Posted to dev@tomcat.apache.org by cr...@apache.org on 2001/03/20 05:14:49 UTC
cvs commit: jakarta-tomcat-4.0 RELEASE-NOTES-4.0-B2.txt
craigmcc 01/03/19 20:14:48
Added: . RELEASE-NOTES-4.0-B2.txt
Log:
Add release notes describing the changes of a prospective Beta 2 release
of Tomcat 4.0.
Revision Changes Path
1.1 jakarta-tomcat-4.0/RELEASE-NOTES-4.0-B2.txt
Index: RELEASE-NOTES-4.0-B2.txt
===================================================================
Apache Tomcat Version 4.0 Beta 2
=================================
Release Notes
=============
$Id: RELEASE-NOTES-4.0-B2.txt,v 1.1 2001/03/20 04:14:48 craigmcc Exp $
============
INTRODUCTION:
============
This document describes the changes that have been made in the current
beta release of Apache Tomcat, relative to the previous release.
Bug reports should be entered at the interim bug reporting system for
Jakarta projects at:
http://nagoya.apache.org/bugzilla/
Please use project codes "Catalina" and "Jasper" for servlet-related and
JSP-related bug reports, respectively.
IMPORTANT SECURITY NOTE: This release includes a fix to a "cross site
scripting vulnerability" caused by a request URI such as:
http://localhost:8080/<SCRIPT>alert(document.cookie)</SCRIPT>.xyz
============
NEW FEATURES:
============
---------------------
Catalina New Features:
---------------------
Default WEB.XML File: Add MIME type mappings for WAP related content types.
WebdavServlet: Add a Microsoft-specific header in response to an OPTIONS
request, mirroring what mod_dav is doing.
Valve API: Change the API for Valves so that it properly implements the
"inversion of control" design pattern, and is more similar to the API design
pattern implemented by javax.servlet.Filter.
JNDI Naming Context: Implement a JNDI naming context for use by applications
(for the <env-entry> and <resource-ref> elements) and by Catalina (for access
to static resources of the web application).
Security Manager: Web applications are now run under a security manager,
providing fine-grained control over what web apps can do.
Web Application Archives: You can now configure Tomcat 4.0 to run web
applications directly from a WAR file, instead of having to expand them.
Default Context Configuration: You can now specify a default set of
configuration directives for contexts that are not explicitly defined.
Servlet API Changes: Implement the servlet API changes that have been
approved by the JSR-053 Expert Group, and will appear in the next release
of the specification.
-------------------
Jasper New Features:
-------------------
Security Manager: Adapt Jasper to the new feature of running web applications
under a security manager.
Per-Page Class Loader: Each JSP page is now run in its own class loader. This
eliminates the requirement to kludge the class name in the class file itself.
This change also improves the performance of JSP pages.
Session Persisence: Implement a PersistentManager that can swap sessions out
of memory, as well as save them persistently.
XML Parser Class Loader: Load the XML parser used by by Jasper from a separate
class loader, which eliminates most cases of "package sealing violation" errors
when a web application wishes to use Xerces. See the "KNOWN ISSUES" section
for more information on this topic.
==========================
BUG FIXES AND IMPROVEMENTS:
==========================
------------------
Catalina Bug Fixes:
------------------
DefaultServlet: Return dates on directory listings in GMT format.
WebdavServlet: When a PROPFIND is done on a collection which has an encoded
URI, the href elements being returned were incorrect.
HttpConnector: Make sure that Tomcat will bind to only one IP address when
a hostname is specified.
AccessLogValve: Fix potential for incorrectly named log files.
ResponseBase: setBufferSize() should throw IllegalStateException if any
output has been written, *or* the response has been committed.
StandardClassLoader: Fix a NullPointerException when the manifest file
is missing.
HttpRequestBase: Don't try to read parameters if the stream has already
been opened.
WebdavServlet: Make the DAV collection enumeration code more robust.
FileResources: Fix rare NullPointerExceptions when File.list() returns null.
DefaultServlet: Fix inclusion problem by catching the IllegalStateException
which can be thrown by the servlet container.
WebdavServlet: Update PROPFIND to use streaming.
ApplicationContext: Return null from HttpServletRequest.getPathTranslated()
and ServletContext.getRealPath() if current resources are not filesystem based.
HttpResponseBase: Correct isEncodeable() to correctly assume a default port
of 443 for https, rather than always assuming the default port is 80.
Catalina: The shutdown process now looks up "127.0.0.1" instead of
"localhost" when checking for a valid shutdown source.
DefaultServlet: Encode unsafe characters in the generated hyperlinks.
HttpRequestBase: Improve internationalization support when decoding parameters
in a POST request.
DefaultServlet: Encode and decode paths using UTF-8, and change the encoding
name to UTF8 (UTF-8 is not present in early Java2 versions).
WebdavServlet: Rewrite display names in PROPFIND responses.
DefaultServlet: Fix more i18n issues with the directory browser.
HttpResponseBase: Return a status report for every status except 200/304,
emulating Apache 1.3.x behavior as closely as possible. Don't add a
"Content-Length: 0" when status is 304.
HttpSession: Fix a NullPointerException.
HttpRequestImpl: Perform header name comparisons in lower case.
JDBCRealm: Trim whitespace on reads from the database.
ApplicationDispatcher: Change the propogation method for exceptions thrown
by included or forwarded-to servlets.
StandardManager/StandardSession: Remove "final" declaration so these classes
can be subclassed.
StandardServer: Correct the loop control for validating a reversed IP address.
Bootstrap: Do not add jndi.jar to the classpath if it is already available
via the system classloader (i.e. a JDK 1.3 environment).
StandardContext: Fix an initialization problem when listeners and filters
couldn't be loaded if they were in a JAR file, or if they were in
/WEB-INF/classes and at least one JAR file was present in /WEB-INF/lib.
AccessLogValve: Do not resolve host names by default.
HttpRequestStream: Fix handling of unsigned bytes.
StandardWrapperValve: Correctly report the actual exception that occurred
to the error page, as well as the other request attributes.
HttpRequestStream: Fix a chunking bug.
ApplicationContext: Fix a Watchdog failure on GetResource_1Test.
Bootstrap: Add the classes directory last for class loaders.
HttpResponseImpl: Do not necessarily close the connection if the status
is >= 400.
HttpResponseImpl: Only set content length to zero if it is not an error.
BasicAuthenticator/DigestAuthenticator: Do not set content length to zero.
ResponseStream: Correctly support an offset on the write() method.
DefaultServlet: Set the content length when doing a single ranged request,
which fixes problems with the HTTP seek feature.
HttpResponseImpl/HttpResponseStream: Allow chunking on status 206.
DefaultServlet: POST should be treated like GET.
FormAuthenticator: Restore correct operation of formn based login.
HttpResopnseStream: An end chunk could be printed in the middle of a
response if write(byte[] b, int off, int len) was called with len = 0.
HttpConnector: If an accept exception occurs, close and reopen the
server socket.
HttpProcessor: Don't log interrupted I/O exceptions unless debug > 1.
StandardWrapper: Modify the special case treatment of loading the Jasper
servlet so that it works when you use <jsp-file>, as well as for the usual
declaration of the JSP servlet.
DefaultServlet: Make most methods protected instead of private, to ease
subclassing.
----------------
Jasper Bug Fixes:
----------------
JspParseEventListener: Fix a potential race condition on _jspx_init().
JspServlet: Normalize the path (and use File.toURL()) to make sure the
URL is valid.
Parser: It is up to the tag implementation to process the body of a
tagdependent tag.
BodyContentImpl: Remove buffer allocation and array copy to improve
performance.
ParserController: JSPC did not work well under Windows since the file
separator character was assumed to be "/".
SimplePool: Fix a race condition.
============================
KNOWN ISSUES IN THIS RELEASE:
============================
------------------------------------------
Redeploying From a Web Application Archive:
------------------------------------------
If you attempt to undeploy, then redeploy, an application from the same
web application archive file URL (where the URL refers to an actual WAR
file, not to a directory), the redeploy will fail with error "zip file is
closed". There appears to be a problem in the JDK's JarURLConnection class
where JAR files are cached, even after they are closed, so that a request
for a connection to the same URL returns the previous JarFile object instead
of a new one. As a workaround, you should do one of the following:
* Change the URL of the web application archive each time you redeploy.
* Deploy from an unpacked directory (on the same server) instead of from
a WAR file (this is often more convenient in a development environment
anyway).
--------------------------
Tomcat 4.0 and XML Parsers:
--------------------------
Previous versions of Tomcat 4.0 exposed the XML parser used by Jasper (the
JAXP/1.1 reference implementation) to web applications. This is no longer
the case, because Jasper loads its parser with a new class loader instead.
This change was primarily made to deal with "package sealing violation" errors
caused by the fact that the "jaxp.jar" and "crimson.jar" files (supplied with
the JAXP/1.1 release) are sealed. While this change appears to have eliminated
sealing violation problems when running under JDK 1.2, problems have still been
reported under JDK 1.3.
Until a solution to this problem is implemented, keep the following
information in mind with respect to XML parsers.
* If you wish to make the JAXP/1.1 RI XML parser available to all web
applications, simply move the "jaxp.jar" and "crimson.jar" files from
the "$TOMCAT_HOME/jasper" directory to the "$TOMCAT_HOME/lib" directory.
* If you wish to make another XML parser that is JAXP/1.1-compatible
available to all web applications, install that parser into the
"$TOMCAT_HOME/lib" directory and remove "jaxp.jar" and "crimson.jar"
from the "$TOMCAT_HOME/jasper" directory.
WARNING: No current version of Xerces, including 2.0.0 alpha releases,
fully implements the JAXP/1.1 specification. As a result, you will not
be able to utilize JSP pages in XML syntax (which requires a parser that
is compatible with JAXP/1.1) until Xerces completely implements this
specification.
* If you wish to include an XML parser (such as Xerces) in the WEB-INF/lib
directory of your web application, you may encounter "package sealing
violation" errors under JDK 1.3. One solution would be to manually modify
the JAXP JAR files (jaxp.jar and crimson.jar) so that they are not sealed
(Remove the "sealed" line from META-INF/MANIFEST.MF and re-JAR the files).
This is being considered as a permanent solution to the sealing problem,
so feedback is requested about successful (or unsuccessful) attempts to
use this approach.
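Review bot: The IMPORTANT SECURITY NOTE in the INTRODUCTION announces a cross-site scripting fix, but no entry under "Catalina Bug Fixes" or "Jasper Bug Fixes" says which component was changed, so a reader cannot tell where the fix was made or check that a build contains it; add a matching bug-fix entry that names the class. The "Session Persisence" item sits under "Jasper New Features" although it describes a session PersistentManager, and StandardManager/StandardSession are listed under Catalina, so it probably belongs in "Catalina New Features". Spelling to correct before release: "Persisence", "used by by Jasper", "propogation", "formn based login" and "HttpResopnseStream".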