craigmcc 01/07/19 23:13:49 Modified: . RELEASE-NOTES-4.0-B6.txt Log: Remove redundant note from the release notes. Revision Changes Path 1.3 +372 -18 jakarta-tomcat-4.0/RELEASE-NOTES-4.0-B6.txt Index: RELEASE-NOTES-4.0-B6.txt =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/RELEASE-NOTES-4.0-B6.txt,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- RELEASE-NOTES-4.0-B6.txt 2001/06/22 20:31:25 1.2 +++ RELEASE-NOTES-4.0-B6.txt 2001/07/20 06:13:49 1.3 @@ -3,7 +3,7 @@ Release Notes ============= -$Id: RELEASE-NOTES-4.0-B6.txt,v 1.2 2001/06/22 20:31:25 glenn Exp $ +$Id: RELEASE-NOTES-4.0-B6.txt,v 1.3 2001/07/20 06:13:49 craigmcc Exp $ ============ @@ -22,6 +22,13 @@ Please report bugs and feature requests under product name "Tomcat 4". +----> SECURITY NOTE: This version of Tomcat fixes a security vulnerability +----> that was first reported on July 16, 2001, related to unnormalized request +----> URI paths bypassing security constraints defined in the web application +----> deployment descriptor. Users who rely on container managed security are +----> *strongly* urged to update to this release of Tomcat 4.0. + + ----> UPCOMING CHANGE NOTICE: In a future beta release of Tomcat 4.0, it ----> is likely that the default operational mode will be to run Tomcat ----> under a security manager (rather than the current default of not 
@@ -40,23 +47,118 @@ ============ +-------------------- +General New Features: +-------------------- + +Tomcat 4.0-beta-6 includes a new, experimental, installer for the Windows +platform. This installer operates in a manner similar to installers for other +applications on Windows, and also lets you install support for executing +Tomcat as a Service under Windows NT. This version of the download is packaged +as a ".exe" file, and contains the same contents as a standard Tomcat binary +distribution. Please try this new installer out and give us your feedback. +--> NOTE: A known issue with this capability is that stopping Tomcat +--> service can take so long that it fails and logs an error in the +--> NT event log. The solution to this problem will be to make the +--> server shutdown time shorter so that the timeout is not exceeded. + +Tomcat 4.0-beta-6 now includes an updated version of the Java side of the +MOD_WEBAPP connector, used to run Tomcat behind Apache. Binary versions of +the MOD_WEBAPP connector for various platforms will be published (in the same +directory where you downloaded Tomcat-4.0-beta-6 shortly). + +Catalina and Jasper now utilize copies of the web application deployment +descriptor and tag library descriptor from the servlet.jar file that is +included (generated from the "jakarta-servletapi-4" repository) instead of +including their own copies. This avoids the risk of having Tomcat use versions +of the DTDs that are out of synchronization with the servlet API classes. + +Updated the build process to make it easier to build Tomcat 4.0 from the +source distribution. Rather than requiring environment variables to be +created, the new scheme allows the use of "build.properties" files (in either +the Tomcat source directory or the user home directory) to define property +values. You can use all standard Ant property replacement expressions in +these definitions. 
As a result, the "build.bat" and "build.sh" scripts are +no longer necessary; simply run the "ant" command directly. See the install +instructions for more information. + +The build scripts have been enhanced to support the compilation and execution +of unit tests for the JUnit unit testing framework <http://www.junit.org>. +A small set of initial tests have been checked in to illustrate the use of +this new feature. + + --------------------- Catalina New Features: --------------------- +Catalina is now in conformance to the requirements of the Servlet 2.3 +Proposed Final Draft 3 Specification, available at: + http://java.sun.com/products/servlet/download.html + Created a new Java SecurityManager permission called JndiPermission for use in setting security policy for file based JNDI named resources. +Started creating developer-oriented documentation for Catalina in an XML +format that should be compatible with whatever presentation technology +that we select. Initial effort is to create "functional specification" +documents that capture the functionality of the default file-serving +servlet, the "invoker" servlet that handles anonymous servlet requests +(/servlet/*), JDBCRealm, and JNDIRealm. + +You can now optionally specify that DNS lookups should be performed when an +application servlet calls request.getRemoteHost(). To enable the lookup, +set the enableLookups property on the corresponding <Connector> element to +"true" (which is also the default). To disable lookups, set this attribute +to "false" instead. + +A new Loader, and corresponding class loader, for web applications +(org.apache.catalina.loader.WebappLoader and +org.apache.catalina.loader.WebappClassLoader) has been created and made the +default, replacing StandardLoader and StandardClassLoader. It implements +the following new features: +* Supports reloading of classes in /WEB-INF/lib/*.jar as well as + /WEB-INF/classes. +* Recognizes JAR files added to /WEB-INF/lib while the web app is running. 
+* Substantially improved efficiency (and therefore faster class loading + performance). +* Correctly scans /WEB-INF/classes before /WEB-INF/lib/*.jar in all cases, + as required by the Servlet 2.3 PFD3 specification. + ------------------- Jasper New Features: ------------------- +Jasper is now in conformance to the requirements of the JSP 1.2 Proposed +Final Draft 3 Specification + http://java.sun.com/products/jsp/download.html + +All remaining areas where Jasper (or Jasper-generated code) refered to +java.io.File objects have been removed, so that JSP-based applications can +be run directly from a WAR file. + +The JSP page compiler now has enhanced compile-time error reporting. If +Jasper detects a Java compilation error on the generated page, it will include +information highlighting the line(s) within your source page where the actual +error actually occurred. + -------------------- Webapps New Features: -------------------- +Created a version of the Manager servlet that supports an HTML interface +for easier administration. To use it, change the <servlet> definition (in +the web.xml file of the Manager application) from +org.apache.catalina.servlets.ManagerServlet to +org.apache.catalina.servlets.HTMLManagerServlet. + +Included support for executing external CGI scripts. To execute them, +create scripts (or executable programs) inside your web application, and +map them to org.apache.catalina.servlets.CGIServlet. By default, the url +pattern "*.cgi" is mapped to this servlet. + ========================== BUG FIXES AND IMPROVEMENTS: ========================== 
@@ -66,37 +168,289 @@ Catalina Bug Fixes: ------------------ +org.apache.catalina.authenticator.FormAuthenticator: Update form based login +processing to be consistent with the requirements of the 2.3 PFD3 spec. +Previously, Catalina did an "internal forward" to display the form login page, +and an "internal forward" to display the originally requested page after +successful authentication. Now, Catalina does HTTP redirects in both cases +(the former is optional but makes relative references in the login page work +correctly; the latter is required by the spec). + +org.apache.catalina.connector.http.*: Replace calls to indexOf("x") by +indexOf('x') and lastIndexOf("x") by lastIndexOf('x') to improve performance. + +org.apache.catalina.connector.http.HttpConnector: Set the TCPNoDelay +property on incoming connections, to avoid unnecessary delays on HTTP/1.1 +persistent connections. + +org.apache.catalina.connector.http.HttpConnector: Implement the documented +behavior that a negative value for the "maxProcessors" property means that +there will be no limit on the total number of processors created. + +org.apache.catalina.connector.http.HttpProcessor: Correctly handle requests +with absolute (instead of server-relative) URLs, as required by the +HTTP/1.1 specification. + +org.apache.catalina.connector.http.HttpProcessor: Skip any leftover bytes +before closing a socket on a connection that has been aborted. + +org.apache.catalina.connector.http.HttpRequestBase: Add a doPrivileged() +block around getSession(), to avoid security exceptions when running under +a security manager. + +org.apache.catalina.connector.http.HttpRequestLine: Correct a buffer size, +which was much larger than necessary. + +org.apache.catalina.connector.http.HttpRequestStream: Correct a potential +NullPointerException where readLineFromStream() might return null because of +network errors and other transient conditions. 
+ +org.apache.catalina.connector.http.HttpResponseBase: Do not send response +headers on an HTTP/0.9 request, as required by the HTTP specification. + +org.apache.catalina.connector.http.SocketInputStream: Correctly handle +HTTP/0.9 requests, as required by the HTTP/1.1 specification. + +org.apache.catalina.core.ApplicationContext: When an "attribute replaced" +event is fired, correctly send the *old* value in the event, not the *new* +value. + +org.apache.catalina.core.ApplicationDispatcher: Modify the way that a +servlet's service() method is invoked to remove compiler complaints on +Win2k/Forte2.0/JDK1.0.0_01. + +org.apache.catalina.core.ApplicationDispatcher: Modify the way that request +dispatching is performed. Previously, Catalina would create request and/or +response wrappers (as needed) around the application-specified request and +response objects, which might themselves be wrappers. This behavior is +prohibited in the Servlet 2.3 PFD3 specification, so it is now implemented +in a different way. Filters and Servlets can now assume that any request or +response wrappers they create will be the same object instances passed to the +service() method of a servlet, unless later wrapped by other application +components. + +org.apache.catalina.core.ApplicationFilterChain: Remove unnecessary +synchronization around the call to the service() method of a +SingleThreadModel servlet, since the wrapper.allocate() method already +guarantees that the same instance will not be allocated to more than one +request at the same time. + +org.apache.catalina.core.StandardContext: Correct the order of operations +during a reload that caused problems reinitializing filters, listeners, and +the manager servlet. + +org.apache.catalina.core.StandardContext: Make the naming context name +unique, to avoid conflicts when multiple engines use the same host and +context names. 
+ +org.apache.catalina.core.StandardContext: When processing an application +restart, erase all application-originated servlet context attributes to avoid +dangling references to object instances created by the old class loader. + +org.apache.catalina.core.StandardContext: When processing an application +restart, reinitialize all <load-on-startup> servlets defined in web.xml, in +the same order that they were called at application startup. + +org.apache.catalina.core.StandardContext: When processing an application +restart, reinitialize the Jasper class loader so that bean references after +the reload work correctly. + +org.apache.catalina.core.StandardContextValve: Bind and unbind the request +processing thread (as well as the class loader), to fix problems with JBoss +and optimized VM-local RMI servers that may replace the context class loader +with their own. + +org.apache.catalina.core.StandardHost: Correct handling of the <alias> +element for assigning host name aliases, which was not being properly +recorded during configuration. + +org.apache.catalina.core.StandardWrapperValve: Correct the invocation of +servlets defined using the <jsp-file> element in the web.xml file. Previously, +the request URI (and therefore the servlet path and path info) seen by the +invoked page was being modified by the container. + +org.apache.catalina.realm.JDBCRealm: Restore a static Digest() method, and +a corresponding static main() method, that was accidentally removed when this +class was refactored. + +org.apache.catalina.loader.StandardClassLoader: Synchronize put() calls that +modify the class cache to avoid ConcurrentModificationException errors in the +background task running the modified() method. + +org.apache.catalina.loader.StandardLoader: Remove useless thread binding +and unbinding during the creation of a Loader. + +org.apache.catalina.loader.StandardLoader: Trickle down any non-zero setting +for the "debug" property to the ClassLoader implementation we create. 
+ +org.apache.catalina.loader.StandardLoader: Copy JAR files from /WEB-INF/lib +to the work directory if the web application is *not* filesystem based, +rather than if it *is* filesystem based. + +org.apache.catalina.servlets.InvokerServlet: Instead of using a request +dispatcher to execute the anonymous servlet on the first invocation, call the +service() method directly. This avoids problems when the invoked servlet is +executed through a RequestDispatcher.forward() call, which would cause the +response to be committed and closed at unexpected times. + +org.apache.catalina.servlets.InvokerServlet: Correct the behavior of the +invoker servlet that caused incorrect 404 errors when invoked servlets were +accessed through a request dispatcher in a chain of two or more forwards or +includes. + +org.apache.catalina.session.StandardManager: Delete the persistent sessions +file, even if there was an error during loading. Also, make sure that the +persistent sessions file is closed during unloading, even if an error occurs. + +org.apache.catalina.sesison.StandardManager: Log an exception and stack trace +when problems occur serializing or deserializing sessions to or from persistent +store during a restart. Previously, such errors would be silently ignored but +would terminate attempts to unload or reload sessions. + +org.apache.catalina.session.StandardSession: When an "attribute replaced" +event is fired, correctly send the *old* value in the event, not the +*new* value. + +org.apache.catalina.session.StandardSession: Log an exception and stack trace +if problems occur during serialization of sessions to persistent store. + +org.apache.catalina.session.StandardSession: If a null attribute name is +specified, throw IllegalArgumentException as documented in the Javadocs. + +org.apache.catalina.startup.Catalina: When no command line arguments at all +are included, print a usage message and exit. 
+ +org.apache.catalina.startup.ContextConfig: Remove useless thread binding +and unbinding, which is now done in StandardContext. + +org.apache.catalina.startup.ContextConfig: Refactor code used to start and +stop subcomponents of a Context into StandardContext, because they are +required when processing web application restarts as well. + +org.apache.catalina.util.xml.XmlMapper: Do not print double debug messages +when processing a method setter that reads its argument from an element body. + +org.apache.catalina.valves.AccessLogValve: Fix the time format used in +access logs to use 00-23 for hours, rather than 01-24. + +org.apache.naming.ContextAccessController: Fix a bug on the access controller +when stopping and restarting a Context. + +org.apache.naming.ContextBindings: Correct an unbindThread() call that was +inadvertently calling itself. + +org.apache.naming.JndiPermission: Create a new permission, rather than using +FilePermission, for access to JNDI based resources. + +org.apache.naming.factory.TyrexDataSourceFactory: The JNDI factory for +JDBC connections now supports Tyrex 0.9.7 as well as Tyrex 0.9.6. + +org.apache.naming.resources.DirContextURLConnection: Fix several possible +NullPointerExceptions when calling getLastModified() and getHeaderField(). + +org.apache.naming.resources.FileDirContext: Deal correctly with Windows +file separators. + +org.apache.naming.resources.ResourceAttributes: Make property setters +public, which makes it possible to plug a directory context external to +Catalina without having to reimplement something like ResourceAttributes, +or having to use BaseAttributes (which would be slower). + +org.apache.naming.resources.jndi.Handler: Create a URLStreamHandler that +respects the package naming conventions of the JDK. + ---------------- Jasper Bug Fixes: ---------------- +org.apache.jasper.JspEngineContext: Make Jasper dynamically retrieve the +web application class loader, instead of doing so only at initialization +time. 
This avoids problems when reloading a web app, where Jasper would +mistakenly maintain references to the old versions of the loaded classes. + +org.apache.jasper.compiler.CharDataGenerator: Do not generate indentation +in println(), which caused problems when rendering runtime expressions. + +org.apache.jasper.compiler.Compiler: Correct a Windows-specific problem in +performing the error line mappinng from the generated Java code back to the +source JSP page. + +org.apache.jasper.compiler.JspCompiler: Remove a case where java.io.File was +used, which prevented correct operation in a web app executed directly from +the WAR file. + +org.apache.jasper.compiler.JspUtil: Correct delimiter and quote escaping in +generated expressions. + +org.apache.jasper.compiler.Parser: Correctly reject a <jsp:params> element +nested inside <jsp:forward> or <jsp:include>. + +org.apache.jasper.compiler.ParserController: Correctly process include +directives and actions with relative URLs, in accordance with the spec. +org.apache.jasper.compiler.TagEndGenerator: Change the variable name +generated for an exception handling block to avoid potential conflicts with +user-defined variable names. + +org.apache.jasper.compiler.TldLocationsCache: Update TLD parsing code so +that it uses ServletContext.getResourcePaths(), rather than direct filesystem +access. + +org.apache.jasper.compiler.XmlOutputter: Correct a syntax error in the XML +output, by properly checking for and closing an element with no body. + +org.apache.jasper.runtime.JspException: Migrate this class from +org.apache.jasper to increase the granularity of package access permissions +when running under a security manager. + +org.apache.jasper.runtime.JspRuntimeLibrary: Fix a class comparison that +caused problems with the generated code when a custom tag property of +type Object was referenced. + +org.apache.jasper.runtime.PageContextImpl: Add a missing "break" +statement on a REQUEST_SCOPE case. 
+ +org.apache.jasper.runtime.PageContextImpl: Fix an "infinite loop" bug when +doing an include followed by a forward, to a page that has an error in it. + +org.apache.jasper.servlet.JasperLoader: Use the context class loader as the +parent class loader for individual JSP pages. + +org.apache.jasper.servlet.JasperLoader: Add a doPrivileged() block around +getContextClassLoader(), to avoid security exceptions when running under +a security manager. + +org.apache.jasper.servlet.JspServlet: Correctly check for modified JSP pages +and cause them to be recompiled (was broken in "beta 5"). + +org.apache.jasper.servlet.JspServlet: Use the thread context class loader, +rather than the class loader ServletContext attribute, to retrieve the web +application class loader. + + ----------------- Webapps Bug Fixes: ----------------- +Several incorrect hyperlinks in the "examples" web application have been +corrected. + +CookieExample: Deal with the fact that request.getCookies() can return null. + +filters.RequestDumperFilter: Deal with the fact that request.getCookies() +can return null. + +org.apache.catalina.servlets.ManagerServlet: Make it possible to subclass +this servlet. +org.apache.catalina.valves.RequestDumperValve: Deal with the fact that +request.getCookies() can return null. + + ============================ KNOWN ISSUES IN THIS RELEASE: ============================ - - ------------------------------------------- -Redeploying From a Web Application Archive: ------------------------------------------- - -If you attempt to undeploy, then redeploy, an application from the same -web application archive file URL (where the URL refers to an actual WAR -file, not to a directory), the redeploy will fail with error "zip file is -closed". There appears to be a problem in the JDK's JarURLConnection class -where JAR files are cached, even after they are closed, so that a request -for a connection to the same URL returns the previous JarFile object instead -of a new one. 
As a workaround, you should do one of the following: -* Change the URL of the web application archive each time you redeploy. -* Deploy from an unpacked directory (on the same server) instead of from - a WAR file (this is often more convenient in a development environment - anyway). --------------------------
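Review bot: The SECURITY NOTE added in the "@@ -22,6 +22,13 @@" hunk says this release fixes the unnormalized request URI bypass of security constraints, but it does not say which earlier Tomcat 4.0 releases are affected or which component was changed. A reader relying on container managed security cannot tell from it whether their installation is exposed. Suggest naming the affected releases in the note and adding a matching entry under "Catalina Bug Fixes", where none of the listed classes mentions path normalization.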
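Review bot: The CGIServlet paragraph at the end of "Webapps New Features" (the "@@ -40,23 +47,118 @@" hunk) states that the url pattern "*.cgi" is mapped to the servlet by default, but it does not say where that mapping is defined or how to remove it. Because the mapping makes scripts inside a web application executable, the paragraph should tell administrators who do not want CGI execution how to turn it off. Minor points in the same hunk: "refered" should be "referred", "where the actual error actually occurred" repeats itself, and in "(in the same directory where you downloaded Tomcat-4.0-beta-6 shortly)" the closing parenthesis belongs before "shortly".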
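Review bot: In the "@@ -66,37 +168,289 @@" hunk, the entry "org.apache.catalina.sesison.StandardManager" misspells the package name, so anyone searching the notes for org.apache.catalina.session will miss the entry about logging session serialization errors. The same hunk has "mappinng" in the Compiler entry, and the TagEndGenerator and RequestDumperValve entries lack the blank "+" separator line that the other entries have before them. Separately, the log message "Remove redundant note" describes only the removal of "Redeploying From a Web Application Archive" at the end of this hunk, while the revision summary shows +372 -18. The log message should also mention the added feature and bug fix lists.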