craigmcc 01/03/19 20:14:48 Added: . RELEASE-NOTES-4.0-B2.txt Log: Add release notes describing the changes of a prospective Beta 2 release of Tomcat 4.0. Revision Changes Path 1.1 jakarta-tomcat-4.0/RELEASE-NOTES-4.0-B2.txt Index: RELEASE-NOTES-4.0-B2.txt =================================================================== Apache Tomcat Version 4.0 Beta 2 ================================= Release Notes ============= $Id: RELEASE-NOTES-4.0-B2.txt,v 1.1 2001/03/20 04:14:48 craigmcc Exp $ ============ INTRODUCTION: ============ This document describes the changes that have been made in the current beta release of Apache Tomcat, relative to the previous release. Bug reports should be entered at the interim bug reporting system for Jakarta projects at: http://nagoya.apache.org/bugzilla/ Please use project codes "Catalina" and "Jasper" for servlet-related and JSP-related bug reports, respectively. IMPORTANT SECURITY NOTE: This release includes a fix to a "cross site scripting vulnerability" caused by a request URI such as: http://localhost:8080/<SCRIPT>alert(document.cookie)</SCRIPT>.xyz ============ NEW FEATURES: ============ --------------------- Catalina New Features: --------------------- Default WEB.XML File: Add MIME type mappings for WAP related content types. WebdavServlet: Add a Microsoft-specific header in response to an OPTIONS request, mirroring what mod_dav is doing. Valve API: Change the API for Valves so that it properly implements the "inversion of control" design pattern, and is more similar to the API design pattern implemented by javax.servlet.Filter. JNDI Naming Context: Implement a JNDI naming context for use by applications (for the <env-entry> and <resource-ref> elements) and by Catalina (for access to static resources of the web application). Security Manager: Web applications are now run under a security manager, providing fine-grained control over what web apps can do. Web Application Archives: You can now configure Tomcat 4.0 to run web applications directly from a WAR file, instead of having to expand them. Default Context Configuration: You can now specify a default set of configuration directives for contexts that are not explicitly defined. Servlet API Changes: Implement the servlet API changes that have been approved by the JSR-053 Expert Group, and will appear in the next release of the specification. ------------------- Jasper New Features: ------------------- Security Manager: Adapt Jasper to the new feature of running web applications under a security manager. Per-Page Class Loader: Each JSP page is now run in its own class loader. This eliminates the requirement to kludge the class name in the class file itself. This change also improves the performance of JSP pages. Session Persisence: Implement a PersistentManager that can swap sessions out of memory, as well as save them persistently. XML Parser Class Loader: Load the XML parser used by by Jasper from a separate class loader, which eliminates most cases of "package sealing violation" errors when a web application wishes to use Xerces. See the "KNOWN ISSUES" section for more information on this topic. ========================== BUG FIXES AND IMPROVEMENTS: ========================== ------------------ Catalina Bug Fixes: ------------------ DefaultServlet: Return dates on directory listings in GMT format. WebdavServlet: When a PROPFIND is done on a collection which has an encoded URI, the href elements being returned were incorrect. HttpConnector: Make sure that Tomcat will bind to only one IP address when a hostname is specified. AccessLogValve: Fix potential for incorrectly named log files. ResponseBase: setBufferSize() should throw IllegalStateException if any output has been written, *or* the response has been committed. StandardClassLoader: Fix a NullPointerException when the manifest file is missing. HttpRequestBase: Don't try to read parameters if the stream has already been opened. WebdavServlet: Make the DAV collection enumeration code more robust. FileResources: Fix rare NullPointerExceptions when File.list() returns null. DefaultServlet: Fix inclusion problem by catching the IllegalStateException which can be thrown by the servlet container. WebdavServlet: Update PROPFIND to use streaming. ApplicationContext: Return null from HttpServletRequest.getPathTranslated() and ServletContext.getRealPath() if current resources are not filesystem based. HttpResponseBase: Correct isEncodeable() to correctly assume a default port of 443 for https, rather than always assuming the default port is 80. Catalina: The shutdown process now looks up "127.0.0.1" instead of "localhost" when checking for a valid shutdown source. DefaultServlet: Encode unsafe characters in the generated hyperlinks. HttpRequestBase: Improve internationalization support when decoding parameters in a POST request. DefaultServlet: Encode and decode paths using UTF-8, and change the encoding name to UTF8 (UTF-8 is not present in early Java2 versions). WebdavServlet: Rewrite display names in PROPFIND responses. DefaultServlet: Fix more i18n issues with the directory browser. HttpResponseBase: Return a status report for every status except 200/304, emulating Apache 1.3.x behavior as closely as possible. Don't add a "Content-Length: 0" when status is 304. HttpSession: Fix a NullPointerException. HttpRequestImpl: Perform header name comparisons in lower case. JDBCRealm: Trim whitespace on reads from the database. ApplicationDispatcher: Change the propogation method for exceptions thrown by included or forwarded-to servlets. StandardManager/StandardSession: Remove "final" declaration so these classes can be subclassed. StandardServer: Correct the loop control for validating a reversed IP address. Bootstrap: Do not add jndi.jar to the classpath if it is already available via the system classloader (i.e. a JDK 1.3 environment). StandardContext: Fix an initialization problem when listeners and filters couldn't be loaded if they were in a JAR file, or if they were in /WEB-INF/classes and at least one JAR file was present in /WEB-INF/lib. AccessLogValve: Do not resolve host names by default. HttpRequestStream: Fix handling of unsigned bytes. StandardWrapperValve: Correctly report the actual exception that occurred to the error page, as well as the other request attributes. HttpRequestStream: Fix a chunking bug. ApplicationContext: Fix a Watchdog failure on GetResource_1Test. Bootstrap: Add the classes directory last for class loaders. HttpResponseImpl: Do not necessarily close the connection if the status is >= 400. HttpResponseImpl: Only set content length to zero if it is not an error. BasicAuthenticator/DigestAuthenticator: Do not set content length to zero. ResponseStream: Correctly support an offset on the write() method. DefaultServlet: Set the content length when doing a single ranged request, which fixes problems with the HTTP seek feature. HttpResponseImpl/HttpResponseStream: Allow chunking on status 206. DefaultServlet: POST should be treated like GET. FormAuthenticator: Restore correct operation of formn based login. HttpResopnseStream: An end chunk could be printed in the middle of a response if write(byte[] b, int off, int len) was called with len = 0. HttpConnector: If an accept exception occurs, close and reopen the server socket. HttpProcessor: Don't log interrupted I/O exceptions unless debug > 1. StandardWrapper: Modify the special case treatment of loading the Jasper servlet so that it works when you use <jsp-file>, as well as for the usual declaration of the JSP servlet. DefaultServlet: Make most methods protected instead of private, to ease subclassing. ---------------- Jasper Bug Fixes: ---------------- JspParseEventListener: Fix a potential race condition on _jspx_init(). JspServlet: Normalize the path (and use File.toURL()) to make sure the URL is valid. Parser: It is up to the tag implementation to process the body of a tagdependent tag. BodyContentImpl: Remove buffer allocation and array copy to improve performance. ParserController: JSPC did not work well under Windows since the file separator character was assumed to be "/". SimplePool: Fix a race condition. ============================ KNOWN ISSUES IN THIS RELEASE: ============================ ------------------------------------------ Redeploying From a Web Application Archive: ------------------------------------------ If you attempt to undeploy, then redeploy, an application from the same web application archive file URL (where the URL refers to an actual WAR file, not to a directory), the redeploy will fail with error "zip file is closed". There appears to be a problem in the JDK's JarURLConnection class where JAR files are cached, even after they are closed, so that a request for a connection to the same URL returns the previous JarFile object instead of a new one. As a workaround, you should do one of the following: * Change the URL of the web application archive each time you redeploy. * Deploy from an unpacked directory (on the same server) instead of from a WAR file (this is often more convenient in a development environment anyway). -------------------------- Tomcat 4.0 and XML Parsers: -------------------------- Previous versions of Tomcat 4.0 exposed the XML parser used by Jasper (the JAXP/1.1 reference implementation) to web applications. This is no longer the case, because Jasper loads its parser with a new class loader instead. This change was primarily made to deal with "package sealing violation" errors caused by the fact that the "jaxp.jar" and "crimson.jar" files (supplied with the JAXP/1.1 release) are sealed. While this change appears to have eliminated sealing violation problems when running under JDK 1.2, problems have still been reported under JDK 1.3. Until a solution to this problem is implemented, keep the following information in mind with respect to XML parsers. * If you wish to make the JAXP/1.1 RI XML parser available to all web applications, simply move the "jaxp.jar" and "crimson.jar" files from the "$TOMCAT_HOME/jasper" directory to the "$TOMCAT_HOME/lib" directory. * If you wish to make another XML parser that is JAXP/1.1-compatible available to all web applications, install that parser into the "$TOMCAT_HOME/lib" directory and remove "jaxp.jar" and "crimson.jar" from the "$TOMCAT_HOME/jasper" directory. WARNING: No current version of Xerces, including 2.0.0 alpha releases, fully implements the JAXP/1.1 specification. As a result, you will not be able to utilize JSP pages in XML syntax (which requires a parser that is compatible with JAXP/1.1) until Xerces completely implements this specification. * If you wish to include an XML parser (such as Xerces) in the WEB-INF/lib directory of your web application, you may encounter "package sealing violation" errors under JDK 1.3. One solution would be to manually modify the JAXP JAR files (jaxp.jar and crimson.jar) so that they are not sealed (Remove the "sealed" line from META-INF/MANIFEST.MF and re-JAR the files). This is being considered as a permanent solution to the sealing problem, so feedback is requested about successful (or unsuccessful) attempts to use this approach.