Catalina

49428: Re-implement the fix for bug 49428 – namespace issues for some Microsoft WebDAV clients. (kkolinko) 49669: Fix memory leak triggered by using the deprecated javax.security.auth.Policy class. (markt) 49922: Don't add filter twice to filter chain if the filter matches more than one URL pattern and/or Servlet name. Patch provided by heyoulin. (markt) 49937: Use an InstanceManager when creating an AsyncListener through the AsyncContext to ensure annotations are processed. Based on a patch by David Jencks. (markt) To avoid NoSuchMethodException, xmlValidation and xmlNamespaceAware are removed from the createStandardHost definition of mbeans-descriptors.xml. (kfujino) 49945: Continue improvements to JMX. Fix a handful of attributes that were showing as Unavailable in JConsole. Patch provided by Chamith Buddhika. (markt) 49952: Allow ServletContainerInitializers to add listeners to a web application. Patch provided by David Jencks. (markt) 49956: Handle case when @Resource annotation uses the full JNDI name for a resource. Based on a patch by Gurkan Erdogdu. (markt) 49557: Correct regression due to Lifecycle refactoring that cleared all work directories (with compiled JSPs and persisted sessions) when Tomcat was stopped. (markt) 49978: Correctly handle the case when a directory expected to be created during web application start is already present. Rather than throwing an exception and failing to start, allow the web application to start normally. (mark) 49987: Fix thread safety issue with population of servlet context initialization parameters. (markt) 49994: As per the Java EE 6 specification, return a new object instance for each JNDI look up of a resource reference. (markt) 50015: Re-factor dynamic servlet security implementation to make extensions, such as JACC implementations, simpler. Patch provided by David Jencks. (markt) 50016: Re-factor isUserInRole() and login()/logout() methods to support JACC implementations and to improve encapsulation. Patch provided by David Jencks. (markt) 50017: Code clean-up. No functional change. Patch provided by sebb. (markt) 50027: Avoid NPE on start when a Context is defined in server.xml with one or more JNDI resources. (markt) 50059: JARs should always be searched for static resources even if the web application is marked as meta-data complete. (markt) 500063: Correct regression in fix for 50059 that causes applications marked as meta-data complete to return 404s for all requests. Patch provided by heyoulin. (markt) 50087: Catch ClassFormatErrors when scanning for annotations. (markt)

Coyote

49923: Avoid using negative timeouts during acceptor unlock to ensure APR connector shuts down properly. (mturk) 49972: Fix potential thread safe issue when formatting dates for use in HTTP headers. (markt) 50003: Set not maxThreads but minSpareThreads to corePoolSize, if AbstractEndpoint.setMinSpareThreads is called. (kfujino) 50044: Fix issue when using comet where socket remained in long poll after the comet request has ended. (markt) 50054: Correctly handle the setting of minSpareThreads in AJP connector. (kfujino) 50072: Fix issues when using a non-blocking read for the request line with the NIO connector that could result in the request line being mis-read. (markt)

Jasper

49986: Fix thread safety issue for JSP reload. (timw) 49998: Make jsp:root detection work with single quoted attributes as well. (timw) Correctly handle the setting of primitve bean values via expression language. (markt) Don't swallow exceptions when processing TLD files and handle the case when there is no web.xml file. (markt) 50066: Fix building of recursive tag files when the file depends on a JAR file. Patch provided by Sylvain Laurent. (markt) 50078: Fix threading problem in EL caches. Patch provided by Takayoshi Kimura. (markt) Make EL cache sizes configurable. (markt)

Web applications

Apply filters to default home page so copyright year is correctly displayed. (markt)

Other

50013: Correctly package classes from org.apache.tomcat.util.file and add the tomcat-util.jar to the class path for the Ant tasks. Based on a patch provided by Sylvain Laurent. (markt)

Catalina

48644: Review all instances of catching Throwable and re-throw where appropriate. (markt) Allow glob patterns in the jarsToSkip configuration and add some debug logging to the jar scanner. (rjung) 48738: Workaround a couple of long standing JDK bugs to enable GZIP compressed output streams to be flushed. Based on a patch provided by Jiong Wang. (markt) 49195: Don't report an error when shutting down a Windows service for a Tomcat instance that has a disabled shutdown port. (markt) 49209: Prevent possible AccessControlException during undeployment when running with a security manager. Patch provided by Sylvain Laurent. (markt) 49657: Handle CGI executables with spaces in the path. (markt) 49667: Ensure that using the JDBC driver memory leak prevention code does not cause a one of the memory leaks it is meant to avoid. (markt) 49670: Restore SSO functionality that was broken by Lifecycle refactoring. (markt) 49698: Allow a listener to complete an asynchronous request if it times out. (markt) 49714: The annotation process of Jar doesn't influence distributable element of web.xml. (kfujino) 49721: Alls JAR in a web application should be searched for resources, not just those with a web-fragment.xml that is going to be processed. (markt) 49728: Improve PID file handling when another process is managing the PID file and Tomcat does not have write access. (markt) 49730: Fix a race condition in StandardThreadExector that can cause requests to experience large delays. Patch provided by Sylvain Laurent. (markt) 49749: Single sign on cookies should have httpOnly flag set using same rules as session cookies. (markt) 49750: Align WebappClassLoader.validate() implementation with Javadoc and ensure that javax.servlet.* classes can not be loaded by a WebappClassLoader instance. Patch provided by pid. (markt) 49757: Correct some generics warnings. Based on a patch provided by Gábor. (markt) Provide 100 Continue responses at appropriate points during FORM authentication if client indicates that they are expected. (markt) 49779: Improve handling of POST requests and FORM authentication, particularly when the user agent responds to the 302 response by repeating the POST request including a request body. Any request body provided at this point is now swallowed. (markt) CSRF prevention filter did not correctly handle URLs that used anchors. (markt) Fix memory leak on web application stopped caused by failed to de-register the web application's Servlets with the MBean server. (markt) More tweaks to the Lifecycle refactoring to ensure that when a component is being destroyed, the destroy method is only called once on each child component. (markt) 48967: Replace strings "catalina.base" and "catalina.home" by globally defined constants. Patch provided by Marc Guillemot. (rjung) Keep the MBean names for web applications consistent between Tomcat 6 and Tomcat 7. (markt) 49856: Add an executorName attribute to Connectors so it is possible to trace ThreadPool to Connector to Executor via the JMX interface. (markt) 49865: Tomcat failed to start if catalina.properties was not present. (markt) 49876: Fix the generics warnings in the copied Apache Jakarta BCEL code. Based on a patch by Gábor. (markt) 49883: Ensure that the CombinedRealm and LockOutRealm return a name for use in log messages rather than throwing an UnsupportedOperationException. (markt) 49884: Fix occassional NullPointerException on async complete(). This resulted in a major refactoring of the async implementation to address a number of threading issues. (markt) Update the version numbers in ServerInfo defaults to Tomcat 7.0.x. (markt) 49892: Correct JNDI name for method resource injections. Based on a patch by Gurkan Erdogdu. (markt) Ensure that Context elements defined in server.xml use any configClass setting specified in the parent Host element. (markt) GSOC 2010. Enable the creation of Services, Engines, Connectors, Hosts and Contexts via JMX from a minimal server.xml that contains only a Server element. Based on a patch by Chamith Buddhika. (markt) 49909: Fix a regression introduced with the fix for 47950 that prevented JSTL classes being loaded. (markt) 49915: Make error more obvious, particularly when accessed via JConsole, if StandardServer.storeConfig() is called when there is no StoreConfig implementation present. (markt) 50018: Fix some minor Javadoc errors in Jasper source. Based on a patch by sebb. (timw) 50021: Correct a regression in the fix for 46844 that may have caused additional problems during a failure at start up. (markt) 50026: Prevent serving of resources from WEB-INF and META-INF directories when DefaultServlet or WebdavServlet is mapped to a sub-path of the context. This changes DefaultServlet to always serve resources with paths relative to the root of the context regardless of where it is mapped, which is a breaking change for current servlet-mappings that map the default servlet to a subpath. (timw)

Coyote

Wait for the connectors to exit before closing them down. (mturk) Follow up to 48545. Make JSSE connectors more tolerant of a incorrect trust store password. (markt) Fix some edge cases in the NIO connector when handling requests that are not received all at the same time and the socket needs to be returned to the poller. (markt) Further work to reduce the code duplication in the HTTP connectors. (markt) Make sure acceptor threads are stopped when the connector is stopped. (markt) Make sure async timeout thread is stopped when the connector is stopped. (markt) 49625: Ensure Vary header is set if response may be compressed rather than only setting it if it is compressed. (markt) 49802: Re-factor connector pause, stop and destroy methods so that calling any of those methods has the expected results. (markt) Various refactorings to reduce code duplication and unnecessary code in the connectors. (markt) 49860: Add support for trailing headers in chunked HTTP requests. (markt)

Jasper

49665: Provide better information including JSP file name and location when a missing file is detected during TLD handling. Patch provided by Ted Leung. (markt) 49726: Specifying a default content type via a JSP property group should not prevent a page from setting some other content type. (markt) 49799: The new omit attribute for jsp:attribute elements now supports the use of expressions and expression language. (markt) 49916: Switch to using an initialisation parameter to pass JSP file information from Catalina to Jasper. This simplifies the Catalina code as well as making it easier for Geronimo and others to integrate Jasper. Patch provided by David Jencks. (markt) 49985: Fix thread safety issue in EL parser. (markt)

Cluster

Remove domainReplication attribute from ClusterManager. If you send session to only same domain, use DomainFilterInterceptor. (kfujino) Add Null check when CHANGE_SESSION_ID message received. (kfujino) Add support for LAST_ACCESS_AT_START system property to DeltaSession. (kfujino) Avoid a NPE in the DeltaManager when a parallel request invalidates the session before the current request has a chance to send the replication message. (markt) 49905: Prevent memory leak when using asynchronous session replication. (markt) 49924: When non-primary node changes into a primary node, make sure isPrimarySession is changed to true. (kfujino)

Web applications

Correct the class name of the default JAR scanner in the documentation web application. (rjung) 49585: Update JSVC documentation to reflect new packaging of Commons Daemon. (markt) Update the Servlet, JSP and EL Javadoc links to link to the specifications and the relevant part of the Java EE 6 Javadoc. (markt) Update a few places in the docs where the Manager documentation referred to the old role name of manager rather than than the new manager-script. (markt)

Extras

49861: Don't log RMI ports formatted with commas for the JMX remote listener. (markt)

Other

Correct the user names created by the Windows installer for the Manager and Host Manager applications. (mturk) Correct the Eclipse compiler dependency in the Jasper POM. (markt) Extend Checkstyle validation checks to check import order. (markt) 49758: Fix generics warnings exposed by a fix in Eclipse 3.6. Patch provided by sebb. (markt) Update commons pool to 1.5.5. (markt) 49955: Improvement and correction of Building Tomcat guide. Based on a patch from Wesley Acheson. (timw)

Catalina

Fix regression that prevented running with a security manager enabled. (markt)

Web applications

Correct Javadoc errors. (markt) Provide Javadoc for Servlet 3.0 API, JSP 2.2 API and EL 2.2 API. (markt) Remove second copy of RUNNING.txt from the full-docs distribution. Some unpacking utilities can't handle multiple copies of a file with the same name in a directory. (markt)

Other

Extend Checkstyle validation checks to check for tabs in nearly all text files. (markt) Update Commons Daemon from 1.0.2 to 1.0.3.(markt) Update Eclipse JDT Core Batch Compiler (ecj.jar) from 3.5.1 to 3.6. (markt)

Catalina

GSOC 2010. Continue work to align MBean descriptors with reality. Patch provided by Chamith Buddhika. (markt) When running under a security manager, enforce package access and package definition restrictions defined in the catalina.properties file. (markt) When using a Loader configured with searchExternalFirst="true" failure to find the class in an external repository should not prevent searching of the local repositories. (markt) Add entryPoint support to the CSRF prevention filter. (markt) 48297: Correctly initialise handler chain for web services resources. (markt) 48960: Add a new option to the SSI Servlet and SSI Filter to allow the disabling of the exec command. This is now disabled by default. Based on a patch by Yair Lenga. (markt) 48998, 49617: Add the ExpiresFilter, a port of the httpd mod_expires module. Patch provided by Cyrille Le Clerc. (markt) 49030: When initializing/starting/stopping connectors and one of them fails, do not ignore the others. (markt/kkolinko) 49128: Don't swallow exceptions unnecessarily in WebappClassLoader.start(). (markt) 49182: Align comments in setclasspath.[sh|bat] with behaviour. Based on a patch provided by sebb. (markt) 49230: Enhance JRE leak prevention listener with protection for the keep-alive thread started by sun.net.www.http.HttpClient. Based on a patch provided by Rob Kooper. (markt) 49414: When reporting threads that may have triggered a memory leak on web application stop, attempt to differentiate between request processing threads and threads started by the application. (markt) 49428: Add a work-around for the known namespace issues for some Microsoft WebDAV clients. Patch provided by Panagiotis Astithas. (markt) Add support for *.jar pattern in VirtualWebappLoader. (kkolinko) Use a LockOutRealm in the default configuration to prevent attempts to guess user passwords by brute-force. (markt) 49478: Add support for user specified character sets to the AddDefaultCharsetFilter. Based on a patch by Felix Schumacher. (markt) 49503: Make sure connectors bind to their associated ports sufficiently early to allow jsvc and the org.apache.catalina.startup.EXIT_ON_INIT_FAILURE system property to operate correctly. (markt) 49525: Ensure cookies for the ROOT context have a path of / rather than an empty string. (markt) 49528, 49567: Ensure that AsyncContext.isAsyncStarted() returns the correct value after AsyncContext.start() and that if AsyncContext.complete() is called on a separate thread that it is handled correctly. (markt) 49530: Contexts and Servlets not stopped when Tomcat is shut down. (markt) 49536: If no ROOT context is deployed, ensure a 404 rather than a 200 is returned for requests that don't map to any other context. (markt) Additional debug logging in StandardContext to provide information on Manager selection. (markt) 49550: Supress deprecation warning where deprecated code is required to be used. No functional change. Patch provided by Sebb. (markt) 49551: Allow default context.xml location to be specified using an absolute path. (markt) Improve logging of unhandled exceptions in servlets by including the path of the context where the error occurred. (markt) Include session ID in error message logged when trying to set an attribute on an invalid session. (markt) Improve the CSRF protection filter by using SecureRandom rather than Random to generate nonces. Also make the implementation class used user configurable. (markt) Avoid NullPointerException, when copyXML=true and META-INF/context.xml does not exist. (kfujino) 49598: When session is changed and the session cookie is replaced, ensure that the new Set-Cookie header overwrites the old Set-Cookie header. (markt) Create a thread to trigger asynchronous timeouts when using the BIO connector, change the default timeout to 10s (was infinite) and make the default timeout configurable using the asyncTimeout attribute on the connector. (pero/markt) 49600: Make exceptions returned by the ProxyDirContext consistent for resources that weren't found by checking the DirContext or the cache. Test case based on a patch provided by Marc Guillemot. (markt) 49613: Improve performance when using SSL for applications that make multiple class to Request.getAttributeNames(). Patch provided by Sampo Savolainen. (markt) Handle the edge cases where resources packaged in JARs have names that start with a single quote character or a double quote character. (markt) Correct copy and paste typo in web.xml parsing rules that mixed up local-ejb-ref and resource-env-ref. (markt) Refactor session managers to remove unused code and to reduce code duplication. Also, all session managers used for session replication now extend org.apache.catalina.ha.session.ClusterManagerBase. (markt)

Jasper

Remove references to Jikes since it does not support Java 6. (markt) Correct over zealous type checking for EL in attributes that broke the use of JSF converters. (markt) Correct algorithm used to identify correct method to use when a MethodExpressions is used in EL. (markt) 49217: Ensure that identifiers used in EL meet the requirements of the Java Language Specification. (markt) Improve logging of JSP exceptions by including JSP snippet (if enabled) rather than just the root cause in the host log. (markt) 49555: Correctly handled Tag Libraries where functions are defined in static inner classes. (markt)

Cluster

49127: Don't swallow exceptions unnecessarily in SimpleTcpReplicationManager.startInternal(). (markt) 49407: Change the BackupManager so it is consistent with DeltaManager and reports both primary and backup sessions when active sessions are requested. (markt) 49445: When session ID is changed after authentication, ensure the DeltaManager replicates the change in ID to the other nodes in the cluster. (kfujino)

Web applications

49112: Update the ROOT web application's index page. Patch provided by pid. (markt) 49213: Add the permissions necessary to enable the Manager application to operate currently when running with a security manager. (markt) 49436: Correct documented default for readonly attribute of the UserDatabase component. (markt) 49475: Use new role name for manager application access on the ROOT web application's index page. (markt) 49476: CSRF protection was preventing access to the session expiration features. Also switch the manager application to the generic CSRF protection filter. (markt) Better handle failure to create directories required for new hosts in the Host Manager application. (markt) Switch the Host Manager application to the generic CSRF protection for the HTML interface and prevent started hosts from being started and stopped hosts from being stopped. (markt) 49518: Fix typo in extras documentation. (markt) 49522: Fix regression due to change of name for MBeans for naming resources that broke the complete server status page in the manager application. Note these MBeans now have a new name. (markt) 49570: When using the example compression filter, set the Vary header on compressed responses. (markt) Add redirects for the root of the manager and host-manager web applications that redirect users to the html interface rather than returning a 404. (markt) Provide the HTML Manager application with the ability to differentiate between primary, backup and proxy sessions. Note that proxy sessions are only shown if enabled in web.xml. (markt)

Other

49130: Better describe the core package in the Windows installer, making it clear that the service will be installed. Patch provided by sebb. (markt) Re-factor unit tests to enable them to be run once with each of the HTTP connector implementations (BIO, NIO and APR/native). (markt) 49268: Add the necessary plumbing to include CheckStyle in the build process. Start with no checks. Additional checks will be added as they are agreed. (markt) Updated to Ant 1.8.1. The build now requires a minimum of Ant 1.8.x. (markt) Update the re-packaged version of commons-fileupload from 1.2.1 to 1.2.2. The layout of re-packaged version was also restored to the original commons-fileupload layout to make merging of future updates easier. (markt) Update the re-packaged version of Jakarta BCEL from trunk revision 880760 to trunk revision 978831. (markt)

Catalina

Update Servlet support to the Servlet 3.0 specification. (all) Improve and document VirtualWebappLoader. (rjung) 43642: Add prestartminSpareThreads attribute for Executor. (jfclere) Switch from AnnotationProcessor to InstanceManager. Patch provided by David Jecks with modifications by Remy. (remm/fhanik) r620845 and r669119. Make shutdown address configurable. (jfclere) r651977 Add some missing control checks to ThreadWithAttributes. (markt) r677640 Add a startup class that does not require any configuration files. (costin) r700532 Log if temporary file operations within the CGI servlet fail. Make sure header Reader is closed on failure. (markt) r708541 Delete references to DefaultContext which was removed in 6.0.x. (markt) r709018 Initial implementation of an asynchronous file handler for JULI. (fhanik) Give session thisAccessedTime and lastAccessedTime clear semantics. (rjung) Expose thisAccessedTime via Session interface. (rjung) Provide a log format for JULI that provides the same information as the default but on a single line. (markt) r723889 Provide the ability to configure the Executor job queue size and a timeout for adding jobs to the queue. (fhanik) Add support for aliases to StandardContext. This allows content from other directories and/or WAR files to be mapped to paths within the context. (markt) Provide clearer definition of Lifecycle interface, particularly start and stop, and align components that implement Lifecycle with this definition. (markt) 48662: Provide a new option to control the copying of context XML descriptors from web applications to the host's xmlBase. Copying of XMl descriptors is now disabled by default. (markt) Move comet classes from the org.apache.catalina package to the org.apache.catalina.comet package to allow comet to work under a security manager. (markt)

Coyote

Port SSLInsecureRenegotiation from mod_ssl. This requires to use tomcat-native 1.2.21 that have option to detect this support from OpenSSL library. (mturk) Allow bigger AJP packets also for request bodies and responses using the packetSize attribute of the Connector. (rjung) r703017 Make Java socket options consistent between NIO and JIO connector. Expose all the socket options available on java.net.Socket (fhanik) 46051: The writer returned by getWriter() now conforms to the PrintWriter specification and uses platform dependent line endings rather than always using \r\n. (markt) Use tc-native 1.2.x which is based on APR 1.3.3+ (mturk) r724239 NIO connector now always uses an Executor. (fhanik) r724393 Implement keepAliveCount for NIO connector in a thread safe manner. (fhanik) r724849 Implement keep alive timeout for NIO connector. (fhanik)

Jasper

Update JSP support to the JSP 2.2 specification. (markt) Update EL support to the EL 2.2 specification. (markt) r787978 Use "1.6" as the default value for compilerSourceVM and compilerTargetVM options of Jasper. (kkolinko) 48358: Add support for limiting the number of JSPs that are loaded at any one time. Based on a patch by Isabel Drost. (markt) 48689: Access TLD files through a new JarResource interface to make extending Jasper simpler, particularly in OSGi environments. Patch provided by Jarek Gawor. (markt)

High Availability

Add support for UDP and secure communication to tribes. (fhanik) Add versioning to the tribes communication protocol to support future developments. (fhanik) Add a demo on how to use the payload. (fhanik) Started to add JMX support to the cluster implementation. (markt) r609778 Minor fixes to the throughput interceptor and the NIO receiver. (fhanik) r630234 Additional checks for the NIO receiver. (fhanik) r671650 Improve error message when multicast is not enabled. (fhanik)

Web applications

r631321 Update changelog to support the <rev> element in the documentation. (fhanik) A number of additional roles were added to the Manager and Host Manager applications to separate out permissions for the HTML interface, the text interface and the JMX proxy. (markt) CSRF protection was added to the Manager and Host Manager applications. (markt) List array elements in the JMX proxy output of the Manager application. (rjung)

Extras

A new JmxRemoteLifecycleListener that can be used to fix the ports used for remote JMX connections, eg when using JConsole. (markt)

Other

Numerous code clean-up changes including the use of generics and removing unused imports, fields, parameters and methods. (markt) All deprecated internal code has been removed. Warning: If you have custom components for a previous Tomcat version that extend internal Tomcat classes and override deprecated methods it is highly likely that they will no longer work. (markt) Parameterize version number throughout build scripts and source. (rjung)