta)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[ANN] Apache Tomcat Migration tool for Jakarta EE 1.0.4

2022-09-20 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat Migration Tool for Jakarta EE 1.0.4

Apache Tomcat Migration Tool for Jakarta EE is an open source software
tool for migrating binary web applications (WAR files) and other binary
artefacts from Java EE 8 to Jakarta EE 9.

The notable changes since 1.0.3 include:

- Improve the fix converting web applications that include JARs that
  store one or more entries in uncompressed form

- Add a new conversion profile that converts from Jakarta EE 9 to Java
  EE 8

Please refer to the change log for the complete list of changes:
https://github.com/apache/tomcat-jakartaee-migration/blob/master/CHANGES.md

Downloads:
http://tomcat.apache.org/download-migration.cgi

Enjoy!

- The Apache Tomcat team


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[VOTE][RESULT] Apache Tomcat migration tool for Jakarta EE 1.0.4

2022-09-20 Thread Mark Thomas

The following votes were cast:

Binding:
+1: remm, fschumacher, markt

Non-binding:
+1: lihan

The vote therefore passes.

Thanks to everyone who contributed to this release.

Mark


On 15/09/2022 10:06, Mark Thomas wrote:

The proposed Apache Tomcat migration tool for Jakarta EE 1.0.4 is now
available for voting.

The significant changes since 1.0.3 are:

- Issue #26 - Re-fix
- PR #28 - Add Jakarta EE -. Java EE profile (with warnings)
- Add checkstyle

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/jakartaee-migration/v1.0.4/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1392/

The tag is:
https://github.com/apache/tomcat-jakartaee-migration/tree/1.0.4
a74aad315b8af81de0fa1837acc2adb278f5cb5a

The proposed 1.0.4 release is:

[ ] -1: Broken. Do not release because...
[ ] +1: Acceptable. Go ahead and release.

Thanks,

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE] Apache Tomcat migration tool for Jakarta EE 1.0.4

2022-09-20 Thread Mark Thomas

On 20/09/2022 11:39, Felix Schumacher wrote:
Well, my second mail included a +1, but I will re-send a new +1 to make 
it more clear.


Thanks. I see that now but it wasn't clear when I first looked.

Mark



Felix

Am 19.09.22 um 15:07 schrieb Mark Thomas:

Ping.

We need one more PMC vote for this release.

While Felix did indicate support for the release, there wasn't an 
explicit +1 and I'm opting to err on the side of caution.


Mark


On 15/09/2022 10:06, Mark Thomas wrote:

The proposed Apache Tomcat migration tool for Jakarta EE 1.0.4 is now
available for voting.

The significant changes since 1.0.3 are:

- Issue #26 - Re-fix
- PR #28 - Add Jakarta EE -. Java EE profile (with warnings)
- Add checkstyle

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/jakartaee-migration/v1.0.4/ 



The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1392/

The tag is:
https://github.com/apache/tomcat-jakartaee-migration/tree/1.0.4
a74aad315b8af81de0fa1837acc2adb278f5cb5a

The proposed 1.0.4 release is:

[ ] -1: Broken. Do not release because...
[ ] +1: Acceptable. Go ahead and release.

Thanks,

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE] Apache Tomcat migration tool for Jakarta EE 1.0.4

2022-09-19 Thread Mark Thomas

Ping.

We need one more PMC vote for this release.

While Felix did indicate support for the release, there wasn't an 
explicit +1 and I'm opting to err on the side of caution.


Mark


On 15/09/2022 10:06, Mark Thomas wrote:

The proposed Apache Tomcat migration tool for Jakarta EE 1.0.4 is now
available for voting.

The significant changes since 1.0.3 are:

- Issue #26 - Re-fix
- PR #28 - Add Jakarta EE -. Java EE profile (with warnings)
- Add checkstyle

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/jakartaee-migration/v1.0.4/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1392/

The tag is:
https://github.com/apache/tomcat-jakartaee-migration/tree/1.0.4
a74aad315b8af81de0fa1837acc2adb278f5cb5a

The proposed 1.0.4 release is:

[ ] -1: Broken. Do not release because...
[ ] +1: Acceptable. Go ahead and release.

Thanks,

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE] Apache Tomcat migration tool for Jakarta EE 1.0.4

2022-09-16 Thread Mark Thomas

On 15/09/2022 10:06, Mark Thomas wrote:

The proposed Apache Tomcat migration tool for Jakarta EE 1.0.4 is now
available for voting.

The significant changes since 1.0.3 are:

- Issue #26 - Re-fix
- PR #28 - Add Jakarta EE -. Java EE profile (with warnings)
- Add checkstyle

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/jakartaee-migration/v1.0.4/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1392/

The tag is:
https://github.com/apache/tomcat-jakartaee-migration/tree/1.0.4
a74aad315b8af81de0fa1837acc2adb278f5cb5a

The proposed 1.0.4 release is:

[ ] -1: Broken. Do not release because...
[X] +1: Acceptable. Go ahead and release.


Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [tomcat] branch main updated: Refactor to avoid use of Hashtable. No functional change.

2022-09-16 Thread Mark Thomas

On 15/09/2022 22:37, Christopher Schultz wrote:

Mark,

On 9/15/22 11:26, Mark Thomas wrote:

On 15/09/2022 16:23, ma...@apache.org wrote:

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
  new 00cf721f14 Refactor to avoid use of Hashtable. No 
functional change.

00cf721f14 is described below

commit 00cf721f14ac90e7ebc372a5303603ca408fc999
Author: Mark Thomas 
AuthorDate: Thu Sep 15 16:23:49 2022 +0100

 Refactor to avoid use of Hashtable. No functional change.


Any objections to back-porting this?

It changes some protected API for the CGIServlet inner classes (and 
the CGI Servlet is final). That seems pretty low risk to me.


I haven't read through the whole class, but is there any risk of 
multi-threaded access?


I don't believe so.


At what point is "shellEnv" stable?


Servlet initialisation.


Can it be wrapped in Collections.unmodifiableMap() at any point?


It could at the end of init(ServletConfig).


Can that be added to any other instances of Map<> usage in this class?


Yes.

I'm in two minds whether to use Collections.unmodifiableMap(). It makes 
the intended usage clearer (good) but it isn't necessary (bad) since the 
Maps aren't exposed to applications.


Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [tomcat] branch main updated: Refactor to avoid use of Hashtable. No functional change.

2022-09-15 Thread Mark Thomas

On 15/09/2022 16:23, ma...@apache.org wrote:

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
  new 00cf721f14 Refactor to avoid use of Hashtable. No functional change.
00cf721f14 is described below

commit 00cf721f14ac90e7ebc372a5303603ca408fc999
Author: Mark Thomas 
AuthorDate: Thu Sep 15 16:23:49 2022 +0100

 Refactor to avoid use of Hashtable. No functional change.


Any objections to back-porting this?

It changes some protected API for the CGIServlet inner classes (and the 
CGI Servlet is final). That seems pretty low risk to me.


Mark


---
  java/org/apache/catalina/servlets/CGIServlet.java | 30 +++
  1 file changed, 14 insertions(+), 16 deletions(-)

diff --git a/java/org/apache/catalina/servlets/CGIServlet.java 
b/java/org/apache/catalina/servlets/CGIServlet.java
index 2f26337a41..dbc941dce5 100644
--- a/java/org/apache/catalina/servlets/CGIServlet.java
+++ b/java/org/apache/catalina/servlets/CGIServlet.java
@@ -29,10 +29,11 @@ import java.nio.file.Files;
  import java.util.ArrayList;
  import java.util.Date;
  import java.util.Enumeration;
+import java.util.HashMap;
  import java.util.HashSet;
-import java.util.Hashtable;
  import java.util.List;
  import java.util.Locale;
+import java.util.Map;
  import java.util.Map.Entry;
  import java.util.Set;
  import java.util.StringTokenizer;
@@ -306,7 +307,7 @@ public final class CGIServlet extends HttpServlet {
  private static final Object expandFileLock = new Object();
  
  /** the shell environment variables to be passed to the CGI script */

-private final Hashtable shellEnv = new Hashtable<>();
+private final Map shellEnv = new HashMap<>();
  
  /**

   * Enable creation of script command line arguments from query-string.
@@ -698,7 +699,7 @@ public final class CGIServlet extends HttpServlet {
  private File tmpDir = null;
  
  /** derived cgi environment */

-private Hashtable env = null;
+private Map env = null;
  
  /** cgi command to be invoked */

  private String command = null;
@@ -979,7 +980,7 @@ public final class CGIServlet extends HttpServlet {
   */
  
  // Add the shell environment variables (if any)

-Hashtable envp = new Hashtable<>(shellEnv);
+Map envp = new HashMap<>(shellEnv);
  
  // Add the CGI environment variables

  String sPathInfoOrig = null;
@@ -1317,7 +1318,7 @@ public final class CGIServlet extends HttpServlet {
   * @return   CGI environment
   *
   */
-protected Hashtable getEnvironment() {
+protected Map getEnvironment() {
  return env;
  }
  
@@ -1416,7 +1417,7 @@ public final class CGIServlet extends HttpServlet {

  private final String command;
  
  /** environment used when invoking the cgi script */

-private final Hashtable env;
+private final Map env;
  
  /** working directory used when invoking the cgi script */

  private final File wd;
@@ -1448,7 +1449,7 @@ public final class CGIServlet extends HttpServlet {
   * @param  params   ArrayList with the script's query command line
   *  parameters as strings
   */
-protected CGIRunner(String command, Hashtable env,
+protected CGIRunner(String command, Map env,
  File wd, ArrayList params) {
  this.command = command;
  this.env = env;
@@ -1511,20 +1512,17 @@ public final class CGIServlet extends HttpServlet {
   * key/value pair in the Hashtable to a String in the form
   * "key=value" (hashkey + "=" + hash.get(hashkey).toString())
   *
- * @param  h   Hashtable to convert
+ * @param  map Hashtable to convert
   *
   * @return converted string array
   *
   * @exception  NullPointerException   if a hash key has a null value
   *
   */
-protected String[] hashToStringArray(Hashtable h)
-throws NullPointerException {
-List list = new ArrayList<>(h.size());
-Enumeration e = h.keys();
-while (e.hasMoreElements()) {
-String k = e.nextElement();
-list.add(k + "=" + h.get(k).toString());
+protected String[] mapToStringArray(Map map) throws 
NullPointerException {
+List list = new ArrayList<>(map.size());
+for (Entry entry : map.entrySet()) {
+list.add(entry.getKey() + "=" + entry.getValue().toString());
  }
  return list.toArray(new String[0]);
  }
@@ -1630,7 +1628,7

Re: [VOTE] Apache Tomcat migration tool for Jakarta EE 1.0.4

2022-09-15 Thread Mark Thomas

On 15/09/2022 14:36, Felix Schumacher wrote:


Am 15.09.22 um 11:06 schrieb Mark Thomas:

The proposed Apache Tomcat migration tool for Jakarta EE 1.0.4 is now
available for voting.

The significant changes since 1.0.3 are:

- Issue #26 - Re-fix
- PR #28 - Add Jakarta EE -. Java EE profile (with warnings)
- Add checkstyle

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/jakartaee-migration/v1.0.4/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1392/

The tag is:
https://github.com/apache/tomcat-jakartaee-migration/tree/1.0.4
a74aad315b8af81de0fa1837acc2adb278f5cb5a

The proposed 1.0.4 release is:

[ ] -1: Broken. Do not release because...
[ ] +1: Acceptable. Go ahead and release.


When I try to build the sources from the tar.gz maven complains about 
missing checkstyle files:


[ERROR] Failed to execute goal 
org.apache.maven.plugins:maven-checkstyle-plugin:3.2.0:check (validate) 
on project jakartaee-migration: Failed during checkstyle execution: 
Unable to find configuration file at location: 
res/checkstyle/checkstyle.xml: Could not find resource 
'res/checkstyle/checkstyle.xml'. -> [Help 1]


When I copy the files from git into the source folder mvn verify works 
as expected.


I'll get that fixed.

Do we want 1.0.5 for this?

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[VOTE] Apache Tomcat migration tool for Jakarta EE 1.0.4

2022-09-15 Thread Mark Thomas

The proposed Apache Tomcat migration tool for Jakarta EE 1.0.4 is now
available for voting.

The significant changes since 1.0.3 are:

- Issue #26 - Re-fix
- PR #28 - Add Jakarta EE -. Java EE profile (with warnings)
- Add checkstyle

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/jakartaee-migration/v1.0.4/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1392/

The tag is:
https://github.com/apache/tomcat-jakartaee-migration/tree/1.0.4
a74aad315b8af81de0fa1837acc2adb278f5cb5a

The proposed 1.0.4 release is:

[ ] -1: Broken. Do not release because...
[ ] +1: Acceptable. Go ahead and release.

Thanks,

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[VOTE][CANCELLED] Release Apache Tomcat 10.0.24

2022-09-15 Thread Mark Thomas

Vote cancelled due to regression in migration tool for Jakarta EE.

Mark

On 14/09/2022 14:40, Mark Thomas wrote:

The proposed Apache Tomcat 10.0.24 release is now available for
voting.

Apache Tomcat 10.0.x implements Jakarta EE 9 and, as such, the primary
package for all the specification APIs has changed from javax.* to 
jakarta.*


Applications that run on Tomcat 9 will not run on Tomcat 10 without 
changes. Java EE applications designed for Tomcat 9 and earlier may be 
placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will 
automatically convert them to Jakarta EE and copy them to the webapps 
directory


The notable changes compared to 10.0.23 are:

- Add support for authenticating WebSocket clients with an HTTP forward
   proxy when establishing a connection to a WebSocket endpoint via a
   forward proxy that requires authentication. Based on a patch provided
   by Joe Mokos.

- Various fixes for edge case bugs in EL processing

- Improve host header handling for HTTP/2 requests

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-10.0.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.0.24/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1391

The tag is:
https://github.com/apache/tomcat/tree/10.0.24
74a5bd703f1d477548449bd400721e960cc4514c

The proposed 10.0.24 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.0.24 (stable)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[VOTE][CANCELLED] Release Apache Tomcat 10.1.0-M19

2022-09-15 Thread Mark Thomas

Vote cancelled due to regression in migration tool for Jakarta EE.

Mark


On 13/09/2022 18:09, Mark Thomas wrote:

The proposed Apache Tomcat 10.1.0-M19 release is now available for
voting.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory.


The notable changes compared to 10.1.0-M17 are:

- Add support for authenticating WebSocket clients with an HTTP forward
   proxy when establishing a connection to a WebSocket endpoint via a
   forward proxy that requires authentication. Based on a patch provided
   by Joe Mokos.

- Various fixes for edge case bugs in EL processing

- Improve host header handling for HTTP/2 requests

For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M19/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1389

The tag is:
https://github.com/apache/tomcat/tree/10.1.0-M19
ff0b6c231b7a1a416688346fdd299a3d6cfb5b64


The proposed 10.1.0-M19 release is:
[ ] Broken - do not release
[ ] Beta - go ahead and release as 10.1.0-M19 (beta)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: tomcat-jakartaee-migration #34 issue

2022-09-15 Thread Mark Thomas



On 15/09/2022 06:44, Han Li wrote:




2022年9月15日 04:06,Rémy Maucherat  写道:

On Wed, Sep 14, 2022 at 6:43 PM Han Li  wrote:


Hi all,

I am very sorry, I made a fatal mistake when fixing tomcat-jakartaee-migration 
#29 issue, which led to #34 issue.


Well, when you do things, you're more likely to break things. So no
need to apologize.


+1

We all make mistakes. One of the hardest things I had to get use to with 
open source was messing up in public. I was mortified the first time I 
did it. These days, I just fix whatever I broke and move on to the next 
task.


One of the reasons for stream-lining the release process is so that we 
can easily restart a release if we need to.



: )  Thanks.





I have re-fixed this issue with this solution: 
https://github.com/aooohan/tomcat-jakartaee-migration/blob/e07f9cb21b36fe44ef31cc97e39e2c1657a94424/src/main/java/org/apache/tomcat/jakartaee/Migration.java#L226-L239
 

(I 'll continue optimising code tomorrow, it's late and I'm sleepy.)

I will retest it tomorrow to make sure the problem is really fixed.

But I don't know if this will affect the release tasks , like 10.1.x or other 
version.

How will we handle this situation, possibly by continuing to release 
tomcat-jakartaee-migration 1.0.4?


With a regression, a 1.0.4 is needed, then start over the 10.1 and
10.0 release process.

I have fixed it.


I'll start the 1.0.4 release now and cancel the 10.1.x and 10.0.x releases.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE] Release Apache Tomcat 10.1.0-M19

2022-09-14 Thread Mark Thomas

On 13/09/2022 18:09, Mark Thomas wrote:

The proposed Apache Tomcat 10.1.0-M19 release is now available for
voting.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory.


The notable changes compared to 10.1.0-M17 are:

- Add support for authenticating WebSocket clients with an HTTP forward
   proxy when establishing a connection to a WebSocket endpoint via a
   forward proxy that requires authentication. Based on a patch provided
   by Joe Mokos.

- Various fixes for edge case bugs in EL processing

- Improve host header handling for HTTP/2 requests

For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M19/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1389

The tag is:
https://github.com/apache/tomcat/tree/10.1.0-M19
ff0b6c231b7a1a416688346fdd299a3d6cfb5b64


The proposed 10.1.0-M19 release is:
[ ] Broken - do not release
[X] Beta - go ahead and release as 10.1.0-M19 (beta)


Unit tests pass on Windows, Linux and MacOS.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[VOTE] Release Apache Tomcat 10.0.24

2022-09-14 Thread Mark Thomas

The proposed Apache Tomcat 10.0.24 release is now available for
voting.

Apache Tomcat 10.0.x implements Jakarta EE 9 and, as such, the primary
package for all the specification APIs has changed from javax.* to jakarta.*

Applications that run on Tomcat 9 will not run on Tomcat 10 without 
changes. Java EE applications designed for Tomcat 9 and earlier may be 
placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will 
automatically convert them to Jakarta EE and copy them to the webapps 
directory


The notable changes compared to 10.0.23 are:

- Add support for authenticating WebSocket clients with an HTTP forward
  proxy when establishing a connection to a WebSocket endpoint via a
  forward proxy that requires authentication. Based on a patch provided
  by Joe Mokos.

- Various fixes for edge case bugs in EL processing

- Improve host header handling for HTTP/2 requests

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-10.0.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.0.24/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1391

The tag is:
https://github.com/apache/tomcat/tree/10.0.24
74a5bd703f1d477548449bd400721e960cc4514c

The proposed 10.0.24 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.0.24 (stable)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE] Release Apache Tomcat 10.1.0-M19

2022-09-13 Thread Mark Thomas

On 13/09/2022 19:09, Mark Thomas wrote:

On 13/09/2022 18:51, Konstantin Kolinko wrote:

вт, 13 сент. 2022 г. в 20:09, Mark Thomas :


The proposed Apache Tomcat 10.1.0-M19 release is now available for
voting.

[...]

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M19/


*.asc files are missing at dist.a.o
They were missing for 10.1.0-M18 release candidate as well.


Thanks for catching this.

I think I know what is going on but I need to test my theory. I'll get 
the signatures generated shortly. If my theory is correct, this will be 
a good opportunity to test the repeatability of the build.


I guessed wrong. The issue was I wasn't defining gpg.exec.

The good news is that I did a complete rebuild with gpg.exec defined and 
the repeatability of the build meant I could copy the new build over the 
svn checkout of dist and since the files were identical it just added 
the asc files.


I should have fixed this for future releases.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE] Release Apache Tomcat 10.1.0-M19

2022-09-13 Thread Mark Thomas

On 13/09/2022 18:51, Konstantin Kolinko wrote:

вт, 13 сент. 2022 г. в 20:09, Mark Thomas :


The proposed Apache Tomcat 10.1.0-M19 release is now available for
voting.

[...]

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M19/


*.asc files are missing at dist.a.o
They were missing for 10.1.0-M18 release candidate as well.


Thanks for catching this.

I think I know what is going on but I need to test my theory. I'll get 
the signatures generated shortly. If my theory is correct, this will be 
a good opportunity to test the repeatability of the build.


Mark




apache-tomcat-10.1.0-M19.exe is signed, OK.


The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1389


*.asc files are present in the Maven staging area, OK


The tag is:
https://github.com/apache/tomcat/tree/10.1.0-M19
ff0b6c231b7a1a416688346fdd299a3d6cfb5b64


The proposed 10.1.0-M19 release is:
[ ] Broken - do not release
[ ] Beta - go ahead and release as 10.1.0-M19 (beta)


Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[VOTE] Release Apache Tomcat 10.1.0-M19

2022-09-13 Thread Mark Thomas

The proposed Apache Tomcat 10.1.0-M19 release is now available for
voting.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory.


The notable changes compared to 10.1.0-M17 are:

- Add support for authenticating WebSocket clients with an HTTP forward
  proxy when establishing a connection to a WebSocket endpoint via a
  forward proxy that requires authentication. Based on a patch provided
  by Joe Mokos.

- Various fixes for edge case bugs in EL processing

- Improve host header handling for HTTP/2 requests

For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M19/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1389

The tag is:
https://github.com/apache/tomcat/tree/10.1.0-M19
ff0b6c231b7a1a416688346fdd299a3d6cfb5b64


The proposed 10.1.0-M19 release is:
[ ] Broken - do not release
[ ] Beta - go ahead and release as 10.1.0-M19 (beta)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: Time for Tomcat 8.5.83?

2022-09-13 Thread Mark Thomas

On 13/09/2022 16:12, Christopher Schultz wrote:

All,

Looking at the changelog, I don't see anything really critical, but 
there are a bunch of little things that maybe we should just go ahead 
and release.


Any comments either way?


+1 to a release.

Note that I need to fix a regression first. I should have that 
back-ported in the next couple of hours - assuming the tests runs pass.


Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[VOTE][CANCELLED] Release Apache Tomcat 10.1.0-M18

2022-09-13 Thread Mark Thomas

I am cancelling this release vote due to a regression caused by:

https://github.com/apache/tomcat/commit/8bb7c0980adfebe65ba23c1eedaa3408d472ca0a

Mark


On 12/09/2022 22:00, Mark Thomas wrote:

The proposed Apache Tomcat 10.1.0-M18 release is now available for
voting.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory.


The notable changes compared to 10.1.0-M17 are:

- Add support for authenticating WebSocket clients with an HTTP forward
   proxy when establishing a connection to a WebSocket endpoint via a
   forward proxy that requires authentication. Based on a patch provided
   by Joe Mokos.

- Various fixes for edge case bugs in EL processing

- Improve host header handling for HTTP/2 requests

For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M18/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1388

The tag is:
https://github.com/apache/tomcat/tree/10.1.0-M18
ae9df1bcc169a5b03adea54c8c19ca9bd902e44f


The proposed 10.1.0-M18 release is:
[ ] Broken - do not release
[ ] Beta - go ahead and release as 10.1.0-M18 (beta)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE] Release Apache Tomcat 10.1.0-M18

2022-09-13 Thread Mark Thomas

On 13/09/2022 08:28, Han Li wrote:




2022年9月13日 15:19,Han Li  写道:




2022年9月13日 15:16,Mark Thomas mailto:ma...@apache.org>> 写道:

On 13/09/2022 08:14, Han Li wrote:

macOS 12.3.1(intel)


Tx. I now see this on Linux and I saw it on Windows yesterday.

Need to figure out what triggered this.

The swallowInput change maybe?


I will try to revert this change, and try again.

This problem still exists and it only occurs with NIO2 and OpenSSL.


"git bisect" found it quite quickly. It is my fault but a different 
change. It is the maxSavePostSize change.


I'll cancel the release vote and start looking into exactly what is 
going wrong.


Mark




Han


Han



Mark


Han

2022年9月13日 15:09,Mark Thomas mailto:ma...@apache.org>> 写道:

Which OS?

I saw the issue on Windows but thought it was a VM / load issue.

Mark


On 13/09/2022 07:16, Han Li wrote:

I'm missing the point, it's only under NIO2 that this problem occurs.
Han

2022年9月13日 14:12,Han Li mailto:li...@apache.org>> 写道:

I encountered a test case that would randomly fail.

I executed it individually several times and it failed a high percentage of 
times.

Env Info:
Tomcat Native 2.0.1
OpenSSL 3.0.5
OpenJDK 17.0.2

The following content is log:

Testcase: testClientCertPostZero[OpenSSL] took 6.057 sec
Caused an ERROR
Received close_notify during handshake
javax.net.ssl.SSLProtocolException: Received close_notify during handshake
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:129)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at 
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:358)
at 
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
at 
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:305)
at 
java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:250)
at 
java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:204)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
at 
java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1503)
at 
java.base/sun.security.ssl.SSLSocketImpl.readApplicationRecord(SSLSocketImpl.java:1474)
at 
java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1059)
at 
java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:244)
at 
java.base/java.io.BufferedInputStream.read1(BufferedInputStream.java:284)
at 
java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:343)
at 
java.base/sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:791)
at java.base/sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:726)
at java.base/sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:750)
at 
java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1688)
at 
java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1589)
at 
java.base/java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:529)
at 
java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:308)
at 
org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:794)
at 
org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:749)
at 
org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:720)
at 
org.apache.tomcat.util.net.TestClientCert.doTestClientCertPost(TestClientCert.java:184)
at 
org.apache.tomcat.util.net.TestClientCert.testClientCertPostZero(TestClientCert.java:133)
at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at 
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)


2022年9月13日 05:00,Mark Thomas mailto:ma...@apache.org>> 写道:

The proposed Apache Tomcat 10.1.0-M18 release is now available for
voting.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without 
changes. Java EE applications designed for Tomcat 9 and earlier may be placed 
in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically 
convert them to Jakarta EE and copy them to the webapps directory.

The notable changes compared to 10.1.0-M17 are:

- Add support for authenticating WebSocket clients with an HTTP forward
proxy when establishing a connection to a WebSocket endpoint via a
forward proxy that requires authentication. Based on a patch provided
by Joe Mokos.

- Various fixes for edge case bugs in EL processing

- Improve host header handling for HTTP/2 requests

For full details, see the change log:
h

Re: [VOTE] Release Apache Tomcat 10.1.0-M18

2022-09-13 Thread Mark Thomas

On 13/09/2022 08:19, Han Li wrote:




2022年9月13日 15:16,Mark Thomas  写道:

On 13/09/2022 08:14, Han Li wrote:

macOS 12.3.1(intel)


Tx. I now see this on Linux and I saw it on Windows yesterday.

Need to figure out what triggered this.

The swallowInput change maybe?


I will try to revert this change, and try again.


Thanks. I'm looking too. It looks like the client is timing out which 
suggests Tomcat isn't sending something the client expects.


Mark




Han



Mark


Han

2022年9月13日 15:09,Mark Thomas  写道:

Which OS?

I saw the issue on Windows but thought it was a VM / load issue.

Mark


On 13/09/2022 07:16, Han Li wrote:

I'm missing the point, it's only under NIO2 that this problem occurs.
Han

2022年9月13日 14:12,Han Li  写道:

I encountered a test case that would randomly fail.

I executed it individually several times and it failed a high percentage of 
times.

Env Info:
Tomcat Native 2.0.1
OpenSSL 3.0.5
OpenJDK 17.0.2

The following content is log:

Testcase: testClientCertPostZero[OpenSSL] took 6.057 sec
Caused an ERROR
Received close_notify during handshake
javax.net.ssl.SSLProtocolException: Received close_notify during handshake
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:129)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at 
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:358)
at 
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
at 
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:305)
at 
java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:250)
at 
java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:204)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
at 
java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1503)
at 
java.base/sun.security.ssl.SSLSocketImpl.readApplicationRecord(SSLSocketImpl.java:1474)
at 
java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1059)
at 
java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:244)
at 
java.base/java.io.BufferedInputStream.read1(BufferedInputStream.java:284)
at 
java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:343)
at 
java.base/sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:791)
at java.base/sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:726)
at java.base/sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:750)
at 
java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1688)
at 
java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1589)
at 
java.base/java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:529)
at 
java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:308)
at 
org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:794)
at 
org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:749)
at 
org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:720)
at 
org.apache.tomcat.util.net.TestClientCert.doTestClientCertPost(TestClientCert.java:184)
at 
org.apache.tomcat.util.net.TestClientCert.testClientCertPostZero(TestClientCert.java:133)
at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at 
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)


2022年9月13日 05:00,Mark Thomas  写道:

The proposed Apache Tomcat 10.1.0-M18 release is now available for
voting.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without 
changes. Java EE applications designed for Tomcat 9 and earlier may be placed 
in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically 
convert them to Jakarta EE and copy them to the webapps directory.

The notable changes compared to 10.1.0-M17 are:

- Add support for authenticating WebSocket clients with an HTTP forward
proxy when establishing a connection to a WebSocket endpoint via a
forward proxy that requires authentication. Based on a patch provided
by Joe Mokos.

- Various fixes for edge case bugs in EL processing

- Improve host header handling for HTTP/2 requests

For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M18/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1388

The tag is:
https://github.com/apache/tomcat

Re: [VOTE] Release Apache Tomcat 10.1.0-M18

2022-09-13 Thread Mark Thomas

On 13/09/2022 08:14, Han Li wrote:

macOS 12.3.1(intel)


Tx. I now see this on Linux and I saw it on Windows yesterday.

Need to figure out what triggered this.

The swallowInput change maybe?

Mark



Han


2022年9月13日 15:09,Mark Thomas  写道:

Which OS?

I saw the issue on Windows but thought it was a VM / load issue.

Mark


On 13/09/2022 07:16, Han Li wrote:

I'm missing the point, it's only under NIO2 that this problem occurs.
Han

2022年9月13日 14:12,Han Li  写道:

I encountered a test case that would randomly fail.

I executed it individually several times and it failed a high percentage of 
times.

Env Info:
Tomcat Native 2.0.1
OpenSSL 3.0.5
OpenJDK 17.0.2

The following content is log:

Testcase: testClientCertPostZero[OpenSSL] took 6.057 sec
Caused an ERROR
Received close_notify during handshake
javax.net.ssl.SSLProtocolException: Received close_notify during handshake
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:129)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at 
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:358)
at 
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
at 
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:305)
at 
java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:250)
at 
java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:204)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
at 
java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1503)
at 
java.base/sun.security.ssl.SSLSocketImpl.readApplicationRecord(SSLSocketImpl.java:1474)
at 
java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1059)
at 
java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:244)
at 
java.base/java.io.BufferedInputStream.read1(BufferedInputStream.java:284)
at 
java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:343)
at 
java.base/sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:791)
at java.base/sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:726)
at java.base/sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:750)
at 
java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1688)
at 
java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1589)
at 
java.base/java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:529)
at 
java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:308)
at 
org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:794)
at 
org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:749)
at 
org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:720)
at 
org.apache.tomcat.util.net.TestClientCert.doTestClientCertPost(TestClientCert.java:184)
at 
org.apache.tomcat.util.net.TestClientCert.testClientCertPostZero(TestClientCert.java:133)
at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at 
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)


2022年9月13日 05:00,Mark Thomas  写道:

The proposed Apache Tomcat 10.1.0-M18 release is now available for
voting.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without 
changes. Java EE applications designed for Tomcat 9 and earlier may be placed 
in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically 
convert them to Jakarta EE and copy them to the webapps directory.

The notable changes compared to 10.1.0-M17 are:

- Add support for authenticating WebSocket clients with an HTTP forward
proxy when establishing a connection to a WebSocket endpoint via a
forward proxy that requires authentication. Based on a patch provided
by Joe Mokos.

- Various fixes for edge case bugs in EL processing

- Improve host header handling for HTTP/2 requests

For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M18/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1388

The tag is:
https://github.com/apache/tomcat/tree/10.1.0-M18
ae9df1bcc169a5b03adea54c8c19ca9bd902e44f


The proposed 10.1.0-M18 release is:
[ ] Broken - do not release
[ ] Beta - go ahead and release as 10.1.0-M18 (beta)

-
To unsubscribe, e-mail

Re: [VOTE] Release Apache Tomcat 10.1.0-M18

2022-09-13 Thread Mark Thomas

Which OS?

I saw the issue on Windows but thought it was a VM / load issue.

Mark


On 13/09/2022 07:16, Han Li wrote:

I'm missing the point, it's only under NIO2 that this problem occurs.


Han


2022年9月13日 14:12,Han Li  写道:

I encountered a test case that would randomly fail.

I executed it individually several times and it failed a high percentage of 
times.

Env Info:
Tomcat Native 2.0.1
OpenSSL 3.0.5
OpenJDK 17.0.2

The following content is log:

Testcase: testClientCertPostZero[OpenSSL] took 6.057 sec
Caused an ERROR
Received close_notify during handshake
javax.net.ssl.SSLProtocolException: Received close_notify during handshake
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:129)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at 
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:358)
at 
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
at 
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:305)
at 
java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:250)
at 
java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:204)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
at 
java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1503)
at 
java.base/sun.security.ssl.SSLSocketImpl.readApplicationRecord(SSLSocketImpl.java:1474)
at 
java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1059)
at 
java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:244)
at 
java.base/java.io.BufferedInputStream.read1(BufferedInputStream.java:284)
at 
java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:343)
at 
java.base/sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:791)
at java.base/sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:726)
at java.base/sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:750)
at 
java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1688)
at 
java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1589)
at 
java.base/java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:529)
at 
java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:308)
at 
org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:794)
at 
org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:749)
at 
org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:720)
at 
org.apache.tomcat.util.net.TestClientCert.doTestClientCertPost(TestClientCert.java:184)
at 
org.apache.tomcat.util.net.TestClientCert.testClientCertPostZero(TestClientCert.java:133)
at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at 
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)


2022年9月13日 05:00,Mark Thomas  写道:

The proposed Apache Tomcat 10.1.0-M18 release is now available for
voting.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without 
changes. Java EE applications designed for Tomcat 9 and earlier may be placed 
in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically 
convert them to Jakarta EE and copy them to the webapps directory.

The notable changes compared to 10.1.0-M17 are:

- Add support for authenticating WebSocket clients with an HTTP forward
proxy when establishing a connection to a WebSocket endpoint via a
forward proxy that requires authentication. Based on a patch provided
by Joe Mokos.

- Various fixes for edge case bugs in EL processing

- Improve host header handling for HTTP/2 requests

For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M18/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1388

The tag is:
https://github.com/apache/tomcat/tree/10.1.0-M18
ae9df1bcc169a5b03adea54c8c19ca9bd902e44f


The proposed 10.1.0-M18 release is:
[ ] Broken - do not release
[ ] Beta - go ahead and release as 10.1.0-M18 (beta)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org






-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional

[VOTE] Release Apache Tomcat 10.1.0-M18

2022-09-12 Thread Mark Thomas

The proposed Apache Tomcat 10.1.0-M18 release is now available for
voting.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory.


The notable changes compared to 10.1.0-M17 are:

- Add support for authenticating WebSocket clients with an HTTP forward
  proxy when establishing a connection to a WebSocket endpoint via a
  forward proxy that requires authentication. Based on a patch provided
  by Joe Mokos.

- Various fixes for edge case bugs in EL processing

- Improve host header handling for HTTP/2 requests

For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M18/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1388

The tag is:
https://github.com/apache/tomcat/tree/10.1.0-M18
ae9df1bcc169a5b03adea54c8c19ca9bd902e44f


The proposed 10.1.0-M18 release is:
[ ] Broken - do not release
[ ] Beta - go ahead and release as 10.1.0-M18 (beta)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[ANN] Apache Tomcat Migration tool for Jakarta EE 1.0.3

2022-09-12 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat Migration Tool for Jakarta EE 1.0.3

Apache Tomcat Migration Tool for Jakarta EE is an open source software
tool for migrating binary web applications (WAR files) and other binary
artefacts from Java EE 8 to Jakarta EE 9.

The notable changes since 1.0.1 include:

- Update checksums for modified files to avoid issues when trying to use
  migrated JAR files
- Handle migration of manifest files when part of an exploded JAR


Please refer to the change log for the complete list of changes:
https://github.com/apache/tomcat-jakartaee-migration/blob/master/CHANGES.md

Downloads:
http://tomcat.apache.org/download-migration.cgi

Enjoy!

- The Apache Tomcat team


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[VOTE][RESULT] Apache Tomcat migration tool for Jakarta EE 1.0.3

2022-09-12 Thread Mark Thomas

The following votes were cast:

Binding:
+1: markt, remm, fschumacher

Non-binding:
+1: lihan

The vote therefore passes.

Thanks to everyone who contributed to this release.

Mark


On 06/09/2022 15:30, Mark Thomas wrote:

The proposed Apache Tomcat migration tool for Jakarta EE 1.0.3 is now
available for voting.

The significant changes since 1.0.1 are:

- Issue #26 - bad CRC checksums
- Issue #32 - Manifests in exploded JARs

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/jakartaee-migration/v1.0.3/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1387/

The tag is:
https://github.com/apache/tomcat-jakartaee-migration/tree/1.0.3
a5e9028e610b7b2ac1ef6fbef8a96dc3d97d7a45

The proposed 1.0.3 release is:

[ ] -1: Broken. Do not release because...
[ ] +1: Acceptable. Go ahead and release.

Thanks,

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE] Apache Tomcat migration tool for Jakarta EE 1.0.3

2022-09-11 Thread Mark Thomas

Ping.

We need one more +1 PMC member vote for this release vote to pass.

Mark


On 06/09/2022 15:30, Mark Thomas wrote:

The proposed Apache Tomcat migration tool for Jakarta EE 1.0.3 is now
available for voting.

The significant changes since 1.0.1 are:

- Issue #26 - bad CRC checksums
- Issue #32 - Manifests in exploded JARs

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/jakartaee-migration/v1.0.3/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1387/

The tag is:
https://github.com/apache/tomcat-jakartaee-migration/tree/1.0.3
a5e9028e610b7b2ac1ef6fbef8a96dc3d97d7a45

The proposed 1.0.3 release is:

[ ] -1: Broken. Do not release because...
[ ] +1: Acceptable. Go ahead and release.

Thanks,

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [tomcat] branch main updated: Avoid potential ConcurrentModificationException by using Iterator.

2022-09-09 Thread Mark Thomas

On 09/09/2022 15:57, li...@apache.org wrote:

This is an automated email from the ASF dual-hosted git repository.

lihan pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
  new 5c5adba7fd Avoid potential ConcurrentModificationException by using 
Iterator.
5c5adba7fd is described below

commit 5c5adba7fdfc02ddaaf3a229efce89852bc305ae
Author: lihan 
AuthorDate: Fri Sep 9 22:57:17 2022 +0800

 Avoid potential ConcurrentModificationException by using Iterator.


Thanks for catching these.

Mark



---
  .../apache/catalina/servlets/WebdavServlet.java| 36 +-
  1 file changed, 22 insertions(+), 14 deletions(-)

diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java 
b/java/org/apache/catalina/servlets/WebdavServlet.java
index 54c4d0df78..97619c7e25 100644
--- a/java/org/apache/catalina/servlets/WebdavServlet.java
+++ b/java/org/apache/catalina/servlets/WebdavServlet.java
@@ -30,6 +30,7 @@ import java.util.Collections;
  import java.util.Date;
  import java.util.HashMap;
  import java.util.List;
+import java.util.Iterator;
  import java.util.Locale;
  import java.util.Map;
  import java.util.Stack;
@@ -1293,9 +1294,11 @@ public class WebdavServlet extends DefaultServlet {
  if (lock != null) {
  
  // At least one of the tokens of the locks must have been given

-for (String token : lock.tokens) {
+Iterator tokenList = lock.tokens.iterator();
+while (tokenList.hasNext()) {
+String token = tokenList.next();
  if (lockTokenHeader.contains(token)) {
-lock.tokens.remove(token);
+tokenList.remove();
  }
  }
  
@@ -1308,17 +1311,20 @@ public class WebdavServlet extends DefaultServlet {

  }
  
  // Checking inheritable collection locks

-for (LockInfo collectionLock : collectionLocks) {
-if (path.equals(collectionLock.path)) {
-for (String token : collectionLock.tokens) {
+Iterator collectionLocksList = collectionLocks.iterator();
+while (collectionLocksList.hasNext()) {
+lock = collectionLocksList.next();
+if (path.equals(lock.path)) {
+Iterator tokenList = lock.tokens.iterator();
+while (tokenList.hasNext()) {
+String token = tokenList.next();
  if (lockTokenHeader.contains(token)) {
-collectionLock.tokens.remove(token);
+tokenList.remove();
  break;
  }
  }
-
-if (collectionLock.tokens.isEmpty()) {
-collectionLocks.remove(collectionLock);
+if (lock.tokens.isEmpty()) {
+collectionLocksList.remove();
  // Removing any lock-null resource which would be present
  lockNullResources.remove(path);
  }
@@ -1392,12 +1398,14 @@ public class WebdavServlet extends DefaultServlet {
  }
  
  // Checking inheritable collection locks

-for (LockInfo collectionsLock : collectionLocks) {
-if (collectionsLock.hasExpired()) {
-collectionLocks.remove(collectionsLock);
-} else if (path.startsWith(collectionsLock.path)) {
+Iterator collectionLockList = collectionLocks.iterator();
+while (collectionLockList.hasNext()) {
+lock = collectionLockList.next();
+if (lock.hasExpired()) {
+collectionLockList.remove();
+} else if (path.startsWith(lock.path)) {
  boolean tokenMatch = false;
-for (String token : collectionsLock.tokens) {
+for (String token : lock.tokens) {
  if (ifHeader.contains(token)) {
  tokenMatch = true;
  break;


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE] Apache Tomcat migration tool for Jakarta EE 1.0.3

2022-09-07 Thread Mark Thomas

On 06/09/2022 15:30, Mark Thomas wrote:

The proposed Apache Tomcat migration tool for Jakarta EE 1.0.3 is now
available for voting.

The significant changes since 1.0.1 are:

- Issue #26 - bad CRC checksums
- Issue #32 - Manifests in exploded JARs

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/jakartaee-migration/v1.0.3/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1387/

The tag is:
https://github.com/apache/tomcat-jakartaee-migration/tree/1.0.3
a5e9028e610b7b2ac1ef6fbef8a96dc3d97d7a45

The proposed 1.0.3 release is:

[ ] -1: Broken. Do not release because...
[X] +1: Acceptable. Go ahead and release.


Tested by deploying Tomcat 9.0.x examples web application to Tomcat 10.1.x

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[VOTE] Apache Tomcat migration tool for Jakarta EE 1.0.3

2022-09-06 Thread Mark Thomas

The proposed Apache Tomcat migration tool for Jakarta EE 1.0.3 is now
available for voting.

The significant changes since 1.0.1 are:

- Issue #26 - bad CRC checksums
- Issue #32 - Manifests in exploded JARs

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/jakartaee-migration/v1.0.3/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1387/

The tag is:
https://github.com/apache/tomcat-jakartaee-migration/tree/1.0.3
a5e9028e610b7b2ac1ef6fbef8a96dc3d97d7a45

The proposed 1.0.3 release is:

[ ] -1: Broken. Do not release because...
[ ] +1: Acceptable. Go ahead and release.

Thanks,

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[VOTE][CANCELLED] Apache Tomcat migration tool for Jakarta EE 1.0.2

2022-09-06 Thread Mark Thomas

Hi all,

Partly due to the fix I missed and partly due to the incomplete bz2 src 
archives, I am cancelling the 1.0.2 vote. 1.0.3 will follow very shortly.


Mark


On 02/09/2022 22:19, Mark Thomas wrote:

The proposed Apache Tomcat migration tool for Jakarta EE 1.0.2 is now
available for voting.

The significant changes since 1.0.1 are:

- Issue #26 - bad CRC checksums

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/jakartaee-migration/v1.0.2/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1386/

The tag is:
https://github.com/apache/tomcat-jakartaee-migration/tree/1.0.2
37a9d5a438206b429997d4c1a9bb19f21b133145

The proposed 1.0.2 release is:

[ ] -1: Broken. Do not release because...
[ ] +1: Acceptable. Go ahead and release.

Thanks,

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: A "tar.bz2" file in Apache Tomcat migration tool (1.0.2)

2022-09-06 Thread Mark Thomas
On 06/09/2022 14:10, Han Li wrote> I found that bz2 file is generated 
when use apache-release profile (-P apache-release)


Thanks. That helps.

Mark




Irrespective of migration tool version. ;)

Han


2022年9月6日 18:03,Mark Thomas  写道:

Hi,

Thanks for checking this.

Very strange. I have a couple of theories - neither of which I think are 
particularly likely:

1. The release build failed part way through due to an issue with my GPG 
passphrase. I re-ran the release and it appeared to carry on from the error but 
the bz2 file could be a result.

2. I upgraded the assembly plugin from 3.4.0 to 3.4.2

I've looked at the contents of the bz2 file and it is incomplete. The Maven 
wrapper and the change-log are both missing.

While I'd like to get the release out ASAP (it is blocking 10.1.x and 10.0.x 
releases) I think I am going to do the following:

1. Review and merge PR #32 that I missed in 1.0.2

2. Roll a 1.0.3 release and see if the bz2 archive re-appears. If it does, drop 
it from the Maven staging repo before I close it. I'll then look at what is 
creating the bz2 file separately.

I'm going to leave the 1.0.2 release vote running for now just to give me 
options but my expectation is that the 1.0.2 vote will be cancelled in favour 
of 1.0.3.

Mark



On 05/09/2022 15:16, Konstantin Kolinko wrote:

Hi!
Not a showstopper, but some oddity.
Looking at Maven artifacts for release candidate of
Apache Tomcat migration tool for Jakarta EE 1.0.2
in maven staging repository,
I am curious why does there exist the following file:
"jakartaee-migration-1.0.2-src.tar.bz2"
The files:
https://repository.apache.org/content/repositories/orgapachetomcat-1386/org/apache/tomcat/jakartaee-migration/1.0.2/
1. There already exists "jakartaee-migration-1.0.2-src.tar.gz".
It is the first time I see a *.bz2 file in our distributions.
2. Looking at the source code,
I do not see where it comes from.
pom.xml:
[[[
 
 maven-assembly-plugin
 3.4.2
 
   
 make-assembly
 
   single
 
 package
 
   
 src/assembly/bin.xml
 src/assembly/src.xml
   
 
   
 
   
]]]
src/assembly/bin.xml:
src/assembly/src.xml:
both have the following:
[[[
   
 tar.gz
 zip
   
]]]
There is no "tar.bz2" above.
Best regards,
Konstantin Kolinko
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org




-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: A "tar.bz2" file in Apache Tomcat migration tool (1.0.2)

2022-09-06 Thread Mark Thomas

Hi,

Thanks for checking this.

Very strange. I have a couple of theories - neither of which I think are 
particularly likely:


1. The release build failed part way through due to an issue with my GPG 
passphrase. I re-ran the release and it appeared to carry on from the 
error but the bz2 file could be a result.


2. I upgraded the assembly plugin from 3.4.0 to 3.4.2

I've looked at the contents of the bz2 file and it is incomplete. The 
Maven wrapper and the change-log are both missing.


While I'd like to get the release out ASAP (it is blocking 10.1.x and 
10.0.x releases) I think I am going to do the following:


1. Review and merge PR #32 that I missed in 1.0.2

2. Roll a 1.0.3 release and see if the bz2 archive re-appears. If it 
does, drop it from the Maven staging repo before I close it. I'll then 
look at what is creating the bz2 file separately.


I'm going to leave the 1.0.2 release vote running for now just to give 
me options but my expectation is that the 1.0.2 vote will be cancelled 
in favour of 1.0.3.


Mark



On 05/09/2022 15:16, Konstantin Kolinko wrote:

Hi!

Not a showstopper, but some oddity.

Looking at Maven artifacts for release candidate of
Apache Tomcat migration tool for Jakarta EE 1.0.2
in maven staging repository,

I am curious why does there exist the following file:
"jakartaee-migration-1.0.2-src.tar.bz2"

The files:

https://repository.apache.org/content/repositories/orgapachetomcat-1386/org/apache/tomcat/jakartaee-migration/1.0.2/

1. There already exists "jakartaee-migration-1.0.2-src.tar.gz".

It is the first time I see a *.bz2 file in our distributions.

2. Looking at the source code,
I do not see where it comes from.

pom.xml:

[[[
 
 maven-assembly-plugin
 3.4.2
 
   
 make-assembly
 
   single
 
 package
 
   
 src/assembly/bin.xml
 src/assembly/src.xml
   
 
   
 
   
]]]

src/assembly/bin.xml:
src/assembly/src.xml:
both have the following:

[[[
   
 tar.gz
 zip
   
]]]

There is no "tar.bz2" above.


Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[ANN] New committer: Han Li

2022-09-06 Thread Mark Thomas

On behalf of the Tomcat committers I am delighted to announce that
Han Li (lihan) has been voted in as a new Tomcat committer.

Please join me in congratulating Han.

Kind regards,

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE] Apache Tomcat migration tool for Jakarta EE 1.0.2

2022-09-05 Thread Mark Thomas

On 02/09/2022 22:19, Mark Thomas wrote:

The proposed Apache Tomcat migration tool for Jakarta EE 1.0.2 is now
available for voting.

The significant changes since 1.0.1 are:

- Issue #26 - bad CRC checksums

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/jakartaee-migration/v1.0.2/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1386/

The tag is:
https://github.com/apache/tomcat-jakartaee-migration/tree/1.0.2
37a9d5a438206b429997d4c1a9bb19f21b133145

The proposed 1.0.2 release is:

[ ] -1: Broken. Do not release because...
[X] +1: Acceptable. Go ahead and release.


Unit tests pass.

Tested with examples web application from 9.0.x on 10.1.x.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[VOTE] Apache Tomcat migration tool for Jakarta EE 1.0.2

2022-09-02 Thread Mark Thomas

The proposed Apache Tomcat migration tool for Jakarta EE 1.0.2 is now
available for voting.

The significant changes since 1.0.1 are:

- Issue #26 - bad CRC checksums

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/jakartaee-migration/v1.0.2/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1386/

The tag is:
https://github.com/apache/tomcat-jakartaee-migration/tree/1.0.2
37a9d5a438206b429997d4c1a9bb19f21b133145

The proposed 1.0.2 release is:

[ ] -1: Broken. Do not release because...
[ ] +1: Acceptable. Go ahead and release.

Thanks,

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: Why JsonErrorReportValve doesn't exist in 8.5.x

2022-09-02 Thread Mark Thomas

On 02/09/2022 10:23, Han Li wrote:

Hi all,


I found that JsonErrorReportValve doesn't exist in 8.5.x,but exists in all 
other branch.
I have looked at the implementation of this class and found nothing at the code 
level that 8.5.x couldn’t support,
And I also didn’t find any useful information on the mailing list.

So why does 8.5.x not support this feature?


I don't recall any discussion about this and I can't find anything in 
the archives.


I'd have no objection to it being back-ported.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [tomcat] branch main updated: Improve handling of EL error messages.

2022-08-31 Thread Mark Thomas

On 30/08/2022 13:21, Konstantin Kolinko wrote:

вт, 30 авг. 2022 г. в 10:13, Mark Thomas :


On 29/08/2022 14:06, Christopher Schultz wrote:

Mark,

On 8/29/22 02:39, ma...@apache.org wrote:





   public static String get(final String key, final Object... args) {
   String value = get(key);
+// Convert all Number arguments to String else MessageFormat
may try to
+// format them in unexpected ways.
+if (args != null) {
+for (int i = 0; i < args.length; i++) {
+if (args[i] instanceof Number) {
+args[i] = args[i].toString();
+}
+}
+}
+


This might represent a big change in behavior, especially with
floating-point numbers. I'm not sure what role MessageFormat plays in
the whole EL ecosystem... is it any part of the spec, or only for like
error messages and things like that?


It is only for error messages and the like.

oss-fuzz found an edge case where MessageFormat would output a number
with hundreds of thousands of digits as an integer rather than using
exponential form.

Any such instances would be application bugs (the issue is in parsing
the EL expression so there is no way for users to trigger this). It
seems unlikely that this would occur in practice.


1. I think we are actually dealing with a JRE bug here.

As such, while only MessageFactory in EL was tested, in theory it
concerns other copies of this class.

2. Personally, as a programmer, I do like when numbers are printed in
a programmer-friendly way, i.e. via toString() like here, but
generally it means losing i18n.

3. For future reference
- Javadoc of MessageFormat. Java 17:

https://docs.oracle.com/javase/8/docs/api/java/text/MessageFormat.html

- messages used by EL code come from
static final ResourceBundle bundle =
ResourceBundle.getBundle("org.apache.el.LocalStrings");

and look like

error.convert=Cannot convert [{0}] of type [{1}] to [{2}]


4. I think that the JRE bug is as follows:

(1) The Javadoc of MessageFormat says (see a table there) that to
format a number you specify the format with FormatType = "number". The
FormatStyle may be omitted.

E.g. "{0, number}" can be used to clearly declare that the argument
has to be formatted as a Number.

(2) It says that for FormatType=none, it creates a Subformat of null.

Looking into the source code (OpenJDK 17.0.4)
parsing the format string is implemented in method #makeFormat(...).
See the branch with "case TYPE_NULL:" there.

It results in assigning the null value to an entry in "formats[]" array.

(3) I suspect that a null format was actually intended to serve as a
"text" format. My concerns:

- The MessageFormat lacks an explicit "text" FormatType.

In comparison, with a java.util.Formatter I can use an explicit %s
pattern to specify textual format.

- There is a comment in the source code of MessageFormat #toPattern():

[[[
 if (fmt == null) {
 // do nothing, string format
 } else if ...
]]]

- I do not see any documentation in MessageFormat javadoc on how the
null Subformat is supposed to be treated.

Nor I found it in the official tutorial.
https://docs.oracle.com/javase/tutorial/i18n/format/messageFormat.html

I guess the behaviour may be "specified" in a hidden way, via TCK.


(4) The actual implementation of formatting (implemented in
MessageFormat#subformat(...)) is different:

[[[
 } else if (formats[i] != null) {
 subFormatter = formats[i];
 if (subFormatter instanceof ChoiceFormat) {
 arg = formats[i].format(obj);
 if (arg.indexOf('{') >= 0) {
 subFormatter = new MessageFormat(arg, locale);
 obj = arguments;
 arg = null;
 }
}
 } else if (obj instanceof Number) {
 // format number if can
 subFormatter = NumberFormat.getInstance(locale);
 } else if (obj instanceof Date) {
 // format a Date if can
 subFormatter = DateFormat.getDateTimeInstance(
  DateFormat.SHORT, DateFormat.SHORT, locale);//fix
 } else if (obj instanceof String) {
 arg = (String) obj;
 } else {
 arg = obj.toString();
 if (arg == null) arg = "null";
 }
]]]

I.e. if format[i] is null it does not interpret it as "text", but
tries "to be smart" and does some processing for Numbers.

(5) According to oss-fuzz we now know that such processing is broken.
It assumes that any Number can be sanely formatted by a
"NumberFormat.getInstance(locale);".


5. What

Re: [tomcat] branch 9.0.x updated: Fix BZ66246 https://bz.apache.org/bugzilla/show_bug.cgi?id=66246

2022-08-31 Thread Mark Thomas

On 31/08/2022 02:57, li...@apache.org wrote:

This is an automated email from the ASF dual-hosted git repository.

lihan pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
  new 971038192b Fix BZ66246 
https://bz.apache.org/bugzilla/show_bug.cgi?id=66246
971038192b is described below

commit 971038192b1d747810de71e4dac8559d4c04d7a3
Author: lihan 
AuthorDate: Wed Aug 31 09:56:36 2022 +0800

 Fix BZ66246
 https://bz.apache.org/bugzilla/show_bug.cgi?id=66246
---
  java/org/apache/jasper/resources/LocalStrings.properties | 2 +-
  webapps/docs/changelog.xml   | 3 +++
  2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/jasper/resources/LocalStrings.properties 
b/java/org/apache/jasper/resources/LocalStrings.properties
index 4339d968da..6e4496378f 100644
--- a/java/org/apache/jasper/resources/LocalStrings.properties
+++ b/java/org/apache/jasper/resources/LocalStrings.properties
@@ -389,7 +389,7 @@ jspc.webxml.footer=\n\
  \n\
  \n
  jspc.webxml.header=\n\
-http://xmlns.jcp.org/xml/ns/javaee"\n\
+http://xmlns.jcp.org/xml/ns/javaee"\n\
  \  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"\n\
  \  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee\n\
  \  
http://xmlns.jcp.org/xml/ns/javaee/web-fragment_4_0.xsd"\n\


The schema location needs to be updated as well.

Mark



diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 0831e26371..9322c11152 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -239,6 +239,9 @@
  type conversion fails during an EL arithmetic operation. This is an EL
  error so ELException seems more appropriate. (markt)

+  
+66246: Fix JspC generates invalid web.xml due to incorrect 
header. (lihan)
+  
  




-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [tomcat] branch main updated: Improve handling of EL error messages.

2022-08-30 Thread Mark Thomas

On 29/08/2022 14:06, Christopher Schultz wrote:

Mark,

On 8/29/22 02:39, ma...@apache.org wrote:





  public static String get(final String key, final Object... args) {
  String value = get(key);
+    // Convert all Number arguments to String else MessageFormat 
may try to

+    // format them in unexpected ways.
+    if (args != null) {
+    for (int i = 0; i < args.length; i++) {
+    if (args[i] instanceof Number) {
+    args[i] = args[i].toString();
+    }
+    }
+    }
+


This might represent a big change in behavior, especially with 
floating-point numbers. I'm not sure what role MessageFormat plays in 
the whole EL ecosystem... is it any part of the spec, or only for like 
error messages and things like that?


It is only for error messages and the like.

oss-fuzz found an edge case where MessageFormat would output a number 
with hundreds of thousands of digits as an integer rather than using 
exponential form.


Any such instances would be application bugs (the issue is in parsing 
the EL expression so there is no way for users to trigger this). It 
seems unlikely that this would occur in practice.


Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: jakarta.el, useless getResource?

2022-08-25 Thread Mark Thomas

On 24/08/2022 14:40, Romain Manni-Bucau wrote:

Hi

Went ahead and created https://github.com/apache/tomcat/pull/547  (if it
helps)


Thanks. There weren't any objections so I'll merge that PR shortly.

Mark




Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>


Le lun. 22 août 2022 à 14:25, Romain Manni-Bucau  a
écrit :


+1

To answer the proxy reference: it affects other cases - loading classes
from a "database", proxies is just a well known case I used to illustrate
my point. By contract a classloader is not always an URLClassLoader which
is the assumption of the impl right now. Also CDS changes the perf there
too - a lot when enabled.

Side note: graalvm integration is way easier without that check ;).

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github
<https://github.com/rmannibucau> | LinkedIn
<https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>


Le lun. 22 août 2022 à 13:54, Mark Thomas  a écrit :


On 22/08/2022 11:48, Mark Thomas wrote:

On 22/08/2022 10:20, Romain Manni-Bucau wrote:





So overall I wonder if this check can be dropped now we have concurrent
classloaders and cache almost everywhere. If not, should the missed

items

be cached in some (webapp) classloader to help to exit faster?


We need to test with various JDKs but if the results are comparable to
those for Java 11, I'd have no objection to simplifying the code.


I've just run the performance test with Java 7, Java 8 and Java 11 with
8.5.x and in all three cases, the average time to run the test was less
without the performance fix than with it.

Given these, results, I think we remove this performance hack for all
current versions.

Objections?

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org






-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [DISCUSS] MessageBytes refactoring

2022-08-24 Thread Mark Thomas

On 24/08/2022 09:08, Rémy Maucherat wrote:

On Tue, Aug 23, 2022 at 10:43 PM Mark Thomas  wrote:


Hi all,

I've been looking at a fix for bug 66196. My ideas so far have revolved
around MessageBytes but the solutions are being made more complex by the
current behaviour of MessageBytes in some cases.

For example (I'm using strings in place of byte[] and char[] to keep it
simple):

mb.setBytes("aaa");
mb.setChars("bbb");
mb.toBytes();

mb.getByteChunk() returns "aaa" whereas I'd expect it to be "bbb".

I'd like to refactor MessageBytes so it always behaves as if it has a
single current value regardless of whether that value was set as a
String, byte[] or char[]. If a get() method is called for a different
type, conversion occurs on demand.

I'm reasonably confident that changing MessageBytes to always have a
single, consistent value will also enable a few useful optimizations -
particularly around ISO-8859-1 String to byte conversions which gets
used a lot for HTTP response headers.

Note: As currently, if you write to the ByteChunk or CharChunk directly
the caller is expected to take responsibility for keeping the values in
sync or dealing with the consequences.

Thoughts?


Well, this is a bit risky obviously but you can attempt it.


Fair point.

On my first pass I found that the RewriteValve was accessing the 
internals directly. That case looked to be manageable. I agree the risk 
is that this is happening in other places that don't get spotted.


One option would be to refactor 10.1.x but delay the back-port to see if 
any regressions emerge.


Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[DISCUSS] MessageBytes refactoring

2022-08-23 Thread Mark Thomas

Hi all,

I've been looking at a fix for bug 66196. My ideas so far have revolved 
around MessageBytes but the solutions are being made more complex by the 
current behaviour of MessageBytes in some cases.


For example (I'm using strings in place of byte[] and char[] to keep it 
simple):


mb.setBytes("aaa");
mb.setChars("bbb");
mb.toBytes();

mb.getByteChunk() returns "aaa" whereas I'd expect it to be "bbb".

I'd like to refactor MessageBytes so it always behaves as if it has a 
single current value regardless of whether that value was set as a 
String, byte[] or char[]. If a get() method is called for a different 
type, conversion occurs on demand.


I'm reasonably confident that changing MessageBytes to always have a 
single, consistent value will also enable a few useful optimizations - 
particularly around ISO-8859-1 String to byte conversions which gets 
used a lot for HTTP response headers.


Note: As currently, if you write to the ByteChunk or CharChunk directly 
the caller is expected to take responsibility for keeping the values in 
sync or dealing with the consequences.


Thoughts?

Mark


[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=66196

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: jakarta.el, useless getResource?

2022-08-22 Thread Mark Thomas

On 22/08/2022 11:48, Mark Thomas wrote:

On 22/08/2022 10:20, Romain Manni-Bucau wrote:





So overall I wonder if this check can be dropped now we have concurrent
classloaders and cache almost everywhere. If not, should the missed items
be cached in some (webapp) classloader to help to exit faster?


We need to test with various JDKs but if the results are comparable to 
those for Java 11, I'd have no objection to simplifying the code.


I've just run the performance test with Java 7, Java 8 and Java 11 with 
8.5.x and in all three cases, the average time to run the test was less 
without the performance fix than with it.


Given these, results, I think we remove this performance hack for all 
current versions.


Objections?

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: jakarta.el, useless getResource?

2022-08-22 Thread Mark Thomas

On 22/08/2022 10:20, Romain Manni-Bucau wrote:

Hi all,

I just spotted that in jakarta.el.ImportHandler#findClass there is a
cl.getResource(path)
== null (similar code exists when there is a security manager).
One line later there is a clazz = cl.loadClass(name);.

I assume the intent is to check the class is physically accessible but I
have a few questions about that:

1. It seems it does not respect the classloader API since this one enables
by contract to define a class (loadclass) without having a resource - it is
often used by proxies for ex,


Do we need to worry about proxies for this use case?


2. getResource is insanely slow (dropping it by using a subclass which
overrides ImportHandler by reflection I got a x10 ops/s on a 4 lines
template with one import)


See TesterImportHandlerPerformance. Previous results were 2 orders of 
magnitude the other way.



3. Why would getResource fail but loadClass succeed - I ignore any
configuration error which is "fixable"?


From memory this trick failed when used under a SecurityManager with 
classes that had circular dependencies. I might not have the details 
quite right but there wasn't anything wrong with the classes or the 
application.



 From the comment on top of the getResource check it seems it is for
performances (getresource being cheaper than loadClass) but I wonder if it
is still accurate (from my window it depends on the classpath size plus
loadClass will mainly go through getResource).


A quick test with TesterImportHandlerPerformance and Java 11 suggests 
there performance benefits are a lot smaller.



So overall I wonder if this check can be dropped now we have concurrent
classloaders and cache almost everywhere. If not, should the missed items
be cached in some (webapp) classloader to help to exit faster?


We need to test with various JDKs but if the results are comparable to 
those for Java 11, I'd have no objection to simplifying the code.


Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: Migrate from Bugzilla to GitHub Issues

2022-08-18 Thread Mark Thomas




On 18/08/2022 13:21, Graham Leggett wrote:

On 18 Aug 2022, at 06:57, Vladimir Sitnikov  wrote:


Have you considered migrating from Bugzilla to GitHub Issues?

I think co-locating issues, code, and PRs at GitHub would make it easier to
browse both issues and code.


-1.

GitHub as a service is hosted by someone else, who are in no way obligated to 
keep the service running for our benefit. Hosted services come and go 
regularly, and it is an enormous waste of time and effort for people to perform 
avoidable migrations each time this happens.

We mirror to Github because Github did the work to make that happen. It’s great 
that they did that, but support could be withdrawn at any time and without 
warning.


The ASF wrote the GitBox <-> GitHub synchronization code as there wasn't 
anything available that would allow us to keep an independent ASF repo 
in sync with a GitHub repo and allow commits to either. It was that sync 
code that opened up the possibility of commits to AS projects via GitHub.


There is also the problem that hosting issue tracking at GitHub requires 
users to sign up for a GitHub account and agree to GitHub's Ts in 
order to report an issue. There are a small number of users that are not 
prepared to do that.


There are benefits and risks associated with switching to issue tracking 
at GitHub. We need to weigh the one against the other.


As an experiment, we are tracking Migration Tool issues on GitHub. It is 
a small tool so there are only a few issues and limited data. I haven't 
seen anything yet that convinces me that there is a strong argument for 
or against using GitHub issues. If the Tomcat Maven plugin project 
starts to show signs of life, we could try migrating its issues to 
GitHub as a larger experiment.


Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: tcnative crashes during shutdown (TC 10.x unit tests)

2022-08-15 Thread Mark Thomas

On 19/07/2022 23:16, Rainer Jung wrote:

Roughly the same pattern I saw for TC 10.0 now also seen for TC 10.1.


A failure rate of 1 in 50 is going to make any testing a relatively slow 
process. We are going to need at least 250 test runs to get a reasonable 
degree of certainty in the results.


I agree that it seems likely that the Connector shutdown code isn't 100% 
robust. I took a quick look and cleanup seems to be triggered by GC 
which should avoid these sorts of issues. This one may take a while to 
track down.


Did you have any success in narrowing down the scope of the tests while 
still reproducing the issue?


Mark




Am 18.07.2022 um 12:09 schrieb Rainer Jung:

Hi there,

this is just an info, at this point probably not a showstopper. The 
topic is crashes in tcnative 1.2 and 2.0 for TC 10.0 during shutdown 
after TLS unit tests.


Details:

I ran the TC unit tests for latest 9.x, 10.x and 10.1.x with tcnative 
1.2.35 OpenSSL 1.1.1q, 1.2.35 OpenSSL 3.0.2 and 2.0.1 OpenSSL 3.0.2.


I ran the test for a variety of OpenJDK builds (Adoptium, Zulu, 
Oracle, RedHat) and versions (latest 1.8.0 except for 10.1, 11, 17 and 
current 19).


The platforms where SLES 11, 12 and 15 and RHEL 6, 7 and 8. For RHEL 7 
and 8 there were 48 runs, for the other platforms 39 (no RedHat JDK).


I only ran about 150 test classes (for NIO and also for NIO2), because 
I also ran the full unit tests (about 450 classes) for JSSE and didn't 
want to rerun all tests for time and efficiency reasons.


For TC 10 I observed crashes in TLS tests during shutdown: Out of the 
roughly 250 test runs, 5 produced such a crash. For TC 9 I did not 
observe a single one. Tests for TC 10.1 are ongoing, until now no 
crash, but it is a bit early for a final result. I think the crashes 
are not new. All hapened in the TLS tests in org.apache.tomcat.util.net.


The list of crashes I saw for TC 10.0.23:

RHEL7 jdk1.8.0 tcnative 1.2.35 OpenSSL 3.0.2
org.apache.tomcat.util.net.TestSsl FAILED (crashed)
openjdk version "1.8.0_332-ea"
OpenJDK Runtime Environment (build 1.8.0_332-ea-b06)
OpenJDK 64-Bit Server VM (build 25.332-b06, mixed mode)
double free or corruption (!prev): 0x7f473c19df50
=== Backtrace: =
/lib64/libc.so.6(+0x7d56d)[0x7f4742aa456d]
/.../tcnative-deps/libapr-1.so.0(apr_allocator_destroy+0x1d)[0x7f472871923d]
/.../tcnative-deps/libapr-1.so.0(apr_pool_terminate+0x30)[0x7f4728719c10]
[0x7f472d018427]

RHEL7 jdk17 tcnative 1.2.35 OpenSSL 1.1.1q
org.apache.tomcat.util.net.TestCustomSslTrustManager FAILED (crashed)
openjdk version "17.0.2" 2022-01-18
OpenJDK Runtime Environment (build 17.0.2+8-86)
OpenJDK 64-Bit Server VM (build 17.0.2+8-86, mixed mode, sharing)
corrupted double-linked list: 0x7f6bb8001d10
=== Backtrace: =
/lib64/libc.so.6(+0x7bfc7)[0x7f6bf481dfc7]
/lib64/libc.so.6(+0x7d774)[0x7f6bf481f774]
/.../tcnative-deps/libapr-1.so.0(apr_allocator_destroy+0x1d)[0x7f6bc543223d]
/.../tcnative-deps/libapr-1.so.0(apr_pool_terminate+0x30)[0x7f6bc5432c10]
[0x7f6bd572249a]

SLES11 oracle_jdk1.8.0 tcnative 2.0.1 OpenSSL 3.0.2
org.apache.tomcat.util.net.TestSsl FAILED (crashed)
java version "1.8.0_331"
Java(TM) SE Runtime Environment (build 1.8.0_331-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.331-b09, mixed mode)
double free or corruption (!prev): 0x7fbf88c1de10
=== Backtrace: =
/lib64/libc.so.6(+0x75018)[0x7fbf87b35018]
/lib64/libc.so.6(cfree+0x6c)[0x7fbf87b39f6c]
/.../tcnative-deps/libapr-1.so.0(apr_allocator_destroy+0x1d)[0x7fbf718a5aad]
/.../tcnative-deps/libapr-1.so.0(apr_pool_terminate+0x34)[0x7fbf718a66f4]
[0x7fbf770264a7]

SLES11 jdk11 tcnative 1.2.35 OpenSSL 1.1.1q
org.apache.tomcat.util.net.TestSsl FAILED (crashed)
openjdk version "11.0.15" 2022-04-19
OpenJDK Runtime Environment 18.9 (build 11.0.15+10)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.15+10, mixed mode)
double free or corruption (!prev): 0x7f4f6bb93040
=== Backtrace: =
/lib64/libc.so.6(+0x75018)[0x7f4f6a171018]
/lib64/libc.so.6(cfree+0x6c)[0x7f4f6a175f6c]
/.../tcnative-deps/libapr-1.so.0(apr_allocator_destroy+0x1d)[0x7f4f49403aad]
/.../tcnative-deps/libapr-1.so.0(apr_pool_terminate+0x34)[0x7f4f494046f4]
[0x7f4f508b88b0]

RHEL 8 Adoptium jdk11 tcnative 1.2.35 OpenSSL 1.1.1q
Test org.apache.tomcat.util.net.TestClientCert FAILED (crashed)

Since they are rare and happen in various tests and version 
combinations, it seems the general shutdown behavior w.r.t. the 
library is not yet perfect.


Once the tests for 10.1 complete, I will see, whether I can force the 
crashes more often by focusing on the TLS tests in 
org.apache.tomcat.util.net.


Best regards,

Rainer


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional 

Re: svn commit: r56264 - /release/tomcat/tomcat-8/v8.5.82/

2022-08-13 Thread Mark Thomas



13 Aug 2022 16:03:03 schu...@apache.org:


Author: schultz
Date: Sat Aug 13 15:03:03 2022
New Revision: 56264

Log:
Drop previous release.

Removed:
    release/tomcat/tomcat-8/v8.5.82/


That looks like the current release. I'm my phone so I can't fix it right 
now. I should be able to fix it in a hour or two but if someone is able 
to get to it sooner, that would be great.


Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE] Release Apache Tomcat 8.5.82

2022-08-11 Thread Mark Thomas

On 10/08/2022 22:16, Christopher Schultz wrote:

On 8/10/22 06:02, Mark Thomas wrote:


Agreed. I also spotted that adding "do.codesigning=true" would help 
repeatable builds. I'll get both of those added.


I don't think we want that to affect people trying to perform their own 
builds. It will fail every time, right? I have do.codesigning=true in 
~/build.properties which should be sufficient for Tomcat release managers.


It shouldn't fail. I was thinking of adding "do.codesigning=true" in 
build.properties.release. The builds are repeatable (assuming the 
timezone issue is fixed) so inserting the detached signature should work.



2. Require UTC.


Can that be done on the CLI for a single process on Windows? It will 
likely work for *NIX no problem. I use a semi-dedicated Windows VM 
for building releases, so I have no problem just switching it to UTC.


I'm not sure. Figuring that out is next on my TODO list. I'd really 
like to make this part of the Ant build script if I can though.


+1

I also really need to switch to building natively on my Mac because 
the whole VM thing is really cramping my style. :)


That should be doable. From memory, wine required a little hoop 
jumping to get working but it didn't take too long.


It's the wine thing that's really stopping me. Ironically, I already 
have Crossover (which is paid-for wine) installed and it would be nice 
it I could just use that, but my guess is it would be enough of a PITA 
to get working that I should just install Vanilla wine and use that.


You might be surprised. The hassle (for me) was getting the initial 
configuration right to run wine in 64-bit mode on MacOS. The build "just 
worked". I was pleasantly surprised when I was working on repeatable 
builds that used wine on Linux to find that the NSIS output was 
identical with no configuration tweaks required.




3. Find a way to force Ant to use a specific timezone.


-Duser.timezone?


That should work. We could require that to be used on the command 
line. I was hoping to find a way to set that within the script so the 
release manager still just has to do a "ant release".


Put it in pre-release, and stash it into build.properties.release?


Agreed. I'm trying to figure out exactly what to put in there.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE] Release Apache Tomcat 8.5.82

2022-08-10 Thread Mark Thomas

On 09/08/2022 20:19, Christopher Schultz wrote:

On 8/9/22 14:09, Mark Thomas wrote:




This issue is the zip files. Time stamps in zip files use local (yes, 
local - I didn't mistype that) time. Hence you need to use the same 
time zone to get a repeatable build.


We have a few options here:

1. Document the time zone in use for the build and require the same 
timezone to be used for repeatable builds.


We might want to do this anyway, regardless.


Agreed. I also spotted that adding "do.codesigning=true" would help 
repeatable builds. I'll get both of those added.



2. Require UTC.


Can that be done on the CLI for a single process on Windows? It will 
likely work for *NIX no problem. I use a semi-dedicated Windows VM for 
building releases, so I have no problem just switching it to UTC.


I'm not sure. Figuring that out is next on my TODO list. I'd really like 
to make this part of the Ant build script if I can though.


I also really need to switch to building natively on my Mac because the 
whole VM thing is really cramping my style. :)


That should be doable. From memory, wine required a little hoop jumping 
to get working but it didn't take too long.



3. Find a way to force Ant to use a specific timezone.


-Duser.timezone?


That should work. We could require that to be used on the command line. 
I was hoping to find a way to set that within the script so the release 
manager still just has to do a "ant release".


I was thinking about a custom Ant task that set the global time zone (if 
there isn't anything built into Any that does that).


Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE] Release Apache Tomcat 8.5.82

2022-08-09 Thread Mark Thomas

On 09/08/2022 16:22, Mark Thomas wrote:

On 09/08/2022 15:46, Mark Thomas wrote:

On 09/08/2022 15:12, Christopher Schultz wrote:

All,

I'm curious to find out if anyone is able to build a byte-for-byte 
identical release given the 8.5.82 tag in GitHub. You won't be able 
to generate the correct signed Windows binaries, of course, but you 
should theoretically be able to build everything else.


TL;DR the build isn't reproducible.

There is something weird going on with time zones and timestamps that I 
haven't got my head around yet. The tar.gz source archive is fine. The 
zip archive is not.


In the release vote files, the files in the zip archive have a timestamp 
15 hours earlier that those in the tar.gz archive. In my local build the 
files in the zip archive have a timestamp 1 hour later than the tar.gz 
archive.


I'm digging into this now.


Good news and bad news.

Once I switched my machine to the same timezone Chris was in when he 
built the release, the release was 100% repeatable.


This issue is the zip files. Time stamps in zip files use local (yes, 
local - I didn't mistype that) time. Hence you need to use the same time 
zone to get a repeatable build.


We have a few options here:

1. Document the time zone in use for the build and require the same 
timezone to be used for repeatable builds.


2. Require UTC.

3. Find a way to force Ant to use a specific timezone.

Thoughts?

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE] Release Apache Tomcat 8.5.82

2022-08-09 Thread Mark Thomas

On 09/08/2022 15:46, Mark Thomas wrote:

On 09/08/2022 15:12, Christopher Schultz wrote:

All,

I'm curious to find out if anyone is able to build a byte-for-byte 
identical release given the 8.5.82 tag in GitHub. You won't be able to 
generate the correct signed Windows binaries, of course, but you 
should theoretically be able to build everything else.


TL;DR the build isn't reproducible.

There is something weird going on with time zones and timestamps that I 
haven't got my head around yet. The tar.gz source archive is fine. The 
zip archive is not.


In the release vote files, the files in the zip archive have a timestamp 
15 hours earlier that those in the tar.gz archive. In my local build the 
files in the zip archive have a timestamp 1 hour later than the tar.gz 
archive.


I'm digging into this now.

Mark


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE] Release Apache Tomcat 8.5.82

2022-08-09 Thread Mark Thomas

On 09/08/2022 15:12, Christopher Schultz wrote:

All,

I'm curious to find out if anyone is able to build a byte-for-byte 
identical release given the 8.5.82 tag in GitHub. You won't be able to 
generate the correct signed Windows binaries, of course, but you should 
theoretically be able to build everything else.


I'll give it a go.

Note that the signed Windows binaries should build correctly. The 
detached signatures for the installer should be in the tag and the 
installer build should be reproducible. It should be possible to insert 
the detached signatures and get a valid, signed Windows binary.


You will need to consult build.properties.release in order to use the 
same toolchain I used.


Hmm. I think I ran the release-prep target before upgrading my JDK to 
its current version. The build.properties.release file states I used 
"Adoptium 11.0.15+10" but in fact I used "Adoptium 11.0.16+8". I'm not 
sure if that will have a significant impact on the build in terms of 
reproducibility.


It will. The JARs that don't get processed by BND will have the Ant and 
JRE version in the manifest.


Wish me luck...

Mark



Thanks,
-chris

On 8/8/22 18:15, Christopher Schultz wrote:

The proposed Apache Tomcat 8.5.82 release is now available for voting.

The notable changes compared to 8.5.81 are:

  - Update the packaged version of the Tomcat Native Library to 1.2.35 to
    pick up Windows binaries built with OpenSSL 1.1.1q.

  - Enable the use of the FIPS provider for TLS enabled Connectors when
    using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards.

  - Improvements to HTTP/2 header handling.

  - Fix CVE-2022-34305, a low severity XSS vulnerability in the
    Form authentication example.

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.82/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1385
The tag is:
https://github.com/apache/tomcat/tree/8.5.82/
237076605ea6b44ec7b97ee1158d5aa7f2f0b53c

The proposed 8.5.82 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 8.5.82 (stable)

-chris

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [tomcat] branch 10.0.x updated: Fix checkstyle warnings

2022-08-08 Thread Mark Thomas

On 08/08/2022 21:29, Christopher Schultz wrote:

Mark,

On 8/8/22 15:37, ma...@apache.org wrote:

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.0.x by this push:
  new 5891d62e53 Fix checkstyle warnings
5891d62e53 is described below


Thanks. I was looking at back-porting your existing changes and I got 
caught up on 8.5.x which requires a slightly different solution from the 
other branches.


No worries. I would have left it but I needed to build Tomcat from 
source and it was quicker to back-port the fix than to edit my 
build.properties to disable checkstyle.


Mark



-chris


commit 5891d62e536d526968ab7dbbddc7324b695edfdc
Author: Mark Thomas 
AuthorDate: Mon Aug 8 13:19:08 2022 +0100

 Fix checkstyle warnings
---
  java/org/apache/catalina/users/MemoryGroup.java    |  1 -
  java/org/apache/catalina/users/MemoryUserDatabase.java | 12 
++--

  2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/java/org/apache/catalina/users/MemoryGroup.java 
b/java/org/apache/catalina/users/MemoryGroup.java

index 9de5b959f9..7f5d90eb2b 100644
--- a/java/org/apache/catalina/users/MemoryGroup.java
+++ b/java/org/apache/catalina/users/MemoryGroup.java
@@ -17,7 +17,6 @@
  package org.apache.catalina.users;
-import org.apache.catalina.Role;
  import org.apache.catalina.UserDatabase;
  import org.apache.tomcat.util.buf.StringUtils;
  import org.apache.tomcat.util.security.Escape;
diff --git a/java/org/apache/catalina/users/MemoryUserDatabase.java 
b/java/org/apache/catalina/users/MemoryUserDatabase.java

index 9c0ce74851..d251bbdbe6 100644
--- a/java/org/apache/catalina/users/MemoryUserDatabase.java
+++ b/java/org/apache/catalina/users/MemoryUserDatabase.java
@@ -296,7 +296,7 @@ public class MemoryUserDatabase implements 
UserDatabase {

  throw new IllegalArgumentException(msg);
  }
-    Group group = new GenericGroup(this, groupname, description, 
null);
+    Group group = new GenericGroup<>(this, groupname, 
description, null);

  readLock.lock();
  try {
  groups.put(group.getGroupname(), group);
@@ -321,7 +321,7 @@ public class MemoryUserDatabase implements 
UserDatabase {

  throw new IllegalArgumentException(msg);
  }
-    Role role = new GenericRole(this, rolename, description);
+    Role role = new GenericRole<>(this, rolename, description);
  readLock.lock();
  try {
  roles.put(role.getRolename(), role);
@@ -348,7 +348,7 @@ public class MemoryUserDatabase implements 
UserDatabase {

  throw new IllegalArgumentException(msg);
  }
-    User user = new GenericUser(this, username, password, 
fullName, null, null);
+    User user = new GenericUser<>(this, username, password, 
fullName, null, null);

  readLock.lock();
  try {
  users.put(user.getUsername(), user);
@@ -622,7 +622,7 @@ public class MemoryUserDatabase implements 
UserDatabase {

  writer.print("\"");
  }
  writer.print(" roles=\"");
-    for(Iterator roles=group.getRoles(); 
roles.hasNext(); ) {
+    for (Iterator roles=group.getRoles(); 
roles.hasNext();) {

  Role role = roles.next();
  writer.print(Escape.xml(role.getRolename()));
  if(roles.hasNext()) {
@@ -646,7 +646,7 @@ public class MemoryUserDatabase implements 
UserDatabase {

  writer.print("\"");
  }
  writer.print(" groups=\"");
-    for(Iterator groups=user.getGroups(); 
groups.hasNext(); ) {
+    for (Iterator groups=user.getGroups(); 
groups.hasNext();) {

  Group group = groups.next();
  writer.print(Escape.xml(group.getGroupname()));
  if(groups.hasNext()) {
@@ -654,7 +654,7 @@ public class MemoryUserDatabase implements 
UserDatabase {

  }
  }
  writer.print("\" roles=\"");
-    for(Iterator roles=user.getRoles(); 
roles.hasNext(); ) {
+    for (Iterator roles=user.getRoles(); 
roles.hasNext();) {

  Role role = roles.next();
  writer.print(Escape.xml(role.getRolename()));
  if(roles.hasNext()) {


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-

Re: Updated HTTP specifications

2022-08-08 Thread Mark Thomas

Thanks for this Konstantin. I hadn't seen that these were progress.

I've reviewed the changes sections of each spec and have updated the 
tests and the HTTP parsing code to reflect these changes/clarifications. 
I also fixed a few edge cases I spotted along the way.


Mark


On 21/07/2022 19:46, Konstantin Kolinko wrote:

Hi!

I updated the list of specifications in our wiki with new versions of
HTTP specifications.
Those were published in June 2022, along with HTTP./3.

https://cwiki.apache.org/confluence/display/TOMCAT/Specifications#Specifications-HTTP,HTTP/2

RFC 9110 (June 2022) - HTTP Semantics
RFC 9111 (June 2022) - HTTP Caching
RFC 9112 (June 2022) - HTTP/1.1
RFC 9113 (June 2022) - HTTP/2
RFC 9114 (June 2022) - HTTP/3

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [tomcat] branch main updated: Do not include sensitive headers in responses to HTTP TRACE requests

2022-08-01 Thread Mark Thomas

On 01/08/2022 18:03, Christopher Schultz wrote:




  private volatile boolean cachedUseLegacyDoHead;
+    static {
+    SENSITIVE_HTTP_HEADERS.add("cookie");
+    SENSITIVE_HTTP_HEADERS.add("www-authenticate");


How about "Authorization"?


That makes more sense than WWW-Authenticate which is the challenge 
rather than the response. I'll get that fixed.


Is there a standard way for HTTP TRACE to reply to the client saying "oh 
and btw I removed the Cookie and Authentication headers you sent, so 
they aren't there but you did send them"?


Unfortunately not.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Do we want to increase the default value of maxHttpHeaderSize?

2022-08-01 Thread Mark Thomas

Hi all,

RFC 9110 recommends supporting URIs of at least 8000 octets in size.

Currently, all versions of Tomcat limit the request line and headers to 
8192 octets by default.


The current limit is, technically, in compliance with RFC 9110 but with 
a ~8000 octet URI there isn't much room left for any HTTP headers. Given 
the recommendation of RFC 9110 do we want to increase this default?


I am currently leaning towards leaving the default as is unless we have 
any evidence that the majority of users are finding they need to 
increase it.


Thoughts?

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[ANN] Apache Tomcat 10.0.23 available

2022-07-26 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 10.0.23.

This release is targeted at Jakarta EE 9.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory. This conversion is performed using the Apache Tomcat 
migration tool for Jakarta EE tool which is also available as a separate 
download for off-line use.


Apache Tomcat 10 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
specifications.

The notable changes compared to 10.0.22 include:

- Implement support for repeatable builds

- Update the packaged version of the Tomcat Native Library to 1.2.35.
  This includes Windows binaries built with with OpenSSL 1.1.1q.

- Fix CVE-2022-34305, a low severity XSS vulnerability in the Form
  authentication example

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[VOTE][RESULT] Release Apache Tomcat 10.0.23

2022-07-26 Thread Mark Thomas

The following votes were cast:

Binding:
+1: markt, remm, jfclere

Non-binding:
+1: Han Li

The vote therefore passes.

Thanks to everyone who contributed to this release.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE] Release Apache Tomcat 10.0.23

2022-07-24 Thread Mark Thomas
Ping. This vote has been open for 10 days and we still need one more PMC 
vote for it to pass.


Mark


On 20/07/2022 19:30, Mark Thomas wrote:

Ping.

We need one more PMC vote for this release.

Mark


On 14/07/2022 10:25, Mark Thomas wrote:

The proposed Apache Tomcat 10.0.23 release is now available for
voting.

Apache Tomcat 10.0.x implements Jakarta EE 9 and, as such, the primary
package for all the specification APIs has changed from javax.* to 
jakarta.*


Applications that run on Tomcat 9 will not run on Tomcat 10 without 
changes. Java EE applications designed for Tomcat 9 and earlier may be 
placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will 
automatically convert them to Jakarta EE and copy them to the webapps 
directory


The notable changes compared to 10.0.22 are:

- Implement support for repeatable builds

- Update the packaged version of the Tomcat Native Library to 1.2.35.
   This includes Windows binaries built with with OpenSSL 1.1.1q.

- Fix CVE-2022-34305, a low severity XSS vulnerability in the Form
   authentication example

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-10.0.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.0.23/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1383

The tag is:
https://github.com/apache/tomcat/tree/10.0.23
cda46e050e09bd394c82ba874633367f80eeb259

The proposed 10.0.23 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.0.23 (stable)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: Delay between release tags and announcement

2022-07-21 Thread Mark Thomas

On 21/07/2022 07:06, Nemo wrote:



What happens if a vote doesn't pass or get vetoed - do the tags get 
deleted?


Release votes cannot be vetoed.

If a release vote doesn't pass, that release doesn't happen. In Tomcat, 
we'll fix whatever the problem was and then do another release. Version 
numbers are cheap so we just use the next one.


Once any artefacts have been made public using that tag - including for 
a release vote we never delete the tag as it is part of the record of 
what was voted on.


If we spot an issue with a tag before anything is uploaded, we will 
delete the tag, fix the issue and re-tag.



Perhaps the tagging/voting process should include a rc tag instead of a
release tag, so as to avoid getting released downstream accidentally?


I don't see that happening.

We have to vote on exactly what is being released. So even if we vote on 
an a.b.c-RC1 its version number has to be a.b.c. That creates an issue 
if we have multiple RCs. When a user reports an issue with version a.b.c 
we can't tell if that is a.b.c-RC1, a.b.c-RC2, a.b.c-RC3 etc.


There are ways to address this with the version number (e.g. add a build 
number) but we have been doing it this way for quite a while and it 
works for us.


Generally, I'd strongly discourage anyone from assuming that GitHub tag 
== ASF release.


Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE] Release Apache Tomcat 10.0.23

2022-07-20 Thread Mark Thomas

Ping.

We need one more PMC vote for this release.

Mark


On 14/07/2022 10:25, Mark Thomas wrote:

The proposed Apache Tomcat 10.0.23 release is now available for
voting.

Apache Tomcat 10.0.x implements Jakarta EE 9 and, as such, the primary
package for all the specification APIs has changed from javax.* to 
jakarta.*


Applications that run on Tomcat 9 will not run on Tomcat 10 without 
changes. Java EE applications designed for Tomcat 9 and earlier may be 
placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will 
automatically convert them to Jakarta EE and copy them to the webapps 
directory


The notable changes compared to 10.0.22 are:

- Implement support for repeatable builds

- Update the packaged version of the Tomcat Native Library to 1.2.35.
   This includes Windows binaries built with with OpenSSL 1.1.1q.

- Fix CVE-2022-34305, a low severity XSS vulnerability in the Form
   authentication example

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-10.0.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.0.23/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1383

The tag is:
https://github.com/apache/tomcat/tree/10.0.23
cda46e050e09bd394c82ba874633367f80eeb259

The proposed 10.0.23 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.0.23 (stable)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



  1   2   3   4   5   6   7   8   9   10   >