Apache Tomcat 3.3.1a
====================
Release Notes
=============
$Id: RELEASE-NOTES-3.3.1.txt,v 1.49 2002/03/26 15:25:30 larryi Exp $
This document describes the changes that have been made since the
release of Tomcat 3.3 Final.
=========
Bug Fixes
=========
The release in which the fix appears is indicated in brackets.
Feature Additions:
Bug No. Description
[b1] Restored prefix attribute to InvokerInterceptor. It was available in
Tomcat 3.2.x.
[b1] Added SingleThreadModel pooling to ServletHandler. The default is to
use pooling.
[b1] Added optional checking (configured on SessionId module) to ensure
that the SSL session IDs match for each request within a Tomcat
session. This check is disabled by default.
[b1] Added org.apache.tomcat.util.net.URL class from Tomcat 4.0 so
response.encodeURL() can work under SSL without JSSE. This can occur
if you have Apache forwarding SSL requests to a Tomcat that doesn't
have JSSE installed.
[b1] Fixed logic for response.encodeURL() so that it will work correctly
if the input URL includes an anchor tag.
[b1] Improved the handling of invalid web.xml files. Now you get the same
error messages every time you parse the file.
[b1] Moved the setting of the default "*.jsp" mapping so that it is now
possible to entirely disable support for jsp files.
[b1] Fixed problem with jsp_precompile parameter to JSP files.
[b1] Context properties and ContextManager properties can now be set with
elements, i.e:
For backwards compatibility, the ContextManager "lower-case-p"
version supported by Tomcat 3.3 is still supported.
[b1] Added variable substitution handling to ContextXmlReader, allowing
variable substitution to be used in
declarations.
[b1] Added support for PureTLS as an SSL option. Also, any attribute
used to create the socket factory, such as "rootfile" (or
"keystoreType" for JSSE), is now settable on the Http10Connector
element in server.xml.
[b1] The configuration files generated by ApacheConfig, IISConfig and
NSConfig were improved for the case when the forwardAll attribute
is false. Primarily, a servlet mapping like "/foo/*" now generates
a mod_jk mapping for "/foo" as well as "/foo/*" to better match
the servlet spec.
[b1] The default log handler was updated to specify autoFlush=true for
the PrintWriter so the output doesn't just go to a buffer. Since
this logger is replaced by a new logger set by the LogSetter module,
its reduction in efficiency won't affect normal operation.
[b1] ServerXmlReader now logs a warning if the modules.xml file isn't
found.
[b1] The internal test script, test-tomcat.xml, has been made more
configurable and the Admin app internal test page, test.jsp, has
been updated to make use of this. With appropriate input settings,
the tests can be run against Tomcat standalone, Apache, IIS, and
Netscape (v4.1) without any failures.
[b1] Japanese resource strings were added and StaticInterceptor and
ErrorHandler modules were updated to take advantage of them. In
addition, useAcceptLanguage and useCharset attributes were added
to the StaticInterceptor module to allow configuration of how
the locale and character set encoding of the directory listings
are derived.
[b1] Added a socketCloseDelay attribute to Http10Interceptor. The
default is -1, which disables the delay. If set > 0, a
Thread.sleep() is executed prior to reading and discarding
unread input and closing the socket. This is intended to
help diagnose problems resulting from unread input that
arrives during the closing of the socket.
[b1] Make the App-classloader configurable to allow using the 1.1
loader even when running under Java2. This should allow for better
jar reloading at the cost of not enforcing sealing etc.
[b1] The IISConf module was updated to support an isapiRedirector
attribute which specifies the name of the redirector plugin DLL.
It also now writes a "properties" file that can be used for
configuration of the redirector instead of registry settings.
[b1] The isapi_redirect.dll was enhanced to support a uri_select
configuration setting that controls which form of URL is forwarded
to Tomcat. The normalized/decoded URL used by Tomcat 3.3 is
still the default. The original URL or re-encoded normalized/decoded
URL may be forwarded instead. This was done to provide better
support for isapi_redirect.dll's use with web servers other than
Tomcat 3.3, such as Tomcat 3.2.x.
[b1] Added a useWebAppCL attribute to JspInterceptor. When true,
Java compilation using "sun.tools.javac.Main" will run in the
web application's classloader. When false (the default), Java
compilation using "sun.tools.javac.Main" runs in the container
classloader. Using a value of true may help on certain HP-UX
systems. In all other cases, useWebAppCL should be false.
Currently useWebAppCL="true" cannot be used when running under a
security manager, otherwise security exceptions will prevent
JSPs from compiling.
[b1] Added "reloadable" attribute to AutoWebApp module. If true,
reloading will be enabled in all added contexts. If false, reloading
will be disabled. The default is true.
[b1] Added "defaultRedirectStatus" attribute to ErrorHandler module. It
may be set to "301" or "302". The default is "301". It determines
the status code set by the "redirect" handler if a status code has
not already been set. This primarily affects the status code used
when the StaticInterceptor module redirects a "directory" URL that
doesn't end with a '/' and redirects to welcome files.
[b1] Added shutdown support using Ajp13 and updated StopTomcat task
to support automatic or explicit use of Ajp12 or Ajp13 protocol to
shut down Tomcat. This includes use of an optional "secret" password
with either protocol.
[rc1] Added hostChar, hostDotChar, and pathSlashChar attributes to
AutoWebApp module. These make configurable the special characters
used in the directory name to delimit a virtual host name and act
as substitution characters. Also, fixed behavior so that hostChar
isn't included in the context path name.
[rc1] Startup error output has been improved. Messages will be shown if
modules.xml or server.xml isn't present. Also, the port number is
now shown when JVM_Bind exceptions occur.
[F] Ajp12Connector and Ajp13Connector now accept ContextManager
properties called ajpid12 and ajpid13, respectively. This property
overrides the ajpidFile attribute of these modules, allowing the
ajpid file to be specified via command line arguments. For
consistency, the same arguments are also accepted by the StopTomcat
task to specify the file and protocol to use for shutdown.
[F] The Ajp13Connector now accepts shutdownEnable in addition to
shutDownEnable as attributes that control whether shutdown is enabled
via the Ajp13 protocol. shutdownEnable was added since it uses
a more intuitive uppercase/lowercase spelling.
[F] The PasswordPrompter add-on was refactored to use introspection
and accept customizable prompt specifications. It can now set
additional passwords, such as the keystore password added to
Http10Connector and the "secret" for Ajp12Connector and
Ajp13Connector modules. It can set other types of attributes
as well.
[F] Refactored the PasswordPrompter add-on module to be configurable
and to be able to perform prompting for context local modules.
Added a "readme" file to document its use.
[F] The facade classes in org.apache.tomcat.facade are now declared
as public classes. This allows their methods to be called
using introspection from a web application.
Server:
Bug No. Description
[3.3.1a] Fixed vulnerability serving inappropriate content when encountering
certain URLs that contain null characters. URLs that contain nulls
are now considered unsafe by the DecodeInterceptor.
[3.3.1a] Reading of the web.xml has been updated so that it occurs with the
same privileges as the web application, rather than with "trusted"
privileges.
[b1] Fixed problem with JSP page names that match a Windows DOS device
name, such as aux.jsp. Instead of potentially hanging the thread
that services the request, these requests now return "404 Not Found".
[b1] DecodeInterceptor was updated to not convert '+' to space in the
path portion of the request URL. RFC2396 allows '+' in the path
of a URL.
[b1] Modified IntrospectionUtils.getClassPath() to add "classes"
directory to the list prior to jars.
[b1] Fixed problem in AccessInterceptor where the beginning characters
of the login or error page match the context path. Tomcat could
mistakenly think that the context path had been incorrectly included
in the login or error page setting. It can still make this mistake
if the page is under a sub-directory with the same name as the
context path.
[b1] The missing jdbcRealm.getCredentialsSQLException property string was
added.
[b1] Fixed bug with useJspServlet option in JspInterceptor. If set to true
untrusted web applications couldn't run the JspServlet because
jasper.jar and tools.jar weren't accessible.
[b1] Fixed problem with jsp_precompile parameter to JSP files.
[b1] Eliminated some hard coded '\n' line separators used by Jasper in the
translated Java file.
[b1] Fixed the position of the ;jsessionid when Tomcat generates a 401
response. Now it is before the query string instead of after.
[b1] Do not return a body with 304 responses (forbidden by HTTP/1.x and
confusing to NS < 6.x).
[b1] HttpServletRequestFacade now resets the reader when recycled.
Previously, calling getReader() on a recycled facade on which
getReader() had already been called returned the old reader rather
than a new reader for the current request.
[F] Fixed a bug in TrustedLoader with respect to reloading trusted
modules when more than one is present.
[F] Modified PoolTcpConnector checkSocketFactory() method to set the
module's socketFactory when obtaining an SSL socket factory,
instead of using a local variable. This allows the PasswordPrompter
add-on to set SSL socket attributes, such as the keystore and
certificate passwords.
[F] A couple of "off by 1" bugs were fixed in the CharChunk and
ByteChunk utility classes.
1657 JSPs with tag names that contain '-' or '.' will now compile without
[b1] an "Invalid expression" error
4382 tomcat.sh script no longer deletes the ajp12.id file which could
[b1] cause a problem shutting down if Tomcat was accidentally started
twice.
4418 Ported Tomcat 3.2.x fix for race condition in ServerSocketFactory.
[b1]
4436 Reduce log output from DecodeInterceptor if debug level is zero. This
[b1] avoids having a log entry for each request.
4564 Fix bug in Http10Interceptor where getRemoteAddr() returns 127.0.0.1
[b1] instead of the correct address.
4599 ThreadPool was updated to not reset the maxThreads, maxSpareThreads
[b1] and minSpareThreads values in its start() method.
4923 Default permissions were added in PolicyInterceptor to allow direct
[b1] read access to the webapp docBase and work directories. This is
in addition to the permissions allowing access to the contents of
these directories. These new permissions allow "exists()" to be
executed on those directories without a security exception when
running under a security manager.
4955 Fixed bug where the parsing of the query string to
[b1] RequestDispatcher.include/forward wasn't handling the case where only
the parameter name was specified.
4948 Fix DependClassLoader to be a Java2 ClassLoader when running under
[b1] a Java2 JVM.
5005 If requested JSP file doesn't exist, avoid creating work directories
[b1] and version file.
5191 Fix parsing of JSP comments with extra '-' characters.
[b1]
5497 Ignore the If-Modified-Since header when including a static page.
[b1]
5724 Suppress the check for WEB-INF in the "Default Servlet" (aka
[b1] StaticInterceptor). The check was redundant, and was causing
Spec problems.
5983 Fix the flushing of unread POST data on the HTTP connector. On the
[b1] reported bug, it was mostly a nuisance. In other cases (see 6143)
it was causing major problems. To avoid DOS attacks, the number
of flush attempts is configurable, with a default of 20.
5994 Fix seconds calculation problem in DateTool
[b1]
6234 Recycle the Writer in the ResponseFacade if it is in the error state when
[b1] the facade is recycled.
6348 Fix problem with getNamedDispatcher() when used with a JSP mapped
[b1] in the web.xml.
6515 Block setting of Date-Headers from within an include.
[rc1]
6518 Fix an edge condition where in some cases a JSP file beginning with
[rc1] a number wouldn't get mangled correctly.
6604 Fix a problem when using the AccessLog without a "Default Context"
[rc1] defined.
6887 Fix a problem locating an error-page when using virtual hosts.
[F]
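As an added illustration of the two DecodeInterceptor changes listed above under Server (URLs containing nulls are treated as unsafe; '+' in the path is not converted to a space), the following sketch decodes only the path portion of a request URI. It is example code written for these notes, not Tomcat's implementation; the names PathDecodeCheck, decodePath and hex, the rejection of raw non-ASCII characters, and the sample URIs are assumptions of the example.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

// Added illustration; class and method names are hypothetical, not Tomcat's.
public class PathDecodeCheck {

    // Strict ASCII hex digit value, or -1 if c is not a hex digit.
    static int hex(char c) {
        if (c >= '0' && c <= '9') return c - '0';
        if (c >= 'a' && c <= 'f') return c - 'a' + 10;
        if (c >= 'A' && c <= 'F') return c - 'A' + 10;
        return -1;
    }

    // Percent-decodes the path portion of a request URI.
    // Returns null when the path must be treated as unsafe.
    static String decodePath(String requestUri) {
        // Split on the first raw '?'; an encoded %3F stays part of the path.
        int q = requestUri.indexOf('?');
        String rawPath = (q >= 0) ? requestUri.substring(0, q) : requestUri;
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < rawPath.length(); i++) {
            char c = rawPath.charAt(i);
            if (c > 0x7F) return null;          // assumption: raw non-ASCII rejected
            int b = c;
            if (c == '%') {
                if (i + 2 >= rawPath.length()) return null;   // truncated escape
                int hi = hex(rawPath.charAt(i + 1));
                int lo = hex(rawPath.charAt(i + 2));
                if (hi < 0 || lo < 0) return null;            // malformed escape
                b = (hi << 4) | lo;
                i += 2;
            }
            if (b == 0) return null;   // NUL, raw or encoded as %00: unsafe
            out.write(b);              // '+' is copied unchanged, never as ' '
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample request URIs.
        String[] samples = {
            "/app/a+b.html?x=1+2",
            "/app/index.jsp%00.txt",
            "/app/what%3Fnow.html?q=1",
            "/app/bad%zz",
        };
        for (String s : samples) {
            String p = decodePath(s);
            System.out.println(s + " -> " + (p == null ? "UNSAFE" : p));
        }
    }
}
```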
Jasper:
Bug No. Description
[F] Fixed incorrect use of '\' in the servlet mappings written by JspC on
Windows systems.
Configuration:
Bug No. Description
[b1] Updated JSSEImplemention to support a separate keystorePass
attribute as the keystore password. It will default to the keypass
attribute if not set.
[F] The conf/jk/wrapper.properties was improved. The improvements
include putting quotes around the java command portion of the
wrapper.cmd_line property. Also a wrapper.jvm.options property
was added to simplify specification of JVM arguments.
[F] PoolTcpConnector was modified to allow the PasswordPrompter add-on
module to successfully set connection attributes for secure
connections.
[F] conf/jk/wrapper.properties was updated to work with spaces in the
JDK path and a wrapper.jvm.options property was added to make
it easier to add options.
[F] conf/jk/uriworkermap.properties and conf/jk/obj.conf example files
were updated to be more current.
4313 Bug in property substitution for server.xml and apps.xml files was
[b1] fixed.
4826 Fixed AutoWebApp so the dir attribute can be an absolute path on
[b1] Windows systems.
5365 Fixed the JasperMangler to handle Java reserved words correctly.
[b1]
5390 Fixed the behavior of LoadOnStartup servlets when the servlet is
[b1] actually a JSP page.
5958 ApacheConfig, IISConfig, and NSConfig were updated so mappings that
[b1] end with "/*" will write a mapping with and without the ending "/*".
6004 Updated Http10Connector to accept any attribute. The attributes
[b1] without predefined setters will be included with the predefined
ones that are made available when the secure socket factory is
created.
6137 Fix the admin webapp to be more careful when using the remove-context
[b1] feature. Also, the boxes were mis-labeled.
6341 Fix the "guess home" logic so that it can work on Mac OS
[rc1]
6717 Fix a problem where the Http10 Connector would fail to parse the
[rc1] HTTP headers if the headers are extremely big.
Connectors:
Bug No. Description
[b1] A bug was fixed in isapi_redirect.dll where the query string would be
lost if the URI was shortened during normalization of the URI. The
presence of escaped characters or character sequences such as "/../"
would cause this to happen.
[b1] A bug was fixed in isapi_redirect.dll where it would mistake an
encoded '?' in the URI path as the query string delimiter.
5769 A -n option has been added to jk_nt_service.exe so that the service
[rc1] display name can be different from the service name should it contain
characters not valid for the service name.
6579 Make certain that we don't dump more output than is available when
[rc1] debugging Ajp13.
Documentation:
Bug No. Description
[b1] Tomcat-on-NetWare-HowTo.html updated to fix errors related to new
functionality in Tomcat 3.3.
[b1] tomcat-ug.html updated with additional classloader information and
details on the variable substitution available in Context
declarations.
[b1] serverxml.html was updated to document features added to
Ajp13Connector, AutoWebApp, ErrorHandler, Http10Connector, IISConfig,
JspInterceptor, LoaderInterceptor11, SessionId, and StaticInterceptor.
A note was added to Ajp12Connector to document the requirement for
maxThreads to be 2 or more if it is to be used to shut down Tomcat.
Section on variable substitution was updated.
[b1] tomcat-iis-howto.html updated to make it clearer that the "Filter Dlls"
key is used only on Win98. It was also updated to document the use
of a "properties" file instead of the registry and the new "uri_select"
parameter.
[b1] JDBCRealm-howto.html updated to name the correct class and its jar
location for digested passwords.
[b1] tomcat-ssl-howto.html was updated to document how to use PureTLS.
[b1] The faq document was updated to indicate that segmentation faults
while Tomcat is running are a JVM problem and not a Tomcat bug.
[rc1] Updated server.xml to document features added to AutoWebApp.
[rc1] Updated tomcat-ssl-howto.html to fix incorrect case for "clientauth"
attribute.
[F] serverxml.html and tomcat-ug.html were updated to document the
new ajp12id and ajp13id startup and shutdown arguments.