Apache Tomcat 3.3.1a
====================
Release Notes
=============

$Id: RELEASE-NOTES-3.3.1.txt,v 1.49 2002/03/26 15:25:30 larryi Exp $

This document describes the changes that have been made since the release of
Tomcat 3.3 Final.

=========
Bug Fixes
=========

The release in which the fix appears is indicated in brackets.

Feature Additions:

Bug No.  Description

[b1]     Restored prefix attribute to InvokerInterceptor. It was available in
         Tomcat 3.2.x.

[b1]     Added SingleThreadModel pooling to ServletHandler. The default is to
         use pooling.

[b1]     Added optional checking (configured on SessionId module) to ensure
         that the SSL session IDs match for each request within a Tomcat
         session. This check is disabled by default.

[b1]     Added org.apache.tomcat.util.net.URL class from Tomcat 4.0 so
         response.encodeURL() can work under SSL without JSSE. This can occur
         if you have Apache forwarding SSL requests to a Tomcat that doesn't
         have JSSE installed.

[b1]     Fixed logic for response.encodeURL() so that it will work correctly
         if the input URL includes an anchor tag.

[b1]     Improved the handling of invalid web.xml files. Now you get the same
         error messages every time you parse the file.

[b1]     Moved the setting of the default "*.jsp" mapping so that it is now
         possible to entirely disable support for jsp files.

[b1]     Fixed problem with jsp_precompile parameter to JSP files.

[b1]     Context properties and ContextManager properties can now be set with
         elements, i.e: For backwards compatibility, the ContextManager
         "lower-case-p" version supported by Tomcat 3.3 is still supported.

[b1]     Added variable substitution handling to ContextXmlReader, allowing
         variable substitution to be used in declarations.

[b1]     Added support for PureTLS as an SSL option. Also, any attribute used
         to create the socket factory, such as "rootfile" (or "keystoreType"
         for JSSE), is now settable on the Http10Connector element in
         server.xml.

[b1]     The configuration files generated by ApacheConfig, IISConfig and
         NSConfig were improved for the case when the forwardAll attribute is
         false. Primarily, a servlet mapping like "/foo/*" now generates a
         mod_jk mapping for "/foo" as well as "/foo/*" to better match the
         servlet spec.

[b1]     The default log handler was updated to specify autoFlush=true for the
         PrintWriter so the output doesn't just go to a buffer. Since this
         logger is replaced by a new logger set by the LogSetter module, its
         reduction in efficiency won't affect normal operation.

[b1]     ServerXmlReader now logs a warning if the modules.xml file isn't
         found.

[b1]     The internal test script, test-tomcat.xml, has been made more
         configurable and the Admin app internal test page, test.jsp, has been
         updated to make use of this. With appropriate input settings, the
         tests can be run against Tomcat standalone, Apache, IIS, and Netscape
         (v4.1) without any failures.

[b1]     Japanese resource strings were added and StaticInterceptor and
         ErrorHandler modules were updated to take advantage of them. In
         addition, useAcceptLanguage and useCharset attributes were added to
         the StaticInterceptor module to allow configuration of how the locale
         and character set encoding of the directory listings are derived.

[b1]     Added a socketCloseDelay attribute to Http10Interceptor. The default
         is -1, which disables the delay. If set > 0, a Thread.sleep() is
         executed prior to reading and discarding unread input and closing the
         socket. This is intended to help diagnose problems resulting from
         unread input that arrives during the closing of the socket.

[b1]     Make the App-classloader configurable to allow using the 1.1 loader
         even when running under Java2. This should allow for better jar
         reloading at the cost of not enforcing sealing etc.

[b1]     The IISConf module was updated to support an isapiRedirector
         attribute which specifies the name of the redirector plugin DLL.
         It also now writes a "properties" file that can be used for
         configuration of the redirector instead of registry settings.

[b1]     The isapi_redirect.dll was enhanced to support a uri_select
         configuration setting that controls which form of URL is forwarded to
         Tomcat. The normalized/decoded URL used by Tomcat 3.3 is still the
         default. The original URL or re-encoded normalized/decoded URL may be
         forwarded instead. This was done to provide better support for
         isapi_redirect.dll's use with web servers other than Tomcat 3.3, such
         as Tomcat 3.2.x.

[b1]     Added a useWebAppCL attribute to JspInterceptor. When true, Java
         compilation using "sun.tools.javac.Main" will run in the web
         application's classloader. When false (the default), Java compilation
         using "sun.tools.javac.Main" runs in the container classloader. Using
         a value of true may help on certain HP-UX systems. In all other
         cases, useWebAppCL should be false. Currently useWebAppCL="true"
         cannot be used when running under a security manager, otherwise
         security exceptions will prevent JSPs from compiling.

[b1]     Added "reloadable" attribute to AutoWebApp module. If true, reloading
         will be enabled in all added contexts. If false, reloading will be
         disabled. The default is true.

[b1]     Added "defaultRedirectStatus" attribute to ErrorHandler module. It
         may be set to "301" or "302". The default is "301". It determines the
         status code set by the "redirect" handler if a status code has not
         already been set. This primarily affects the status code used when
         the StaticInterceptor module redirects a "directory" URL that doesn't
         end with a '/' and redirects to welcome files.

[b1]     Added shutdown support using Ajp13 and updated StopTomcat task to
         support automatic or explicit use of Ajp12 or Ajp13 protocol to
         shutdown Tomcat. This includes use of an optional "secret" password
         with either protocol.

[rc1]    Added hostChar, hostDotChar, and pathSlashChar attributes to
         AutoWebApp module.
         These make configurable the special characters used in the directory
         name to delimit a virtual host name and act as substitution
         characters. Also, fixed behavior so that hostChar isn't included in
         the context path name.

[rc1]    Startup error output has been improved. Messages will be shown if
         modules.xml or server.xml isn't present. Also, the port number is now
         shown when JVM_Bind exceptions occur.

[F]      Ajp12Connector and Ajp13Connector now accept ContextManager
         properties called ajpid12 and ajpid13, respectively. This property
         overrides the ajpidFile attribute of these modules, allowing the
         ajpid file to be specified via command line arguments. For
         consistency, the same arguments are also accepted by the StopTomcat
         task to specify the file and protocol to use for shutdown.

[F]      The Ajp13Connector now accepts shutdownEnable in addition to
         shutDownEnable as attributes that control if shutdown is enabled via
         the Ajp13 protocol. shutdownEnable was added since it uses a more
         intuitive uppercase/lowercase spelling.

[F]      The PasswordPrompter add-on was refactored to use introspection and
         accept customizable prompt specifications. It can now set additional
         passwords, such as the keystore password added to Http10Connector and
         the "secret" for Ajp12Connector and Ajp13Connector modules. It can
         set other types of attributes as well.

[F]      Refactored the PasswordPrompter add-on module to be configurable and
         to be able to perform prompting for context local modules. Added a
         "readme" file to document its use.

[F]      The facade classes in org.apache.tomcat.facade are now declared as
         public classes. This allows their methods to be called using
         introspection from a web application.

Server:

Bug No.  Description

[3.3.1a] Fixed vulnerability serving inappropriate content when encountering
         certain URLs that contain null characters. URLs that contain nulls
         are now considered unsafe by the DecodeInterceptor.

[3.3.1a] Reading of the web.xml has been updated so that it occurs with the
         same privileges as the web application, rather than with "trusted"
         privileges.

[b1]     Fixed problem with JSP page names that match a Windows DOS device
         name, such as aux.jsp. Instead of potentially hanging the thread that
         services the request, these requests now return "404 Not Found".

[b1]     DecodeInterceptor was updated to not convert '+' to space in the path
         portion of the request URL. RFC2396 allows '+' in the path of a URL.

[b1]     Modified IntrospectionUtils.getClassPath() to add "classes" directory
         to the list prior to jars.

[b1]     Fixed problem in AccessInterceptor where the beginning characters of
         the login or error page match the context path. Tomcat could
         mistakenly think that the context path had been incorrectly included
         in the login or error page setting. It can still make this mistake if
         the page is under a sub-directory with the same name as the context
         path.

[b1]     The missing jdbcRealm.getCredentialsSQLException property string was
         added.

[b1]     Fixed bug with useJspServlet option in JspInterceptor. If set to
         true, untrusted web applications couldn't run the JspServlet because
         jasper.jar and tools.jar weren't accessible.

[b1]     Fixed problem with jsp_precompile parameter to JSP files.

[b1]     Eliminated some hard coded '\n' line separators used by Jasper in the
         translated Java file.

[b1]     Fixed the position of the ;jsessionid when Tomcat generates a 401
         response. Now it is before the query string instead of after.

[b1]     Do not return a body with 304 responses (forbidden by HTTP/1.x and
         confusing to NS < 6.x).

[b1]     HttpServletRequestFacade now resets the reader when recycled.
         Previously, when calling getReader() on a recycled facade on which
         getReader() had been called, you would get the old reader rather than
         a new reader for the current request.

[F]      Fixed a bug in TrustedLoader with respect to reloading trusted
         modules when more than one is present.

[F]      Modified PoolTcpConnector checkSocketFactory() method to set the
         module's socketFactory when obtaining an SSL socket factory, instead
         of using a local variable. This allows the PasswordPrompter add-on to
         set SSL socket attributes, such as the keystore and certificate
         passwords.

[F]      A couple of "off by 1" bugs were fixed in the CharChunk and ByteChunk
         utility classes.

1657     JSPs with tag names that contain '-' or '.' will now compile without
[b1]     an "Invalid expression" error

4382     tomcat.sh script no longer deletes the ajp12.id file which could
[b1]     cause a problem shutting down if Tomcat was accidentally started
         twice.

4418     Ported Tomcat 3.2.x fix for race condition in ServerSocketFactory.
[b1]

4436     Reduce log output from DecodeInterceptor if debug level is zero. This
[b1]     avoids having a log entry for each request.

4564     Fix bug in Http10Interceptor where getRemoteAddr() returns 127.0.0.1
[b1]     instead of correct address.

4599     ThreadPool was updated to not reset the maxThreads, maxSpareThreads
[b1]     and minSpareThreads values in its start() method.

4923     Default permissions were added in PolicyInterceptor to allow direct
[b1]     read access to the webapp docBase and work directories. This is in
         addition to the permissions allowing access to the contents of these
         directories. These new permissions allow "exists()" to be executed on
         those directories without a security exception when running under a
         security manager.

4955     Fixed bug where the parsing of the query string to
[b1]     RequestDispatcher.include/forward wasn't handling the case where only
         the parameter name was specified.

4948     Fix DependClassLoader to be a Java2 ClassLoader when running under
[b1]     a Java2 JVM.

5005     If requested JSP file doesn't exist, avoid creating work directories
[b1]     and version file.

5191     Fix parsing of JSP comments with extra '-' characters.
[b1]

5497     Ignore the If-Modified-Since header when including a static page.
[b1]

5724     Suppress the check for WEB-INF in the "Default Servlet" (aka
[b1]     StaticInterceptor). The check was redundant, and was causing Spec
         problems.

5983     Fix the flushing of unread POST data on the HTTP connector. On the
[b1]     reported bug, it was mostly a nuisance. In other cases (see 6143) it
         was causing major problems. To avoid DOS attacks, the number of flush
         attempts is configurable, with a default of 20.

5994     Fix seconds calculation problem in DateTool
[b1]

6234     Recycle the Writer in the ResponseFacade if it is in the error state
[b1]     when the facade is recycled.

6348     Fix problem with getNamedDispatcher() when used with a JSP mapped
[b1]     in the web.xml.

6515     Block setting of Date-Headers from within an include.
[rc1]

6518     Fix an edge condition where in some cases a JSP file beginning with
[rc1]    a number wouldn't get mangled correctly.

6604     Fix a problem when using the AccessLog without a "Default Context"
[rc1]    defined.

6887     Fix a problem locating an error-page when using virtual hosts.
[F]

Jasper:

Bug No.  Description

[F]      Fixed incorrect use of '\' in the servlet mappings written by JspC on
         Windows systems.

Configuration:

Bug No.  Description

[b1]     Updated JSSEImplementation to support a separate keystorePass
         attribute as the keystore password. It will default to the keypass
         attribute if not set.

[F]      The conf/jk/wrapper.properties was improved. The improvements include
         putting quotes around the java command portion of the
         wrapper.cmd_line property. Also a wrapper.jvm.options property was
         added to simplify specification of JVM arguments.

[F]      PoolTcpConnector was modified to allow the PasswordPrompter add-on
         module to successfully set connection attributes for secure
         connections.

[F]      conf/jk/wrapper.properties was updated to work with spaces in the JDK
         path and a wrapper.jvm.options property was added to make it easier
         to add options.

[F]      conf/jk/uriworkermap.properties and conf/jk/obj.conf example files
         were updated to be more current.

4313     Bug in property substitution for server.xml and apps.xml files was
[b1]     fixed.

4826     Fixed AutoWebApp so the dir attribute can be an absolute path on
[b1]     Windows systems.

5365     Fixed the JasperMangler to handle Java reserved words correctly.
[b1]

5390     Fixed the behavior of LoadOnStartup servlets when the servlet is
[b1]     actually a JSP page.

5958     ApacheConfig, IISConfig, and NSConfig were updated so mappings that
[b1]     end with "/*" will write a mapping with and without the ending "/*".

6004     Updated Http10Connector to accept any attribute. The attributes
[b1]     without predefined setters will be included with the predefined ones
         that are made available when the secure socket factory is created.

6137     Fix the admin webapp to be more careful when using the remove-context
[b1]     feature. Also, the boxes were mis-labeled.

6341     Fix the "guess home" logic so that it can work on Mac OS
[rc1]

6717     Fix a problem where the Http10 Connector would fail to parse the
[rc1]    HTTP headers if the headers are extremely big.

Connectors:

Bug No.  Description

[b1]     A bug was fixed in isapi_redirect.dll where the query string would be
         lost if the URI was shortened during normalization of the URI. The
         presence of escaped characters or character sequences such as "/../"
         would cause this to happen.

[b1]     A bug was fixed in isapi_redirect.dll where it would mistake an
         encoded '?' in the URI path as the query string delimiter.

5769     A -n option has been added to jk_nt_service.exe so that the service
[rc1]    display name can be different from the service name should it contain
         characters not valid for the service name.

6579     Make certain that we don't dump more output than is available when
[rc1]    debugging Ajp13.

Documentation:

Bug No.  Description

[b1]     Tomcat-on-NetWare-HowTo.html updated to fix errors related to new
         functionality in Tomcat 3.3.

[b1]     tomcat-ug.html updated with additional classloader information and
         details on the variable substitution available in Context
         declarations.

[b1]     serverxml.html was updated to document features added to
         Ajp13Connector, AutoWebApp, ErrorHandler, Http10Connector, IISConfig,
         JspInterceptor, LoaderInterceptor11, SessionId, and
         StaticInterceptor. A note was added to Ajp12Connector to document the
         requirement for maxThreads to be 2 or more if it is to be used to
         shutdown Tomcat. Section on variable substitution was updated.

[b1]     tomcat-iis-howto.html updated to make it clearer that the "Filter
         Dlls" key is used only on Win98. It was also updated to document the
         use of a "properties" file instead of the registry and the new
         "uri_select" parameter.

[b1]     JDBCRealm-howto.html updated to name the correct class and its jar
         location for digested passwords.

[b1]     tomcat-ssl-howto.html was updated to document how to use PureTLS.

[b1]     The faq document was updated to indicate that segmentation faults
         while Tomcat is running are a JVM problem and not a Tomcat bug.

[rc1]    Updated server.xml to document features added to AutoWebApp.

[rc1]    Updated tomcat-ssl-howto.html to fix incorrect case for "clientauth"
         attribute.

[F]      serverxml.html and tomcat-ug.html were updated to document the new
         ajp12id and ajp13id startup and shutdown arguments.
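
Added example (not part of the original release notes and not Tomcat source
code): the Server section states that DecodeInterceptor now treats URLs
containing null characters as unsafe and no longer converts '+' to space in
the path. The Java code below applies both rules in one decoder; the class
RequestDecodeCheck, its methods and the sample inputs are hypothetical, and
decoded bytes are assumed to be ISO-8859-1.

```java
// Added illustration only: NOT Tomcat's DecodeInterceptor source.
// Class name, method names and sample inputs are hypothetical.
public class RequestDecodeCheck {

    // Value of an ASCII hex digit, or -1 if c is not one.
    static int hex(char c) {
        if (c >= '0' && c <= '9') return c - '0';
        c = Character.toLowerCase(c);
        return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
    }

    // Percent-decodes one part of a request URL.
    //   isQuery == false: path rules, '+' stays a literal plus sign.
    //   isQuery == true:  form-encoding rules, '+' becomes a space.
    // Returns null if an escape is malformed or a NUL character is present.
    static String decode(String raw, boolean isQuery) {
        StringBuilder out = new StringBuilder(raw.length());
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c == '%') {
                if (i + 2 >= raw.length()) return null;   // truncated escape
                int hi = hex(raw.charAt(i + 1));
                int lo = hex(raw.charAt(i + 2));
                if (hi < 0 || lo < 0) return null;        // not hex digits
                c = (char) ((hi << 4) | lo);              // byte as ISO-8859-1
                i += 2;
            } else if (c == '+' && isQuery) {
                c = ' ';
            }
            if (c == 0) return null;                      // raw or encoded NUL
            out.append(c);
        }
        return out.toString();
    }

    static String show(String s) {
        return s == null ? "REJECTED" : "\"" + s + "\"";
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from any real request log.
        String[] paths = { "/docs/a+b.html", "/docs/a%2Bb%20c.html",
                           "/page.jsp%00.html", "/docs/%4", "/docs/%zz" };
        for (String p : paths) {
            System.out.println("path  " + p + " -> " + show(decode(p, false)));
        }
        System.out.println("query q=a+b -> " + show(decode("q=a+b", true)));
    }
}
```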