The Apache Tomcat Servlet/JSP Container

The Apache Tomcat 5.5 Servlet/JSP Container

Changelog

Tomcat 5.5.35 (jim)
Catalina
add Make configuration issues for security related Valves and Filters result in the failure of the valve or filter rather than just a warning message. (markt)
fix Ensure changes to the configuration of the RemoteHostValve and the RemoteAddrValve via JMX are thread-safe. (markt)
update In RequestFilterValve (RemoteAddrValve, RemoteHostValve): refactor value matching logic into separate method and expose this new method isAllowed through JMX. (kkolinko)
add Improve performance of parameter processing for GET and POST requests. Also add an option to limit the maximum number of parameters processed per request. This defaults to 10000. Excessive parameters are ignored. Note that FailedRequestFilter can be used to reject the request if some parameters were ignored. (markt/kkolinko)
add New filter FailedRequestFilter that will reject a request if there were errors during HTTP parameter parsing. (kkolinko)
fix 52384: Do not fail with parameter parsing when debug logging is enabled. (kkolinko, jim)
fix Do not flag extra '&' characters in parameters as parse errors. (kkolinko, jim)
fix Slightly improve performance of UDecoder.convert(). Align %2f handling between implementations. (kkolinko)
fix 52225: Fix ClassCastException when adding an alias for an existing host via JMX. (kkolinko)
fix Do not throw an IllegalArgumentException from a parseParameters() call when a chunked POST request is too large, but treat it like an IO error. (kkolinko)
add Add SetCharacterEncodingFilter (similar to the one contained in the examples web application) to the org.apache.catalina.filters package so it is available for all web applications. (kkolinko)
General
update Update Eclipse compiler to 3.7 and switch to using ecj.jar. (markt)
Coyote
fix Improve multi-byte character handling in all connectors. (rjung)
Jasper
fix 52335: Only handle <\% and not \% as escaped in template text. (markt)
Webapps
fix 52049: Improve setup instructions for running as a Windows service: correct information on how a JRE is identified and selected. (kkolinko)
update 52172: Update Tomcat build instructions. Includes changes proposed by bmargulies. (kkolinko)
fix 52243: Improve windows service documentation to clarify how to include # and/or ; in the value of an environment variable that is passed to the service. (markt)
Other
fix 52059: Ensure Windows registry keys are removed when using the un-install option of the Windows installer. (markt)
Tomcat 5.5.34 (jim) released 2011-09-22
General
update Update Tomcat-Native to 1.1.22. (jim)
update Fix CVE-2011-2729. Update to Commons Daemon 1.0.7. (markt)
fix 33262: When using the Windows installer, the monitor is now auto-started for the current user rather than all users to be consistent with menu item creation. (markt)
fix 40510: Provide an option within the Windows installer to create menu entries for the current user or all users. (markt)
fix 50949: Add the ability to specify the AJP port and the shutdown port when using the Windows installer. (markt)
fix 51135: Fix auto-detection of JAVA_HOME for 64-bit Windows platforms that only have a 32-bit JVM installed when using the Windows installer. (markt)
Catalina
fix 27988: Improve reporting of missing files. (markt)
fix 28852: Add URL encoding where missing to parameters in URLs presented by Ant tasks to the Manager application. Based on a patch by Stephane Bailliez. (mark)
fix 41179: Return 404 rather than 400 for requests to the ROOT context when no ROOT context has been deployed. (markt)
fix 50189: Once the application has finished writing to the response, prevent further reads from the request since this causes various problems in the connectors which do not expect this. (markt)
fix Fix CVE-2011-2204. Prevent user passwords appearing in log files if a runtime exception (e.g. OOME) occurs while creating a new user for a MemoryUserDatabase via JMX. (markt)
fix 51042: Don't trigger session creation listeners when a session ID is changed as part of the authentication process. (markt)
fix 51324: Improve handling of exceptions when flushing the response buffer to ensure that the doFlush flag does not get stuck in the enabled state. Patch provided by Jeremy Norris. (kkolinko)
fix 51403: Avoid NullPointerException in JULI FileHandler if formatter is misconfigured. (kkolinko)
fix 51473: Fix concatenation of values in SecurityConfig.setSecurityProperty() when the value provided by JRE is null. (kkolinko)
fix 51550: Internal errors in Tomcat components that process requests before they are passed to a web application, such as Authenticators, now return a 500 response rather than a 200 response. (markt)
add CVE-2011-1184: Add additional configuration options to the DIGEST authenticator. (markt)
Coyote
fix Fix CVE-2011-2526. Protect against crashes (HTTP APR) if sendfile is configured to send more data than is available in the file. (markt)
fix 50394: Return -1 from read operation instead of throwing an exception when encountering an EOF with the HTTP APR connector. (kkolinko)
fix 50744: Skip the SSL configuration check on platforms where an unbounded socket cannot be created. (kkolinko)
fix 51073: Throw an exception and do not start the APR connector if it is configured for SSL and an invalid value is provided for SSLProtocol. (markt)
fix 51698: Fix CVE-2011-3190. Prevent AJP message injection. (markt)
add Detect incomplete AJP messages and reject the associated request if one is found. (markt)
Jasper
fix 36362: Handle the case where tag file attributes (which can use any valid XML name) have a name which is not a Java identifier. (markt)
fix Fix possible threading issue in JSP compilation when development mode is enabled. (markt)
Cluster
fix 48717: Ensure session activation events are fired. (markt)
fix 50771: Ensure HttpServletRequest#getAuthType() returns the name of the authentication scheme if request has already been authenticated. (kfujino)
fix 51647: Fix session replication when a session attribute is a Java dynamic proxy. Based on a patch by Tomasz Skutnik. (markt)
Webapps
fix 41498: Add the allRolesMode attribute to the Realm configuration page in the documentation web application. (markt)
update Configure Security Manager How-To to include a copy of the actual conf/catalina.policy file when the documentation is built, rather than maintaining a copy of its content. (kkolinko)
fix 48997: Fix some typos and improve cross-referencing to the HTTP Connector and APR documentation with the SSL How-To page of the documentation web application. (markt)
Other
fix Align jpda settings in catalina.bat with catalina.sh, tc6.0.x, tc7.0.x and trunk. (markt)
update Clarify error messages in *.sh files to mention that if a script is not found it might be because execute permission is needed. (kkolinko)
Tomcat 5.5.33 (jim) released 2011-02-10
General
fix Fix permissions of version.sh in bin tarball. (rjung)
fix 45332, 45852, 50140: Backport numerous improvements to the Windows installer. Specify the correct encoding (the current Windows code page) rather than assuming UTF-8 when creating tomcat-users.xml - 45332, 45852. Update install/uninstall icons. Create an installation log. Allow 32-bit JVMs to be selected when installing on a 64-bit platform. Do not ignore install directory if it is specified with the command line switch on 64-bit platforms - 50140. Add support for the /? command line switch. Replace the .ini files with the script equivalents. Provide the ability to edit the roles for the added user. Clean up fully after installation. Add DetailPrint statements for operations that may take time. Improve the descriptions of the components. (kkolinko, mturk, markt)
add Add roles (admin-gui, admin-script, manager-gui, manager-script, manager-jmx, manager-status) to the Manager, Host Manager and Admin applications to allow more fine-grained control of permissions. The old roles are deprecated but will still work in the same way. (kkolinko)
Catalina
fix Improve HTTP specification compliance in support of the Accept-Language header. This protects against a known exploit of the Oracle JVM bug that triggers a DoS, CVE-2010-4476. (kkolinko)
fix 50620: Stop exceptions that occur during Session.endAccess() from preventing the normal completion of Request.recycle(). (markt/kkolinko)
Coyote
update Remove JSSE13Factory, JSSE13SocketFactory classes, as Tomcat 5.5 always runs on JRE 1.4 or later. (kkolinko)
fix 50325: When the JVM indicates support for RFC 5746, disable Tomcat's allowUnsafeLegacyRenegotiation configuration attribute and use the JVM configuration to control renegotiation. (markt/kkolinko)
Tomcat 5.5.32 (jim) released 2011-02-01
General
update Update to Commons Daemon 1.0.5. (mturk)
update Update to commons-pool 1.5.5. (markt)
fix Ensure POM files have correct line endings in source distributions. (rjung/markt)
Catalina
add 43960: Expose available property of StandardWrapper via JMX. (markt)
fix 50131: Avoid possible NPE in debug output in PersistentValve. Patch provided by sebb. (kkolinko)
fix 50413: Ensure 304s are not returned when using static files as error pages. (markt/kkolinko)
fix Avoid unnecessary cast in StandardContext. (markt)
fix 50460: Avoid a possible memory leak caused by using a cached exception instance. (kkolinko)
fix 50550: When a new directory is created (e.g. via WebDAV) ensure that a subsequent request for that directory does not result in a 404 response. (markt/kkolinko)
Coyote
fix 47913: Return the IP address rather than null for getRemoteHost() with the APR connector if the IP address does not resolve. (markt)
fix 49521: Disable scanning for a free port in Jk AJP/1.3 connector by default. Do not change maxPort field value of ChannelSocket in its setPort() and init() methods. Add support for maxPort attribute on a Connector element as a synonym for channelSocket.maxPort. (kkolinko)
Jasper
fix 49935: Handle compilation of recursive tag files. (markt)
Cluster
fix Improve sending of access messages in DeltaManager. The maxInactiveInterval of the session, not of the Manager, is used. If maxInactiveInterval is negative, an access message is not sent. (kfujino)
fix 50547: Add time stamp for CHANGE_SESSION_ID message and SESSION_EXPIRED message. (kfujino)
Webapps
add 50294: Add more information to documentation regarding format of configuration files. Patch provided by Luke Meyer. (markt)
update Improve documentation of database connection factory. (rjung)
fix Improve filtering of Manager display output. (kkolinko)
update Configure the Admin, Manager and Host-Manager web applications to use HttpOnly flag for their session cookies. (kkolinko)
Tomcat 5.5.31 (jim) released 2010-09-16
General
fix Add svn:executable property to some script files and remove it from non-executable files. (rjung)
Catalina
fix 38113: Add system property (ALLOW_EMPTY_QUERY_STRING) to allow spec compliant handling of query string. (markt/kkolinko/jim)
fix Return a copy of the URL being used from the webapp class loader, not the original array. (kkolinko/markt)
fix 49749: Use HttpOnly flag of current context when generating a Single-Sign-On cookie. (markt)
Coyote
fix 49718: Fix regression in previous fix for 46984 caused by the patch being applied to the wrong section of code. The regression caused HTTP 0.9 requests to fail. (markt)
Webapps
fix 49585: Update JSVC documentation to reflect new packaging of Commons Daemon. (markt)
fix 49774: Add support for SSL with either JSSE or APR based connectors to the admin app. (markt)
Cluster
fix Add Null check when CHANGE_SESSION_ID message received. (kfujino)
Tomcat 5.5.30 (jim) released 2010-07-09
General
update Update to Commons Daemon 1.0.2. Use service launcher (procrun) from the Commons Daemon release. Do not keep a copy of it in our source tree. (mturk/kkolinko)
update Update to NSIS 2.46. (kkolinko)
update Update to Apache Commons DBCP 1.3. (markt)
fix 48840: Swallow output (if any) from use of cd when determining $CATALINA_HOME in catalina.sh and tool-wrapper.sh scripts. Based on patch provided by mdietze. (markt/kkolinko)
fix 49236: Do not use indexing when packing Tomcat JARs. (kkolinko)
fix 48990: Build windows distributions correctly on Linux and add support for the skip.installer property. (kkolinko)
Catalina
fix Fix CVE-2010-1157. Prevent possible disclosure of host name or IP address via the HTTP WWW-Authenticate header when using BASIC or DIGEST authentication. (markt)
fix 44041, 48694: Fix duplicate class definition under load. Avoid possible deadlock in class loading. (markt/kkolinko)
fix 47774: Ensure web application class loader is used when calling session listeners. (kfujino)
update 48179: Improve error handling when reading or writing TLD cache file ("tldCache.ser"). (kkolinko)
fix 49398: ByteChunk.indexOf(String, int, int, int) could not find a string of length 1. (kkolinko)
fix Ensure all required i18n messages are present for the APR/native Listener. (kkolinko)
fix Fix possible overflows when calculating session statistics. (kkolinko)
fix 49424: Avoid NPE if client provides no data with a chunked POST request. (markt)
fix Minor code cleanup in AccessLogValve and FastCommonAccessLogValve classes. (kkolinko)
Coyote
fix Arrange filter logic. (jfclere)
fix 48613: Only attempt APR/native connector initialization if the Listener element has been specified in server.xml. (fhanik/kkolinko)
fix 48843: Prevent possible deadlock and correct queue handling for worker allocation in APR connectors. (kkolinko)
fix Use chunked encoding for http 1.1 responses with no content-length (regardless of keep-alive) so client can differentiate between complete and partial responses. (markt)
Jasper
fix 42390, 48616: Fix compilation error with some nested tag files and simple tags. Do not declare or synchronize scripting variables for JSP fragments since they are scriptless. (kkolinko)
fix 47878: Return “404”s rather than a permanent “500” if a JSP is deleted. Make sure first response after deletion is correct. (markt/kkolinko)
fix 48701: Add a system property to allow disabling enforcement of JSP.5.3. The specification recommends, but does not require, this enforcement. (kkolinko)
fix 48580: Prevent AccessControlException when running under a security manager if the first access is to a JSP that uses a FunctionMapper. (markt/kkolinko)
fix 49196: Avoid NullPointerException in PageContext.getErrorData() if an error-handling JSP page is called directly. (kkolinko)
Cluster
fix 48717: When a node joins a cluster and it receives all the current sessions, ensure the sessionCreated event is fired if the Manager is configured to replicate session events. (markt)
fix 49170: Do not send duplicated session. (kfujino)
fix 49445: When session ID is changed after authentication, ensure the DeltaManager replicates the change in ID to the other nodes in the cluster. (kfujino)
Webapps
add Backport documentation stylesheet improvements from Tomcat 6: use CSS styles to provide printer-friendly layout, support generation of TOC tables, support links to revision numbers, use underscores instead of spaces in anchor names. (kkolinko)
Tomcat 5.5.29 (fhanik) released 2010-04-20
General
add 37847: Make location and filename of catalina.out configurable in catalina.sh. (fhanik/kkolinko)
fix 47609: Provide fail-safe EOL conversion for build process. (sebb/markt/kkolinko)
fix 47689: Enable the test Ant target to work. (markt)
fix 47712: Loading tcnative was broken in 5.5.28. (rjung)
fix Correct CVE-2009-3548. When installed via the Windows installer and using defaults, don't create an administrative user with a blank password. Additionally, the administrative user is only created if the manager or host-manager web applications are selected for installation. (markt/kkolinko)
update Deprecate the jni Buffer and Thread classes. (rjung)
update Include 32-bit and 64-bit versions of Tomcat Native DLLs into the Windows installer, instead of downloading them from a web site during install, and allow it to automatically select the correct one for the current platform. (kkolinko/mturk)
update Update Windows installer to use NSIS 2.45. (kkolinko)
update Update to commons-pool 1.5.4. This fixes regressions in 1.5.2. (markt)
fix Align server.xml installed by the Windows installer with the one bundled in zip/tar.gz archives. (kkolinko)
fix Encode all property files using ascii escaped UTF-8. (rjung)
fix Correct MD5 generation in the build process. (kkolinko)
Catalina
fix 37848: Re-fix. Don't display info output when there is no terminal. (markt)
fix 39231: Call LoginModule.logout() when using JAASRealm. (markt/kkolinko)
fix 39844: Fix NPE when performing a non-HTTP forward. (billbarker)
fix 41059: Reduce the chances of errors when using ENABLE_CLEAR_REFERENCES. Patch by Curt Arnold. (markt)
add 45255: Add the ability to change session ID on authentication to protect against session fixation attacks. This is disabled by default. (markt/kkolinko)
fix 46967: Better handling of errors when trying to use Manager.randomFile. Based on a patch by Kirk Wolf. (kkolinko)
fix 47518: Correct reference in Valve Javadoc that referred to an old method. Patch provided by Christopher Schultz. (markt)
fix 47537: Return an error page rather than a zero length 200 response if the forward to the login or error page fails during FORM authentication. (markt)
fix 47718: Fix file descriptor leak on context stop/reload. Patch provided by George Sexton. (markt)
fix 47826: Correct error in debug message in org.apache.catalina.Bootstrap (markt)
fix 47963: Ensure that any HTTP status messages are compliant with RFC2616. (markt/kkolinko)
fix 47997: Enable the NamingResourcesMBean to work with non-Server (i.e. Context) containers. Patch provided by Michael Allman. (markt)
fix 48004: Allow applications to set the Server header. (markt)
fix 48007: Improve exception processing in CustomObjectInputStream. (kkolinko)
fix 48049: Fix copy and paste error so NamingContext.destroySubContext() works correctly. Patch provided by gingyang.xu (markt)
update 48097: Make WebappClassLoader not swallow AccessControlException. (kkolinko)
fix 48097: Avoid throwing an AccessControlException which can lead to a NoClassDefFoundError on first access of first jsp. (kkolinko/markt)
fix 48322: Single quote characters are not HTTP separators and should not be treated as such in the cookie handling. (markt)
add Provide an option to allow the use of equals characters in cookie values. (markt)
fix 48516: Prevent NPE in JNDIRealm if requested user does not exist. Patch provided by Kevin Conaway. (markt)
fix 48577: Filter URL when displaying missing included page. (markt)
fix 48760: Remove race condition that can result in multiple threads trying to use the same InputStream. (markt)
fix Add an additional permission required by JULI when running under newer JDKs and a security manager. (markt)
fix Close resource stream in WebappClassLoader after read error. (pero)
fix Do not swallow exceptions in ApplicationContextFacade.doPrivileged() (kkolinko)
fix Various related (un)deploy improvements including: better handling of failed (un)deployment; adding checking for invalid zip file entries that don't make sense in a WAR file; and improved validation of WAR file names. These changes address CVE-2009-2693, CVE-2009-2901 and CVE-2009-2902.
Coyote
fix 43327: Allow APR/native connector to work correctly on systems when IPv6 is enabled. (markt)
fix 46950: Support SSL renegotiation with APR/native connector. Note that this requires APR/native 1.1.17 or later. (markt)
fix 47225: Fix error in calculation of a buffer length in the mapper. (markt)
fix 47744: Prevent a medium term memory leak if using SSL with the JSSE provider and also using a security manager. Based on a patch by Greg Vanore. (markt)
fix 47987: Limit size of not found resources cache. (markt)
fix 48109: Ensure InputStream is closed in WebappClassLoader on error conditions. (markt)
fix 48311: APR should not be initialised if the APR life-cycle listener is not enabled. (markt)
fix 48581: Avoid security exception on first access. (markt)
fix 48584: Prevent the APR connector logging an error if the acceptor fails during shutdown since this is expected. (mturk)
fix CVE-2009-3555. Provide option to disable legacy SSL renegotiation. (markt/costin)
fix Fix Windows installer to bundle an up-to-date version of native/APR with it. When asked to install TC-Native it was downloading some very old (1.1.4) version of it from the HEAnet site. (kkolinko)
update Update the native/APR library version bundled with Tomcat to 1.1.20. (kkolinko)
update Update recommended version for native to 1.1.19. (rjung)
fix Remove unneeded line from the method that normalizes decodedURI. (kkolinko)
Jasper
fix 38797: Fix regression in previous fix for this bug. (markt)
fix 41661: Fix thread safety issue in JspConfig.init() (markt)
fix 41824: Need to use canonical rather than binary form when writing code. (markt)
fix 46907: Don't swallow input stream when debug logging is enabled. (markt)
fix 48582: Avoid NPE on background compile. (markt)
Cluster
fix DeltaManager needs to replicate changed attributes even if session gets invalidated. Otherwise session listeners will not see the right data on the secondary nodes. (rjung)
fix Remove unnecessary Java5 dependencies. (markt)
fix 46384: Correct synchronisation issue that could lead to a cluster member disappearing permanently. (markt)
fix 47554: Include httpOnly attribute when re-writing session cookie after fail over. (markt)
Webapps
fix 41564: Add some information on installing Tomcat as a service on operating systems with User Account Control, e.g. Vista. (markt)
fix 47656: Add information to documentation on system property replacement in configuration files. (markt)
fix 47769: Clarify the JNDI docs with respect to use of <resource-ref> and related elements, specifically when they are required and when they may be omitted. (markt)
fix 48381: Add information on how Tomcat treats host names to the host configuration documentation. (markt)
add 48530: Add information on the Manager Server Status page to the Manager How-To in the documentation webapp. Based on a patch by Arnaud Espy. (markt)
add 48532: Add information to the BIO/NIO SSL configuration page in the documentation web application to specify how the defaults for the various trust store attributes are determined. (markt)
fix 48686: Fix deleting a host via the Administration web application rather than failing with an HTTP 500 response. (markt)
add Make changelog.xml be directly rendered as HTML by certain browsers. (kkolinko)
Tomcat 5.5.28 (fhanik) released 2009-09-04
General
fix 39194: Make the setting of the classpath consistent for the .sh and .bat startup scripts. (markt/kkolinko)
fix 45880: Include NOTICE file in Windows installer and make sure src files are excluded. (markt)
update Update to NSIS 2.44 (kkolinko)
update Build scripts: Use different values for ${tomcat-dbcp.home} and ${jasper-compiler-jdt.home} in tomcat-deps. Fix download task checks for commons-pool and commons-dbcp. (kkolinko)
add Add the 64-bit windows service binaries to the distribution and get the Windows installer to automatically select the correct one for the current platform. (markt/kkolinko)
update Update to commons-pool 1.5.2. This includes various fixes to prevent deadlocks, reduce syncs and make object allocation occur fairly - i.e. objects are allocated to threads in the order that the threads request them. This fixes a number of issues with the version of DBCP embedded within Tomcat. (markt)
update Update Tomcat Windows service application (procrun) to version 2.0.5. It contains a fix for issue 41538 (mturk)
fix 47149: Explicitly specify encoding when performing filtering during copy, fixcrlf or replace operations in build scripts. Don't add blank lines to files when fixing line endings. Explicitly specify encoding when compiling. (kkolinko)
fix 47464: Some class files were accidentally included into the source distributions of TC 5.5.27. (kkolinko)
docs Document that building Tomcat requires Ant 1.6.2 or later. (kkolinko)
Catalina
fix 37458: Fix sync error that may lead to NPE in rare circumstances. Patch by Konstantin Kolinko. (markt)
fix 37498: Fall back to container log if application log is unavailable during context destruction. (markt)
fix 37794: Handle POSTed parameters when sent with chunked encoding. (markt)
fix 37984: Strip {MD5} as well as {SHA} if present in digest passwords in LDAP directories. (markt)
fix 38553: A lack of certificates is normal if a user doesn't have a certificate. Return a 401 rather than a 400 in this case. (markt)
fix 38570: When checking docBase against appBase, make sure we check for an exact match against the appBase. (markt)
fix 39013: When testing for an invalid docBase, use an exact match for the appBase. (markt)
fix 39396: Only include TRACE in an OPTIONS response if we know it has been enabled. (markt)
fix Remove wrong "No role found" realm debug log message, even if a role was found. (rjung)
fix 39997: Add the SSLRandomSeed option to the AprLifecycleListener to enable faster starts on development systems. (markt)
fix 40380: Fix potential synchronization issue in StandardSession.expire(). (markt)
fix 41407: JAAS Realm now works with CLIENT-CERT authentication. (markt)
add 42419: Add a system property that enables the name of the session cookie and session path parameter to be configured. (markt)
fix 42579: Support both relative and absolute search results in the JNDI Realm implementation. Patch provided by Brandon DuRette. (markt)
fix 42707: Make adding a host alias via JMX take effect immediately. (markt)
fix 43343: Correctly handle requesting a session we are in the middle of persisting. Based on a suggestion by Wade Chandler. (markt/kkolinko)
add 44382: Add support for using httpOnly for session cookies. This is disabled by default. (markt/fhanik)
fix 45576: JAAS Realm now works with DIGEST authentication. (markt)
fix 45628: JARs that do not declare any dependencies should always be considered as fulfilled. (markt)
fix 45933: Don't use a web application provided parser to process TLD files. (markt)
fix 45996: Add Accept-Ranges header to responses from the DefaultServlet with an option to disable it. (markt)
fix 46105: Correctly set URI encoding when replaying a request after FORM authentication. (markt)
fix 46408: Correct possible invalid case in SecurityUtil. (markt)
fix 46552: Return a 400 response rather than a 200 response if the request headers are too large. (markt)
fix 46597: Port all cookie handling changes from Tomcat 6.0.x. (markt)
fix 46606: Make max depth limit for WebDAV servlet configurable. (markt)
fix 46717: Fix hard to reproduce thread safety issue with session expiration. (markt)
fix 46982: Fix DST problem with AccessLogValve. (markt)
fix Improve handling of situation where web application tries to configure logging at the context level but the security policy prevents this. (markt/rjung)
fix Fix an information disclosure vulnerability in a number of the Realms that allowed user enumeration when using FORM authentication. This is CVE-2009-0580. (markt)
fix Fix various WebDAV compliance issues identified by the Litmus test suite. (markt)
fix Use a better default (webapps) for a Host's appBase. (idarwin/markt)
fix 44943: Reduce copy/paste issues caused by different engine names in server.xml. (markt, kkolinko)
fix Remove obsolete classpath entry for commons-logging from start script. It is already present in the classpath set by the manifest in bootstrap.jar. (rjung)
fix 38483: Thread safety issues in AccessLogValve classes. (kkolinko)
add Allow log file encoding to be configured for JULI FileHandler. (kkolinko)
Jasper
fix 36923: Parse deactivated EL expressions correctly. (markt)
fix 37084: Fix JspC compilation with Ant when compiling JSPs that use a custom taglib. (markt/kkolinko)
fix 37515: Add options for Java 1.6 and 1.7 to the JDT compiler. (markt)
fix 38197: Fix tag pooling when tags are used with jsp:attribute. (markt)
fix 38352: Make the directory defined by javax.servlet.context.tempdir readable for JSPs when running under a security manager as required by the specification. (markt)
fix 38797: Revert previous fix for 37933 and implement a new fix that does not have the side effects described in 38797.
fix 38897: Add uri of broken TLD to error message to aid debugging. (markt)
fix 41606: Fix double initialisation of JSPs. Patch provided by Chris Halstead. (markt)
fix 45666: Fix infinite loop on include. Patch provided by Tom Wadzinski. (markt)
fix 46354: Fix ArrayIndexOutOfBoundsException when using org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER=true. Patch provided by Konstantin Kolinko. (markt)
fix 46909: Only include semi-colon in type attribute for <jsp:plugin> when it is required. (markt)
Cluster
fix Fix minor memory leak found by find bugs. (markt, rjung)
fix 40551: Enable the JvmRouteBinderValve to work with PersistentManagers as well as clustering. Patch by Chris Chandler. (markt)
fix 46357: Corrected test for host's parent must be an engine. (markt, rjung)
update 45317: Properly log the value of the state transfer timeout flag. (fhanik, rjung)
fix 45279: Properly close multicast socket. (fhanik, rjung)
fix 45447: Add Spanish resource files. Patch provided by Jesus Marin. (markt, rjung)
fix 46990: Fix synchronization issues in cluster membership reported by FindBugs. Patch provided by Sebb. (markt, rjung)
fix 47389: DeltaManager doesn't do session replication if notifySessionListenersOnReplication=false. Patch by Keiichi Fujino. (fhanik, rjung)
fix Separate statistics counter lock in FastAsyncSocketSender from inherited DataSender lock to reduce blocking during failed node detection. (rjung)
fix Handle the situation of session ID rewriting on fail-over with parallel requests from the same client. (pero)
fix 43641: Use of bind attribute for membership element breaks multicast. (rjung)
Webapps
fix Fix CVE-2009-0781. XSS in calendar example. (markt)
fix 36574: Fix broken PDFs. (markt)
fix 39603: Admin app only showed ROOT web application when clustering was enabled. (markt)
fix 47032: Fix /status/all in Manager webapp when using the PersistentManager. (markt)
fix 47235: Remove use of autoReconnect from MySQL examples. (mark)
fix 46509: Use correct link on error page in JSP security example. Patch provided by Michael Moody. (markt)
fix 46562: Close file when reading has finished when using SSI. (markt)
Coyote
fix 37869: Correctly extract client certificates, including the full certificate chain when using the APR/native HTTP connector. (markt)
fix 39637: Correctly extract client certificates, including the full certificate chain when using the AJP connectors. Patch by Patrik Schnellmann. (markt)
update Set remote port for AJP connectors from the optional request attribute AJP_REMOTE_PORT. (rjung)
fix 45026: Never return an empty HTTP status reason phrase. mod_jk and httpd 2.x do not like that. (rjung)
fix 45528: An invalid SSL configuration could cause an infinite logging loop on startup. (markt)
fix 46984: Reject requests with invalid HTTP methods with a 400 rather than a 501. (markt)
update Update the APR/native connector to 1.1.16. (markt, kkolinko)
fix Correct potential DOS issue in Java AJP connector when processing invalid request headers. This is CVE-2009-0033. (markt)
fix Make DateTool thread safe. (fhanik)
Tomcat 5.5.27 (fhanik) released 2008-09-08
General
fix 44463: War file upload in manager webapp fails due to missing commons-io dependency. Added commons-io 1.4. (rjung)
Catalina
fix 46770: Don't send duplicate headers when using flushBuffer(). (rjung)
fix 44021, 43013: Add support for # to signify multi-level contexts for directories and wars.
fix 44494: Backport from 6.0 (rjung)
fix Add additional checks for URI normalization. (remm)
fix Don't throw an ArrayIndexOutOfBoundsException when empty URL is requested. Patch provided by Charles R Caldarale. (markt)
fix 29936: Don't use parser from a webapp to parse web.xml and possibly context.xml files. (markt)
fix 43079: Correct pattern verification for suspicious URLs. Patch provided by John Kew. (markt)
fix 43080: Log suspicious URL pattern warnings to the correct web application. (markt)
fix 43117: Setting an empty workDIR could delete all of CATALINA_HOME. Patch provided by Takayuki Kaneko. (markt)
fix 44282: Prevent security exception in trace level logging for web application class loader when running under a security manager. (markt)
fix 44529: No roles specified (deny all) should take precedence over no auth-constraint specified (allow-all). (markt)
fix 43578: Enable start on Linux if $CATALINA_HOME contains a space. Original patch provided by Ray Sauers with improvements by Ian Ward Comfort. (markt)
fix 44673: Throw IOE if ServletInputStream is closed and a call is made to any read(), ready(), mark(), reset(), or skip() method as per javadocs for Reader. (markt)
fix Enable the CGIServlet to work with Windows Vista. (markt)
fix Add additional permission required to read JDK logging configuration when running with a security manager. (markt)
fix 44943: Reduce copy/paste issues caused by different engine names in server.xml. (markt)
fix 45195: Prevent NPE when calling Session.getAttribute(null) and Session.removeAttribute(null). The spec is unclear but this is a regression from 5.0.x. (markt)
fix 45293: Update name of commons-logging jar in security policy. (markt)
fix 45453: Fix race condition in JDBC Realm. Based on a patch provided by Santtu Hyrkkö. (markt)
fix JAAS Realm did not read role information for users. (markt)
fix 46683: Fix typo in French localisation file name for the org.apache.catalina.loader package. (markt)
Coyote
update Log errors for AJP signoffs at DEBUG level, since it is harmless if mod_jk has hung up the phone. (billbarker)
fix 42727: Handle request lines that are exact multiples of 4096 in length. Patch provided by Will Pugh. (markt)
fix 43191: Compression could not be disabled for some file types. Based on a patch by Len Popp. (markt)
fix 45591: Fix NPE on shutdown failure in some cases. Based on a patch by Matt Passell. (markt)
Jasper
fix 31257: Quote endorsed dirs if they contain a space. (markt)
fix 42943: Make sure nested element is inside <jsp:text> element before throwing exception. (markt)
fix 44877: Prevent collisions in tag pool names. (markt)
fix 45015: Enforce JSP spec rules on quoting in attributes. This is configurable using the system property org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING. (markt)
Webapps
fix 42899: When saving config from admin app, correctly handle case where the old config file does not exist. (markt)
fix 44541: Document packetSize attribute for AJP connector. (markt)
fix 44715: Document use of secret for AJP connector. (markt)
update 45323: Add note that context.xml files can only contain a single Context element. (markt)
fix Update JNDI datasource docs since maxActive setting for unlimited changed in commons-pool > 1.2. (markt)
Specification
fix Use a localised error message if a user tries to write a negative length byte array during default processing of a HEAD request. (markt)
fix 44562: HEAD requests cannot use includes. Patch provided by David Jencks. (markt)
Tomcat 5.5.26 (fhanik) released 2008-02-05
General
update Use Eclipse JDT 3.3.1. (pero)
update Use new commons download location. (markt)
update Use commons-launcher 1.1. (markt)
update Use commons-digester 1.8. (markt)
update Use Xerces 2.9.1. (markt)
update Remove unused commons-httpclient. (funkman)
update Use commons-collections 3.2. (markt)
update Use commons-fileupload 1.2. (markt)
update Use MX4J 3.0.2. (markt)
update Use JUnit 3.8.2. (markt)
update Use NSIS 2.34. (markt)
update Use Struts 1.2.9. (markt)
update Use JAF 1.1.1. (markt)
update Use JTA 1.1. (markt)
update Use JavaMail 1.4.1. (markt)
update Use PureTLS 0.9b5. (markt)
update Use commons-pool 1.4. (markt)
fix 43594: Use setenv from CATALINA_BASE (if set) in preference to the one in CATALINA_HOME. Patch provided by Shaddy Baddah. (markt)
fix Fix CVE-2007-5342 by limiting permissions granted to JULI. (markt)
Catalina
fix 38131: WatchedResource doesn't work if app is outside host appbase webapps. Patch provided by Peter Lynch (pero)
fix Set correct sessionCounter at StandardManager after reload sessions. (pero)
fix Fix NPE situation at AccessLogValve (pero)
fix 30949: Improve previous fix. Ensure requests are recycled on cross-context includes and forwards when an exception occurs in the target page. (markt)
fix 43216: Set correct StandardSession#accessCount as system property STRICT_SERVLET_COMPLIANCE is true after application restart with SESSION.ser file. Patch provided by Takayuki Kaneko (pero)
add Made session createTime accessible for all SessionManager via JMX (pero)
add Support logging of all response header values at ExtendedAccessLogValve (ex. add x-O(Set-Cookie) to your pattern). (pero)
add Support logging of current thread name at AccessLogValve (ex. add %I to your pattern). Useful for comparing an access log entry with a stack trace later. (pero)
fix o.a.juli.ClassLoaderLogManager handles more than one system property replacement in the logging.properties file. (pero)
fix 43236: Reset usingWriter and associated flags when response is reset. (markt)
fix 43241: ServletContext.getResourceAsStream() not spec compliant. Patch provided by John Kew. (markt)
fix 43675: Fix a possible logging related class loader leak. (markt)
fix 43687: Remove conditional headers on Form Auth replay, since the UA (esp. FireFox) isn't expecting it. (billbarker)
fix Fix bug in CGI Servlet that caused it to fail when a CGI resource was included in another resource. (markt)
fix Cookie handling/parsing changes! The following behavior has been changed with regards to Tomcat's cookie handling:
a) Cookies containing control characters, except 0x09(HT), are rejected using an InvalidArgumentException.
b) If cookies are not quoted, they will be quoted if they contain tspecials(ver0) or tspecials2(ver1) characters.
c) Escape character '\\' is allowed and respected as an escape character, and will be unescaped during parsing.
fix 43839: URL based session tracking fails when session cookie from parent context is present. Based on a patch by Yuan Qingyun. (markt)
fix 43887: Include exception in the log message. (markt)
fix 43914: Location headers must be encoded. Patch provided by Ivan Todoroski. (markt)
fix 43957: Service.bat didn't configure logging correctly. Patch provided by Richard Fearn. (markt)
fix 44041: Fix duplicate class definition error under load. (markt)
fix 44084: JAASRealm is broken for application provided Principals. Patch provided by Noah Levitt. (markt)
Jasper
fix 43702: Reduce length of unnecessarily long class names for the inner helper class when using simple tags. (markt)
fix 43757: Rather than use string matching to work out the line in the JSP with the error, use the SMAP info and the knowledge that for a scriptlet there is a one to one line mapping. (markt)
Cluster
fix Fix FarmWarDeployer can be only configured at host subelement (pero)
fix Fix wrong && at ReplicationValve (pero)
fix DeltaManager sessionCounter must also be incremented for replicated sessions. (pero)
add Made attribute createTime accessible for all DataSenders. (pero)
Webapps
fix Fix CVE-2007-5461, an important information disclosure vulnerability in the WebDAV Servlet. (markt)
fix 43611: Provide an error message when trying to upload a WAR for a context that has been defined in server.xml. (markt)
fix 44094: Add note to docs about side-effects of setting privileged on a context. (markt)
Coyote
fix 43479: Fix memory leak cleaning up sendfile connections. (markt)
fix 43622: Don't always overwrite min compression size with default. (markt)
fix 43995: No timeout for sendfile (TODO item had been forgotten). (markt)
Tomcat 5.5.25 (fhanik) released 2007-09-08
General
docs Correct j.u.l log levels in JULI docs. (rjung)
update Update to Commons Modeler 2.0.1, fix embed release starting issue. (pero)
Catalina
fix Handle special case of ROOT when re-loading webapp after ROOT.xml has been modified. In some circumstances the reloaded ROOT webapp had no associated resources. (markt)
fix Fix WebDAV Servlet so it works correctly with MS clients. (markt)
fix Remove invalid attribute "encoding" of MBean MemoryUserDatabase, which led to errors in the manager webapp JMXProxy output. (rjung)
fix Fix XSS security vulnerability (CVE-2007-2450) in the Manager and Host Manager. Reported by Daiki Fukumori. (markt)
add 39055: Add JMXAdaptorLifecycleListener to start JMX Connector with fixed naming and data ports. This feature is needed to have stable remote access when a firewall is active. The adaptor reads all standard JMX system properties (-Dcom.sun.management.jmxremote.XXX). Currently only included at src release (uses JDK 1.5 classes). Feature provided by George Lindholm and Juergen Herrman (pero)
fix 41722: Make the role-link element optional (as required by the spec) when using a security-role-ref element. (markt)
fix 42547: Fix NPE when a ResourceLink in context.xml tries to override an env-entry in web.xml. (markt)
fix 42944: Correctly handle servlet mappings that use a '+' character as part of the url pattern. (markt)
fix Improve large-file support (more than 4 Gb) at all AccessLogValves. (pero)
update 43129: Support logging of response headers at AccessLogValve (ex. add %{Set-Cookie}o to your pattern). (pero)
Jasper
fix 2500: FileNotFoundException within a JSP page resulted in a 404 rather than a 500. (markt)
fix 37326: No error reported when an included page does not exist. (markt)
fix 42643: Prevent creation of duplicate JSP function mapper variables. (markt)
fix 42314: Provide compilation error details in cases where the error can't be mapped back to a source file. (markt)
Webapps
fix Don't write error on System.out, use log() instead. (rjung)
fix Fix XSS security vulnerabilities (CVE-2007-2449) in the examples. Reported by Toshiharu Sugiyama. (markt)
fix 39212: Fix possible NPE in DummyCart example and remove redundant code. (markt)
fix 42979: Update sample.war to include recent security fixes in the source code. (markt)
Coyote
fix Separate sequence increment from getter in ThreadPool to avoid misleading increments during monitoring via JMX. (rjung)
Cluster
fix 40042: Recovery membership heartbeat after interface down. (pero)
fix 42691: Don't set access time after session sync. Fix that sessions after node restart better expire. Requested by Casey Lucas (pero)
fix Backport Tomcat 6 cluster socket parameter. (pero)
fix Fix typo in new MBean attribute which led to errors in the manager webapp JMXProxy output. (rjung)
fix 42689: No way to timeout new connect attempts for replication sockets. Patch by Casey Lucas (pero)
fix Fix timeout setting on a replicated DeltaSession. Patch by Alexander Maas (fhanik,pero)
fix 42720: Don't send a message if no cluster member exists. Patch by Keiichi Fujino (pero)
Tomcat 5.5.24 (fhanik) not released
General
update Update to Commons DBCP src 1.2.2 (pero)
update Update to Commons Pool src 1.3 (pero)
Catalina
fix 33774 Retry JNDI authentication on ServiceUnavailableException as at least one provider throws this after an idle connection has been closed. (markt)
fix 40593 Cleanup that Listener stop after Manager stop at StandardContext.stop(). Patch by Suzuki Yuichiro (pero)
fix 41747 Correct example ant script for deploy task. (markt)
fix 41752 Correct error message on exception in MemoryRealm. (markt)
fix 39875 Minor cleanup in RealmBase.init, as requested by Takayoshi Kimura. (yoavs)
fix 41477 Add commons-el.jar to bin/catalina-tasks.xml, required for jasper2 tasks using EL. Patch by Daniel Santos. (yoavs)
fix 40150 Ensure user and role classnames are validated on startup. Patch by Tom. (yoavs)
fix 42039 Log a stack trace if a servlet throws an UnavailableException. Patch provided by Kawasima Kazuh. (markt)
fix 41990 Add some additional mime-type mappings. (markt)
fix 41655 Fix message translations. Japanese translations provided by Suzuki Yuichiro. (markt)
fix 41939 Add configuration option to disable nulling of static and final fields of loaded classes when stopping a web application classloader. Setting the system property org.apache.catalina.loader.WebappClassLoader.ENABLE_CLEAR_REFERENCES to false will stop these fields being set to null on context stop. (markt)
fix Fix a logging related memory leak in ManagerBase and ApplicationDispatcher. (markt)
fix 42354: Ensure JARs in webapps are scanned for TLDs when the Tomcat installation path contains spaces. (markt)
fix 42361: Handle multi-part forms when saving requests during FORM authentication process. Patch provided by Peter Runge. (markt)
fix 42401: Update RUNNING.txt with better JRE/JDK information. (markt)
fix 42497: Ensure ETag header is present in a 304 response. Patch provided by Len Popp. (markt)
fix Allow for a forward/include to call getAttributeNames on the Request in a sandbox. (billbarker)
add Add getSession() operation to StandardManager and DeltaManager JMX Interface (pero)
Webapps
update Update host configuration document for new behaviour for directories in appBase. (markt)
update 39883 Add note to context configuration document about using antiResourceLocking on a webapp outside the Host's appBase directory. (yoavs)
update 39540 Add link to httpd 2.2 mod_proxy_ajp docs in AJP connector doc. (yoavs)
fix 41289: Create configBase, since it is no longer created elsewhere. Submitted by Shiva Kumar H R. (pero)
fix 42103: Use correct names for truststoreFile, truststoreType and truststorePass when saving server.xml in Admin webapp. Patch provided by Matheus Bastos. (markt)
fix 42025: Update valve documentation to refer to correct regular expression implementation. (markt)
fix 41956: Don't skip the connector address attribute when persisting server.xml changes via the admin webapp. (markt)
Coyote
fix 40960 Inconsistent exception type thrown on socket timeout in InternalAprInputBuffer. Patch by Christophe Pierret. (yoavs)
add 41675 Add a couple of DEBUG-level logging statements to Http11Processors when sending error responses. Patch by Ralf Hauser. (yoavs)
fix 42119 Fix return value for request.getCharacterEncoding() when Content-Type headers contain parameters other than charset. Patch by Leigh L Klotz Jr. (markt)
fix 36155 Always reset the MB when doing getBytes in the JK Connector (billbarker)
fix Improve large-file support in the AJP Connectors (billbarker)
Cluster
fix Receiver can also use tcpListenAddress with a hostname. (rjung, pero)
fix DeltaRequest synchronized getSize() and show log message as readExternal() failure. (rjung, pero)
add Add DeltaManager expireTolerance attribute to quicker auto expire long backup sessions. (rjung, pero)
add Add DeltaManager updateActiveIntervall attribute to send every 60 sec a session access message. (rjung, pero)
fix 39866 Duplicate names appended to cluster manager name. (yoavs)
Jasper
fix 39425 Add additional system property permission to catalina.policy for pre-compiled JSPs. (markt)
fix 41227 Add a bit of DEBUG-level logging to JspC so users know which file is being compiled. (yoavs)
fix 41869 TagData.getAttribute() should return TagData.REQUEST_TIME_VALUE when the attribute value is an EL expression. (markt)
fix 42071 Fix IllegalStateException on multiple requests to an unavailable JSP. Patch provided by Kawasima Kazuh. (markt)
fix After a JSP throws an UnavailableException allow it to be accessed once the unavailable period has expired. (markt)
fix 42072 Don't call destroy() if the associated init() fails. Patch provided by Kawasima Kazuh. (markt)
fix Fix a logging related memory leak in PageContextImpl. (markt)
fix 42438 Duplicate temporary variables were created when jsp:attribute was used in conjunction with custom tags. Patch provided by Brian Lenz. (markt)
Tomcat 5.5.23 (fhanik) released 2007-03-09
Catalina
fix 41608 Make log levels consistent when Servlet.service() throws an exception. (markt)
fix 41666 Correct handling of boundary conditions for If-Unmodified-Since and If-Modified-Since headers. Patch provided by Suzuki Yuichiro. (markt)
fix 41674 Fix error messages when parsing context.xml that incorrectly referred to web.xml. (markt)
fix 41739 Correct handling of servlets with a load-on-startup value of zero. These are now the first servlets to be started. (markt)
Coyote
fix Requests with multiple content-length headers are now rejected. (markt)
Tomcat 5.5.22 (fhanik) not released
General
fix Fix regression in build that prevented connectors from building. (markt)
Tomcat 5.5.21 (fhanik) not released
Catalina
fix 41401: StandardService.getConnectorNames() return array of Connector JMX objectnames. (pero)
fix 29727: If env-entry values in web.xml are changed then ensure new values are applied when context is reloaded. (markt)
fix 34956: Ensure request and response objects passed to a RequestDispatcher meet the requirements of SRV.8.2 and SRV.14.2.5.1. This is disabled by default. The Java option -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true is required to enable this test. (markt)
fix 36274: When including static content with the DefaultServlet also treat content types ending in xml as text. (markt)
fix 36976: Don't use CATALINA_OPTS when stopping Tomcat. This allows options for starting and stopping to be set on JAVA_OPTS and options for starting only to be set on CATALINA_OPTS. Without this fix, some startup options (eg the port for remote JMX) would cause stop to fail. Based on a fix suggested by Michael Vorburger. (markt)
fix 37070: Update mbean name documentation to include the StandardWrapper. (markt)
fix 37356: Ensure sessions time out correctly. This has been fixed by removing the accessCount feature by default. This feature prevents the session from timing out whilst requests that last longer than the session time out are being processed. This feature is enabled by setting the Java option -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true. The feature is now implemented with synchronization which addresses the thread safety issues associated with the original bug report. (markt)
fix 37439: Update documentation for Engine component to add the requirement that the name must be unique. (markt)
fix 37458: Add syncs to the WebappClassloader to address rare issues when multiple threads attempt to load the same class concurrently. (markt)
fix 37509: Do not remove whitespace from the end of values defined in logging.properties files. (markt)
fix 38198: Add reference to Context documentation from Host documentation that explains how Context name is obtained from the Context filename. (markt)
fix 39088: Prevent infinite loops when an exception is thrown that returns itself for getRootCause(). Based on a patch by Wouter Zelle. (markt)
fix 39436: Correct MIME type for SVG. (markt)
fix 39627: JULI no longer ignores a ".level=XXX" directive in logging.properties. Patch provided by Roger Keays and Richard Fearn. (markt)
fix 39724: Removing the last valve from a pipeline did not return the pipeline to the original state. Patch provided by David Gagon. (markt)
fix 40367: Update JK auto configuration documentation to clarify that workers.properties must also exist. (markt)
fix 40524: HttpServletRequest.getAuthType() now returns CLIENT_CERT rather than CLIENT-CERT for certificate authentication as per the spec. Note that web.xml continues to use CLIENT-CERT to specify the certificate authentication should be used. (markt)
fix 40526: Add support for JPDA_OPTS to catalina.bat and add a JPDA_SUSPEND environment variable to both startup scripts. Patch provided by Kurt Roy. (markt)
fix 40528: Add missing message localisations as provided by Ben Clifford. (markt)
fix 40585: Fix parameterised constructor for o.a.juli.FileHandler so parameters have an effect. (markt)
fix 40625: Stop CGIServlet swallowing the root cause of an exception. Patch provided by Takayoshi Kimura. (markt)
fix 40723: Correct table creation example in JavaDoc for JDBCAccessLogValve. (markt)
fix 40802: Add jsp-api.jar to fileset in catalina-tasks.xml as provided by Daniel Santos. (pero)
fix 40817: Correct problem where CGI scripts in the root of the ROOT context threw a StringIndexOutOfBoundsException. (markt)
update Set the SCRIPT_FILENAME environment variable required by PHP when using the CGIServlet to execute PHP. (markt)
fix 40823: Update context doc to clarify use of ROOT.xml, multi-level context paths and to further discourage use of server.xml (markt)
fix 40844: Add additional syncs to JDBCRealm to resolve NPE when two users try to authenticate using DIGEST authentication at the same time. (markt)
fix 40860: Log exceptions and other problems during parameter processing. (markt)
fix 40901: Encode directory listing output. Based on a patch provided by Chris Halstead. (markt)
fix 40929: Correct JavaDoc for StandardClassLoader. (markt)
fix 41008: Allow POST to be used for indexed queries with CGI Servlet. Patch provided by Chris Halstead. (markt)
fix 41020: Improve error message when custom error report Valve fails to load. Also remove requirement that custom error report Valves extend ValveBase. (markt)
fix 41217: Set secure attribute on SSO cookie when cookie is created during a secure request. Patch provided by Chris Halstead. (markt)
fix Ensure Accept-Language headers conform to RFC 2616. Ignore them if they do not. (markt)
fix Make provided instances of RequestDispatcher thread safe. (markt)
fix Fix formatting of CGI variable SCRIPT_NAME. (markt)
fix 34643: Improved documentation for per-user / per-session clientAuth usage in SSL Authenticator. Docs provided by jack and Ralf Hauser. (yoavs)
fix 40668: Update release notes and readme files specific to v5.5.20 to notify users of missing MailSessionFactory in distribution, suggest workarounds, and link to relevant Bugzilla issue. (yoavs)
fix 37977: adapt BUILDING.txt and net build.xml for SVN. Patch by Christopher Sahnwaldt. (yoavs)
update 39055: Link to sample workaround code for using JSR160 JMX monitoring with a local firewall. Thanks to George Lindholm for the patch. (yoavs)
update 39476: add xml declaration to most build.xml files, as suggested by Gregory S. Hoerner Sr. (yoavs)
fix 40326: stop using File#deleteOnExit in DefaultServlet to avoid JVM memory leak, as suggested by quartz. (yoavs)
fix 40192: update setup.html notes regarding Windows tray icon. (yoavs)
fix 40177: add more warnings to documentation about RequestDumperValve character encoding. (yoavs)
fix 39255: NPE in AuthenticatorBase when logging level is set to DEBUG and no principal found. (yoavs)
fix 41437: Make log messages and loglevel consistent during Context start. Patch provided by Suzuki Yuichiro. (markt)
Coyote
fix 38332: Add backlog attribute to ChannelSocket as provided by Takayoshi Kimura. (pero)
update Backport packetSize feature from Tomcat 6.0.x at standard coyote AJP Jk handler. (pero)
fix 40771: Fix implementation of SavedRequestInputFilter.doRead() so POST data may be read using a Valve or Filter. Patch provided by Michael Dufel. (markt)
fix 41017: Restore behaviour of MessageBytes.setString(null). (remm/markt)
fix 41057: Modify StringCache to add a configurable upper bound to the length of cached strings. (remm/markt)
fix 38774: Check javax.net.ssl.keyStorePassword system property as a secondary source for keystore password in JSSESocketFactory, as suggested by Ted X. Toth. (yoavs)
fix 39402: Modify existing Vary HTTP header, rather than overwrite it, if it exists when using GZip compression. Patch by Matthew Cooke. (yoavs)
fix 40241: Catch Exceptions instead of Throwables in Default and SSI servlets. Also improve relevant logging while we're at it. (yoavs)
fix 40133: Better error message when context name is not available on startup, as suggested by Andreas Plesner Jacobsen. (yoavs)
Jasper
fix 39975: don't have static Log references to prevent classloader leaks. (yoavs)
fix 40104: When displaying JSP source after an exception, handle included files. (markt)
fix 40797: This was a regression as a result of the fix for 33407. TLD validation was failing as a result of the use of the escape character (0x1b) as a temporary replacement for \$. An alternative character (0xe000) from the unicode private use range is now used. (markt)
fix 41057: Make jsp:plugin output XHTML compliant. (markt)
fix 41327: Show full URI for a 404. Patch provided by Vijay. (markt)
fix 41265: Allow JspServlet checkInterval init parameter to be explicitly set to the stated default value of zero by removing the code that resets it to 300 if explicitly specified as zero. (markt)
fix Display the JSP source when a compilation error occurs and display the correct line number rather than start of a scriptlet block. (markt)
Webapps
fix 34952: Clarify that the Windows Installer always installs a Windows service. (markt)
fix 35968: Make environment entry properties input a text area. Patch provided by Tristan Marly. (markt)
fix 37588: Fix creation of JNDI Realm in admin application. Patch provided by Terry Zhou. (markt)
fix 38048: Fix memory leak associated with use of expression language in JSPs. Patch provided by Taras Tielkes. (markt)
fix 39572: Improvements to CompressionFilter example provided by Eric Hedström. (markt)
update 40507: Update host-manager and servlet-examples web-apps to use the servlet 2.4 xsd. Patch provided by Chris Halstead. (markt)
fix 40581: Add information on the use of a symbolic link as the docBase for a Context to the Context documentation. (markt)
fix 40633: Remove references to the DefaultContext from the documentation. (markt)
fix 40677: Update SSL documentation to indicate that PKCS11 keystores may be used. (markt)
fix 40714: Admin webapp no longer requires a username for a DataSource since it is not required in all cases. (markt)
fix 40720: Fix exception in admin webapp when adding a group to a user. (markt)
fix 40874: Correct log4j configuration in documentation webapp. Patch provided by Franck Borel. (markt)
fix 40999: Add trust store configuration for SSL connectors to the admin webapp. (markt)
fix 41051: Add information on keystore aliases and case sensitivity to SSL HOW-TO. (markt)
fix 41182: Update the Jasper documentation for the classpath attribute. (markt)
fix 41493: Fix handling of APR connectors in Admin webapp. (markt)
fix 41512: Version number was not inserted in release notes. (markt)
fix 40257: Update Manager webapp howto on remote deployment to reflect need for explicit path in one specific use-case. Thanks to Venkatesh Jayaraman. (yoavs)
update 40160: add reference to the Filter proposed in this Bugzilla item to the WebdavServlet. While at it, give the WebdavServlet some long-overdue TLC by cleaning up some of the old data structures in favor of modern (but still JDK 1.4-compliant) interfaces. (yoavs)
docs Add a virtual hosting how-to contributed by Hassan Schroeder. (markt)
Cluster
add Add clustered SSO code and backport feature from Tomcat 6.0.x, submitted by Fabien Carrion (pero)
add Add better recovery at FastAsyncQueueSender. Made the strategy more robust for temporary connection problems (pero)
Tomcat 5.5.20 (fhanik) released 2006-09-28
Catalina
fix Fix logic error in UserDatabaseRealm.getPrincipal() that caused user roles assigned via groups to be ignored. (markt)
fix 40518: Use correct message when a RuntimeException is thrown from the requestInitialized or requestDestroyed method of a listener that implements ServletRequestListener. (markt)
Jasper
fix 31804: Unnested tags within a tag file are now configured with the Tag represented by the containing tag file as their parent tag. (markt)
fix 33356: Tag attributes that contained $ followed by 1 or more non-special characters and then a { character caused an exception. (markt)
fix 33407: The string \$ in template text was reduced to $ when the isELIgnored page directive was set to true. (markt)
fix 34509: Tag names may now use the full range of characters permitted by xsd:nmtoken. (markt)
Webapps
fix 34399: Disable undeploy for applications that have not been deployed such as those defined in server.xml (markt)
Tomcat 5.5.19 (fhanik) not released
General
update Add multi attribute setting to jmx:set JMX remote ant task. Patch contributed by Didier Donsez (pero)
Catalina
fix 30762: Re-fix this bug that was re-introduced by the fix to 37264. (markt)
fix 37588: Fix JNDI realm creation through JMX. Patch contributed by TerryZhou (fhanik)
fix 39704: The use of custom classloaders failed when the context was specified in server.xml. Correction of the fault will require setting the new loader attribute useSystemClassLoaderAsParent to false. (markt)
Coyote
fix 40418: APR Endpoint socket evaluation (remm)
Webapps
fix 31339: Admin app threw exceptions if a name other than Catalina was configured for the Engine. Patch based on a suggestion from Amila Suriarachchi. (markt)
Tomcat 5.5.18 (yoavs) not released
General
update Change MD5 release signature files to have md5 (lowercase) extension instead of MD5 (uppercase), as suggested by Henk Penning and specified in the ASF release publishing guidelines. (yoavs)
Catalina
fix Fix ManagerBase incrementing the expireSessions counter twice in the background task. (pero)
fix 39406: Fix that StandardSession#getLastAccessedTime() uses correct exception message, suggested by Takayoshi Kimura. (pero)
add 39661: Add documentation on JULI FileHandler properties. (yoavs)
add 39657: Warn (and don't load jar) if JSP API is in webapp classloader repository, as suggested by David Sanchez Crespillo. (yoavs)
add 39674: Support JRockit JVM in service.bat script, as suggested by lizongbo. (yoavs)
fix 39711: Update Loader configuration documentation, as suggested by Stephane Bailliez. (yoavs)
fix 39865: Add Open Office mime types to conf/web.xml. (markt)
fix 38814: Align CGI handling of indexed queries, parameters and POST content with other CGI providers. The changes: only provide parameters on the command line for indexed queries; always provide the query string via the QUERY_STRING environment variable; provide POST content unmodified to stdin; and never call getParameters(). (markt)
fix 34801: Partial fix that adds handling of IOExceptions during long running CGI requests. Based on a patch by Chris Davey. (markt)
fix 39689: Allow single quotes (') and backticks (`) as well as double quotes (") to be used to delimit SSI attribute values. (markt)
fix 40053: Correct application deployment documentation so it agrees with the classloader documentation regarding shared lib and CATALINA_BASE. (markt)
fix 39592: Stop HEAD requests for resources handled by SSI servlet or filter generating stack traces in the logs. (markt)
fix Improve handling of the ';' character in the URL so that it is now allowed if properly %xx encoded. (remm)
Coyote
fix Fix APR endpoint so that the acceptor thread now only processes socket accepts. (remm)
Webapps
fix 39813: Correct handling of new line characters in JMX attributes. Patch provided by R Bramley. (markt)
fix 37781: Make sure that StoreConfig saves externally referenced war files in context.xml correctly. (pero)
fix 39791: Use correct default for useNaming within a Context. (markt)
fix Correctly generate re-direct for admin app index.jsp to prevent login page being displayed twice when cookies are disabled. (markt)
Cluster
fix 39473: Session timeout much shorter than setting at web.xml at cluster environment, suggested by Jin Jiang. (pero)
Tomcat 5.5.17 (yoavs) released 2006-04-27
General
update Update to Xerces 2.8.0 (remm)
update Update to tcnative 1.1.3 (remm)
Catalina
fix Fix SingleSignOn Valve and add Session.getLastAccessTimeInternal() without session invalidation test. (pero)
fix 38814: CGIServlet correctly handles Shift_JIS output. (markt)
fix Add missing REQUEST_URI environment variable to CGI environment. (markt)
fix 27617: Sync existing mime types with httpd. (keith)
fix 38761: Handle relative symlinks to shell scripts as suggested by Adam Murray (keith)
fix 38795: Associate more closely bind with a finally unbind in StandardContext start and stop, based on a patch by Darryl Miles (remm)
fix Improve undeployment robustness (remm)
update Expand the semaphore valve (remm)
fix 39021: Add back support for authentication only, submitted by Scott Stark (remm)
fix Revert fix for 38113, which does not seem a legitimate problem, and causes regressions (remm)
fix Correctly reset listeners when reloading a webapp (remm)
fix 38194: Don't fail silently if -force is used without CATALINA_PID, submitted by Matthew Buckett. (yoavs)
fix 38154: Avoid NPE in FileDirContext after webapp undeploy, reported by Jamie Maher. (yoavs)
fix 38217: Added cautionary note about keystore password to SSL HowTo, as suggested by Ralf Hauser. (yoavs)
fix 38262: Cleared ambiguity in host documentation, as suggested by Jeffrey Bennett. (yoavs)
fix 38476: Modified check for null TLD stream, as suggested by Fabrizio Giustina. (yoavs)
fix 38052: Use userName as userField default. User is at many databases a reserved keyword, as suggested by rik. (pero)
fix Fix handling of non matching if-range header (remm)
fix 37848: Only output catalina.sh diagnostic messages if we have a TTY, submitted by David Shaw. (yoavs)
fix 38596: Minor performance optimization in DataSourceRealm, suggested by Sandy McArthur. (yoavs)
Coyote
fix Make the default cipher suites available for SSL the same as the set of cipher suites enabled by default rather than the set of all cipher suites. This prevents cipher suites that do not provide confidentiality protection and/or server authentication being used by default. (markt)
fix Move AprEndpoint.getWorkerThread inside the try/catch for the main accept loop, to guard against an OOM (which would most likely doom the server anyway) (remm)
fix As exhibited in the ASF's JIRA installation, it seems EINTR is a status code that should be ignored as a result to a poll call (remm)
update New APR connectors defaults (remm)
update Add multiple threads for APR pollers, to work around Windows limitations (performance degrades very rapidly if poller sizes over 1024 are allowed when compiling APR) (remm)
update New modes for firstReadTimeout (-1 being the new default) (remm)
update Replace java.util.Stack usage with a simple array in the APR endpoint (remm)
fix tcnative jnilib.c now report correct compile flags for runtime Library.java checks like sendfile support default true/false (pero)
Jasper
fix 38015: Remove misleading warnings logged in TagLibraryInfoImpl, as suggested by Andrew Houghton. (yoavs)
fix 38376: Make sure body content stack is always properly aligned, as submitted by Tony Deigh. (yoavs)
fix Compatibility with JDT 3.2 (remm)
Webapps
fix 39292: Update catalina.policy at demo balancer app. Fix provided by Kerry Sainsbury (pero)
fix 36847: Fixed the manager app copy function to not overwrite fileA with fileB when fileA==fileB. Fix provided by Haroon Rafique (fhanik)
fix 38508: Several enhancements to Host Manager application, including configurable manager app support and dialog box enhancements. Thanks to George Sexton for the patch. (yoavs)
fix 37781: Make sure context config file is writeable, suggested by George Sexton. (yoavs,pero)
Cluster
update Add at PooledSocketSender the jmx attributes inPoolSize and inUsePoolSize. (pero)
fix DeltaManager set session creationTime at backup node. (pero)
update Add JvmRouteBinderValve documentation at cluster-howto.xml. (pero)
add JvmRouteBinderValve now supports sessionid's from request and cookies. Thanks to Brian Stansberry for reporting it. (pero)
fix 38779: Fix wrong jmx message arg at SimpleTcpCluster at o.a.c.cluster.tcp.mbeans-descriptors.xml, submitted by Pawel Tucholski (pero)
fix Fix that not after every "Keep Alive Socket close" a log warning is generated at TcpReplicationThread (pero)
fix 39178: Now ROOT.war deployment with FarmWarDeployer is possible (pero)
fix ReplicationValve not set primarySession flag when all backup nodes gone (pero)
update Add DeltaSession.getLastAccessTimeInternal() without session invalidation test. (pero)
Tomcat 5.5.16 (yoavs) released 2006-03-15
General
update Updated / enhanced docs to remove old FIXME references. (yoavs)
update Required tcnative library version upgraded to 1.1.2 (remm)
update Update to Eclipse JDT 3.1.2 (remm)
Catalina
fix 23950: Context.listBindings() should return objects not references. (markt)
fix 38124: Add support for Windows 20xx when reading environment variables in CGIServlet. (markt)
fix 29214: response.containsHeader() now returns the correct value for Content-Type and Content-Length headers. (markt)
fix Allow using a custom ContextConfig when using JMX embedding of Tomcat, as is done by the regular deployer. (remm)
add Add JMX serverInfo attribute to Server MBean, that we can identify the tomcat release remotely. (pero)
fix Fix the JMX MBeanFactory.createStandardHost signature at mbean-descriptors.xml (pero)
fix Fix some cases (for example with realm usage) where the container logger for a context would be retrieved using the wrong classloader (remm)
fix HttpSession.getId will no longer throw an ISE when the session is invalid (remm)
fix More detailed errors for naming issues (remm)
docs Add documentation for the Transaction element (remm)
update Add getContextPath to the internal servlet context implementation (remm)
fix Only null instances loaded by the webapp CL, submitted by Matt Jensen (remm)
update Deploy folders which don't have a WEB-INF, and return an error when a context file does not contain a Context element (remm)
fix 38653: Fix property name (remm)
fix Slightly modify the timing of the manager start, so that it is not started by a listener (remm)
fix Refresh loggers used by the digester (remm)
fix Use sendError instead of setStatus to send the 401 code. (billbarker)
fix Don't append the port for an SSL redirect if it is the default port. (billbarker)
Coyote
fix Log errors when setting socket options with debug priority rather than error. (remm)
fix 38100: Make certain that a valid Host name is set, or none at all. (billbarker)
fix 38485: Fix minor regression setting connection timeout (as well as linger and no delay) where the default value was always used when using the regular HTTP connector (remm)
update Pass along more of the SSL related fields to OpenSSL (remm)
update CharChunk now implements CharSequence (remm)
fix Fix coding error which could cause a rare crash when a poller error occurred and sockets were pending being added to the keepalive poller (remm)
fix Fix potential sync issues when restarting a poller (remm)
fix Update APR error reports, including the error codes (remm)
fix 38726: Remove duplicate request group field causing blank statistics for the HTTP connector (remm)
fix Fix invalid length used by some AJP packets for the AJP APR connector, which could cause corruption, submitted by Rudiger Plum (jim)
fix 38346: Fix problems with request.getReader().readLine(). Patch by Rainer Jung (billbarker)
update Local address reuse for APR Endpoints (via APR_SO_REUSEADDR) now enabled (jim)
fix Don't write out the shutdown secret file if shutdown is disabled (the default) (billbarker)
fix Fix NPE when no sink is supplied. (billbarker)
update APR Endpoints now IPv6 aware (jim)
update Downgrade "Response already committed" logging entry to DEBUG. (billbarker)
fix 38113: Return the empty String for an empty query-string instead of null. (billbarker)
Jasper
fix 38389: Set correct JDT Compiler option to java 1.5 compliance. Patch from Olivier Thomann and Paul Hamer (pero)
update Add some useful hints to jasper-howto. (pero).
fix 38776: Fix source file attribute, submitted by Olivier Thomann (remm)
Cluster
fix Update DeltaManager session access stats (pero)
fix DeltaSession getId will no longer throw an ISE when the session is invalid (pero)
update Resurrected the "suspect" property so that the logs don't fill up with errors when member disappears or a connection is lost. Only useful for pooled mode (fhanik)
add 35710: Add session replication for cross context session changes. The portlet api need this support, see refactored ReplicationValve. (pero)
update ReplicationValve reset DeltaSession when cluster node has no backup node. (pero)
update DataSender close connection and throw exception also even if waitForAck is false. (pero)
fix Active cluster junit test again. (pero)
Webapps
fix Fix some XSS issues in the JSP examples. (markt)
fix Fix logos in the manager webapp (remm)
Tomcat 5.5.15 (yoavs) released 2006-01-21
General
fix 32081: Remove the JDK requirement from the Win32 scripts. (keith)
Catalina
fix 37852: Fix regression where the magic role '*' was denying all access. Patch by xrcat (billbarker)
fix 37934: Don't ask for authentication if deny-from-all is in effect. (billbarker)
fix 15570: auth-constraint of * was interpreted as all authenticated users rather than as all roles defined in web.xml. (markt)
fix Remove leftover static logger which was used to log application level messages in ApplicationContextFacade (remm)
fix 38012: Where a CGI script sets a response code, use it. (markt)
fix 37854: Extension-List checking was too strict. (markt)
Coyote
fix Report binding errors in the APR endpoint as strings rather than platform specific status codes (remm)
fix 37934: Don't ask for authentication if deny-from-all is in effect. (billbarker)
fix 38047: Handle the case where the Servlet attempts to read the Request body from the AJP/1.3 Connector, in the case that no body was sent. (billbarker)
fix 38030: Unconditionally return EOS for an attempt to read the body of any request that doesn't send CL or TE. (remm, billbarker)
Jasper
fix 35351: Fix problem using an inner class for a <jsp:useBean />. (kinman).
fix 37929: Don't stop on the generic attribute methods just because the session is invalid. Patch by Pierre Delisle. (billbarker)
update Add system properties org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER and org.apache.jasper.runtime.JspFactoryImpl.USE_POOL to allow configuring Jasper memory usage (remm)
fix 37933: Restrict <jsp:getAttribute /> to only look in PAGE_SCOPE. (billbarker)
Cluster
fix 37808: Fix ArrayIndexOutOfBoundsException inside XByteBuffer. Reported by Dietmar Mueller (pero)
update 37896: DataSender starts new Socket after IOException. (pero)
update Reduce memory usage at membership service. (pero)
Tomcat 5.5.14 (yoavs)
General
update Update optional native APR connector version to 1.1.1. (mturk)
update Update build.properties.default to get native connector from new location. (yoavs)
Catalina
fix 13040: Fix getContext() when used to obtain a context that is a sub-context of the current context. Ported from TC4. (markt)
Jasper
fix 37746: Remove extra space from StringTokenizer pattern in JspC, as suggested by Eric Hedstrom. (yoavs)
Coyote
fix 36863: Strip quotes when parsing Cookie values, even for v0 Cookies. (billbarker)
fix 37803: Don't claim that we have a string value in MessageBytes until we actually do. Patch by Doug Rand (billbarker)
Tomcat 5.5.13 (yoavs)
General
fix 36711: Unused line of code. (yoavs)
update Removed unused SAXPath, Jaxen dependencies. (yoavs)
update Update log4j dependency to version 1.2.12, Struts to 1.2.7. (yoavs)
update Removed JDBC 2.0 StdExt dependency (only class from there is javax.sql.XADataSource, which is present in JDK 1.4 and later). (yoavs)
fix 37039: typo on JK Quick configuration how-to. (yoavs)
add 37035: Add a placeholder file in the temp directory for WinZip tar.gz handling. (yoavs)
update Update JAF dependency to 1.0.2, JTA to 1.0.1b and JavaMail to 1.3.3_01. (markt)
add Added Eclipse .project, .classpath, and associated files to make building Tomcat from Eclipse significantly easier. (markt)
add 37284: Guess JSE 5.0 location on Mac OS X, patch by Stepan Koltsov. (yoavs)
fix Wrong class name in antlib.xml for JkStatusUpdateTask. (yoavs)
Catalina
fix 36802: Fix problem of double-init when JMX-deploying a Context into a started Host. (billbarker)
fix 36840: Provide information as to which web.xml is being processed on startup to help debug parsing errors. (yoavs)
add 34724: Ability to set domain for Single-Sign-On cookie. Patch by Oliver Rossmueller. (yoavs)
fix 37044: RealmBase.hasResourcePermission needs to access the GenericPrincipal as set by the realm unless hasRole is overridden, which was no longer being done properly for the JAAS realm (remm)
fix 37264: JNDI resources were no longer available when stopping listeners, submitted by Bogdan Calmac (remm)
fix 37150: Turn off directory listing by default and add a warning regarding enabling listing of directories with many entries. (markt)
update Add configurability for the amount of time that the container will wait for requests to complete when unloading servlets, using the unloadDelay property. (remm)
update Add code to set to null fields in loaded classes when stopping a web application, as a possible workaround for suspicious garbage collection behavior. (remm)
update Update messages and stack traces for classloading errors which may occur when removing a web application, and for stopped web applications. (remm)
fix 37319: Fix catalina.bat reference to CATALINA_BASE for logging.properties. Thanks to Pierre-Yves Benzaken. (yoavs)
fix 36852: Custom classloaders don't honor Context privileged attribute. Thanks to Matt Brinkley for the analysis and patch. (yoavs)
fix Fix for a couple of (mostly silly) edge-cases in testing auth. Thanks to Nam T. Nguyen for the report. (billbarker)
fix 37060: Actually copy the Request headers when replaying after Form auth. (billbarker)
fix 37591: Typo in Engine configuration reference. (yoavs)
fix 37668: Added note about JSP recompilation to Context configuration documentation. (yoavs)
fix 37132: Have DigestAuthenticator Handle user names with commas. Thanks to Robert Wille for the patch. (yoavs)
fix 37212: Better error reporting in Connector.java. Thanks to Ralf Hauser for the patch. (yoavs)
Coyote
fix Gracefully handle the case where some Socket options are disabled at the OS level for the AJP/1.3 Connector. (billbarker)
fix 36366: Use rewritten deployer-howto page by Allistair Crossley. (remm)
add 36630: Added extra log output for class instantiation failure. (yoavs)
fix 37121: Sendfile always needs to be given the length of data to write, which fixes ranged requests. (remm)
fix Optimized direct byte buffers association with the socket for APR connectors. (mturk)
fix Fix hidden NPEs when using the APR connectors and there's no host header. (pero, remm)
fix Http11Protocol now register RequestProcessor at JMX and show current usage inside manager app. (pero)
add JkStatus Ant tasks for mod_jk 1.2.15. (pero)
update Connection Timeout is normal, so reduce logging to DEBUG (billbarker)
fix Fix crash which could occur with the HTTP APR connector when accessing request JMX objects outside of the processing of the said request (remm)
fix 37627: Fix buffering issue in the HTTP APR connector when a large buffer size was used for servlets (remm)
fix 37673: Fix implementation of getLocalPort and getLocalAddr in the HTTP APR connector (remm)
Jasper
fix 35252: Jasper PageDataImpl outputs malformed XML. Patch by Rahul Akolkar. (yoavs)
add 37062: Helpful JSP exception message containing file, line numbers. Patch by Tim Fennell at http://www.tfenne.com/jasper/. (yoavs)
fix 37407: File descriptor leak in JspReader. Thanks to Fred for the patch. I also did some minor cleanup in the class. (yoavs)
add 37612: Add file location to JSP Validator error message. Thanks to Renaud Bruyeron for the patch. (yoavs)
Cluster
fix Fix that session replace messages are logged after node recovery get all session from master node. (pero)
fix 37896: Fix that sendMessage signature at all DataSender subclasses must be changed. Now pooled and async modes working as expected. (pero)
fix Fix that socket at o.a.c.cluster.tcp.FastAsyncSocketSender can be disconnect/connect. (pero)
fix Fix cluster module build.xml script for new svn repository structure (pero)
fix Fix closed socket exceptions at normal server shutdown, reported by Olve Hansen (pero)
fix Fix closed socket exceptions inside async message transfer modes (pero)
fix 34984: HttpSessionBindingEvent.getValue() get correct value (pero)
fix 35916: send sessionCreated to SessionListener after cluster node recovery (pero)
fix 36541: Used also Hashtable at DeltaSession (pero)
fix Better support cluster at engine level. (pero)
fix 36866: Correct attribute name in conf/server.xml documentation for Cluster element. (yoavs)
fix 37261: Allow xerces to know where the web.xml file is so that relative entities can be resolved.
fix 37529: Fixed race condition in ReplicationLister#stopListening. Thanks to Chris Walker for the patch. (yoavs)
Webapps
fix Remove obsolete TagPlugin file from JSP examples (billbarker)
fix 36019: Made clear the Host-Manager HowTo is coming soon, not ready yet. (yoavs)
fix 36336: Check WAR extension in both upper and lower case, as suggested by A. Grasoff. (yoavs)
fix 35982: Can't delete mail sessions in admin webapp. (yoavs)
fix 36673: Similar to the one above, for data sources. (yoavs)
Tomcat 5.5.12 (yoavs)
General
fix Remove unneeded files in conf. (remm)
update Change distribution file names from jakarta-* to apache-*. (remm)
Catalina
add Add JMX Remote create and unregister ant tasks (pero)
fix 36343: Only normalize out backslash on Windows platforms. (billbarker)
fix Allow configuring standard stream redirection. (remm)
add 36088: Add RUNNING.txt and RELEASE-NOTES.txt to fulldocs distro. (yoavs)
fix 36534: fix equals for URLs returned by ServletContext.getResource() (luehe)
fix 36558: Clear IntrospectionUtils cache when stopping a webapp, as it could lead to keeping a reference to the classloader (remm)
fix 36113: Session persistence for objects with primitive types could fail in some rare cases (remm)
fix 36541: Full synchronization for session objects attributes collections (remm)
fix 35609: service.bat echo command when wrong arguments given [patch by Robert Longson] (yoavs)
fix 34749: jsessionid dropped on trailing slash (/) redirect (remm)
Coyote
update Add support for secret for AJP APR (remm)
Jasper
fix Fix NPE with an error message when no Java compiler is available (remm)
fix Restrict System err stream capture to the Ant compiler, as the Eclipse compiler does not need it (remm)
update JSP compilation speed improvement using tag library information caching, submitted by Xingbo Gao (remm)
add Initial contribution of JSTL tag plugins supporting the core tag library of JSTL, submitted by Jing Li (remm)
Cluster
fix 36541: Sync all session attribute access (read and write) at DeltaSession (pero)
fix 36518: Classname typos for senders, submitted by Christoph Bachhuber-Haller (remm)
add 35613: Added FAQ question and answer about tcpListenAddress="auto" and /etc/hosts (yoavs)
update Moved FAQ section for Clustering from Clustering HowTo page to its own FAQ page. (yoavs)
Webapps
docs 36319: Fix broken link to DBCP docs, submitted by Xavier Poinsard (remm)
docs Brand new deployer specs, submitted by Allistair Crossley (remm)
Tomcat 5.5.11 (yoavs)
General
update Update to Xerces 2.7.1 (remm)
add Add ready to build bin/tomcat-native.tar.gz for the APR JNI wrapper library (remm)
fix 35930: Bad logging config used by the Tomcat Windows service (remm)
add 33261: Windows installer now checks the user type and warns non-admins as needed. (yoavs)
update The Windows installer will now optionally download a (32bit) Windows .dll for Tomcat native from HEAnet (remm)
fix Declaration of jspc Ant task to fix the deployer package (remm)
Catalina
add Add concurrency control valve (o.a.c.valves.SemaphoreValve). As the Tomcat distribution is not built for Java 5, the valve will have to be compiled from the sources using Java 5 (remm)
fix 35880: Ignore JSSE15SocketFactory when generating JavaDoc, as it breaks the JDK 1.4 JavaDoc tool. (yoavs)
fix 35865: setclasspath.sh cannot be executed under cygwin. (funkman)
fix 33267: Set working path in service installer, as suggested by Dominik Drzewiecki. (yoavs)
update 34794: Update connector documentation to include clientAuth attribute. (yoavs)
fix 35894, 36228: Fix CNFE when starting in a sandbox. (billbarker, remm)
fix Add version check for Tomcat native so that incompatible API changes are detected early (remm)
fix 36020: Allow MemoryUserDatabase to work better on write protected mediums, submitted by Rainer Jung (remm)
fix 35978: Bad handling of single range requests greater than 2GB in the DefaultServlet (remm)
fix 35984: Client abort exceptions will now use getCause (remm)
fix Fix handling of non-file based includes with SSI, submitted by David Becker (markt)
Coyote
fix Fix default ports for http and https which are set in the request when the parsed hostname does not specify the port, and which were inverted (https was set as 80 and http as 443). (remm)
fix Add missing tomcatAuthentication attribute to the AJP APR implementation. (remm)
fix Check filename sendfile attribute only if sendfile is enabled. (remm)
fix Fix output buffering for APR AJP implementation. (remm)
fix 35941: Fix getRemoteAddr for APR AJP implementation. (remm)
fix 35942: Fix NPE retrieving cipher suite attribute when no certificate was submitted (for example with no SSL). (remm)
fix Internationalization and code cleanups for APR AJP implementation. (remm)
fix Security exception in APR AJP implementation when running with the security manager enabled. (remm)
fix 36173: Add missing sync in FastHttpDateFormat.formatDate, submitted by Alexei Krainiouk (remm)
fix Disable HTTP compression when sendfile is used for a resource (remm)
fix AJP secret attribute report only at trace level. (pero)
Jasper
fix 36127: Validation compatibility with Xerces 2.7.1, submitted by Florent Benoit (remm)
Cluster
fix Fix NPE when cluster stops (pero)
fix 36218: MemoryRealm now support also GenericPrincipal, but JAASRealm with cluster replication still has a problem, detected by Dirk Dekok (pero)
Webapps
Tomcat 5.5.10 (yoavs)
General
add Add JMX remote ant task to control tomcat MBeanserver via ant scripts. Ant lib is included at "server/lib/catalina-ant-jmx.jar" and documentation is added to Monitoring and Managing Tomcat How-To (pero)
fix 34361: Integrate better antlib and import support for catalina manager tasks [Modified patch from Daniel Santos] (pero)
fix StoreConfig save now the Connector.sslProtocol attribute. (pero)
update Change log dir at service.bat to "$CATALINA_BASE/logs" for better multi instance support. (pero)
update 34237: Added note and links to context and host configuration references in JNDI DataSources HowTo to aid the clueless. (yoavs)
update 34248: Update JavaMail download instructions to include JAF. (yoavs)
update Update to JDT from Eclipse 3.1, with support for Java 5 (remm)
update Refactoring, redesign and extend the cluster module - Cluster can be configured as subelement from Engine and Host. - Optimized performance and reduce memory usage - Better JMX support - add a lot of JMX stats attribute for better monitoring - add a single element default cluster configuration - more config options LifecycleListener ClusterListener more than one cluster valves - better subclass support - change a lot of existing cluster API's (pero)
add Add Apache Portable Runtime JNI wrapper and helper API (mturk)
update Update JULI to provide support for taking over java.util.logging bootstrap configuration, and move the default properties file to ${catalina.base}/conf/logging.properties (remm)
fix 34746: Updated catalina.properties instructions per Bill Edwards' suggestion. (yoavs)
fix 35090: Minor documentation typo fix. (yoavs)
fix 34931: Rewrote ROOT/index.jsp to be XHTML strict compliant, per Richard Beton's patch. (yoavs)
Catalina
fix 20380: Access log timestamps now take account of Daylight Saving Time (DST). (markt)
add 34220: Provide better error message when server.xml can't be located. [Modified patch from Ralf Hauser] (yoavs)
add Add MessageListener and LifecycleListener cluster saving to storeconfig module (<Cluster ... ><ClusterListener className="org.apache.catalina.cluster.session.JvmRouteSessionIDBinderListener" >) (pero)
fix 33743: Add additional synchronization in webapp classloader to avoid possible race condition when defining a class (remm)
fix 33711: Add events on passivate and activate to cleanup SSO, and recycle session objects when removing them from a manager (so that anyone keeping references to it would leak a minimal amount of memory) (remm)
update Re-add patch causing Session.getId to throw an ISE, and make all internal components use a safe getIdInternal method (remm)
update Store principal to be exposed for Request.getUserPrincipal inside the GenericPrincipal, to remove hacks from the JAAS realm (remm)
fix 10385: SSI Servlet now includes better support for files that use character encodings other than the platform default. (markt)
fix Remove CopyParentClassLoader rule, which doesn't seem to be doing anything useful anymore. (remm)
add Provide an ServletFilter implementation of Server Side Includes (SSI). This was submitted by David Becker under 33106. (markt)
add Add sendfile support to default servlet, with a sendfileSize configuration attribute. (remm)
update If APR as well as Tomcat's JNI wrapper for APR are present, use APRized protocol handlers instead of the regular ones (remm)
fix 22617: When used with an EJB container and a realm that supports the concept of an unauthenticated user (J2EE.3.4.3) BASIC authentication was always authenticating users as the unauthenticated user without giving them a chance to supply a username and password. (markt)
fix Prevent facade objects cloning (remm)
update Add missing CGI variables to SSI servlet. Patch submitted by Fritz Schneider. (markt)
fix 34578: Updated JNDIRealm comment. (yoavs)
fix 34273: Better Bootstrap warning message. [Patch from Ralf Hauser] (yoavs)
update 34675: Updated Proxy-HowTo page with Servlet API calls. (yoavs)
fix 34546: Fix problem where the "first" Valve couldn't be removed from a Pipeline. (billbarker)
fix Fix NPE when POST size exceeds limit defined by maxPostSize. (markt)
fix Fix FORM authentication so POSTed parameters are not assumed to be encoded with platform default encoding. A side effect of this fix is that the bodies of POST requests that require FORM authentication are now buffered and made available after a successful login. (markt)
fix 34840: Better handling of external WARs redeployment, and ignore docBase specified in context file if within the Host appBase (remm)
fix Fix handling of symbolic links when the DefaultServlet is generating directory listings. (markt)
fix 35769: Correct implementation of javax.naming.Context.composeName( Name, Name) in multiple places. Patch provided by Laurent Simon. (markt)
add 34805: Add warning for suspicious security patterns, as suggested by Ralf Hauser. (yoavs)
fix 35819: Use getWorkPath for deleting work directory on context destroy, as suggested by Rob Steele. (yoavs)
Coyote
update Add support for using "Smart Cards" as trust/keyStore. (billbarker)
update Add some Mbean attributes and operations to ChannelSocket (pero)
add Apache Portable Runtime based HTTP/1.1 protocol handler, with SSL support (remm)
add Add support for simple file-based CRLs under JDK 1.5 (billbarker)
add Add experimental NIO-Socket channel for the AJP/1.3 Connector (billbarker)
add 34648: Add configuration option to enable IP-based Virtual Hosts. (billbarker)
update Refactor the AJP/1.3 Connector to be able to handle more advanced Actions. (billbarker)
fix Fix connector initialisation so sslProtocol is not required for SSL. (markt)
add Add bufferSize option to the AJP/1.3 Java connector to control output buffering. (billbarker)
add Apache Portable Runtime based AJP/1.3 protocol handler (remm)
fix Delay reading the initial request body packet by default for the AJP/1.3 Java connector. (billbarker)
Jasper
fix 18477: Allow symbolic links when precompiling JSPs (markt)
add 34272: Allow specifying the Option class used by the Jasper engine, submitted by Scott Stark (remm)
add Support for Java 5.0 in JSPs (remm)
update Java 5 will be the source and target for JSPs when running on Java 5 (remm)
update 34652: Add the ability to get SMAPs when precompiling, submitted by Daryl Robbins (remm)
fix 34465: Jspc failure if there is no web.xml (remm)
fix 35696: Make certain that release is called for custom tags when tag-pooling is disabled. (billbarker)
fix 35386: Make useBean resources use consistent spelling, from Kurt Huwig. (yoavs)
update 33522: Update jasper-howto to reflect use of javac switch. (yoavs)
add 35114: Add failOnError flag to JspC, by ziweth. (yoavs)
fix 35410: Fixed NPE in JspWriterImpl. (yoavs)
add 35571: JspC resolved uriRoot relative to Ant project basedir, if any, as suggested by Jason Pettiss. (yoavs)
Cluster
add Add that cluster can configure as Engine and Host element. (pero)
add Add single cluster default configuration element - discussed at JAX 2005 conference Cluster Workshop. (pero)
fix Fix resend GET_ALL_SESSIONS when wait ACK failed at receiver side (pero)
fix ClusterValve now remove from container element when cluster stops and added with next start again. (pero)
add Set timestamp only at first time inside SessionMessageImpl (pero)
add Set timestamp from findsessions method call, when handling GET_ALL_SESSION to all SEND_SESSION_DATA and TRANSFER complete messages. (pero)
add Drop all received message inside GET_ALL_SESSION message queue before state transfer message timestamp. (pero)
add Cluster ping now transfer cluster domain information and DeltaManager only send and receive message from same domain members (pero)
add JMX Support for McastService (Membership) (pero)
add Redesign SimpleTcpCluster message receiving to ClusterReceiverBase (pero)
add Cluster transfer all attributes to the generate session manager at addManager. Remove some unused attributes at SimpleTcpCluster and ReplicationTransmitter (pero)
update Refactor DeltaManager: - createSession call now ManagerBase super class method - extract some long methods - send GET_ALL_SESSION with session blocks - don't sync sessions map when send all sessions (pero)
update Add developer actions at to-do.txt (Proposal of changes) (pero)
update Small refactorings at FastAsyncSocketSender (pero)
update Redesign cluster message sending to lesser cpu and memory usage. Set at ReplicationTransmitter#compress=false as default. Change API from ClusterSender, ReplicationTransmitter, DataSender, SimpleTcpCluster (pero)
add DeltaManager has now JMX expireAllLocalSessions and processExipre operation for better cluster node shutdown handling (useful for testing only) (pero)
add DataSender doWaitAckStats for better understanding wait ack problems (pero)
update Refactor DeltaManager and add counter for cluster message send/receive message (pero)
fix 34389: Porting Clustering fix pack to 5.5.10 code base. Remove synchronized from DataSender.pushMessage(). Very often the complete cluster blocking after replicated a bulk of new session messages under heavy load. All cluster node standing for a lot of time and made nothing. Fix it for pooled, asynchronous and fastasyncqueue replication mode. Very bad thing, sorry! (pero)
add Add notifySessionListenersOnReplication attribute to SimpleTcpCluster to stop notify event to SessionListener at backup nodes from create and destroy replicated session (pero)
add Add compress attribute to ClusterSender and ClusterReceiver interface. Now compress config transfer from sender to receiver at SimpleTcpCluster. (pero)
add Add ClusterValve interface and implement it as ReplicationValve and JvmRouteBinderValve. Now both Valves can be directly configured at server.xml Host/Cluster/Valve subelements. Also this configuration are correctly handled with the StoreConfig module. (pero)
update Deactivate DataSender keepAliveMaxRequestCount change default to -1. Cluster replication sockets are fast and very stable! (pero)
update Setup JvmRouteBinderValve as host valve instead context valve. Refactor the API a little bit. (pero)
fix Don't increment open socket counter before socket is really open. Add socket open failures counter (pero)
add Add MessageListener support to cluster server.xml element (ClusterListener) to register your own cluster message receiver (pero)
add Add LifecycleListener support to cluster server.xml element (Listener) and notify those listener from start/stop cluster, add/remove session manager, sending fault and start/stop member (pero)
add Add active backgroundProcess keepAlive timeout and request count socket close check at ReplicationTransmitter. Check frequency can be change with attribute processSenderFrequency (default 2). (pero)
add Remove useless Jdk13ReplicationListener, Jdk13ObjectReader. Add SocketReplicationListener and SocketObjectReader to have native socket ClusterReceiver. Also extract ClusterReceiverBase superclass for SocketReplicationListener and ReplicationListener (pero)
update Add and update some API and the cluster howto documentation (pero)
update Refactor ReplicationValve for better understanding and small optimization (pero)
add Starting a unit test suite for cluster module - very much todo (pero)
fix Fix ant build.xml to direct compile at cluster module directory (pero)
fix Fix some I18N messages, but a lot of work is waiting for fix (pero)
add Add ReplicationValve Mbeans stats attribute getter and resetStatistics operation (pero)
Webapps
fix 35758: Admin webapp mishandling digest attribute of JDBCDataSourceRealm. (yoavs)
add 34250: Admin webapp Commit Changes button now asks for confirmation. (yoavs)
add 34818: Alternating row for apps in HTML manager, as suggested by Jeff Domeyer. (yoavs)
add 35379: Added commons-logging to build path of manager and host-manager apps, to make them build with Jikes, as suggested by Aaron Isotton. (yoavs)
Tomcat 5.5.9 (yoavs)
General
add Add JULI, a java.util.logging implementation, used to provide sane defaults and configurability equivalent to Tomcat 4.0 for Tomcat 5.5 logging (remm)
docs Add JULI documentation to the logging page (remm)
add Add host manager webapp (remm)
add Add ant JkStatusUpdateTask for remote status worker handling (>= mod_jk 1.2.9) (pero)
add 33739: Add reference to RUNNING.txt in setup.html. (yoavs)
fix 33719: Update reference to Ant download page. (yoavs)
fix 33883: Bad options in SSL-HowTo. (yoavs)
update Update to MX4J 3.0.1 (pero)
update 34139: Updated Realm-HowTo to specify JMX, Commons-Logging jars for RealmBase. (yoavs)
add 33325: Added top-level clean target to Netbuild build.xml file. (yoavs)
update 33755: Clarified Postgresql JNDI datasource example. [patch submitted by Tom Witmer] (yoavs)
Catalina
fix Remove some instances of expanded folder removal (remm)
fix Don't call mkdirs if we're not going to save the configuration in StandardContext (remm)
fix Fix context classloader binding during loader initialization (it was set to null before) (remm)
fix The webapp logger should only be retrieved when the context classloader is set to the webapp's classloader (remm)
fix 34170: Add back retry logic in JDBC realm in case of a connection failure (remm)
fix 22041: Support dynamic proxies as session objects. (markt)
fix Fix logger names for wrappers (remm)
fix 34006: If antiResourceLocking was used, HostConfig considered the path as external, and web application resources were not correctly removed or tracked; also simplify the code a lot (remm)
fix 34016: Save and restore docBase when using antiResourceLocking, for compatibility with the admin webapp (remm)
add 33636: Set lastModified attribute when expanding WAR files. (yoavs)
add 32938: Allow Salted SHA (SSHA) passwords in JNDIRealm. (yoavs)
add 31288: Allow SMTP authentication for JNDI MailSessionFactory. (yoavs)
update Harmonize processing of the context.xml defaults with the way web.xml is processed (remm)
fix Ignore ';' if it is in the query string (remm)
fix private to protected for the webapp classloader (remm)
fix Improve logging of filters and listeners startup errors (remm)
fix 33774: Retry once in JNDI realm authenticate failure regardless of the exception message (remm)
fix 33961: Don't encode '~' in context paths (remm)
fix 32866: Propagate distributable property from context to manager (yoavs)
fix 32867: Reset distributable attribute in context for clean reload handling (yoavs)
update Fix some RealmBase/JNDIRealm log.isXXXEnabled (pero)
fix 34161: Harmonize StandardContext.stop with ContainerBase.stop (remm)
Coyote
fix 33971: Set remoteHost to null when Apache doesn't send one. (billbarker)
fix Fix calculation of threadRatio for the ms thread pool, and fix setting the updated timeout value (remm)
update Update the ms thread pool so that we allocate a worker before accepting a new socket, and wait a little if the pool is exhausted; this should make low maxThreads values work a lot better (remm)
update 33857: Update information on automatic mod_jk configuration in Apache-HowTo (yoavs)
fix Fix sync block placement in Mapper.addContext (remm)
fix 32741: Fix spelling of "committed" [patch from Ben Souther] (yoavs)
fix 34133: Make setHeader clear multi-valued headers (billbarker)
Jasper
fix 34034: Jasper does not respect external entities (billbarker)
fix 33810: Incorrect recycling of BodyContent if close is called (remm)
update Per instance loggers in Jasper (remm)
Cluster
fix Fix JvmRouteBinderValve primary failover attribute to org.apache.catalina.cluster.session.JvmRouteOrignalSessionID (pero)
fix Change attribute name waitForAck to sendAck at ReplicationListener (pero)
add Integrate new fastasyncqueue cluster sender mode. Support queue size limitation, get all queued objects and send it to the backup node, no queue thread lock contention under high replication load, submitted by Rainer Jung (pero)
add Add compress attribute to Sender and Receiver to transfer data uncompressed. At high cluster load this option consume lesser cpu and memory. Implement the compress handling to ReplicationTransmitter, ReplicationListener, XByteBuffer and Jdk13ReplicationListener (pero)
add Add doProcessingStats to synchronous, asynchronous and fastqueueasync sender modes to get min, avg, max processing times as IDataSender JMX MBeans (pero)
fix TcpThreadPool use constant ACK byte array instead create new 3 byte buffer for every message ack (pero)
update Refactor ReplicationTransmitter and ReplicationListener (pero)
update add getCatalinaCluster() to ClusterReceiver and SimpleTcpCluster (pero)
update Update the Api documentation (pero)
Webapps
update Use the standard struts taglib URIs in admin JSPs. (billbarker)
add Add more host parameters to create new host with host-manager (pero)
fix 34033: Fix quoting related bugs (remm)
fix 33713: Add Struts init code in frameset.jsp as well (remm)
Tomcat 5.5.8 (yoavs)
General
fix 33204: Fixed SSL HowTo page. (yoavs)
fix 33351: Fix silent uninstallation. (remm)
fix 33489: Missing space in uninstaller message. (yoavs)
Catalina
fix Unregister host mbean and all context mbeans at remove a host, s. StandardHost.destroy() and MBeanFactory.createStandardHost/removeHost(,) detected by Thorsten Kamann (pero)
fix make it possible to restart connector, now serversocket recreated after stop,start (pero)
fix change mbean names from Mapper and ProtocolHandler to connector naming style (pero)
update Add some log.isXXXEnabled (pero)
fix Deregister MapperListener after remove connector (pero)
fix Remove host only at own domain with same name at all services, detected by Thorsten Kamann (pero)
fix 33187: Remove any logging of the password in the JAAS realm, submitted by Andrew Jaquith (remm)
fix 33033: Don't do anything to the response in the ErrorReportValve if data has already been written (remm)
update Add charset support for the URLs used by the tasks, to remove deprecation (remm)
fix 26135: Workaround for memory leak when reloading Struts based web applications by clearing the bean introspector cache of the JVM on classloader stop, submitted by Tobias Lofstrand. (remm)
fix Ensure that if CLASSPATH is declared on startup - it is not used. (funkman)
fix Add back use of deployOnStartup in HostConfig (remm)
docs Ant tasks docs patches, submitted by Gabriele Garuglieri. (remm)
update Use NIO for the raw copying operation, as it is faster (a little under 30%), and decreases a little the impact of antiResourceLocking. (remm)
fix 33357: Fix connection leaks with the DataSourceRealm, as well as improve efficiency, submitted by Dominik Drzewiecki. (remm)
update Improve a little logging of servlet exceptions, which should all log the root cause. (remm)
update Add new Manager.createSession(sessionId) method, allowing the client to "specify" the session id which should be used using a cookie when using emptySessionPath="true". This fixes session tracking in this case. (remm)
fix 33368: Fix memory leak in swallowOutput feature which occurred when the thread pool size is reduced, submitted by Rainer Jung. (remm)
fix StoreConfig: can't save cluster Membership element (pero)
add StoreConfig: suppress default jkHome attribute at connector (pero)
add StoreConfig: Save new dynamic properties from ReplicationTransmitter (pero)
fix 33463: Remove attributes after context destroy. (remm)
fix 33572: context.xml should be a redeploy resource, and add prioritization for redeploy resources. (remm)
Coyote
fix PoolTcpEndpoint recreate ServerSocket after start,stop,start connector (pero)
update Add some log.isXXXEnabled (pero)
add JkMX: make log4j mbean configurable with attribute log4jEnabled (pero)
fix When Tomcat runs on Windows and IE is uploading data to the server, the first read must be at least 8KB, otherwise upload speed is extremely low, submitted by Noel Rocher (remm)
Jasper
fix 33223: pageContext.forward and jsp:include result in StringIndexOutOfBoundsException (luehe)
fix 33373: Fix handling of context classloader in jspc (remm)
fix 33538: Ignore example and tag-extension elements in TagLibraryInfoImpl. (yoavs)
fix 33539: Better error message when an unknown element is encountered in the tag file. (yoavs)
fix 33219: Minor JspServletWrapper code cleanup. (yoavs)
Cluster
fix Add instance based ReplicationValve statistics to Mbean descriptor (pero)
fix Better I18N support to cluster session and tcp classes (pero)
add Support optional primaryIndicator at ReplicationValve to mark that request processing to existing session is at primary cluster node. Easy failover detection, when mark is not at configurable primaryIndicator attribute, submitted by Rainer Jung (pero)
update Refactor all implementation from interface IDataSenders (pero)
add Add some useful attributes and operations to all the sender MBeans. (pero)
add Add keepAlive and waitForAck handling to AsyncSocketSender and factor out a DataSender base class. (pero)
add ReplicationTransmitter: Enable and Disable autoreconnect sender and waitForAck. (pero)
add ReplicationTransmitter: transfer all properties to socket sender from server.xml configuration. (pero)
Webapps
fix Fix create and remove Host for Admin app. (pero)
Tomcat 5.5.7 (remm)
General
add Add installer for mod_jk on IIS. (mturk)
add New store config module for better server.xml saving support.
Add <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener" /> to your server.xml (pero)
update 32081: Remove the JDK requirement from the Unix scripts, submitted by Ben Souther (remm)
fix 32953: SERVLETAPI: XSS Issues, submitted by Mark Thomas (jfarcand)
update Update to commons-digester 1.6, JDT 3.0.1, MX4J 2.1.0, Struts 1.2.6 (remm)
Catalina
update First integration at StoreConfig to StandardServer (pero)
fix 32714: Don't make the AccessLogValve final (funkman)
fix 32694: Fix bad code to make docBase path absolute in antiLocking method. (remm)
fix 32713: Fix resource-env-ref handling. (remm)
fix 31201: Improve i18n support in DefaultServlet. This was causing problems with JSP include actions and static files. (markt)
fix Add some log.isXXXEnabled to o.a.c.core.StandardHost StandardEngine, StandardService (pero)
add Feature addition to add Redirector and failOnError support for all Catalina Ant tasks, submitted by Gabriele Garuglieri (remm)
fix 31198: Fix FORM and DIGEST authentication for non-ASCII usernames and passwords. (markt)
fix Reimplement charset mapper (remm)
fix Add logging of exception which could occur when retrieving the password in JDBCRealm (remm)
fix 25889: Don't execute queries twice, submitted by Tom Anderson (remm)
fix 32832: request.getSession(false) fails to return null (luehe)
fix 28222: request.getRequestURL() in forwarded jsp/servlet returns original url rather than new url as per SRV8.4 (markt)
fix 33157: Fix handling of the buffer length for basic authentication parsing (remm)
Coyote
fix 32708: Better handling of bad encoding with the string cache. (remm)
fix 32781: Fix bad initialization of the "scheme" field of the request object, which would cause getScheme to return "http" for the first request. (remm)
fix Content length should be ignored if there is chunking (remm)
fix Remove most deprecation problems for the AJP connector (remm)
Jasper
fix 32746: Avoid JAR locking when loading classes and improve loading performance by taking advantage of caching, submitted by Dominik Drzewiecki. (remm)
Cluster
fix correct JvmRouteSessionIDBinderListener MBean name to <domain>:type=Listener,name=JvmRouteSessionIDBinderListener,host=<host> (pero)
add JMX support to SimpleTcpCluster, ReplicationTransmitter and all senders (pero)
Webapps
fix Fix the webDAV servlet so it can be used via any arbitrary mapping (eg /webdav/*) to edit the contents of a web application. (markt)
fix 32729: Stop is optional and may fail, so it needs to be in a separate try/catch (remm)
update Remove the remove method of the manager servlet, and use the undeploy method instead (remm)
fix 32777: Fail if application isn't configured properly, submitted by Gabriele Garuglieri (remm)
fix 32771: Cannot undeploy/deploy misconfigured app after tomcat startup, submitted by Gabriele Garuglieri (remm)
fix 28867: Correct manager documentation to document correct way to reference the ROOT context. Submitted by Stephane Bailliez. (markt)
fix 33085: Add support for setting privileged attribute of context to admin webapp. (markt)
fix 33117: Fix Open bugs link broken on default homepage. Patch supplied by Sander Temme. (markt)
fix Improve javadoc generation for Catalina. (remm)
Tomcat 5.5.6 (yoavs)
General
update 32532: updated logging documentation. (yoavs)
update 32382: Index page and packaged WAR for sample webapp. (yoavs)
fix 32603: Updated host.xml to reflect appBase resolution. (yoavs)
Catalina
fix Add child to the map of the parent before starting it. (remm)
fix Decouple usage of the scheme and secure attributes from enabling SSL. (remm)
fix 32502: memory leak in DigestAuthenticator. (yoavs)
fix 28709: javax.servlet.http.HttpServletRequest.isRequestedSessionIdValid() returns true for an invalidated session. (luehe)
fix 32137: Possible thread-safety issue in RealmBase. (yoavs)
Coyote
fix 32585: Better handling for content length greater than Integer.MAX_VALUE in response. (markt)
update Allow ApacheConfig and friends to live under an Engine. (billbarker)
update Synchronize access to the Jk Request registration count. (billbarker)
update Speed the MsgContext on its way to GC. (billbarker)
fix Keep correct thread counts in Thread pool when thread ends in an exception (billbarker)
Jasper
update Updated Jasper-HowTo section on using Jikes, changed conf/web.xml JSPServlet to refer people to Jasper-HowTo so that we don't have these instructions in two places. (yoavs)
Webapps
fix 32505: Fix handling of an empty context parameter (which occurred every time the HTML manager was used to deploy a local war without specifying also a context file). (remm)
Tomcat 5.5.5 (yoavs)
General
update 32235: Sync conf/web.xml MIME types with Apache httpd. (yoavs)
fix 31132: Better -x/-r support for OS/400 in startup scripts. (yoavs)
update 22679: Added misc note on accessing session ID to SSL-HowTo. (yoavs)
update 32249: Updated logging documentation. (yoavs)
update 32282: Modify Windows Uninstaller to only remove webapps/ROOT and webapps if user asks to remove everything. (yoavs)
fix 32371: outdated introduction.xml page. (yoavs)
fix 32373: outdated installation.xml page. (yoavs)
update 32454: amended JNDI documentation for JavaMail/JavaActivationFramework usage. (yoavs)
Catalina
fix 32130: Add safety check to FileStore#keys method. (yoavs)
update 32276: Add developer info to Realm How-To. (yoavs)
fix 32082: Added protected getPrincipals method to MemoryRealm for easier extension. (yoavs)
fix 32023: CGIServlet fails to handle post message with multipart/form data. (yoavs)
fix 32269: JNDIRealm fails with InvalidNameException to authenticate users if LDAP distinguished name (DN) contains slash or double quote character(s). (yoavs)
fix Move processExpiresFrequency check to ManagerBase and reflect change to all subclasses (StandardManager, PersistentManagerBase, DeltaManager). (pero)
update Add DIGEST authentication support to the JDBC and DataSource realms. Supports both digested and cleartext passwords. (markt)
fix 32429: CGIServlet calculates number of lines received on stderr incorrectly. (markt)
fix 32431: Fix typo in code that passes data to CGI script. (markt)
fix 32430: Class cast exception in toString() method within CGI servlet. (markt)
fix Add some log.isXXXEnabled checks at StandardContext and HostConfig (pero)
fix Remove the last DefaultContext artifacts (pero)
fix 32031: using createConnector with "http" protocol (remm)
fix Add configFile attribute in JMX descriptors (remm)
fix Fix autodeployer handling of a war which includes a /META-INF/context.xml, so that it is correctly registered and can be reloaded correctly (remm)
fix 32137: Use of MessageDigest should be synced in DIGEST (remm)
fix Add info log when the autodeployer reloads a context (remm)
Coyote
update Small HTTP/1.1 optimizations: replace usage of Strings with constant byte arrays, and simplify the code converting Strings to bytes (remm)
update Greatly reduce the amount of recycle method calls on the buffers (remm)
fix Add null OName check for Request unregistration in Jk, to remove exception under JDK 1.5. (billbarker)
fix 32292: Don't send keep-alive header when the protocol can't be parsed. (billbarker)
Jasper
update Updated JspC usage messages to include recently added configurable parameters. (yoavs)
fix 32330: JspC changes context classloader. (yoavs)
Cluster
add JvmRouteBinderValve/JvmRouteSessionIDBinderListener to bind cluster session after primary node failure at first calling backup node. This was an option to have session stickiness after cluster node crashed. Work only with JSESSIONID cookies. (pero)
add Better log support to DeltaManager to see detail information at debug level. (pero)
fix Fix FarmWarDeployer based on new HostConfig deployer. (pero)
fix FarmWarDeployer controlled WarWatcher with engine backgroundProcess call. Added processDeployFrequency attribute to Deployer server.xml element. (pero)
Webapps
update 32019: Remove maxlength=64 restriction on env entry values in admin webapp. (yoavs)
fix Fix various problems in realm docs, submitted by Phil Mocek. (remm)
update Add log4j docs submitted by Allistair Crossley. (remm)
fix 32381: Fix problem where EL expression is used as a place holder in the admin webapp. Submitted by Allistair Crossley. (billbarker)
Tomcat 5.5.4 (yoavs)
General
update 31671: Update web.xml files to 2.4 schema where applicable. (yoavs)
update 31912: Add PNG and CSS file types to replication filter default. (yoavs)
Catalina
fix Add processExpiresFrequency to PersistentManagerBase and made some small JDBCStore optimizations (pero)
fix Register JSP monitoring mbean for each servlet that declares a jsp-file in web.xml. (luehe)
fix 31578: Update Manager configuration documentation. (yoavs)
fix 31273: Add support for derefaliases in JNDIRealm. (markt)
fix 31623: Better OS400 support in setclasspath.sh. (yoavs)
add Extend background processing to most container components. (remm)
fix Remove all MX4J related code. (remm)
fix Update JAR list in TldConfig. (remm)
add Register datasources with JMX. With DBCP, this is enough to provide JMX management and monitoring. It might work well with many other data sources which might not register themselves in JMX but do expose their stuff in a java bean fashion. (remm)
update Add the ability to force session cookies to be set to the root path "/". This should not be used on large servers, otherwise tons of cookies may be sent. (remm)
fix Workaround for client socket exceptions occurring while running a CGI, which could cause the external process to hang. (remm)
update Optimize session cookie IDs conversion to String, since this is an unavoidable and uncacheable operation. (remm)
fix Add explicit error message if temp dir does not exist, and remove useless calls to initDirs. (remm)
add Add an optimized access log valve, supporting hardcoded support for the common and combined patterns, and doing a majority of its write-to-logfile operations asynchronously. (remm)
update Register an MBean to monitor and manage the StringCache, and allow invoking the reset operation. (remm)
fix 31677: Log warning if work dir for context can't be determined. (yoavs)
fix 31903: Fix condition which seems to not have been properly updated after adding entry.binaryContent = null a little below, submitted by Joe Zhou. (remm)
fix Prevent silent NPEs during StandardContext.start dealing with JMX registration of realm, submitted by Keith Wannamaker. (remm)
fix 31592: Support other encodings for digests. (yoavs)
update 31739: Minor realm-howto and AJP connector doc updates. (yoavs)
fix 31753: Minor inconsistency between JDBC and DataSourceRealm#authenticate. (yoavs)
update 31683: Minor clarifications to realm documentation. (yoavs)
Coyote
fix Improve i18n in TCP endpoint, and add a better error message when an exception occurs in setSocketOptions. (remm)
fix 31663: Use interval field as the delay for monitor thread. (remm)
fix Remove bad shutdown logic for ms pool strategy. (remm)
fix Sync with Cookie, by adding ' ' as a special char. If a special char is present, the string will be quoted. If the client doesn't support it, the String will not be quoted anyway and no IAE will be thrown. (remm)
add Add an optional String cache for ByteChunk.toString and CharChunk.toString. The cache is unsynchronized during most of its operation, and is static after a training period. An operation is provided to allow resetting the cache. (remm)
update String caching is enabled by default for ByteChunk. (remm)
fix 31090: Use a URL encoded path when setting session cookies. (remm)
add Add getAttributeName() to ProtocolHandler to get all attributes at runtime (pero)
Jasper
update Exposed compilerSourceVM and compilerTargetVM options to JspC. (yoavs)
Cluster
fix DeltaManager and SimpleTcpReplicationManager generate double jvmRoute (pero)
add Add some missing Getters and log.isXXXEnableds (pero)
Webapps
fix 31707: Broken JavaScript confirmation in HTML manager. (yoavs)
fix Remove hard-coded admin context path from admin's banner.jsp. (yoavs)
update Major connector docs update. (remm)
fix 31732: Fix Japanese localization of Manager's list output. (yoavs)
Tomcat 5.5.3 (yoavs)
General
fix 30568: Incomplete setup.html documentation for launching jsvc. (yoavs)
update Repackage naming features. (remm)
fix Fix deployer packaging. (remm)
fix Fix embed packaging. (remm)
Catalina
fix Fix memory leak when Security Manager is turned on. (jfarcand)
fix When checking status codes for error handling, only check if Response.isError() is true. This way, users may use setStatus() to set their own error status without having the error page invoked. (in which case, the user should've used sendError()) (funkman)
update Remove Digester code for Xerces workaround. (jfarcand)
fix Give proper permission to the balancer app when running under the security manager. (jfarcand)
fix 30869: Make sure JAAS realm name is legal. (yoavs)
update md5Helper, md5Encoder, and normalize are used by WebdavServlet, not DefaultServlet so move them into WebdavServlet.
fix 31277: Clarified automatic application deployment section of Host configuration page. (yoavs)
fix 28631: JAASRealm enhancements to support custom user and role classes use Commons-Logging. (yoavs)
fix 31364: Missing resource in org.apache.catalina.core.LocalString.properties. (yoavs)
fix 31362: Missing -Xdebug in catalina.bat when launching with JPDA and Security. (yoavs)
fix 31356: Duplicates not counted in session generation. (yoavs)
fix 30949: Make sure ApplicationDispatcher unwraps request/response even if include error occurs. (yoavs)
fix Fixed StandardContext.getStartTime() to return actual start time/date instead of time (startupTime) it took to start context. (luehe)
update getRequest/getResponse should return the most relevant interface, to avoid casts. (remm)
update Add check for directory before considering something is a compressed WAR. (remm)
docs Update the connector documentation. (remm)
fix When parsing a context file, ignore the "path" attribute: the only place where it is acceptable is in server.xml. (remm)
fix Digester handling fixes: always call reset in a finally block after using a digester. (remm)
update Remove many fields from Connector, and tie the creation of the Connector to the creation of the protocol handler. (remm)
update Remove package triggers from the classloader, which seem useless when using Java 5. (remm)
fix Realms will now use set attribute to set themselves in their container when using JMX. (remm)
fix Fix JMX related operations with the Connector. (remm)
fix Fix save-to-XML for naming resources. (remm)
fix Remove authenticator "debug" attributes from the descriptors. (remm)
update Refactor org.apache.catalina.deploy.ContextXXX to use new super class ResourceBase. (pero)
fix Enable Connector.findLifecycleListener that we can listen start/stop Connector events and save the listener to xml. (pero)
update Remove Watchdog references, as it is no longer used. (yoavs)
fix 31511: Don't call setenv.bat if not found, in *using-launcher scripts. (yoavs)
fix 31549: Add name to WebappClassLoader's stopped message. (yoavs)
Coyote
update Allow customized server header for Standalone. (funkman)
fix Digester.reset now removes the error handler, the root and calls clear, to prevent any memory leak. (remm)
update Remove useless stuff in digester. (remm)
update In HTTP, add a utility method to convert strings to byte arrays, and output the server header directly as bytes. (remm)
add Add a master slave thread pool based on the code from Tomcat 4.0. It is less exotic than the default one, and might fare better on some picky systems, such as Redhat 9. The two threadpools will likely be removed once we use the Java 5 API, although more investigation is needed. (remm)
fix Fix issue with getProperty in IntrospectionUtils. (remm)
update Remove attribute translation for SSL in the HTTP protocol handler: it will now be done in the Catalina Connector class. (remm)
fix Fix handling of the "timeout" attribute of the HTTP protocol handler. (remm)
Jasper
fix 31171: Wrap to avoid ClassCastException in PageContextImpl. (yoavs)
fix 31257: Added specification of endorsed dirs if forking. Note that this is fairly useless for now in 5.5 since it uses JDT and not javac by default. (yoavs)
docs Document new Jasper defaults, and update the production configuration. (remm)
fix Copied XML encoding detection logic into JASPER, so we're no longer dependent on Xerces. (luehe)
fix Fix cosmetic issue where extra CRLF would be inserted during each precompilation in web.xml. (remm)
update Allow configuring the interval following a compilation during which a JSP will not be checked for modifications. (remm)
fix 31465: Ensure that the compiler reads the .java file using the same encoding as that with which it was written. (markt)
fix 31510: Null out response in JspWriterImpl#recycle to aid in JBoss memory leak. (yoavs)
Cluster
update Added flag to the cluster (notifyListenersOnReplication) to enable/disable the notifications of attribute/context listeners upon replication of a session delta. Works only with the DeltaManager (fhanik)
update Added flag to the cluster (Cluster/Sender/ackTimeout) to set the timeout in milliseconds for a synchronous request to go through, defaults to 15000ms (fhanik)
Webapps
fix 29485: I broke the HTML manager when adding JavaScript confirmation, fixed now ;) (yoavs)
fix 31058: Ensure StatusTransformer escapes query string for XML. (yoavs)
update Added contexts' start time (available from 'startTime' MBean attribute of StandardContext) to status page (luehe)
fix 31264: the deploy task should now behave correctly. (remm)
update Refactor the manager servlet to make calls to the deployer more robust. (remm)
fix Use the more robust String.valueOf in the form edit action of the connector. (remm)
Tomcat 5.5.2 (yoavs)
General
fix The installer will now use the system's JRE. (remm)
Catalina
fix Fix URL generation for classloaders on Windows, causing common/classes and shared/classes to be unusable (remm)
fix 31110: Fix resource packaging bug for servlets (remm)
fix Fix 5.5 regression where going through the authenticator would create a session each time. (remm)
fix Fix classname of the connector in Embedded, and remove the socket factory. (remm)
Coyote
fix Redo server header handling again. (remm)
update Cleanup a little access to the headers using a local variable and use setValue for Server and Date headers. (remm)
Jasper
fix Remove maxTagNesting and curTagNesting since they are unused. (funkman)
fix Fix tag files handling with JDT, which were unusable, and refactor the lifecycle handling of the page loader. (remm)
Cluster
Webapps
Tomcat 5.5.1 (yoavs)
General
update Tomcat 5.5 can be built on JDK 5.0. (yoavs)
fix Windows installer polish. (mladen, remm)
update Remove dependency on Jakarta regexp. (remm)
Catalina
fix Allow overriding the location of the default context file, similar to the default web.xml. (remm)
update Backport if-else logic for SSI servlet from 4.1 (funkman)
fix Remove DefaultContext elements from the digester rules. (remm)
fix Fix ResourceLink handling. (remm)
fix Modify the auto deployer to get along with contexts which are statically defined in server.xml. (remm)
fix Externalize constant strings defining the location of deployment related resources. (remm)
fix 31052: BeanFactory swallows root cause of exception. (yoavs)
fix Allow using deploy Ant task with just config attribute, submitted by Michael Schuerig. (remm)
add Added longest time an expired session had been alive to set of monitorable session manager attributes. (luehe)
add Added average time an expired session had been alive to set of monitorable session manager attributes. (luehe)
fix Clear a reference in the digester where a context would be referenced for more time than it needed, until the next context deployment operation. (remm)
Coyote
fix 31018: Race condition in SystemLogHandler. (yoavs)
Jasper
fix Use the "compiler" parameter to allow specifying that Ant should be used. (remm)
fix Ignore JDT compiler warnings. (remm)
add Added compilerTargetVM option support, "1.4" default. (yoavs)
Cluster
fix Fix adding the clustering valve, so that session replication actually occurs. (fhanik)
Webapps
update Major documentation update with current Tomcat 5.5 changes. (remm)
update Added JavaScript confirmation dialog to "dangerous" Manager servlet links. (yoavs)
Tomcat 5.5.0 (yoavs)
General
update Many updated and fixed JavaDocs. (yoavs)
update Designed and tested Tomcat on J2SE 5.0 (aka JDK 1.5). (everyone)
update Bundled Eclipse JDT (new dependency) to allow Tomcat to run on a JRE only, i.e. no JDK required. (remm)
update Repackage commons-dbcp and its dependencies as a single smaller WAR, with renamed packages. (remm)
update Removed dependencies on commons-digester, commons-beanutils, and commons-collections. The relevant digester functionality is now merged in tomcat-util. (remm)
Catalina
update Removed usage of org.apache.catalina.Logger, increased usage of commons-logging everywhere. (remm)
update Refactored classloader code to better handle JAR and general resource locking. (remm)
update Written JMX-related code to play nicely with J2SE 5.0 built-in JMX abilities. (remm, costin)
update Extensively profiled and optimized the server startup performance as well as the request mapping and processing pipeline. (remm)
update The container will now always process a /META-INF/context.xml resource, unless the webapp has a specified external context file. (remm)
update New default configuration mechanism for web applications, replacing DefaultContext. This uses a shared context file located in conf/context.xml. (remm)
update Revamped deployer, allowing full hotdeploy (note: on Windows, this requires the anti file locking features). (remm)
update Remove verbosity from the JNDI resources configuration, by allowing arbitrary attributes on the Resource element. (remm)
update Simpler Valve interface, to allow smaller stack traces and reducing the amount of method calls. (remm)
Coyote
Jasper
update Eclipse JDT is now the default Java compiler in Jasper. Source dependencies are now loaded from the container classloader, and compilation times are much faster. (remm)
update Jasper development mode should now have acceptable performance for heavily accessed pages. Precompiling JSPs is still significantly more efficient, however. (remm)
Cluster
Webapps

Copyright © 1999-2012, Apache Software Foundation