Catalina

Fix repgrssion that prevented running with a security manager enabled. (markt)

Web applications

Correct Javadoc errors. (markt) Provide Javadoc for Servlet 3.0 API, JSP 2.2 API and EL 2.2 API. (markt) Remove second copy of RUNNING.txt from the full-docs distribution. Some unpacking utilities can't handle multiple copies of a file with the same name in a directory. (markt)

Other

Extend Checkstyle validation checks to check for tabs in nearly all text files. (markt) Update Commons Daemon from 1.0.2 to 1.0.3.(markt) UPdate Eclipse JDT Core Batch Compiler (ecj.jar) from 3.5.1 to 3.6. (markt)

Catalina

GSOC 2010. Continue work to align MBean descriptors with reality. Patch provided by Chamith Buddhika. (markt) When running under a security manager, enforce package access and package definition restrictions defined in the catalina.properties file. (markt) When using a Loader configured with searchExternalFirst="true" failure to find the class in an external repository should not prevent searching of the local repositories. (markt) Add entryPoint support to the CSRF prevention filter. (markt) 48297: Correctly initialise handler chain for web services resources. (markt) 48960: Add a new option to the SSI Servlet and SSI Filter to allow the disabling of the exec command. This is now disabled by default. Based on a patch by Yair Lenga. (markt) 48998, 49617: Add the ExpiresFilter, a port of the httpd mod_expires module. Patch provided by Cyrille Le Clerc. (markt) 49030: When initializing/starting/stopping connectors and one of them fails, do not ignore the others. (markt/kkolinko) 49128: Don't swallow exceptions unnecessarily in WebappClassLoader.start(). (markt) 49182: Align comments in setclasspath.[sh|bat] with behaviour. Based on a patch provided by sebb. (markt) 49230: Enhance JRE leak prevention listener with protection for the keep-alive thread started by sun.net.www.http.HttpClient. Based on a patch provided by Rob Kooper. (markt) 49414: When reporting threads that may have triggered a memory leak on web application stop, attempt to differentiate between request processing threads and threads started by the application. (markt) 49428: Add a work-around for the known namespace issues for some Microsoft WebDAV clients. Patch provided by Panagiotis Astithas. (markt) Add support for *.jar pattern in VirtualWebappLoader. (kkolinko) Use a LockOutRealm in the default configuration to prevent attempts to guess user passwords by brute-force. (markt) 49478: Add support for user specified character sets to the AddDefaultCharsetFilter. Based on a patch by Felix Schumacher. (markt) 49503: Make sure connectors bind to their associated ports sufficiently early to allow jsvc and the org.apache.catalina.startup.EXIT_ON_INIT_FAILURE system property to operate correctly. (markt) 49525: Ensure cookies for the ROOT context have a path of / rather than an empty string. (markt) 49528, 49567: Ensure that AsyncContext.isAsyncStarted() returns the correct value after AsyncContext.start() and that if AsyncContext.complete() is called on a separate thread that it is handled correctly. (markt) 49530: Contexts and Servlets not stopped when Tomcat is shut down. (markt) 49536: If no ROOT context is deployed, ensure a 404 rather than a 200 is returned for requests that don't map to any other context. (markt) Additional debug logging in StandardContext to provide information on Manager selection. (markt) 49550: Supress deprecation warning where deprecated code is required to be used. No functional change. Patch provided by Sebb. (markt) 49551: Allow default context.xml location to be specified using an absolute path. (markt) Improve logging of unhandled exceptions in servlets by including the path of the context where the error occurred. (markt) Include session ID in error message logged when trying to set an attribute on an invalid session. (markt) Improve the CSRF protection filter by using SecureRandom rather than Random to generate nonces. Also make the implementation class used user configurable. (markt) Avoid NullPointerException, when copyXML=true and META-INF/context.xml does not exist. (kfujino) 49598: When session is changed and the session cookie is replaced, ensure that the new Set-Cookie header overwrites the old Set-Cookie header. (markt) Create a thread to trigger asynchronous timeouts when using the BIO connector, change the default timeout to 10s (was infinite) and make the default timeout configurable using the asyncTimeout attribute on the connector. (pero/markt) 49600: Make exceptions returned by the ProxyDirContext consistent for resources that weren't found by checking the DirContext or the cache. Test case based on a patch provided by Marc Guillemot. (markt) 49613: Improve performance when using SSL for applications that make multiple class to Request.getAttributeNames(). Patch provided by Sampo Savolainen. (markt) Handle the edge cases where resources packaged in JARs have names that start with a single quote character or a double quote character. (markt) Correct copy and paste typo in web.xml parsing rules that mixed up local-ejb-ref and resource-env-ref. (markt) Refactor session managers to remove unused code and to reduce code duplication. Also, all session managers used for session replication now extend org.apache.catalina.ha.session.ClusterManagerBase. (markt)

Jasper

Remove references to Jikes since it does not support Java 6. (markt) Correct over zealous type checking for EL in attributes that broke the use of JSF converters. (markt) Correct algorithm used to identify correct method to use when a MethodExpressions is used in EL. (markt) 49217: Ensure that identifiers used in EL meet the requirements of the Java Language Specification. (markt) Improve logging of JSP exceptions by including JSP snippet (if enabled) rather than just the root cause in the host log. (markt) 49555: Correctly handled Tag Libraries where functions are defined in static inner classes. (markt)

Cluster

49127: Don't swallow exceptions unnecessarily in SimpleTcpReplicationManager.startInternal(). (markt) 49407: Change the BackupManager so it is consistent with DeltaManager and reports both primary and backup sessions when active sessions are requested. (markt) 49445: When session ID is changed after authentication, ensure the DeltaManager replicates the change in ID to the other nodes in the cluster. (kfujino)

Web applications

49112: Update the ROOT web application's index page. Patch provided by pid. (markt) 49213: Add the permissions necessary to enable the Manager application to operate currently when running with a security manager. (markt) 49436: Correct documented default for readonly attribute of the UserDatabase component. (markt) 49475: Use new role name for manager application access on the ROOT web application's index page. (markt) 49476: CSRF protection was preventing access to the session expiration features. Also switch the manager application to the generic CSRF protection filter. (markt) Better handle failure to create directories required for new hosts in the Host Manager application. (markt) Switch the Host Manager application to the generic CSRF protection for the HTML interface and prevent started hosts from being started and stopped hosts from being stopped. (markt) 49518: Fix typo in extras documentation. (markt) 49522: Fix regression due to change of name for MBeans for naming resources that broke the complete server status page in the manager application. Note these MBeans now have a new name. (markt) 49570: When using the example compression filter, set the Vary header on compressed responses. (markt) Add redirects for the root of the manager and host-manager web applications that redirect users to the html interface rather than returning a 404. (markt) Provide the HTML Manager application with the ability to differentiate between primary, backup and proxy sessions. Note that proxy sessions are only shown if enabled in web.xml. (markt)

Other

49130: Better describe the core package in the Windows installer, making it clear that the service will be installed. Patch provided by sebb. (markt) Re-factor unit tests to enable them to be run once with each of the HTTP connector implementations (BIO, NIO and APR/native). (markt) 49268: Add the necessary plumbing to include CheckStyle in the build process. Start with no checks. Additional checks will be added as they are agreed. (markt) Updated to Ant 1.8.1. The build now requires a minimum of Ant 1.8.x. (markt) Update the re-packaged version of commons-fileupload from 1.2.1 to 1.2.2. The layout of re-packaged version was also restored to the original commons-fileupload layout to make merging of future updates easier. (markt) Update the re-packaged version of Jakarta BCEL from trunk revision 880760 to trunk revision 978831. (markt)

Catalina

Update Servlet support to the Servlet 3.0 specification. (all) Improve and document VirtualWebappLoader. (rjung) 43642: Add prestartminSpareThreads attribute for Executor. (jfclere) Switch from AnnotationProcessor to InstanceManager. Patch provided by David Jecks with modifications by Remy. (remm/fhanik) r620845 and r669119. Make shutdown address configurable. (jfclere) r651977 Add some missing control checks to ThreadWithAttributes. (markt) r677640 Add a startup class that does not require any configuration files. (costin) r700532 Log if temporary file operations within the CGI servlet fail. Make sure header Reader is closed on failure. (markt) r708541 Delete references to DefaultContext which was removed in 6.0.x. (markt) r709018 Initial implementation of an asynchronous file handler for JULI. (fhanik) Give session thisAccessedTime and lastAccessedTime clear semantics. (rjung) Expose thisAccessedTime via Session interface. (rjung) Provide a log format for JULI that provides the same information as the default but on a single line. (markt) r723889 Provide the ability to configure the Executor job queue size and a timeout for adding jobs to the queue. (fhanik) Add support for aliases to StandardContext. This allows content from other directories and/or WAR files to be mapped to paths within the context. (markt) Provide clearer definition of Lifecycle interface, particularly start and stop, and align components that implement Lifecycle with this definition. (markt) 48662: Provide a new option to control the copying of context XML descriptors from web applications to the host's xmlBase. Copying of XMl descriptors is now disabled by default. (markt) Move comet classes from the org.apache.catalina package to the org.apache.catalina.comet package to allow comet to work under a security manager. (markt)

Coyote

Port SSLInsecureRenegotiation from mod_ssl. This requires to use tomcat-native 1.2.21 that have option to detect this support from OpenSSL library. (mturk) Allow bigger AJP packets also for request bodies and responses using the packetSize attribute of the Connector. (rjung) r703017 Make Java socket options consistent between NIO and JIO connector. Expose all the socket options available on java.net.Socket (fhanik) 46051: The writer returned by getWriter() now conforms to the PrintWriter specification and uses platform dependent line endings rather than always using \r\n. (markt) Use tc-native 1.2.x which is based on APR 1.3.3+ (mturk) r724239 NIO connector now always uses an Executor. (fhanik) r724393 Implement keepAliveCount for NIO connector in a thread safe manner. (fhanik) r724849 Implement keep alive timeout for NIO connector. (fhanik)

Jasper

Update JSP support to the JSP 2.2 specification. (markt) Update EL support to the EL 2.2 specification. (markt) r787978 Use "1.6" as the default value for compilerSourceVM and compilerTargetVM options of Jasper. (kkolinko) 48358: Add support for limiting the number of JSPs that are loaded at any one time. Based on a patch by Isabel Drost. (markt) 48689: Access TLD files through a new JarResource interface to make extending Jasper simpler, particularly in OSGi environments. Patch provided by Jarek Gawor. (markt)

High Availability

Add support for UDP and secure communication to tribes. (fhanik) Add versioning to the tribes communication protocol to support future developments. (fhanik) Add a demo on how to use the payload. (fhanik) Started to add JMX support to the cluster implementation. (markt) r609778 Minor fixes to the throughput interceptor and the NIO receiver. (fhanik) r630234 Additional checks for the NIO receiver. (fhanik) r671650 Improve error message when multicast is not enabled. (fhanik)

Web applications

r631321 Update changelog to support the <rev> element in the documentation. (fhanik) A number of additional roles were added to the Manager and Host Manager applications to separate out permissions for the HTML interface, the text interface and the JMX proxy. (markt) CSRF protection was added to the Manager and Host Manager applications. (markt) List array elements in the JMX proxy output of the Manager application. (rjung)

Extras

A new JmxRemoteLifecycleListener that can be used to fix the ports used for remote JMX connections, eg when using JConsole. (markt)

Other

Numerous code clean-up changes including the use of generics and removing unused imports, fields, parameters and methods. (markt) All deprecated internal code has been removed. Warning: If you have custom components for a previous Tomcat version that extend internal Tomcat classes and override deprecated methods it is highly likely that they will no longer work. (markt) Parameterize version number throughout build scripts and source. (rjung)