diff --git java/org/apache/catalina/loader/WebappLoader.java java/org/apache/catalina/loader/WebappLoader.java index 6c1e9ec..3e4ebdc 100644 --- java/org/apache/catalina/loader/WebappLoader.java +++ java/org/apache/catalina/loader/WebappLoader.java @@ -57,7 +57,7 @@ import org.apache.catalina.core.StandardContext; import org.apache.catalina.mbeans.MBeanUtils; import org.apache.catalina.util.LifecycleMBeanBase; import org.apache.naming.resources.DirContextURLStreamHandler; -import org.apache.naming.resources.DirContextURLStreamHandlerFactory; +import org.apache.naming.resources.TomcatURLStreamHandlerFactory; import org.apache.naming.resources.Resource; import org.apache.tomcat.util.ExceptionUtils; import org.apache.tomcat.util.modeler.Registry; @@ -560,7 +560,7 @@ public class WebappLoader extends LifecycleMBeanBase // Register a stream handler factory for the JNDI protocol URLStreamHandlerFactory streamHandlerFactory = - DirContextURLStreamHandlerFactory.getInstance(); + TomcatURLStreamHandlerFactory.getInstance(); if (first) { first = false; try { diff --git java/org/apache/catalina/realm/MemoryRealm.java java/org/apache/catalina/realm/MemoryRealm.java index b8776de..0baf646 100644 --- java/org/apache/catalina/realm/MemoryRealm.java +++ java/org/apache/catalina/realm/MemoryRealm.java @@ -19,17 +19,18 @@ package org.apache.catalina.realm; -import java.io.File; +import java.io.IOException; +import java.io.InputStream; import java.security.Principal; import java.util.ArrayList; import java.util.HashMap; import java.util.Map; -import org.apache.catalina.Globals; import org.apache.catalina.LifecycleException; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; import org.apache.tomcat.util.digester.Digester; +import org.apache.tomcat.util.file.ConfigFileLoader; /** 
@@ -282,30 +283,42 @@ public class MemoryRealm extends RealmBase { @Override protected void startInternal() throws LifecycleException { - // Validate the existence of our database file - File file = new File(pathname); - if (!file.isAbsolute()) - file = new File(System.getProperty(Globals.CATALINA_BASE_PROP), pathname); - if (!file.exists() || !file.canRead()) - throw new LifecycleException - (sm.getString("memoryRealm.loadExist", - file.getAbsolutePath())); - - // Load the contents of the database file - if (log.isDebugEnabled()) - log.debug(sm.getString("memoryRealm.loadPath", - file.getAbsolutePath())); - Digester digester = getDigester(); + String pathName = getPathname(); + InputStream is = null; + try { - synchronized (digester) { - digester.push(this); - digester.parse(file); + is = ConfigFileLoader.getInputStream(pathName); + + // Load the contents of the database file + if (log.isDebugEnabled()) { + log.debug(sm.getString("memoryRealm.loadPath", pathName)); } - } catch (Exception e) { - throw new LifecycleException - (sm.getString("memoryRealm.readXml"), e); + + Digester digester = getDigester(); + try { + synchronized (digester) { + digester.push(this); + digester.parse(is); + } + } catch (Exception e) { + throw new LifecycleException + (sm.getString("memoryRealm.readXml"), e); + } finally { + digester.reset(); + } + + } catch (IOException ioe) { + throw new LifecycleException(sm.getString("memoryRealm.loadExist", + pathName), ioe); + } finally { - digester.reset(); + if (is != null) { + try { + is.close(); + } catch (IOException e) { + // ignore + } + } } super.startInternal(); diff --git java/org/apache/catalina/users/MemoryUserDatabase.java java/org/apache/catalina/users/MemoryUserDatabase.java index 4395e36..7ca6d78 100644 --- java/org/apache/catalina/users/MemoryUserDatabase.java +++ java/org/apache/catalina/users/MemoryUserDatabase.java 
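Review bot: The credentials file named by `pathname` is no longer limited to the local file system, because `ConfigFileLoader.getInputStream()` (added in this commit) leaves absolute URIs alone and calls `url.openConnection()`. A value naming an `http:` or `ftp:` URL would therefore be fetched over that transport, with no integrity check visible here. The same holds for `MemoryUserDatabase.open()` and for the keystore and CRL loads in `JSSESocketFactory`. If remote locations are not intended, restrict the scheme in the loader, e.g. `if (!"file".equals(uri.getScheme()) && !"classpath".equals(uri.getScheme())) throw new IOException(location);`; if they are intended, say so in the `pathname` Javadoc so operators know the file's trust now depends on the transport. `startInternal()` continues past the end of this hunk.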
@@ -17,9 +17,9 @@ package org.apache.catalina.users; import java.io.File; -import java.io.FileInputStream; import java.io.FileOutputStream; import java.io.IOException; +import java.io.InputStream; import java.io.OutputStreamWriter; import java.io.PrintWriter; import java.util.HashMap; @@ -34,6 +34,7 @@ import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; import org.apache.tomcat.util.digester.AbstractObjectCreationFactory; import org.apache.tomcat.util.digester.Digester; +import org.apache.tomcat.util.file.ConfigFileLoader; import org.apache.tomcat.util.res.StringManager; import org.xml.sax.Attributes; 
@@ -394,52 +395,44 @@ public class MemoryUserDatabase implements UserDatabase { groups.clear(); roles.clear(); - // Construct a reader for the XML input file (if it exists) - File file = new File(pathname); - if (!file.isAbsolute()) { - file = new File(System.getProperty(Globals.CATALINA_BASE_PROP), - pathname); - } - if (!file.exists()) { - log.error(sm.getString("memoryUserDatabase.fileNotFound", - file.getAbsolutePath())); - return; - } + String pathName = getPathname(); + InputStream is = null; - // Construct a digester to read the XML input file - Digester digester = new Digester(); - try { - digester.setFeature( - "http://apache.org/xml/features/allow-java-encodings", - true); - } catch (Exception e) { - log.warn(sm.getString("memoryUserDatabase.xmlFeatureEncoding"), e); - } - digester.addFactoryCreate - ("tomcat-users/group", - new MemoryGroupCreationFactory(this), true); - digester.addFactoryCreate - ("tomcat-users/role", - new MemoryRoleCreationFactory(this), true); - digester.addFactoryCreate - ("tomcat-users/user", - new MemoryUserCreationFactory(this), true); - - // Parse the XML input file to load this database - FileInputStream fis = null; try { - fis = new FileInputStream(file); - digester.parse(fis); + is = ConfigFileLoader.getInputStream(pathName); + + // Construct a digester to read the XML input file + Digester digester = new Digester(); + try { + digester.setFeature( + "http://apache.org/xml/features/allow-java-encodings", + true); + } catch (Exception e) { + log.warn(sm.getString("memoryUserDatabase.xmlFeatureEncoding"), e); + } + digester.addFactoryCreate + ("tomcat-users/group", + new MemoryGroupCreationFactory(this), true); + digester.addFactoryCreate + ("tomcat-users/role", + new MemoryRoleCreationFactory(this), true); + digester.addFactoryCreate + ("tomcat-users/user", + new MemoryUserCreationFactory(this), true); + + // Parse the XML input to load this database + digester.parse(is); + } catch (IOException ioe) { + 
log.error(sm.getString("memoryUserDatabase.fileNotFound", pathName)); } finally { - if (fis != null) { + if (is != null) { try { - fis.close(); + is.close(); } catch (IOException ioe) { // Ignore } } } - } } diff --git java/org/apache/naming/resources/ClasspathURLStreamHandler.java java/org/apache/naming/resources/ClasspathURLStreamHandler.java new file mode 100644 index 0000000..25b56f9 --- /dev/null +++ java/org/apache/naming/resources/ClasspathURLStreamHandler.java 
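Review bot: The new `catch (IOException ioe)` covers `digester.parse(is)` as well as the open call, so a read failure part-way through the users file is logged as `memoryUserDatabase.fileNotFound`, and `ioe` itself is dropped from the log call. The old code had no catch here, so such an error propagated to the caller; now it is swallowed after `groups` and `roles` have already been cleared, leaving an empty or partly loaded database behind a misleading message. At minimum pass the cause, `log.error(sm.getString("memoryUserDatabase.fileNotFound", pathName), ioe);`, and preferably open the stream in its own try so that only the open failure is reported as "not found". The method begins above this hunk.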
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.naming.resources;
+
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.net.URL;
+import java.net.URLConnection;
+import java.net.URLStreamHandler;
+
+import org.apache.tomcat.util.res.StringManager;
+
+public class ClasspathURLStreamHandler extends URLStreamHandler {
+
+ private static final StringManager sm =
+ StringManager.getManager(Constants.Package);
+
+
+ @Override
+ protected URLConnection openConnection(URL u) throws IOException {
+ String path = u.getPath();
+
+ // Thread context class loader first
+ URL classpathUrl = Thread.currentThread().getContextClassLoader().getResource(path);
+ if (classpathUrl == null) {
+ // This class's class loader if no joy with the tccl
+ classpathUrl = ClasspathURLStreamHandler.class.getResource(path);
+ }
+
+ if (classpathUrl == null) {
+ throw new FileNotFoundException(sm.getString("classpathUrlStreamHandler.notFound", u));
+ }
+
+ return classpathUrl.openConnection();
+ }
+}
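Review bot: The two lookups in `openConnection` interpret `path` differently: `ClassLoader.getResource()` expects a name without a leading `/` resolved from the class path root, while `Class.getResource()` treats a name without a leading `/` as relative to this class's package. So `classpath:/a/b` will generally miss the context class loader, and for `classpath:a/b` the fallback searches under `org/apache/naming/resources/` instead of the root. `Thread.currentThread().getContextClassLoader()` may also return null, which surfaces as a NullPointerException rather than the `FileNotFoundException` callers are written for. Normalising the name once and using class loaders for both lookups addresses both. Since the context class loader is tried first, it is also worth documenting that whichever loader is current when the URL is opened decides which copy of a keystore or users file is read.

```java
String path = u.getPath();
// ClassLoader.getResource() expects a name with no leading '/'
if (path.startsWith("/")) {
    path = path.substring(1);
}

URL classpathUrl = null;
ClassLoader tccl = Thread.currentThread().getContextClassLoader();
if (tccl != null) {
    classpathUrl = tccl.getResource(path);
}
if (classpathUrl == null) {
    // Same name, same root-relative lookup, via this class's loader
    classpathUrl = ClasspathURLStreamHandler.class.getClassLoader().getResource(path);
}
// … unchanged: FileNotFoundException when still null, then openConnection() …
```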
diff --git java/org/apache/naming/resources/DirContextURLStreamHandlerFactory.java java/org/apache/naming/resources/DirContextURLStreamHandlerFactory.java deleted file mode 100644 index bf41555..0000000 --- java/org/apache/naming/resources/DirContextURLStreamHandlerFactory.java +++ /dev/null 
@@ -1,80 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.naming.resources; - -import java.net.URLStreamHandler; -import java.net.URLStreamHandlerFactory; -import java.util.List; -import java.util.concurrent.CopyOnWriteArrayList; - -/** - * Factory for Stream handlers to a JNDI directory context that also supports - * users specifying additional stream handler. - * - * @author Remy Maucherat - */ -public class DirContextURLStreamHandlerFactory - implements URLStreamHandlerFactory { - - // Singleton - private static DirContextURLStreamHandlerFactory instance = - new DirContextURLStreamHandlerFactory(); - - public static DirContextURLStreamHandlerFactory getInstance() { - return instance; - } - - public static void addUserFactory(URLStreamHandlerFactory factory) { - instance.userFactories.add(factory); - } - - - private List userFactories = - new CopyOnWriteArrayList(); - - private DirContextURLStreamHandlerFactory() { - // Hide the default constructor - } - - - /** - * Creates a new URLStreamHandler instance with the specified protocol. - * Will return null if the protocol is not jndi. 
- * - * @param protocol the protocol (must be "jndi" here) - * @return a URLStreamHandler for the jndi protocol, or null if the - * protocol is not JNDI - */ - @Override - public URLStreamHandler createURLStreamHandler(String protocol) { - if (protocol.equals("jndi")) { - return new DirContextURLStreamHandler(); - } else { - for (URLStreamHandlerFactory factory : userFactories) { - URLStreamHandler handler = - factory.createURLStreamHandler(protocol); - if (handler != null) { - return handler; - } - } - return null; - } - } - - -} diff --git java/org/apache/naming/resources/LocalStrings.properties java/org/apache/naming/resources/LocalStrings.properties index 4cc7cff..e18f90c 100644 --- java/org/apache/naming/resources/LocalStrings.properties +++ java/org/apache/naming/resources/LocalStrings.properties @@ -43,3 +43,4 @@ standardResources.exists=File base {0} does not exist standardResources.notStarted=Resources has not yet been started standardResources.null=Document base cannot be null standardResources.slash=Document base {0} must not end with a slash +classpathUrlStreamHandler.notFound=Unable to load the resource [{0}] using the thread context class loader or the current class's class loader diff --git java/org/apache/naming/resources/TomcatURLStreamHandlerFactory.java java/org/apache/naming/resources/TomcatURLStreamHandlerFactory.java new file mode 100644 index 0000000..02f4bb2 --- /dev/null +++ java/org/apache/naming/resources/TomcatURLStreamHandlerFactory.java 
@@ -0,0 +1,83 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.naming.resources;
+
+import java.net.URLStreamHandler;
+import java.net.URLStreamHandlerFactory;
+import java.util.List;
+import java.util.concurrent.CopyOnWriteArrayList;
+
+/**
+ * Factory for Stream handlers to a JNDI directory context,
+ * or for Stream handlers to a classpath url,
+ * which also supports users specifying additional stream handler.
+ *
+ * @author Remy Maucherat
+ */
+public class TomcatURLStreamHandlerFactory
+ implements URLStreamHandlerFactory {
+
+ // Singleton
+ private static TomcatURLStreamHandlerFactory instance =
+ new TomcatURLStreamHandlerFactory();
+
+ public static TomcatURLStreamHandlerFactory getInstance() {
+ return instance;
+ }
+
+ public static void addUserFactory(URLStreamHandlerFactory factory) {
+ instance.userFactories.add(factory);
+ }
+
+
+ private List userFactories =
+ new CopyOnWriteArrayList();
+
+ private TomcatURLStreamHandlerFactory() {
+ // Hide the default constructor
+ }
+
+
+ /**
+ * Creates a new URLStreamHandler instance with the specified protocol.
+ * Will return null if the protocol is not jndi.
+ *
+ * @param protocol the protocol (must be "jndi" here)
+ * @return a URLStreamHandler for the jndi protocol, or null if the
+ * protocol is not JNDI
+ */
+ @Override
+ public URLStreamHandler createURLStreamHandler(String protocol) {
+ if (protocol.equals("jndi")) {
+ return new DirContextURLStreamHandler();
+ } else if (protocol.equals("classpath")) {
+ return new ClasspathURLStreamHandler();
+ } else {
+ for (URLStreamHandlerFactory factory : userFactories) {
+ URLStreamHandler handler =
+ factory.createURLStreamHandler(protocol);
+ if (handler != null) {
+ return handler;
+ }
+ }
+ return null;
+ }
+ }
+
+
+}
diff --git java/org/apache/tomcat/util/file/ConfigFileLoader.java java/org/apache/tomcat/util/file/ConfigFileLoader.java
new file mode 100644
index 0000000..f0a2661
--- /dev/null
+++ java/org/apache/tomcat/util/file/ConfigFileLoader.java
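Review bot: The Javadoc on `createURLStreamHandler` was carried over from the old class and still says the method returns null unless the protocol is `jndi`, but the body now also serves `classpath` and then falls through to the user factories. It should read along the lines of `@return a handler for "jndi" or "classpath", otherwise the first non-null handler from a registered user factory, or null`. Because the built-in branches run before the `userFactories` loop, a user factory cannot replace the `classpath` handler; that ordering deserves a sentence in the class comment now that the handler is used to load keystores and user databases. As a style point, `"jndi".equals(protocol)` would be null-safe and would match the `"foo".equals(protocol)` form used in the accompanying test.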
@@ -0,0 +1,68 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ +package org.apache.tomcat.util.file; + +import java.io.File; +import java.io.IOException; +import java.io.InputStream; +import java.net.URI; +import java.net.URL; + +/** + * This class is used to obtain {@link InputStream}s for configuration files + * from a given location String. This allows greater flexibility than these + * files having to be loaded directly from a file system. + */ +public class ConfigFileLoader { + + private static final URI CATALINA_BASE_URI; + + static { + File catalinaBase = new File(System.getProperty("catalina.base")); + CATALINA_BASE_URI = catalinaBase.toURI(); + } + + private ConfigFileLoader() { + // Utility class. Hide the default constructor. + } + + + /** + * Load the resource from the specified location. + * + * @param location The location for the resource of interest. The location + * may be a URL or a file path. Relative paths will be + * resolved against CATALINA_BASE. + * + * @return The InputStream for the given resource. The caller is responsible + * for closing this stream when it is no longer used. 
+ * + * @throws IOException If an InputStream cannot be created using the + * provided location + */ + public static InputStream getInputStream(String location) throws IOException { + + // Absolute URIs will be left alone + // Relative files will be resolved relative to catalina base + // Absolute files will be converted to URIs + URI uri = CATALINA_BASE_URI.resolve(location); + URL url = uri.toURL(); + + return url.openConnection().getInputStream(); + } +} \ No newline at end of file diff --git java/org/apache/tomcat/util/net/AbstractEndpoint.java java/org/apache/tomcat/util/net/AbstractEndpoint.java index c4ad4ce..9f0349b 100644 --- java/org/apache/tomcat/util/net/AbstractEndpoint.java +++ java/org/apache/tomcat/util/net/AbstractEndpoint.java @@ -16,7 +16,6 @@ */ package org.apache.tomcat.util.net; -import java.io.File; import java.io.OutputStreamWriter; import java.net.InetAddress; import java.net.InetSocketAddress; @@ -728,25 +727,6 @@ public abstract class AbstractEndpoint { } } - - public String adjustRelativePath(String path, String relativeTo) { - // Empty or null path can't point to anything useful. The assumption is - // that the value is deliberately empty / null so leave it that way. - if (path == null || path.length() == 0) { - return path; - } - String newPath = path; - File f = new File(newPath); - if ( !f.isAbsolute()) { - newPath = relativeTo + File.separator + newPath; - f = new File(newPath); - } - if (!f.exists()) { - getLog().warn("configured file:["+newPath+"] does not exist."); - } - return newPath; - } - protected abstract Log getLog(); // Flags to indicate optional feature support // Some of these are always hard-coded, some are hard-coded to false (i.e. 
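Review bot: `CATALINA_BASE_URI.resolve(location)` parses `location` as a URI, so a value that is a legal file path but not legal URI syntax (a space in a directory name, Windows backslashes) throws the unchecked `IllegalArgumentException`, which none of the callers' `catch (IOException)` blocks handle; a `C:/...` path parses as scheme `C` and fails in `toURL()`. The comment "Absolute files will be converted to URIs" describes a step the code does not perform. The default keystore location in `AbstractEndpoint`, `System.getProperty("user.home")+"/.keystore"`, now goes through this method. Trying the value as a file first keeps existing configurations working and confines URI parsing to values that are not existing files. Separately, the static initialiser calls `new File(System.getProperty("catalina.base"))`, which throws when the property is unset and leaves the class unusable.

```java
public static InputStream getInputStream(String location) throws IOException {
    // Locations were plain file paths before URL support was added, and a
    // path may contain characters that are not legal in a URI: try it first.
    File f = new File(location);
    if (!f.isAbsolute()) {
        f = new File(new File(CATALINA_BASE_URI), location);
    }
    if (f.isFile()) {
        return new FileInputStream(f);
    }

    URI uri;
    try {
        uri = CATALINA_BASE_URI.resolve(location);
    } catch (IllegalArgumentException e) {
        // Keep the documented contract: callers only handle IOException
        throw new IOException("Invalid configuration location [" + location + "]", e);
    }
    return uri.toURL().openConnection().getInputStream();
}
```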
@@ -833,8 +813,7 @@ public abstract class AbstractEndpoint { private String keystoreFile = System.getProperty("user.home")+"/.keystore"; public String getKeystoreFile() { return keystoreFile;} public void setKeystoreFile(String s ) { - keystoreFile = adjustRelativePath(s, - System.getProperty(Constants.CATALINA_BASE_PROP)); + keystoreFile = s; } private String keystorePass = null; @@ -874,8 +853,7 @@ public abstract class AbstractEndpoint { private String truststoreFile = System.getProperty("javax.net.ssl.trustStore"); public String getTruststoreFile() {return truststoreFile;} public void setTruststoreFile(String s) { - truststoreFile = adjustRelativePath(s, - System.getProperty(Constants.CATALINA_BASE_PROP)); + truststoreFile = s; } private String truststorePass = diff --git java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java index 7a4ade6..7cab87f 100644 --- java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java +++ java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java @@ -17,8 +17,6 @@ package org.apache.tomcat.util.net.jsse; -import java.io.File; -import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.IOException; import java.io.InputStream; @@ -63,6 +61,7 @@ import javax.net.ssl.X509KeyManager; import org.apache.tomcat.util.compat.JreCompat; import org.apache.tomcat.util.compat.JreVendor; +import org.apache.tomcat.util.file.ConfigFileLoader; import org.apache.tomcat.util.net.AbstractEndpoint; import org.apache.tomcat.util.net.Constants; import org.apache.tomcat.util.net.SSLUtil; 
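Review bot: `setKeystoreFile` and `setTruststoreFile` now store the raw value, so `getKeystoreFile()` and `getTruststoreFile()` return a relative string where they used to return one already anchored at `catalina.base`; the "configured file ... does not exist" warning also disappears with `adjustRelativePath`. `JSSESocketFactory` resolves the value through `ConfigFileLoader` in this commit, but any other reader of these getters (none visible here) that builds a `File` directly would now resolve against the process working directory. Removing the public `adjustRelativePath` is also an API break for subclasses or callers that used it. A comment on both setters would make the new contract explicit: `// May be an absolute path, a path relative to catalina.base, or a URL; resolved only when the store is opened`.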
@@ -431,12 +430,7 @@ public class JSSESocketFactory implements ServerSocketFactory, SSLUtil { } if(!("PKCS11".equalsIgnoreCase(type) || "".equalsIgnoreCase(path))) { - File keyStoreFile = new File(path); - if (!keyStoreFile.isAbsolute()) { - keyStoreFile = new File(System.getProperty( - Constants.CATALINA_BASE_PROP), path); - } - istream = new FileInputStream(keyStoreFile); + istream = ConfigFileLoader.getInputStream(path); } char[] storePass = null; @@ -718,16 +712,11 @@ public class JSSESocketFactory implements ServerSocketFactory, SSLUtil { protected Collection getCRLs(String crlf) throws IOException, CRLException, CertificateException { - File crlFile = new File(crlf); - if( !crlFile.isAbsolute() ) { - crlFile = new File( - System.getProperty(Constants.CATALINA_BASE_PROP), crlf); - } Collection crls = null; InputStream is = null; try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); - is = new FileInputStream(crlFile); + is = ConfigFileLoader.getInputStream(crlf); crls = cf.generateCRLs(is); } catch(IOException iex) { throw iex; diff --git test/org/apache/naming/resources/TestClasspathUrlStreamHandler.java test/org/apache/naming/resources/TestClasspathUrlStreamHandler.java new file mode 100644 index 0000000..fd5693f --- /dev/null +++ test/org/apache/naming/resources/TestClasspathUrlStreamHandler.java 
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.naming.resources;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URL;
+import java.util.Properties;
+
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class TestClasspathUrlStreamHandler {
+
+ @BeforeClass
+ public static void setup() {
+ URL.setURLStreamHandlerFactory(TomcatURLStreamHandlerFactory.getInstance());
+ }
+
+ @Test
+ public void testClasspathURL01() throws IOException {
+ URL u = new URL("classpath:/org/apache/naming/resources/LocalStrings.properties");
+ InputStream is = u.openStream();
+ Properties p = new Properties();
+ p.load(is);
+ String msg = (String) p.get("resources.null");
+ Assert.assertEquals("Document base cannot be null", msg);
+ }
+}
\ No newline at end of file
diff --git test/org/apache/naming/resources/TestDirContextURLStreamHandlerFactory.java test/org/apache/naming/resources/TestDirContextURLStreamHandlerFactory.java
deleted file mode 100644
index 73d46dc..0000000
--- test/org/apache/naming/resources/TestDirContextURLStreamHandlerFactory.java
+++ /dev/null
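Review bot: `URL.setURLStreamHandlerFactory()` can be called only once per JVM and throws an `Error` on a second call, yet `setup()` here, `TestConfigFileLoader.setup()` and `TestTomcatURLStreamHandlerFactory.testUserSuppliedFactory()` each call it unguarded. These tests therefore pass only when each class runs in its own JVM and nothing else has installed a factory first. A single guarded registration point would remove the ordering dependency, for example a static method on `TomcatURLStreamHandlerFactory` that remembers whether it has already registered. In `testClasspathURL01` the stream from `u.openStream()` is never closed; wrap the load as `try { p.load(is); } finally { is.close(); }`.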
@@ -1,82 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.naming.resources; - -import java.net.MalformedURLException; -import java.net.URL; -import java.net.URLStreamHandler; -import java.net.URLStreamHandlerFactory; - -import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertNull; - -import org.junit.Test; - -public class TestDirContextURLStreamHandlerFactory { - - @Test - public void testUserSuppliedFactory() throws Exception { - - URL url = null; - - // Initially unknown - try { - url = new URL("foo://www.apache.org"); - } catch (MalformedURLException ignore) { - // Ignore - } - assertNull(url); - - // Set the factory - URL.setURLStreamHandlerFactory( - DirContextURLStreamHandlerFactory.getInstance()); - - // Still unknown - try { - url = new URL("foo://www.apache.org"); - } catch (MalformedURLException ignore) { - // Ignore - } - assertNull(url); - - // Register a user factory - DirContextURLStreamHandlerFactory.addUserFactory( - new FooURLStreamHandlerFactory()); - - // Now it works - try { - url = new URL("foo://www.apache.org"); - } catch (MalformedURLException ignore) { - // Ignore - } - assertNotNull(url); - } - - public static class 
FooURLStreamHandlerFactory - implements URLStreamHandlerFactory { - - @Override - public URLStreamHandler createURLStreamHandler(String protocol) { - if ("foo".equals(protocol)) { - // This is good enough for this test but not for actual use - return new DirContextURLStreamHandler(); - } else { - return null; - } - } - } -} diff --git test/org/apache/naming/resources/TestTomcatURLStreamHandlerFactory.java test/org/apache/naming/resources/TestTomcatURLStreamHandlerFactory.java new file mode 100644 index 0000000..64cf7c4 --- /dev/null +++ test/org/apache/naming/resources/TestTomcatURLStreamHandlerFactory.java 
@@ -0,0 +1,82 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.naming.resources; + +import java.net.MalformedURLException; +import java.net.URL; +import java.net.URLStreamHandler; +import java.net.URLStreamHandlerFactory; + +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertNull; + +import org.junit.Test; + +public class TestTomcatURLStreamHandlerFactory { + + @Test + public void testUserSuppliedFactory() throws Exception { + + URL url = null; + + // Initially unknown + try { + url = new URL("foo://www.apache.org"); + } catch (MalformedURLException ignore) { + // Ignore + } + assertNull(url); + + // Set the factory + URL.setURLStreamHandlerFactory( + TomcatURLStreamHandlerFactory.getInstance()); + + // Still unknown + try { + url = new URL("foo://www.apache.org"); + } catch (MalformedURLException ignore) { + // Ignore + } + assertNull(url); + + // Register a user factory + TomcatURLStreamHandlerFactory.addUserFactory( + new FooURLStreamHandlerFactory()); + + // Now it works + try { + url = new URL("foo://www.apache.org"); + } catch (MalformedURLException ignore) { + // Ignore + } + assertNotNull(url); + } + + public static class FooURLStreamHandlerFactory + 
implements URLStreamHandlerFactory { + + @Override + public URLStreamHandler createURLStreamHandler(String protocol) { + if ("foo".equals(protocol)) { + // This is good enough for this test but not for actual use + return new DirContextURLStreamHandler(); + } else { + return null; + } + } + } +} diff --git test/org/apache/tomcat/util/file/TestConfigFileLoader.java test/org/apache/tomcat/util/file/TestConfigFileLoader.java new file mode 100644 index 0000000..8cf4e1a --- /dev/null +++ test/org/apache/tomcat/util/file/TestConfigFileLoader.java 
@@ -0,0 +1,73 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.tomcat.util.file;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URL;
+
+import org.apache.naming.resources.TomcatURLStreamHandlerFactory;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class TestConfigFileLoader {
+
+ @BeforeClass
+ public static void setup() {
+ URL.setURLStreamHandlerFactory(
+ TomcatURLStreamHandlerFactory.getInstance());
+ File buildDir = new File(
+ System.getProperty("tomcat.test.tomcatbuild", "output/build"));
+ System.setProperty("catalina.base", buildDir.getAbsolutePath());
+ }
+
+ @Test
+ public void test01() throws IOException {
+ doTest("classpath:org/apache/catalina/mbeans-descriptors.xml");
+ }
+
+ @Test(expected=FileNotFoundException.class)
+ public void test02() throws IOException {
+ doTest("classpath:org/apache/catalina/foo");
+ }
+
+ @Test
+ public void test03() throws IOException {
+ doTest("conf/server.xml");
+ }
+
+ @Test(expected=FileNotFoundException.class)
+ public void test04() throws IOException {
+ doTest("conf/unknown");
+ }
+
+ private void
doTest(String path) throws IOException {
+ InputStream is = null;
+ try {
+ is = ConfigFileLoader.getInputStream(path);
+ Assert.assertNotNull(is);
+ } finally {
+ if (is != null) {
+ is.close();
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git webapps/docs/changelog.xml.orig webapps/docs/changelog.xml.orig
new file mode 100644
index 0000000..b734ed6
--- /dev/null
+++ webapps/docs/changelog.xml.orig
@@ -0,0 +1,4780 @@ + + + +]> + + + + &project; + + + Changelog + + + + + +<<<<<<< HEAD +
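Review bot: None of the four cases exercises an explicit URL, although the changelog entry for 56777 further down this diff describes the change as letting user databases, certificate revocation lists, keystores and trust stores be configured by URL; only `classpath:` and `catalina.base`-relative paths are covered. `ConfigFileLoader` is not visible in this hunk, so how it resolves each form is an inference, but a case such as `doTest(new File(System.getProperty("catalina.base"), "conf/server.xml").toURI().toString());` would pin the `file:` form for inputs that feed credential and key material. `setup()` also overwrites the `catalina.base` system property and never restores it. The names `test01` to `test04` say nothing about what each checks; names like `testClasspathResourceFound` and `testRelativePathMissing` would make a failure report readable.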
+======= +
+ + + + Add support for the custom classpath protocol in URLs. It + an be used anywhere Tomcat accepts a URL for a configuration parameter. + (markt) + + + 56777: Allow file based configuration resources (user + database, certificate revocation lists, keystores an dtrust stores) to + be configured using URLs as well as files. (markt) + + + Perform null-checking on input and stored credentials in all Realms + before passing credentials off to CredentialHandlers for matching. + (schultz) + + + + + + + Add the new ciphers from RFC6655 and RFC7251 to the OpenSSL to JSSE + cipher mapping. (markt) + + + Remove DES, RC2 and RC4 from DEFAULT for the OpenSSL to JSSE cipher + mapping to align with the OpenSSL development branch. (markt) + + + + + + + Improve the error message when JSP parser encounters an error parsing an + attribute value. (markt) + + + + + + + 58474: Provide a reference to the differences between + CATALINA_HOME and CATALINA_BASE in the sample + application that is part of the documentation web application. (markt) + + + + + + + Ensure JULI adapters does not include the LogFactoryImpl class. Patch + provided by Benjamin Gandon. (markt) + + + +
+
+ + + + 58187: Correct a regression in the fix for 57765 + that meant that deployment of web applications deployed via the Manager + application was delayed until the next execution of the automatic + deployment background process. (markt) + + + 58284: Correctly implement session serialization so + non-serializable attributes are skipped with a warning. Patch provided + by Andrew Shore. (markt) + + + 58313: Fix concurrent access of encoders map when clearing + encoders prior to switch to async. (markt) + + + 58320: Fix concurrent access of request attributes which is + possible during asynchronous processing. (markt) + + + 58352: Always trigger a thread dump if Tomcat fails to stop + gracefully from catalina.sh even if using + -force. Patch provided by Alexandre Garnier. (markt) + + + 58368: Fix a rare data race in the code that obtains the + ApplicationFilterFactory instance. (markt) + + + 58369: Fix a rare data race in the code that obtains the + CookieProcessor for a StandardContext instance. (markt) + + + Ensure the JAASRealm uses the configured CredentialHandler. (markt) + + + 58372: Fix rare data races closed and suspended flags that + could be triggered by async and/or comet processing. (markt) + + + 58373: Fix rare data race with the application event + listeners for StandardContext. (markt) + + + 58374: Fix a rare data race in the AsyncContext + implementation for access to the internal Tomcat request object to which + it holds a reference. (markt) + + + 58380: Fix two rare data races in the standard session + implementation on the flag that tracks if the session is new and on the + field that tracks the maximum inactive period. (markt) + + + 58385: Fix a rare data race in the internal flag Tomcat uses + to keep track of whether or not a request is being used for Comet + processing. (markt) + + + 58394: Fix a rare data race in Mapper when adding or removing + a host. (markt) + + + 58398: Fix a rare data race in LifecycleSupport. 
+ (markt) + + + 58412: Ensure that the AsyncFileHandler has the + source class and method name available for logging. (fschumacher) + + + 58416: Correctly detect when a forced stop fails to stop + Tomcat because the Tomcat process is waiting on some system call or is + uninterruptible. (markt) + + + 58436: Fix some rare data races in JULI's + ClassLoaderLogManager during shutdown. (markt) + + + 58845: Fix off-by one error in calculation of valid + characters in a cookie domain. Patch provided by Thorsten Ehlers. + (markt) + + + + + + + Correct some edge cases in RequestUtil.normalize(). (markt) + + + 58275: The IBM JREs accept cipher suite names starting with + TLS_ or SSL_ but when listing the supported + cipher suites only the SSL_ version is reported. This can + break Tomcat's check that at least one requested cipher suite is + supported. Tomcat now includes a work-around so either form of the + cipher suite name can be used when running on an IBM JRE. (markt) + + + 58357: For reasons not currently understood when the + APR/native connector is used with OpenSSL reads can return an error code + when there is no apparent error. This was work-around for HTTP upgrade + connections by treating this as EAGAIN. The same fix has + now been applied to the standard HTTP connector. (markt) + + + Minor clean-up in NIO2 SSL handshake code to address some theoretical + concurrency issues. (markt) + + + 58367: Fix a rare data race in the code that obtains the + reason phrase for a given HTTP response code. (markt) + + + 58370: Fix a rare data race in the connector shutdown code. + (markt) + + + 58371: Fix a rare data race when accessing request URI in + String form when switching from non-async to async due to early + triggering of the gathering of request statistics. (markt) + + + 58375: Fix a rare data race on the internal flag Tomcat uses + to mark a response as committed. 
(markt) + + + 58377: Fix a rare data race on the internal flag Tomcat uses + to mark a request as using HTTP keep-alive when switching to + asynchronous processing. (markt) + + + 58379: Fix a rare data race on the interal reference Tomcat + retains to the socket when switching to asynchronous processing. (markt) + + + 58387: Fix a rare data race when closing Comet connections. + (markt) + + + 58388: Fix a data race when determining if Comet processing + is occurring on a container or non-container thread. (markt) + + + 58389: Fix a rare data race while shutting down the thread + pools on Connector stop. (markt) + + + Clean up use of error flag on socket wrapper prompted by + 58390. (markt) + + + Remove some unnecessary code from the NIO Poller and fix + 58396 as a side-effect. (markt) + + + 57799: Remove useless sendfile check for NIO SSL. (remm) + + + + + + + 57136: Correct a regression in the previous fix for this + issue. \${ should only an escape for ${ within + an EL expression. Within a JSP page \$ should be an escape + for $. The EL specification applies when parsing the + expression delimited by ${ and }. Parsing of + the delimiting ${ and } is the responsibility + of the JSP specification. (markt) + + + 58296: Fix a memory leak in the JSP unloading feature that + meant that using a value other than -1 for + maxLoadedJsps triggered a memory leak once the limit was + reached. (markt) + + + 58327: Cache the expression string for value expression + literals since it is frequently used and may be expensive to evaluate. + Patch provided by Andreas Kohn. (markt) + + + 58340: Improve error reporting for tag files packaged in + JARs. (markt) + + + 58424: When parsing TLD files, allow whitespace around + boolean configuration values. (schultz) + + + Fix a possible resource leak reported by coverity scan. (fschumacher) + + + 58427: Enforce the JSP specification defined limitations of + which elements are allowed in an implicit.tld file. 
(markt) + + + 58444: Ensure that JSPs work with any custom base class that + meets the requirements defined in the JSP specification without + requiring that base class to implement Tomcat specific code. (markt) + + + + + + + Fix a default clusterListeners in SimpleTcpCluster. The + optimal default value is different for each session manager. + ClusterSessionListener is never used in + BackupManager. (kfujino) + + + Correct log messages in case of using BackupManager. + (kfujino) + + + + + + + 58342: Fix a copy and paste error that meant MessageHandler + removal could fail for binary and pong MessageHandlers. Patch provided + by DJ. (markt) + + + Data races detected by RV-Predict, mostly caused by completion handlers + running in separate threads. (markt) + + + 58414: Correctly handle sending zero length messages when + using per message deflate. (markt) + + + + + + + Correct documentation for cluster-howto. (kfujino) + + + Add missing documentation for property alwaysAddExpires for + the LegacyCookieProcessor. (markt) + + + + + + + Add support for configurations of ChannelListener and + MembershipListener in server.xml. (kfujino) + + + Correct log messages in case of using ReplicatedMap. + (kfujino) + + + 58381: Fix a rare data race in the NioReceiver. + (markt) + + + 58382: Fix multiple rare data races in the default membership + implementation. (markt) + + + 58383: Fix a data race in SenderState. (markt) + + + 58386: Fix a data race in ObjectReader. (markt) + + + 58391: Fix multiple data races in + NonBlockingCoordinator, most of which were associated with + ensuring that log messages contained the correct information. (markt) + + + 58392: Fix a data race in + DomainFilterInterceptor. (markt) + + + 58393: Fix a data race on the listener in + McastService. (markt) + + + 58395: Fix multiple data races in MemberImpl + that were likely to cause issues if certain properties were updated + concurrently (such updates are unlikely in normal usage). 
(markt) + + + Remove some unnecessary code from PooledParallelSender and + fix 58397. (markt) + + + + + + + Make sure the pool has been properly configured when attributes that + related to the pool size are changed via JMX. (kfujino) + + + + + + + Ensure logging works for all tests in a class rather than just the first + one executed. (markt) + + + 58344: Add build properties to enable tests to be executed + against alternative binaries. Based on a patch by Petr Sumbera. (markt) + + + +
+
+>>>>>>> TOMCAT_8_0_28 + + + + 58255: Document the Semaphore valve. Patch provided by + Kyohei Nakamura. (markt) + + + +
+
+ + + + Make the WAR manifest file available for WebResource instances from an + unpacked WAR in the same way the manifest is available if the WAR is not + unpacked. (markt) + + + Ensure that only /WEB-INF/classes/ and + /WEB-INF/lib/ are excluded from the web resource caching. + (Resources loaded from these locations are cached by the web application + class loader.) (markt) + + + 57741: Enable the CGI servlet to use the standard error page + mechanism. Note that if the CGI servlet's debug init parameter is + set to 10 or higher then the standard error page mechanism will be + bypassed and a debug response generated by the CGI servlet will be + returned instead. (markt) + + + 58031: Make the (first) reason parameter parsing failed + available as a request attribute and then use it to provide a better + status code via the FailedRequstFilter (if configured). (markt) + + + 58086: Correct a regression in the fix for 58086 that + incorrectly handled WAR URLs. (violetagg) + + + 58096: Classes loaded from /WEB-INF/classes/ + should use that directory as their code base. (markt) + + + Fix possible resource leaks by closing streams properly. + Issues reported by Coverity Scan. (violetagg) + + + 58116: Fix regression in the fix for 57281 that + broke Comet support when running under a security manager. Based on a + patch provided by Johno Crawford. (markt) + + + 58125: Avoid a possible ClassCircularityError + when running under a security manager. (markt) + + + 58179: Fix a thread safety issues that could mean concurrent + threads setting the same attribute on a ServletContext + could both see null as the old value. (markt) + + + Allow web archives bigger than 2G to be deployed using ANT tasks. + (violetagg) + + + 58192: Correct a regression in the previous fix for + 58023. Ensure that classes are associated with their manifest + even if the class file is first read (and cached) without the manifest. 
+ (markt) + + + Fix thread safety issue in the AsyncContext implementation + that meant a sequence of start();dispatch(); calls using + non-container threads could result in a previous dispatch interfering + with a subsequent start. (markt) + + + 58228: Make behaviour of + ServletContext.getResource() and + ServletContext.getResourceAsStream() consistent with each + other and the expected behaviour of the GET_RESOURCE_REQUIRE_SLASH + system property. (markt) + + + 58230: Fix input stream corruption if non-blocking I/O is + used and the first read is made immediately after the switch to async + mode rather than in response to onDataAvaiable() and that + read does not read all the available data. (markt) + + + Ensure that log4javascript*.jar was not excluded from the + standard JAR scanning by default. (markt) + + + + + + + 57943: Prevent the same socket being added to the cache + twice. Patch based on analysis by Ian Luo / Sun Qi. (markt) + + + Add text/javascript,application/javascript to the default + list of compressable MIME types. (violetagg) + + + 58103: When pipelining requests, and the previous request was + an async request, ensure that the socket is removed from the waiting + requests so that the async timeout thread doesn't process it during the + next request. (markt) + + + 58151: Correctly handle EOF in the AJP APR/native connector + to prevent the connector entering a loop and generate excessive CPU + load. (markt) + + + In the AJP and HTTP NIO connectors, ensure that the socket timeout is + correctly set before adding the socket back to the poller for read. + (markt) + + + 58157: Ensure that the handling of async timeouts does not + result in an unnecessary dispatch to a container thread that could + result in the current socket being added to the Poller multiple times + with multiple attempts to process the same event for the same socket. + (markt) + + + Correct a couple of edge cases in RequestUtil.normalize(). 
+ (markt) + + + + + + + 58110: Like scriptlet sections, declaration sections of JSP + pages have a one-to-one mapping of lines to the generated .java file. + Use this information to provide more accurate error messages if a + compilation error occurs in a declaration section. (markt) + + + 58119: When tags are compiled they must be placed in the + org/apache/jsp/tag/web directory. Correct a regression in the fix for + 52725. (violetagg) + + + Fix a resource leak in JspC identified by Eclipse. (markt) + + + 58178: Expressions in a tag file should use the tag + file's PageContext rather than that of the containing + page. (markt) + + + Following on from the fix for 58178, expressions in a tag + file should use the tag file's imports rather than those of the + containing page. (markt) + + + + + + + 58166: Allow applications to send close codes in the range + 3000-4999 inclusive. (markt) + + + 58232: Avoid possible NPE when adding endpoints + programmatically to the + javax.websocket.server.ServerContainer. + Based on a patch provided by bastian.(violetagg) + + + + + + + Correct the incorrect document of QueryTimeoutInterceptor. + The setting value is not in milliseconds but in seconds. (kfujino) + + + 58112: Update the documentation for using the Catalina tasks + in an Apache Ant build file. (markt) + + + Improve the Javadoc for some of the APR socket read functions that have + inconsistent behaviour for return values. (markt) + + + + + + + 58042: The default value of logFailed attribute + of SlowQueryReport is changed to false so that + the failed queries are not logged by default. (kfujino) + + + Fix potential NPE in QueryTimeoutInterceptor. (kfujino) + + + Add support for stopping the pool cleaner via JMX. (kfujino) + + + The fairness attribute and + ignoreExceptionOnPreLoad attribute do not allow a change + via JMX. 
(kfujino) + + + If the timeBetweenEvictionRunsMillis attribute is changed + via jmx, it should restart the pool cleaner because this attribute + affects the execution interval of the pool cleaner. (kfujino) + + + Eliminate the dependence on maxActive of busy queues and + idle queue in order to enable the expansion of the pool size via JMX. + (kfujino) + + + + + + + Update optional Checkstyle library to 6.8.1. (kkolinko) + + + Update sample Eclipse IDE configuration to exclude test/webapp* and + similar paths from compiler sourcepath. (kkolinko) + + + Update package renamed Apache Commons Pool to Commons Pool 2.4.2. + (markt) + + + Update package renamed Apache Commons DBCP to Commons DBCP 2.1.1. + (markt) + + + Support the use of the threads attribute on Ant's + junit task. Note that using this with a value of greater than one will + disbale Cobertura code coverage. (markt) + + + +
+
+ + + + 57938: Correctly handle empty form fields when a form is + submitted as multipart/form-data, the + maxPostSize attribute of the Connector has been set to a + negative value and the Context has been configured with a value of + true for allowCasualMultipartParsing. The + meaning of the value zero for the maxPostSize has also been + changed to mean a limit of zero rather than no limit to align it with + maxSavePostSize and to be more intuitive. (markt) + + + 57977: Correctly bind and unbind the web application class + loader during execution of the PersistentValve. (markt) + + + Remove some unnecessary code from the web application class loader and + deprecate the now unused validate() method since the + requirements of SRV.10.7.2 are met using cleaner code in + loadClass(String, boolean) and filter(). + (markt) + + + Correct a bug that prevented the web application class loader's + filter() from working correctly. It only returned + true for classes in sub-packages of the listed packages, + but not classes located in the packages themselves. (markt) + + + Add the WebSocket API classes to the list of classes that the web + application class loader will always delegate to its parent for loading + first. (markt) + + + 58015: Ensure that whenever the web application class loader + checks to see if it should delegate first, it also checks the result + of the filter() method which may indicate that it should + always delegate first for the current class/resource regardless of the + value of the delegate configuration option. (markt) + + + 58023: Fix potentially excessive memory usage due to + unnecessary caching of JAR manifests in the web application class + loader. (markt) + + + 57700: Ensure that Container event + ADD_CHILD_EVENT will be sent in all cases. (violetagg) + + + 58086: Ensure that WAR URLs are handled properly when using + ANT for web application deployment. Based on a patch provided by Lukasz + Jader. 
(violetagg) + + + Fix CredentialHandler element handling in storeconfig. (remm) + + + + + + + 57265: Further fix to address a potential threading issue + when sendfile is used in conjunction with TLS. (markt) + + + 57936: Improve robustness of the acceptor thread count + parameter for NIO2, since it must be set to 1. Submitted by + Oliver Kant. (remm) + + + 57943: Added a work-around to catch + ConcurrentModificationExceptions during Poller timeout + processing that were causing the Poller thread to stop. The root cause + of these exceptions is currently unknown. (markt) + + + 57944: Ensure that if non-blocking I/O listeners are set on + a non-container thread that the expected listener events are still + triggered. (markt) + + + Fix possible very long (1000 seconds) timeout with APR/native connector. + (markt) + + + Support "-" separator in the SSLProtocol configuration of the + APR/native connector for protocol exclusion. (rjung) + + + 58004: Fix AJP buffering output data even in blocking mode. + (remm) + + + + + + + 57969: Provide path parameters to POJO via per session + javax.websocket.server.ServerEndpointConfig as they vary + between different requests. (violetagg) + + + 57974: Session.getOpenSessions should return all sessions + associated with a given endpoint instance, rather than all sessions + from the endpoint class. (remm) + + + + + + + 57282: Update request processing sequence diagrams. Updated + diagrams provided by Stephen Chen. (markt) + + + 57971: Correct the documentation for the cluster + configuration setting recoverySleepTime. (markt) + + + 57758: Add document of testOnConnect attribute + in jdbc-pool doc. (kfujino) + + + Add description of validatorClassName attribute to testXXXX + attributes in jdbc-pool docs. (kfujino) + + + + + + + Use StringManager to provide i18n support in the + org.apache.catalina.tribes packages. (kfujino) + + + Do not set the nodes that failed to replication to the backup nodes. 
+ Ensure that the nodes that the data has been successfully replicated are + set to the backup node. (kfujino) + + + When failed to replication, rather than all member is handled as a + failed member, exclude the failure members from backup members. + (kfujino) + + + + + + + Refactoring of the removeOldest method in + SlowQueryReport to behave as expected. (kfujino) + + + 57783: Fix NullPointerException in + SlowQueryReport. To avoid this NPE, Refactor + SlowQueryReport#removeOldest and handle the abandoned + connection properly. (kfujino) + + + 58042: In SlowQueryReportJmx, the + LogSlow and logFailed attributes that + inherited from SlowQueryReport are used as a condition of + whether JMX notifications are sent. (kfujino) + + + Ensure that specified Boolean attribute values of + SlowQueryReport reflect correctly. The LogSlow + and the logFailed are not system property, these are + attributes of SlowQueryReport. (kfujino) + + + + + + + Update package renamed Apache Commons BCEL to r1682271 to pick up some + some code clean up. (markt) + + + Update package renamed Apache Commons DBCP to r1682314 to pick up the + DBCP 2.1 release and additional fixes since then. (markt) + + + Update package renamed Apache Commons Pool to the 2.4 release. (markt) + + + Update package renamed Apache Commons File upload to r1682322 to pick up + the post 1.3.1 fixes. (markt) + + + Update package renamed Apache Commons Codec to r1682326. No functional + changes. Javadoc only. (markt) + + + Update optional Checkstyle library to 6.7. (kkolinko) + + + +
+
+ + + + 54618: Add a new HttpHeaderSecurityFilter that + adds the Strict-Transport-Security, + X-Frame-Options and X-Content-Type-Options + HTTP headers to the response. (markt) + + + 57875: Add javax.websocket.* to the classes for + which the web application class loader always delegates first. (markt) + + + 57871: Ensure that setting the the allowHttpSepsInV0 property + of a LegacyCookieProcessor to false only prevents HTTP separators from + being used without quotes. (markt) + + + Add a workaround for issues with SPNEGO authentication when running on + Java 8 update 40 and later. The workaround should be safe for earlier + Java versions but it can be disabled with the + applyJava8u40Fix attribute of the SPNEGO authenticator if + necessary. (markt) + + + 57926: Restore the original X-Forwarded-By and + X-Forwarded-For headers after processing by the + RemoteIPValve . (markt) + + + + + + + Follow up to previous fix that removed the behavior difference between + NIO and NIO2 for SSL, which caused corruption with NIO2. + (remm) + + + 57931: Ensure that TLS connections with the NIO or NIO2 HTTP + connectors that experience issues during the handshake (e.g. missing or + invalid client certificate) are closed cleanly and that the client + receives the correct error code rather than simply closing the + connection. (markt) + + + + + + + 56438: Add debug logging to TLD discovery that logs positive + and negative results for JARs, resource paths and directories. Patch + provided by VIN. (markt) + + + 57802: Correct the default implementation of + convertToType() provided by + javax.el.ELResolver. (markt) + + + 57887: Fix compilation of recursive tag files packaged in a + JAR. (markt) + + + + + + + Make sure that stream is closed after using it in + DeltaSession.applyDiff(). (kfujino) + + + Use StringManager to provide i18n support in the + org.apache.catalina.ha packages. (kfujino) + + + Add the context name to log messages when replication context failed to + start. 
(kfujino) + + + + + + + 57875: Update the web application class loader documentation + to reflect the more relaxed approach to SRV.10.7.2 in Tomcat 8 onwards. + (markt) + + + 57896: Document system property + org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER + that was introduced in Tomcat 8.0.0. (kkolinko) + + + + + + + Ensure that the state transfer flag is updated to true only when the map + states have been transferred correctly from existing map members. + (kfujino) + + + + + + + Update optional Checkstyle library to 6.6. (kkolinko) + + + +
+
+ + + + 57736: Change the format of the Tomcat specific URLs for + resources inside JARs that are in turn packed in a WAR. The + ^/ sequence has been replaced by */ so that + the resulting URLs are compliant with RFC 2396 and do not trigger + exceptions when converted to URIs. The old format will continue to be + accepted. (markt) + + + 57752: Exclude non-cached resources from the Cache statistics + for resource lookups. Patch provided by Adam Mlodzinski. (markt) + + + Allow logging of the remote port in the access log using the format + pattern %{remote}p. (rjung) + + + 57556: Refine the previous fix for this issue so that the + real path returned only has a trailing separator if the requested path + ended with /. (markt) + + + 57765: When checking last modified times as part of the + automatic deployment process, account for the fact that + File.lastModified() has a resolution of one second to + ensure that if a file has been modified within the last second, the + latest version of the file is always used. Note that a side-effect of + this change is that files with modification times in the future are + treated as if they are unmodified. (markt) + + + Align redeploy resource modification checking with reload modification + checking so that now, in both cases, a change in modification time + rather than an increase in modification time is used to determine if the + resource has changed. (markt) + + + Cleanup o.a.tomcat.util.digester.Digester from debug + messages that do not give any valuable information. Patch provided + by Polina Genova. (violetagg) + + + 57772: When reloading a web application and a directory + representing an expanded WAR needs to be deleted, delete the directory + after the web application has been stopped rather than before to avoid + potential ClassNotFoundExceptions. (markt) + + + Fix wrong logger name of + org.apache.catalina.webresources.StandardRoot. 
(kfujino) + + + 57801: Improve the error message in the start script in case + the PID read from the PID file is already owned by a process. (rjung) + + + 57841: Improve error logging during web application start. + (markt) + + + 57856: Ensure that any scheme/port changes implemented by the + RemoteIpFilter also affect + HttpServletResponse.sendRedirect(). (markt) + + + 57863: Fix the RewriteMap support in RewriteValve that did + not use the correct key value to look up entries. Based on a patch + provided by Tatsuya Bessho. (markt) + + + + + + + 57779: When an I/O error occurs on a non-container thread + only dispatch to a container thread to handle the error if using Servlet + 3+ asynchronous processing. This avoids potential deadlocks if an + application is performing I/O on a non-container thread without using + the Servlet 3+ asynchronous API. (markt) + + + Remove the experimental support for SPDY. No current user agent supports + the version of SPDY that the experiment targeted. Note: HTTP/2 support + is under development for Tomcat 9 and may be back-ported to Tomcat 8 + once complete. (markt) + + + Possible incomplete writes with SSL NIO2. (remm) + + + Incorrect reads with SSL NIO2 caused by a bad strategy for handling IO + differences between NIO and NIO2 that don't seem to be justified. + (remm) + + + After some errors, the pending flags could remain set when using SSL + NIO2. (remm) + + + 57833: When using JKS based keystores for NIO or NIO2, ensure + that the key alias is always converted to lower case since that is what + JKS key stores expect. Based on a patch by Santosh Giri Govind M. + (markt) + + + 57837: Add text/css to the default list of + compressable MIME types. (markt) + + + + + + + 57845: Ensure that, if the same JSP is accessed directly and + via a <jsp-file> declaration in web.xml, updates to + the JSP are visible (subject to the normal rules on re-compilation) + regardless of how the JSP is accessed. 
(markt) + + + 57855: Explicitly handle the case where a + MethodExpression is invoked with null or the wrong number + of parameters. Rather than failing with an + ArrayIndexOutOfBoundsException or a + NullPointerException throw an + IllegalArgumentException with a useful error message. + (markt) + + + + + + + Avoid unnecessary call of DeltaRequest.addSessionListener() + in non-primary nodes. (kfujino) + + + Add new attribute that send all actions for session across Tomcat + cluster nodes. (kfujino) + + + Remove unused pathname attribute in mbean definition of + BackupManager. (kfujino) + + + + + + + 57761: Ensure that the opening HTTP request is correctly + formatted when the WebSocket client connects to a server root. (remm) + + + 57762: Ensure that the WebSocket client correctly detects + when the connection to the server is dropped. (markt) + + + 57776: Revert the 8.0.21 fix for the + permessage-deflate implementation and incorrect op-codes + since the fix was unnecessary (the bug only affected trunk) and the fix + broke rather than fixed permessage-deflate if an + uncompressed message was converted into more than one compressed + message. (markt) + + + Fix log name typo in WsRemoteEndpointImplServer class, + caused by a copy-paste. (markt/kkolinko) + + + 57788: Avoid NPE when looking up a class hierarchy without + finding anything. (remm) + + + + + + + 57759: Add information to the keyAlias documentation to make + it clear that the order keys are read from the keystore is + implementation dependent. (markt) + + + 57864: Update the documentation web application to make it + clearer that hex values are not valid for cluster send options. Based on + a patch by Kyohei Nakamura. (markt) + + + + + + + Fix a concurrency issue when a backup message that has all session data + and a backup message that has diff data are processing at the same time. + This fix ensures that MapOwner is set to + ReplicatedMapEntry. 
(kfujino) + + + + + + + Add missing pom for tomcat-storeconfig. (remm) + + + Update optional Checkstyle library to 6.5. (kkolinko) + + + 57707: Improve error message when trying to run a release + build on a non-Windows platform and Wine is not available. (markt) + + + +
+
+ + + + 49785: Enable StartTLS connections for JNDIRealm. + (fschumacher) + + + When docBase refers internal war and unpackWARs is set to false, avoid + registration of the invalid redeploy resource that has been added ".war" + extension in duplicate. (kfujino) + + + If WAR exists, it is not necessary to trigger a reload when adding a + Directory. (kfujino) + + + 55988: Add support for Java 8 JSSE server-preferred TLS + cipher suite ordering. This feature requires Java 8 + and is controlled by useServerCipherSuitesOrder + attribute on an HTTP connector. + Based upon a patch provided by Ognjen Blagojevic. (schultz) + + + 56608: When deploying an external WAR, add watched resources + in the expanded directory based on whether the expanded directory is + expected to exist rather than if it does exist. (markt) + + + When triggering a reload due to a modified watched resource, ensure + that multiple changed watched resources only trigger one reload rather + than a series of reloads. (markt) + + + 57601: Ensure that HEAD requests return the correct content + length (i.e. the same as for a GET) when the requested resource includes + a resource served by the Default servlet. (jboynes/markt) + + + 57602: Ensure that HEAD requests return the correct content + length (i.e. the same as for a GET) when the requested resource includes + a resource served by a servlet that extends HttpServlet. + (markt) + + + 57621: When an async request completes, ensure that any + remaining request body data is swallowed. (markt) + + + 57637: Do not create unnecessary sessions when using + PersistentValve. (jboynes/fschumacher) + + + 57645: Correct a regression in the fix for + 57190 that incorrectly required the path passed to + ServletContext.getContext(String) to be an exact match to a + path to an existing context. (markt) + + + Make sure that unpackWAR attribute of Context + is handled correctly in HostConfig. 
(kfujino) + + + When deploying a WAR file that contains a context.xml file and + unpackWARs is false ignore any context.xml + file that may exist in an expanded directory associated with the WAR. + (markt) + + + 57675: Correctly quote strings when using the extended + access log. (markt) + + + Enable Tomcat to detect when a WAR file has been changed while Tomcat is + not running. Tomcat does this by adding a META-INF/war-tracking file to + the expanded directory and setting the last modified time of this file + to the last modified time of the WAR. If Tomcat detects a modified WAR + via this mechanism the web application will be redeployed (i.e. the + expanded directory will be removed and the modified WAR expanded in its + place). (markt) + + + 57704: Fix potential NPEs during web application start/stop + when org.apache.tomcat.InstanceManager is not initialized. + (violetagg) + + + Use the simplified digest output for digest.bat|sh when generating + digests with no salt and a single iteration to make it easier to use + with DIGEST authentication. (markt) + + + Add support for LAST_ACCESS_AT_START system property to + SingleSignOn. (kfujino) + + + Refactor Authenticator implementations to reduce code duplication. + (markt) + + + 57724: Handle the case in the CORS filter where a user agent + includes an origin header for a non-CORS request. (markt) + + + When searching for SCIs + o.a.catalina.Context.getParentClassLoader will be used + instead of java.lang.ClassLoader.getParent. Thus one can + provide the correct parent class loader when running embedded Tomcat in + other environments such as OSGi. (violetagg) + + + 57743: Fix a locked file / resource leak issue when a JAR is + accessed just before or during web application undeploy. Patch provided + by Pavel Avgustinov. (markt) + + + + + + + 57540: Make TLS/SSL protocol available in a new request + attribute + (org.apache.tomcat.util.net.secure_protocol_version). 
+ (Note that AJP connectors will require mod_jk 1.2.41 or later, + or an as-yet-unknown version of mod_proxy_ajp, or configure the proxy + to send the AJP_SSL_PROTOCOL request attribute to Tomcat. Please see + the bug comments for details.) + Based upon a patch provided by Ralf Hauser. (schultz) + + + Fix a cipher ordering issue when using the OpenSSL syntax for JSSE + cipher configuration to ensure that ephemeral ECDH with AES is preferred + to ephemeral ECDH with anything else. (markt) + + + 57570: Make the processing of trailer headers with chunked + input optional and disabled by default. (markt) + + + 57592: Correctly handle the case where an + AsyncContext is used for non-blocking I/O and is completed + during a write operation. (markt) + + + 57638: Avoid an IllegalArgumentException when an AJP request + body chunk larger than the socket read buffer is being read. This + typically requires a larger than default AJP packetSize. (markt) + + + 57674: Avoid a BufferOverflowException when an AJP response + body chunk larger than the socket write buffer is being written. This + typically requires a larger than default AJP packetSize. (markt) + + + Align the OpenSSL syntax cipher configuration with the OpenSSL 1.0.2 + branch. (markt) + + + Numerous fixes to the APR/native connector to improve robustness. + (markt) + + + Stop caching and re-using SocketWrapper instances. With the introduction + of upgrade and non-blocking I/O, I/O can occur on non-container threads. + This makes it nearly impossible to track whether a SocketWrapper is + still being referenced or not, making re-use a risky proposition. + (markt) + + + Refactor Connector authentication (only used by AJP) into a separate + method. (markt) + + + 57708: Implement a new feature for AJP connectors - Tomcat + Authorization. 
If the new tomcatAuthorization attribute is set to + true (it is disabled by default) Tomcat will take an + authenticated user name from the AJP protocol and use the appropriate + Realm for the request to authorize (i.e. add roles) to that user. + (markt) + + + Fix an issue that meant that any pipe-lined data read by Tomcat before + an asynchronous request completed was lost during the completion of the + asynchronous request. This mean that the pipe-lined request(s) would be + lost and/or corrupted. (markt) + + + Update the minimum recommended version of the Tomcat Native library (if + used) to 1.1.33. (markt) + + + + + + + 57135: Package imports via + javax.el.ImportHandler should only import public, concrete + classes. (markt) + + + 57583: Cache 'Not Found' results in + javax.el.ImportHandler.resolveClass() to save repeated + attempts to load classes that are known not to exist to improve + performance. (markt) + + + 57626: Correct a regression introduced in the 8.0.16 fix for + ensuring Jars were closed after use, that broke recompilation of + modified JSPs that depended on a tag file packaged in a Jar. (markt) + + + 57627: Correctly determine last modified times for + dependencies when a tag file packaged in a JAR depends on a tag file + packaged in a second JAR. (markt) + + + 57647: Ensure INFO message is logged when scanning jars for + TLDs if the scan does not find a TLD in any jar. Previously a message + would only be logged if a TLD was not found in all scanned jars. (jboynes) + + + 57662: Update all references to the ECJ compiler to version + 4.4.2. (violetagg) + + + + + + + Remove unnecessary method that always returns true. The domain filtering + works on DomainFilterInterceptor. (kfujino) + + + + + + + Correct a bug in the permessage-deflate implementation that + meant that the incorrect op-codes were used if an uncompressed message + was converted into more than one compressed message. 
(markt) + + + 57676: List conflicting WebSocket endpoint classes when + there is a path conflict. Based upon a patch proposed by yangkun. + (schultz) + + + + + + + 56058: Add links to the AccessLogValve documentation for + configuring reverse proxies and/or Tomcat to ensure that the desired + information is used entered in the access log when Tomcat is running + behind a reverse proxy. (markt) + + + 57587: Update the JNDI Datasource HOWTO for DBCP2. Patch + provided by Phil Steitz. (markt) + + + Remove incorrect note from context configuration page in the + documentation web application that stated WAR files located outside the + appBase were never unpacked. (markt) + + + 57644: Update examples to use Apache Standard Taglib 1.2.5. + (jboynes) + + + 57683: Ensure that if a client aborts their connection to the + stock ticker example (the only way a client can disconnect), the example + continues to work for existing and new clients. (markt) + + + Make it clear that when using digested passwords with DIGEST + authentication that no salt and only a single iteration must be used + when generating the digest. (markt) + + + + + + + 57377: Remove the restriction that prevented the use of SSL + when specifying a bind address with the JMXRemoteLifecycleListener. Also + enable SSL to be configured for the registry as well as the server. + (markt) + + + + + + + When a map member has been added to ReplicatedMap, make + sure to add it to backup nodes list of all other members. (kfujino) + + + Make sure that refuse the messages from a different domain in + DomainFilterInterceptor. (kfujino) + + + + + + + Update optional Checkstyle library to 6.4.1. (kkolinko) + + + 57703: Update the http-method definition for + web applications using a Servlet 2.5 descriptor as per Servlet 2.5 MR 6. + (markt) + + + Update to Tomcat Native Library version 1.1.33 to pick up the Windows + binaries that are based on OpenSSL 1.0.1m and APR 1.5.1. (markt) + + + +
+
+
+
+
+ Fix a concurrency issue that meant that a change in socket timeout (e.g.
+ when switching to asynchronous I/O) did not always take effect
+ immediately. (markt)
+
+
+
+
+
+ + + + Clarify threaded usage of variables by removing volatile marker + in NonceInfo. Issue reported by Coverity Scan. (fschumacher) + + + 57180: Further fixes to support the use of arbitrary HTTP + methods with the CORS filter. (markt) + + + 57472: Fix performance regression in resources implementation + when signed JARs are used in a web application. (markt) + + + Warn about problematic setting of appBase. (fschumacher) + + + Fix exception while authentication in JDBCRealm. (fschumacher) + + + 57534: CORS Filter should only look at media type component of + Content-Type request header. (markt) + + + 57556: Align getRealPath() behaviour with that + of earlier versions and include a trailing separator if the real path + refers to a directory. (markt) + + + Ensure that Servlet 3.0 async requests where startAsync() + is called in one container thread and dispatch() is called + in a different container thread complete correctly. (markt) + + + Ensure that user name checking in the optional SecurityListener is + case-insensitive (as documented) and than the case-insensitive + comparison is performed using the system default Locale. (markt) + + + 57021: Improve logging in AprLifecycleListener and + jni.Library when Tomcat-Native DLL fails to load. Based on a patch by + Pravallika Peddi. (markt/kkolinko) + + + + + + + Fix several bugs that could cause multiple registrations for write + events for a single socket when using Servlet 3.0 async. Typically, the + side effects of these multiple registrations would be exceptions + appearing in the logs. (markt) + + + 57432: Align SSL_OP_NO_TLSv1_1 and + SSL_OP_NO_TLSv1_2 constant values with OpenSSL (they had + been swapped). (markt) + + + 57509: Improve length check when writing HTTP/1.1 + response headers: reserve space for 4 extra bytes. (kkolinko) + + + 57544: Fix potential infinite loop when preparing a kept + alive HTTP connection for the next request. 
(markt) + + + 57546: Ensure that a dropped network connection does not + leave references to the UpgradeProcessor associated with the connection + in memory. (markt) + + + When applying the maxSwallowSize limit to a connection read + that many bytes first before closing the connection to give the client a + chance to read the response. (markt) + + + Prevent an async timeout being processed multiple times for the same + socket when running on slow and/or heavily loaded systems. (markt) + + + 57581: Change statistics byte counter in coyote Request + object to be long to allow values above 2Gb. (kkolinko) + + + Use the data that supports cipher definition using OpenSSL syntax to + improve the quality of values provided for the + javax.servlet.request.key_size request attribute. (markt) + + + Fix a concurrency issue in the APR Poller that meant it was possible + under low load for a socket queued to be added to the Poller not to be + added for 10 seconds. (markt) + + + + + + + 57123: Update all references to the ECJ compiler to version + 4.4.1. With thanks to Ralph Schaer for uploading the 4.4.1 JAR to Maven + Central. (markt) + + + 57564: Make JspC amenable to subclassing. Patch provided by + Jan Bartel. (markt) + + + Simplify code in ProtectedFunctionMapper class of + Jasper runtime. (kkolinko) + + + 57574: Do not check existence of a Java package in + javax.el.ImportHandler.importPackage(). (kkolinko) + + + + + + + 57490: Make it possible to use Tomcat's WebSocket client + within a web application when running under a SecurityManager. Based on + a patch by Mikael Sterner. (markt) + + + Add some debug logging to the WebSocket session to track session + creation and session closure. (markt) + + + + + + + Clarify documentation for useBodyEncodingForURI + attribute of a connector. (kkolinko) + + + Fix possible resource leaks by closing streams properly. Issues + reported by Coverity Scan. 
(fschumacher) + + + 57503: Make clear that the JULI integration for log4j only + works with log4j 1.2.x. (markt) + + + 57496: Remove hard-coded URL in JSP SVG example. (markt) + + + + + + + Fix a possible deadlock when receiver thread invokes + mapMemberAdded() while ping thread invokes + memberAlive(). (kfujino) + + + + + + + Enhance bean factory used for JNDI resources. New attribute + forceString allows to support non-standard + string argument property setters. (rjung) + + + Assign newly created stream to field instead of leaking it uselessly. + Issue reported by Coverity Scan. (fschumacher) + + + Update optional Checkstyle library to 6.3. (kkolinko) + + + Guard the digester from MbeansDescriptorsDigesterSource with its own + lock object. (fschumacher) + + + Refactor the unit tests and add some new test properties to make it + easier to exclude performance tests and relax timing tests. This is + primarily for the ASF CI system where these tests frequently fail. + (markt) + + + 57558: Add missing JAR in Ant task definition required by + the validate task. (markt) + + + List names of Testsuites that have failed or skipped tests when + running the tests with Ant. (kkolinko) + + + +
+
+ + + + 57178: The CORS filter now treats null as a + valid origin that matches *. Patch provided by Gregor + Zurowski. (markt) + + + 57425: Don't add attributes with null value or name to the + replicated context. (fschumacher) + + + 57431: Enable usage of custom class for context creation when + using embedded tomcat. (fschumacher) + + + 57446: Ensure that ServletContextListeners that + have limited access to ServletContext methods are called + with the same ServletContext instance for both + contextInitialized() and contextDestroyed(). + (markt) + + + 57455: Explicitly block the use of the double-quote character + when configuring the common, server and shared class loaders since + double-quote is used to quote values that contain commas. (markt) + + + 57461: When an instance of + org.apache.catalina.startup.VersionLoggerListener logs the + result of System.getProperty("java.home") don't report it + in a manner that makes it look like the JAVA_HOME + environment variable. (markt) + + + 57476: Ensure the responses written as part of a forward are + fully written. This fixes a regression in 8.0.15 caused by the fix for + 57252. (markt) + + + While closing streams for given resources ensure that if an exception + happens it will be handled properly. Issue is reported by Coverity Scan. + (violetagg) + + + 57481: Fix IllegalStateException at the end of + the request when using non-blocking reads with the HTTP BIO connector. + (markt) + + + Change Response to use UEncoder instances with shared safeChars. + (fschumacher) + + + Ensure that when static resources are served from JARs, only static + resources are served. (markt) + + + Allow VersionLoggerListener to log all system properties. + This feature is off by default. (kkolinko) + + + + + + + Ensure that classes imported via the page directive are made available + to the EL environment via the ImportHandler. Issue is reported by + Coverity Scan. 
(violetagg) + + + 57441: Do not trigger an error when using functions defined + by lambdas or imported via an ImportHandler in an EL expression in a + JSP. (markt) + + + + + + + Fix mbean descriptor of ClusterSingleSignOn. (kfujino) + + + 57473: Add sanity check to FarmWebDeployer's WarWatcher to + detect suspected incorrect permissions on the watch directory. (schultz) + + + + + + + Clarify the handling of Copy message and Copy nodes. (kfujino) + + + Copy node does not need to send the entry data. It is enough to send + only the node information of the entry. (kfujino) + + + ReplicatedMap should send the Copy message when replicating. (kfujino) + + + Fix behavior of ReplicatedMap when member has disappeared. If map entry + is primary, rebuild the backup members. If primary node of map entry has + disappeared, backup node is promoted to primary. (kfujino) + + + +
+
+
+
+
+ Correct a regression in the previous fix for 57252 that broke
+ request listeners for non-async requests that triggered an error that
+ was handled by the ErrorReportingValve. (markt/violetagg)
+
+
+
+
+
+
+ Add flushing to send ack in the NIO2 connector. (remm)
+
+
+
+
+
+ + + + 57172: Provide a better error message if something attempts to + access a resource through a web application class loader that has been + stopped. (markt/kkolinko) + + + 57173: Revert the fix for 56953 that broke + annotation scanning in some cases. (markt) + + + 57180: Do not limit the CORS filter to only accepting + requests that use an HTTP method defined in RFC 7231. (markt) + + + 57190: Fix ServletContext.getContext(String) + when parallel deployment is used so that the correct ServletContext is + returned. (markt) + + + 57208: Prevent NPE in JNDI Realm when no results are found + in a directory context for a user with specified user name. Based on + a patch provided by Jason McIntosh. (violetagg) + + + 57209: Add a new attribute, userSearchAsUser to the JNDI + Realm. (markt) + + + 57215: Ensure that the result of calling + HttpServletRequest.getContextPath() is neither decoded nor + normalized as required by the Servlet specification. (markt) + + + 57216: Improve handling of invalid context paths. A context + path should either be an empty string or start with a + '/' and do not end with a + '/'. Invalid context path are automatically + corrected and a warning is logged. The null and + "/" values are now correctly changed to + "". (markt/kkolinko) + + + Update storeconfig with the CredentialHandler element. (remm) + + + Correct message that is logged when load-on-startup servlet fails + to load. It was logging a wrong name. (kkolinko) + + + 57239: Correct several message typos. Includes patch by + vladk. (kkolinko) + + + Fix closing of Jars during annotation scanning. (schultz/kkolinko) + + + Fix a concurrency issue in async processing. Ensure that a non-container + thread can not change the async state until the container thread has + completed. (markt) + + + 57252: Provide application configured error pages with a + chance to handle an async error before the built-in error reporting. 
+ (markt) + + + 57281: Enable non-public Filter and Servlet classes to be + configured programmatically via the Servlet 3.0 API and then used + without error when running under a SecurityManager. (markt) + + + 57308: Remove unnecessary calls to + System.getProperty() where more suitable API calls are + available. (markt) + + + Add unit tests for RemoteAddrValve and RemoteHostValve. (rjung) + + + Allow to configure RemoteAddrValve and RemoteHostValve to + adopt behavior depending on the connector port. Implemented + by optionally adding the connector port to the string compared + with the patterns allow and deny. Configured + using addConnectorPort attribute on valve. (rjung) + + + Optionally trigger authentication instead of denial in + RemoteAddrValve and RemoteHostValve. This only works in + combination with preemptiveAuthentication + on the application context. Configured using + invalidAuthenticationWhenDeny attribute on valve. (rjung) + + + Remove the obsolete jndi protocol usage from the scanning + process performed by StandardJarScanner. (violetagg) + + + Prevent file descriptors leak and ensure that files are closed after + retrieving the last modification time. (violetagg) + + + Make o.a.catalina.webresources.StandardRoot easier for + extending. (violetagg) + + + 57326: Enable AsyncListener implementations to + re-register themselves during AsyncListener.onStartAsync. + (markt) + + + 57331: Allow ExpiresFilter to use "year" as synonym for + "years" in its configuration. (kkolinko) + + + Ensure that if the RewriteValve rewrites a request that subsequent calls + to HttpServletRequest.getRequestURI() return the undecoded + URI. (markt) + + + Ensure that if the RewriteValve rewrites a request to a non-normalized + URI that the URI is normalized before the URI is mapped to ensure that + the correct mapping is applied. (markt) + + + Prevent NPEs being logged during post-processing for requests that have + been re-written by the RewriteValve. 
(markt) + + + Various StoreConfig improvements including removing a dependency on the + StandardServer implementation, improve consistency of + behaviour when MBean is not registered and improve error messages when + accessed via the Manager application. (markt) + + + Improve SnoopServlet in unit tests. (rjung) + + + Add RequestDescriptor class to unit tests. + Adjust TestRewriteValve to use RequestDescriptor. (rjung) + + + Add more AJP unit tests. (rjung) + + + 57363: Log to stderr if LogManager is unable to read + configuration files rather than swallowing the exception silently. + (markt) + + + + + + + Allow HTTP upgrade process to complete without data corruption when + additional content is sent along with the upgrade header. (remm) + + + 57187: Regression handling the special * URL. (remm) + + + 57234: Make SSL protocol filtering to remove insecure + protocols case insensitive. (markt) + + + 57265: Fix some potential concurrency issues with sendFile + and the NIO connector. (markt) + + + 57324: If the client uses Expect: 100-continue + and Tomcat responds with a non-2xx response code, Tomcat also closes the + connection. If Tomcat knows the connection is going to be closed when + committing the response, Tomcat will now also send the + Connection: close response header. (markt) + + + 57340: When using Comet, ensure that Socket and SocketWrapper + are only returned to their respective caches once on socket close (it is + possible for multiple threads to call close concurrently). (markt) + + + 57347: AJP response contains wrong status reason phrase + (rjung) + + + 57391: Allow TLS Session Tickets to be disabled when using + the APR/native HTTP connector. Patch provided by Josiah Purtlebaugh. + (markt) + + + + + + + 57142: As per the clarification from the JSP specification + maintenance lead, classes and packages imported via the page directive + must be made available to the EL environment via the ImportHandler. 
+ (markt) + + + 57247: Correct the default Java source and target versions in + the JspC usage message to 1.7 for Java 7. (markt) + + + 57309: Ensure that the current EL Resolver is given an + opportunity to perform type coercion before applying the default EL + coercion rules. (markt) + + + Improve the calculation of the resource's last-modified, performed by + JspCompilationContext, in a way to support URLs with protocol different + than jar:file. (violetagg) + + + Fix potential issue with BeanELResolver when running under a security + manager. Some classes may not be accessible but may have accessible + interfaces. (markt) + + + + + + + In order to enable define in Cluster element, + ClusterSingleSignOn implements ClusterValve. + (kfujino) + + + 57338: Improve the ability of the + ClusterSingleSignOn valve to handle nodes being added and + removed from the Cluster at run time. (markt) + + + + + + + Correct multiple issues with the flushing of batched messages that could + lead to duplicate and/or corrupt messages. (markt) + + + Correctly implement headers case insensitivity. (markt/remm) + + + Allow optional use of user extensions. (remm) + + + Allow using partial binary message handlers. (remm) + + + Limit ping/pong message size. (remm) + + + Allow configuration of the time interval for the periodic event. (remm) + + + More accurate annotations processing. (remm) + + + Allow optional default for origin header in the client. (remm) + + + + + + + Update documentation for CGI servlet. Recommend to copy the servlet + declaration into web application instead of enabling it globally. + Correct documentation for cgiPathPrefix. (kkolinko) + + + Improve HTML version of build instructions and align with + BUILDING.txt. (kkolinko) + + + Improve Tomcat Manager documentation. Rearrange, add section on + HTML GUI, document /expire command and Server Status page. (kkolinko) + + + 57238: Update information on SSL/TLS on Security and SSL + documentation pages. 
Patch by Glen Peterson. (kkolinko) + + + 57245: Correct the reference to allowLinking in + the security configuration guide since that attribute has moved from the + Context element to the nested Resources element. (markt) + + + Fix ambiguity of section links on Valves configuration reference page. + (kkolinko) + + + 57261: Fix vminfo and threaddump Manager commands to start + their output with an "OK" line. Document them. Based on a patch by + Oleg Trokhov. (kkolinko) + + + 57267: Document the StoreConfigLifecycleListener + and the /save command for the Manager application. (markt) + + + 57323: Correct display of outdated sessions in sessions + count listing in Manager application. (kkolinko) + + + Add document of ClusterSingleSignOn. (kfujino) + + + + + + + When downloading required libraries at build time, use random name + for temporary file and automatically create destination directory + (base.path). (kkolinko) + + + Update optional Checkstyle library to 6.2. (kkolinko) + + + Simplify setproxy task in build.xml. + Taskdef there is not needed since Ant 1.8.2. (kkolinko) + + + Update "ide-eclipse" target in build.xml to create Eclipse + project that uses Java 7 compliance settings instead of workspace-wide + defaults. (kkolinko) + + + Update the package renamed copy of Apache Commons Pool 2 to the 2.3 + release to pick up various fixes since the 2.2 release including one for + a possible infinite loop. (markt) + + + 57285: Restore the manifest entry that marks the Windows + uninstaller application as requiring elevated privileges. (markt) + + + 57344: Provide sha1 checksum files for Tomcat downloads. + Correct filename patterns for apache-tomcat-*-embed.tar.gz archive + to exclude an *.asc file. (kkolinko) + + + +
+
+ + + + 43548: Add an XML schema for the tomcat-users.xml file. + (markt) + + + 43682: Add support for referring to the current context, host + and service name in per Context logging.properties files by using the + properties ${classloader.webappName}, + ${classloader.hostName} and + ${classloader.serviceName}. (markt) + + + 47919: Extend the information logged when Tomcat starts to + optionally log the values of command line arguments (enabled by + default) and environment variables (disabled by default). Note that + the values added to CATALINA_OPTS and JAVA_OPTS environment variables + will be logged, as they are used to build up the command line. (markt) + + + 49939: Expose the method that clears the static resource + cache for a web application via JMX. (markt) + + + 55951: Allow cookies to use UTF-8 encoded values in HTTP + headers. This requires the use of the RFC6265 + CookieProcessor. (markt) + + + 55984: Using the allow separators in version 0 cookies option + with the legacy cookie processor should only apply to version 0 cookies. + Version 1 cookies with values that contain separators should not be + affected and should continue to be quoted. (markt) + + + 56393: Add support for RFC6265 cookie parsing and generation. + This is currently disabled by default and may be enabled via the + CookieProcessor element of a Context. + (markt) + + + 56394: Introduce new configuration element CookieProcessor in + Context to allow context-specific configuration of cookie processing + options. Attributes of Context element that were added in Tomcat 8.0.13 + to allow configuration of a new experimental RFC6265 based cookie parser + (useRfc6265 and cookieEncoding) are + replaced by this new configuration element. (markt) + + + Improve the previous fix for 56401. Avoid logging version + information in the constructor since it then gets logged at undesirable + times such as when using StoreConfig. 
(markt) + + + 56403: Add pluggable password derivation support to the + Realms via the new CredentialHandler interface. + (markt/schultz) + + + 57016: When using the PersistentValve do not + remove sessions from the store when persisting them. (markt) + + + Deprecate the use of system properties to control cookie parsing and + replace them with attributes on the new CookieProcessor + that may be configured on a per context basis. (markt) + + + Correct an edge case and allow a cookie if the value starts with an + equals character and the CookieProcessor is not configured + to allow equals characters in cookie values but is configured to allow + name only cookies. (markt) + + + 57022: Ensure SPNEGO authentication continues to work with + the JNDI Realm using delegated credentials with recent Oracle JREs. + (markt) + + + 57027: Add additional validation for stored credentials used + by Realms when the credential is stored using hex encoding. (markt) + + + 57038: Add a WebResource.getCodeBase() method, + implement for all WebResource implementations and then use + it in the web application class loader to set the correct code base for + resources loaded from JARs and WARs. (markt) + + + Correct a couple of NPEs in the JNDI Realm that could be triggered with + when not specifying a roleBase and enabling roleSearchAsUser. (markt) + + + Correctly handle relative values for the docBase attribute of a Context. + (markt) + + + Ensure that log messages generated by the web application class loader + correctly identify the associated Context when multiple versions of a + Context with the same path are present. (markt) + + + Remove the unnecessary registration of context.xml as a redeploy + resource. The context.xml having an external docBase has already been + registered as a redeploy resource at first. (kfujino) + + + 57089: Ensure that configuration of a session ID generator is + not lost when a web application is reloaded. 
(markt) + + + 57105: When parsing web.xml do not limit the buffer element + of the jsp-property-group element to integer values as the allowed + values are <number>kb or none. (markt) + + + Update the minimum required version of the Tomcat Native library (if + used) to 1.1.32. (markt) + + + Update storeconfig with newly introduced elements: SessionIdGenerator, + CookieProcessor, JarScanner and JarScanFilter. (remm) + + + Throw a NullPointerException if a null string is passed to + the write(String,int,int) method of the + PrintWriter obtained from the ServletResponse. + (markt) + + + Cookie rewrite flag abbreviation should be CO rather than C. (remm) + + + 57153: When the StandardJarScanner is configured to scan the + full class path, ensure that class path entries added directly to the + web application class loader are scanned. (markt) + + + AsyncContext should remain usable until fireOnComplete is called. (remm) + + + AsyncContext createListener should wrap any instantiation exception + using a ServletException. (remm) + + + 57155: Allow a web application to be configured that does not + have a docBase on the file system. This is primarily intended for use + when embedding. (markt) + + + Propagate header ordering from fileupload to the part implementation. + (remm) + + + + + + + 53952: Add support for TLSv1.1 and TLSv1.2 for APR connector. + Based upon a patch by Marcel Šebek. This feature requires + Tomcat Native library 1.1.32 or later. (schultz/jfclere) + + + Cache the Encoder instances used to convert Strings to byte + arrays in the Connectors (e.g. when writing HTTP headers) to improve + throughput. (markt) + + + Disable SSLv3 by default for JSSE based HTTPS connectors (BIO, NIO and + NIO2). The change also ensures that SSLv2 is disabled for these + connectors although SSLv2 should already be disabled by default by the + JRE. (markt) + + + Disable SSLv3 by default for the APR/native HTTPS connector. 
(markt)
+
+
+ Do not increase remaining counter at end of stream in
+ IdentityInputFilter. (kkolinko)
+
+
+ Trigger an error if an invalid attempt is made to use non-blocking IO.
+ (markt)
+
+
+ 57157: Allow calls to
+ AsyncContext.start(Runnable) during non-blocking IO reads
+ and writes. (markt)
+
+
+ Async state MUST_COMPLETE should still be started. (remm)
+
+
+
+
+
+
+ 57099: Ensure that semi-colons are not permitted in JSP
+ import page directives. (markt)
+
+
+ 57113: Fix broken package imports in Expression Language when
+ more than one package was imported and the desired class was not in the
+ last package imported. (markt)
+
+
+ 57132: Fix import conflicts reporting in Expression Language.
+ (kkolinko)
+
+
+ When coercing an object to a given type, only attempt coercion to an
+ array if both the object type and the target type are an array type.
+ (violetagg/markt)
+
+
+ Improve handling of invalid input to
+ javax.el.ImportHandler.resolveClass(). (markt)
+
+
+ Allow the same class to be added to an instance of
+ javax.el.ImportHandler more than once without triggering
+ an error. The second and subsequent calls for the same class will be
+ ignored. (markt)
+
+
+ 57136: Ensure only \${ and \#{ are
+ treated as escapes for ${ and #{ rather than
+ \$ and \# being treated as escapes for
+ $ and # when processing literal expressions in
+ expression language. (markt)
+
+
+ When coercing an object to an array type in Expression Language, handle
+ the case where the source object is an array of primitives.
+ (markt/kkolinko)
+
+
+ Do not throw an exception on missing JSP file servlet initialization.
+ (remm)
+
+
+ 57148: When coercing an object to a given type and a
+ PropertyEditor has been registered for the type correctly
+ coerce the empty string to null if the
+ PropertyEditor throws an exception.
(kkolinko/markt)
+
+
+ 57153: Correctly scan for TLDs located in directories that
+ represent expanded JARs files that have been added to the web application
+ class loader's class path. (markt)
+
+
+ 57141: Enable EL in JSPs to refer to static fields of
+ imported classes including the standard java.lang.*
+ imports. (markt)
+
+
+
+
+
+
+ Add support for the SessionIdGenerator to cluster manager
+ template. (kfujino)
+
+
+ Avoid possible integer overflows reported by Coverity Scan. (fschumacher)
+
+
+
+
+
+
+ 57054: Correctly handle the case in the WebSocket client
+ when the HTTP response to the upgrade request can not be read in a
+ single pass; either because the buffer is too small or the server sent
+ the response in multiple packets. (markt)
+
+
+ Extend support for the permessage-deflate extension to the
+ client implementation. (markt)
+
+
+ Fix client subprotocol handling. (remm)
+
+
+ Add null checks for arguments in remote endpoint. (remm/kkolinko)
+
+
+ 57091: Work around the behaviour of the Oracle JRE when
+ creating new threads in an applet environment that breaks the WebSocket
+ client implementation. Patch provided by Niklas Hallqvist. (markt)
+
+
+ 57118: Ensure that that an EncodeException is
+ thrown by RemoteEndpoint.Basic.sendObject(Object) rather
+ than an IOException when no suitable Encoder
+ is configured for the given Object. (markt)
+
+
+
+
+
+
+ Correct a couple of broken links in the Javadoc. (markt)
+
+
+ Correct documentation for ServerCookie.ALLOW_NAME_ONLY
+ system property. (kkolinko)
+
+
+ 57049: Clarified that jvmRoute can be set in
+ <Engine>'s jvmRoute or in a system
+ property. (schultz)
+
+
+ Correct version of Java WebSocket mentioned in documentation
+ (s/1.0/1.1/). (markt/kkolinko)
+
+
+ Suppress timestamp comments in Javadoc. (kkolinko)
+
+
+ 57147: Various corrections to the JDBC Store section of the
+ session manager configuration page of the documentation web application.
+ (markt)
+
+
+
+
+
+
+ 45282: Improve shutdown of NIO receiver so that sockets are
+ closed cleanly. (fhanik/markt)
+
+
+
+
+
+
+ 57005: Fix javadoc errors when building with Java 8. Patch
+ provided by Pierre Viret. (markt)
+
+
+ 57079: Use Tomcat version number for jdbc-pool module when
+ building and shipping the module as part of Tomcat. (markt)
+
+
+ Fix broken overview page in javadoc generated via "javadoc" task in
+ jdbc-pool build.xml file. (kkolinko)
+
+
+
+
+
+
+ 56079: The uninstaller packaged with the Apache Tomcat
+ Windows installer is now digitally signed. (markt)
+
+
+ Fix timestamps in Tomcat build and jdbc-pool to use 24-hour format
+ instead of 12-hour one and use UTC timezone. (markt/kkolinko)
+
+
+ Update the package renamed copy of Apache Commons DBCP 2 to revision
+ 1631450 to pick up additional fixes since the 2.0.1 release including
+ Javadoc corrections to fix errors when compiling with Java 8. (markt)
+
+
+ 56596: Update to Tomcat Native Library version 1.1.32 to
+ pick up the Windows binaries that are based on OpenSSL 1.0.1j and APR
+ 1.5.1. (markt)
+
+
+ In Tomcat tests: log name of the current test method at start time.
+ (kkolinko)
+
+
+
+
+ + + + 56079: The Apache Tomcat Windows installer, the Apache Tomcat + Windows service and the Apache Tomcat Windows service monitor + application are now digitally signed. (markt) + + + +
+
+
+
+
+ 55917: Allow bytes in the range 0x80 to 0xFF to appear in
+ cookie values if the cookie is a V1 (RFC2109) cookie and the value is
+ correctly quoted. The new RFC6265 based cookie parser must be enabled to
+ correctly handle these cookies. (markt)
+
+
+ 55918: Do not permit control characters to appear in quoted
+ V1 (RFC2109) cookie values. The new RFC6265 based cookie parser must be
+ enabled to correctly handle these cookies. (markt)
+
+
+ 55921: Correctly handle (ignore the cookie) unescaped JSON in
+ a cookie value. The new RFC6265 based cookie parser must be enabled to
+ correctly handle these cookies. (markt)
+
+
+ 56401: Log version information when Tomcat starts.
+ (markt/kkolinko)
+
+
+ 56530: Add a web application class loader implementation that
+ supports the parallel loading of web application classes. (markt)
+
+
+ 56900: Fix some potential resource leaks when reading
+ property files reported by Coverity Scan. Based on patches provided by
+ Felix Schumacher. (markt)
+
+
+ 56902: Fix a potential resource leak in the Default Servlet
+ reported by Coverity Scan. Based on a patch provided by Felix
+ Schumacher. (markt)
+
+
+ 56903: Correct the return value for
+ StandardContext.getResourceOnlyServlets() so that multiple
+ names are separated by commas. Identified by Coverity Scan and fixed
+ based on a patch by Felix Schumacher. (markt)
+
+
+ Add an additional implementation of a RFC6265 based cookie parser along
+ with new Context options to select and configure it. This parser is
+ currently considered experimental and is not used by default. (markt)
+
+
+ Fixed the multipart elements merge operation performed during web
+ application deployment. Identified by Coverity Scan. (violetagg)
+
+
+ Correct the information written by
+ ExtendedAccessLogValve when a format token x-O(XXX) is
+ used so that multiple values for a header XXX are separated by commas.
+ Identified by Coverity Scan.
(violetagg)
+
+
+ Fix a potential resource leak when reading MANIFEST.MF file for
+ extension dependencies reported by Coverity Scan. (violetagg)
+
+
+ Fix some potential resource leaks when reading properties, files and
+ other resources. Reported by Coverity Scan. (violetagg)
+
+
+ Correct the previous fix for 56825 that enabled pre-emptive
+ authentication to work with the SSL authenticator. (markt)
+
+
+ Refactor to reduce code duplication identified by Simian. (markt)
+
+
+ When using parallel deployment and undeployOldVersions
+ feature is enabled on a Host, correctly undeploy context of old
+ version. Make sure that Tomcat does not undeploy older Context if
+ current context is not running. (kfujino)
+
+
+ Fix a rare threading issue when locking resources via WebDAV.
+ (markt)
+
+
+ Fix a rare threading issue when using HTTP digest authentication.
+ (markt)
+
+
+ When deploying war, add XML file in the config base to the redeploy
+ resources if war does not have META-INF/context.xml or
+ deployXML is false. If XML file is created in the config
+ base, redeploy will occur. (kfujino)
+
+
+ Various changes to reduce unnecessary code in Tomcat's copy of
+ Apache Commons BCEL to reduce the time taken for annotation scanning
+ when web applications start. Includes contributions from kkolinko and
+ hzhang9. (markt)
+
+
+ 56938: Ensure web applications that have mixed case context
+ paths and are deployed as directories are correctly removed on undeploy
+ when running on a case sensitive file system. (markt)
+
+
+ 57004: Add stuckThreadCount property to
+ StuckThreadDetectionValve's JMX bean. Patch provided by
+ Jiří Pejchal. (schultz)
+
+
+ 57011: Ensure that the request and response are correctly
+ recycled when processing errors during async processing. (markt)
+
+
+
+
+
+
+ 56910: Prevent the invalid value of -1 being
+ used for maxConnections with APR connectors. (markt)
+
+
+ Ensure that AJP connectors enable the KeepAliveTimeout.
+ (kfujino)
+
+
+ Reduce duplicated code. All AJP connectors use common method to
+ configuration of processor. (kfujino)
+
+
+
+
+
+
+ 43001: Enable the JspC Ant task to set the JspC option
+ mappedFile. (markt)
+
+
+ Ensure that the implementation of
+ javax.servlet.jsp.PageContext.include(String)
+ and
+ javax.servlet.jsp.PageContext.include(String, boolean)
+ will throw IOException when an I/O error occur during
+ the operation. (violetagg)
+
+
+ 56908: Fix some potential resource leaks when reading
+ jar files. Reported by Coverity Scan. Patch provided by Felix
+ Schumacher. (violetagg)
+
+
+ Fix a potential resource leak in JDTCompiler when checking whether
+ a resource is a package. Reported by Coverity Scan. (fschumacher)
+
+
+ 56991: Deprecate the use of a request attribute to pass a
+ <jsp-file> declaration to Jasper and prevent an infinite loop
+ if this technique is used in conjunction with an include. (markt)
+
+
+
+
+
+
+ 56905: Make destruction on web application stop of thread
+ group used for WebSocket connections more robust. (kkolinko/markt)
+
+
+ 56907: Ensure that client IO threads are stopped if a secure
+ WebSocket client connection fails. (markt)
+
+
+ 56982: Return the actual negotiated extensions rather than an
+ empty list for Session.getNegotiatedExtensions(). (markt)
+
+
+ Update the WebSocket implementation to support the Java WebSocket
+ specification version 1.1. (markt)
+
+
+
+
+
+
+ Add JarScanner to the nested components listed for a
+ Context. (markt)
+
+
+ Update the Windows authentication documentation after some additional
+ testing to answer the remaining questions. (markt)
+
+
+
+
+
+
+ 56895: Correctly compose JAVA_OPTS in
+ catalina.bat so that escape sequences are preserved. Patch
+ by Lucas Theisen. (markt)
+
+
+ 56988: Allow to use relative path in base.path
+ setting when building Tomcat.
(kkolinko)
+
+
+ 56990: Ensure that the ide-eclipse build target
+ downloads all the libraries required by the default Eclipse
+ configuration files. (markt)
+
+
+ Update the package renamed copy of Apache Commons DBCP 2 to revision
+ 1626988 to pick up the fixes since the 2.0.1 release including support
+ for custom eviction policies. (markt)
+
+
+ Update the package renamed copy of Apache Commons Pool 2 to revision
+ 1627271 to pick up the fixes since the 2.2 release including some memory
+ leak fixes and support for application provided eviction policies.
+ (markt)
+
+
+
+
+
+
+
+ Make the session id generator extensible by adding a
+ SessionIdGenerator interface, an abstract
+ base class and a standard implementation. (rjung)
+
+
+ 56882: Fix regression in processing of includes and forwards
+ when Context have been reloaded. Tomcat was responding with HTTP Status
+ 503 (Servlet xxx is currently unavailable). (kkolinko)
+
+
+
+
+
+
+ When building a list of JSSE ciphers from an OpenSSL cipher definition,
+ ignore unknown criteria rather than throwing a
+ NullPointerException. (markt)
+
+
+ Add support for the EECDH alias when using the OpenSSL cipher syntax to
+ define JSSE ciphers. (markt)
+
+
+
+
+
+
+ Correct a logic error in the JasperElResolver. There was no
+ functional impact but the code was less efficient as a result of the
+ error. Based on a patch by martinschaef. (markt)
+
+
+ 56568: Enable any HTTP method to be used to request a JSP
+ page that has the isErrorPage page directive set to
+ true. (markt)
+
+
+
+
+
+
+ Extend support for the permessage-deflate extension to
+ compression of outgoing messages on the server side. (markt)
+
+
+
+
+
+
+ 56323: Include the *.bat files when installing
+ Tomcat via the Windows installer. (markt)
+
+
+
+
+
+
+
+ 56658: Fix regression that a context was inaccessible after
+ reload. (kkolinko)
+
+
+ 56710: Do not map requests to servlets when context is
+ being reloaded. (kkolinko)
+
+
+ 56712: Fix session idle time calculations in
+ PersistenceManager. (kkolinko)
+
+
+ 56717: Fix duplicate registration of
+ MapperListener during repeated starts of embedded Tomcat.
+ (kkolinko)
+
+
+ 56724: Write an error message to Tomcat logs if container
+ background thread is aborted unexpectedly. (kkolinko)
+
+
+ When scanning class files (e.g. for annotations) and reading the number
+ of parameters in a MethodParameters structure only read a
+ single byte (rather than two bytes) as per the JVM specification. Patch
+ provided by Francesco Komauli. (markt)
+
+
+ Allow the JNDI Realm to start even if the directory is not available.
+ The directory not being available is not fatal once the Realm is started
+ and it need not be fatal when the Realm starts. Based on a patch by
+ Cédric Couralet. (markt)
+
+
+ 56736: Avoid an incorrect IllegalStateException
+ if the async timeout fires after a non-container thread has called
+ AsyncContext.dispatch() but before a container thread
+ starts processing the dispatch. (markt)
+
+
+ 56739: If an application handles an error on an application
+ thread during asynchronous processing by calling
+ HttpServletResponse.sendError(), then ensure that the
+ application is given an opportunity to report that error via an
+ appropriate application defined error page if one is configured. (markt)
+
+
+ 56784: Fix a couple of rare but theoretically possible
+ atomicity bugs. (markt)
+
+
+ 56785: Avoid NullPointerException if directory
+ exists on the class path that is not readable by the Tomcat user.
+ (markt)
+
+
+ 56796: Remove unnecessary sleep when stopping a web
+ application. (markt)
+
+
+ 56801: Improve performance of
+ org.apache.tomcat.util.file.Matcher which is to filter JARs
+ for scanning during web application start.
Based on a patch by Sheldon
+ Shao. (markt)
+
+
+ 56815: When the gzip option is enabled for the
+ DefaultServlet ensure that a suitable Vary
+ header is returned for resources that might be returned directly in
+ compressed form. (markt)
+
+
+ Do not mark threads from the container thread pool as container threads
+ when being used to process AsyncContext.start(Runnable) so
+ processing is correctly transferred back to a genuine container thread
+ when necessary. (markt)
+
+
+ Add simple caching for calls to StandardRoot.getResources()
+ in the new (for 8.0.x) resources implementation. (markt)
+
+
+ 56825: Enable pre-emptive authentication to work with the
+ SSL authenticator. Based on a patch by jlmonteiro. (markt)
+
+
+ 56840: Avoid NPE when the rewrite valve is mapped to
+ a context. (remm)
+
+
+ Correctly handle multiple accept-language headers rather
+ than just using the first header to determine the user's preferred
+ Locale. (markt)
+
+
+ 56848: Improve handling of accept-language
+ headers. (markt)
+
+
+ 56857: Fix thread safety issue when calling ServletContext
+ methods while running under a security manager. (markt)
+
+
+
+
+
+
+ Fix NIO2 sendfile state tracking and error handling to fix
+ various corruption issues. (remm)
+
+
+ Missing timeout for NIO2 sendfile writes. (remm)
+
+
+ Allow inline processing for NIO2 sendfile and optimize keepalive
+ behavior. (remm)
+
+
+ Fix excessive NIO2 sendfile direct memory use in some cases, sendfile
+ will now instead use the regular socket write buffer as configured.
+ (remm)
+
+
+ 56661: Fix getLocalAddr() for AJP connectors.
+ The complete fix is only available with a recent AJP forwarder like
+ the forthcoming mod_jk 1.2.41. (rjung)
+
+
+ Use default ciphers defined as
+ HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5 so
+ that no weak ciphers are enabled by default. (remm)
+
+
+ 56780: Enable Tomcat to start when using SSL with an IBM JRE
+ in strict SP800-131a mode.
(markt)
+
+
+ 56810: Remove use of Java 8 specific API calls in unit tests
+ for OpenSSL to JSSE cipher conversion. (markt)
+
+
+
+
+
+
+ 56709: Fix system property name in a log message. Submitted
+ by Robert Kish. (remm)
+
+
+ 56797: When matching a method in an EL expression, do not
+ treat bridge methods as duplicates of the method they bridge to. In this
+ case always call the target of the bridge method. (markt)
+
+
+
+
+
+
+ 56746: Allow secure WebSocket client threads to use the
+ current context class loader rather than explicitly setting it to the
+ class loader that loaded the WebSocket implementation. This allows
+ WebSocket client connections from within web applications to access,
+ amongst other things, the JNDI resources associated with the web
+ application. (markt)
+
+
+
+
+
+
+ Correct the label in the list of sessions by idle time for the bin that
+ represents the idle time immediately below the maximum permitted idle
+ time when using the expire command of the Manager application. (markt)
+
+
+
+
+
+
+ 53088: More identifiable thread name. (fhanik)
+
+
+ 53200: Selective logging for slow versus failed queries.
+ (fhanik)
+
+
+ 53853: More flexible classloading. (fhanik)
+
+
+ 54225: Disallow empty init SQL. (fhanik)
+
+
+ 54227: Evaluate max age upon borrow. (fhanik)
+
+
+ 54235: Disallow nested pools exploitating using data source.
+ (fhanik)
+
+
+ 54395: Fix JDBC interceptor parsing bug. (fhanik)
+
+
+ 54537: Performance improvement in
+ StatementFinalizer. (fhanik)
+
+
+ 54978: Make sure proper connection validation always happens,
+ regardless of config. (fhanik)
+
+
+ 56318: Ability to trace statement creation in
+ StatementFinalizer. (fhanik)
+
+
+ 56789: getPool() returns the actual pool, always. (fhanik)
+
+
+
+
+
+
+ 56788: Display the full version in the list of installed
+ applications when installed via the Windows installer package. Patch
+ provided by Alexandre Garnier.
(markt)
+
+
+ 56829: Add the ability for users to define their own values
+ for _RUNJAVA and _RUNJDB environment
+ variables. Be more strict with executable filename on Windows
+ (s/java/java.exe/). Based on a patch by Neeme Praks. (markt/kkolinko)
+
+
+
+
+
+
+
+ 44312: Log an error if there is a conflict between Host and
+ Alias names. Improve host management methods in Mapper
+ to avoid occasionally removing a wrong host. Check that host management
+ operations are performed on the host and not on an alias. (kkolinko)
+
+
+ 56611: Refactor code to remove inefficient calls to
+ Method.isAnnotationPresent(). Based on a patch by Jian Mou.
+ (markt/kkolinko)
+
+
+ Fix regression in
+ StandardContext.removeApplicationListener(), introduced by
+ the fix for bug 56588. (kkolinko)
+
+
+ 56653: Fix concurrency issue with lists of contexts in
+ Mapper when stopping Contexts. (kkolinko)
+
+
+ 56657: When using parallel deployment, if the same session id
+ matches different versions of a web application, prefer the latest
+ version. Ensure that remapping selects the version that we expect.
+ (kkolinko)
+
+
+ Assert that mapping result object is empty before performing mapping
+ work in Mapper. (kkolinko)
+
+
+ Remove context and wrapper fields in
+ Request class and deprecate their setters. (kkolinko)
+
+
+ 56658: Avoid delay between registrations of mappings for
+ context and for its servlets. (kkolinko)
+
+
+ 56665: Correct the generation of the effective web.xml when
+ elements contain an empty string as value. (violetagg)
+
+
+ Fix storeconfig exception routing issues, so that a major problem
+ should avoid configuration overwrite. (remm)
+
+
+ Add configuration fields for header names in SSLValve. (remm)
+
+
+ 56666: When clearing the SSO cookie use the same values for
+ domain, path, httpOnly and secure as were used to set the SSO cookie.
+ (markt)
+
+
+ 56677: Ensure that
+ HttpServletRequest.getServletContext() returns the correct
+ value during a cross-context dispatch. (markt)
+
+
+ 56684: Ensure that Tomcat does not shut down if the socket
+ waiting for the shutdown command experiences a
+ SocketTimeoutException.
(markt)
+
+
+ 56693: Fix various issues in the static resource cache
+ implementation where the cache retained a stale entry after the
+ successful completion of an operation that always invalidates the cache
+ entry such as a delete operation.
+ (markt)
+
+
+ When the current PathInfo is modified as a result of dispatching a
+ request, ensure that a call to
+ HttpServletRequest.getPathTranslated() returns a value that
+ is based on the modified PathInfo. (markt)
+
+
+ 56698: When persisting idle sessions, only persist newly idle
+ sessions. Patch provided by Felix Schumacher. (markt)
+
+
+
+
+
+
+ 56663: Fix edge cases demonstrated by ByteCounter relating
+ to data available, remaining and extra write events, mostly occurring
+ with non blocking Servlet 3.1. (remm)
+
+
+ Avoid possible NPE stopping endpoints that are not started (stop
+ shouldn't do anything in that case). (remm)
+
+
+ 56704: Add support for OpenSSL syntax for ciphers when
+ using JSSE SSL connectors. Submitted by Emmanuel Hugonnet. (remm)
+
+
+ Allow to configure maxSwallowSize attribute of an HTTP
+ connector via JMX. (kkolinko)
+
+
+
+
+
+
+ 56543: Update to the Eclipse JDT Compiler 4.4. (violetagg)
+
+
+ 56652: Add support for method parameters that use arrays and
+ varargs to ELProcessor.defineFunction().(markt)
+
+
+
+
+
+
+ Add support for the permessage-deflate extension. This is
+ currently limited to decompressing incoming messages on the server side.
+ It is expected that support will be extended to outgoing messages and to
+ the client side shortly. (markt)
+
+
+
+
+
+
+ Attempt to obfuscate session cookie values associated with other web
+ applications when viewing HTTP request headers with the Cookies example
+ from the examples web application. This reduces the opportunity to use
+ this example for malicious purposes should the advice to remove the
+ examples web application from security sensitive systems be ignored.
+ (markt)
+
+
+ 56694: Remove references to Manager attribute
+ checkInterval from documentation and Javadoc since it no
+ longer exists. Based on a patch by Felix Schumacher. Also remove other
+ references to checkInterval that are no longer valid.
+ (markt)
+
+
+
+
+
+
+ Update the API stability section of the release notes now that Tomcat 8
+ has had its first stable release. (markt)
+
+
+ Improve build.xml so that when Eclipse JDT Compiler is
+ updated, it will delete the old JAR from build/lib
+ directory. (kkolinko)
+
+
+ Simplify implementation of "setproxy" target in build.xml.
+ (kkolinko)
+
+
+ Update optional Checkstyle library to 5.7. (kkolinko)
+
+
+ 56596: Update to Tomcat Native Library version 1.1.31 to
+ pick up the Windows binaries that are based on OpenSSL 1.0.1h. (markt)
+
+
+ 56685: Add quotes necessary for daemon.sh to
+ work correctly on Solaris. Based on a suggestion by lfuka. (markt)
+
+
+ Update package renamed Apache Commons Pool2 to r1609323 to pick various
+ bug fixes. (markt)
+
+
+ Update package renamed Apache Commons DBCP2 to r1609329 to pick up a
+ minor bug fix. (markt)
+
+
+ Update package renamed Apache Commons FileUpload to r1596086 to pick
+ various bug fixes. (markt)
+
+
+
+
+
+
+
+ 55282: Ensure that one and the same application listener is
+ added only once when starting the web application. (violetagg)
+
+
+ 55975: Apply consistent escaping for double quote and
+ backslash characters when escaping cookie values. (markt)
+
+
+ 56387: Improve the code that handles an attempt to load a
+ class after a web application has been stopped. Use common code to handle
+ this case regardless of the access path and don't throw an exception
+ purely to log a stack trace. (markt)
+
+
+ 56399: Improve implementation of CoyoteAdapter.checkRecycled()
+ to do not use an exception for flow control. (kkolinko)
+
+
+ 56461: New failCtxIfServletStartFails attribute
+ on Context and Host configuration to force the context startup to fail
+ if a load-on-startup servlet fails its startup. (slaurent)
+
+
+ 56526: Improved the StuckThreadDetectionValve to
+ optionally interrupt stuck threads to attempt to unblock them.
+ (slaurent)
+
+
+ 56545: Pre-load two additional classes, the loading of which
+ may otherwise be triggered by a web application which in turn would
+ trigger an exception when running under a security manager. (markt)
+
+
+ 56546: Reduce logging level for stack traces of stuck web
+ application threads printed by WebappClassLoader.clearReferencesThreads()
+ from error to info. (kkolinko)
+
+
+ Refactor and simplify common code in object factories in
+ org.apache.catalina.naming package, found thanks to Simian
+ (Similarity Analyser) tool. Improve handling of Throwable.
+ (markt/kkolinko)
+
+
+ Relax cookie naming restrictions. Cookie attribute names used in the
+ Set-Cookie header may be used unambiguously as cookie
+ names. The restriction that prevented such usage has been removed.
+ (jboynes/markt)
+
+
+ Further relax cookie naming restrictions. Version 0 (a.k.a Netscape
+ format) cookies may now use names that start with the $
+ character.
(jboynes/markt)
+
+
+ Restrict cookie naming so that the = character is no longer
+ permitted in a version 0 (a.k.a. Netscape format) cookie name. While
+ Tomcat allowed this, browsers always truncated the name at the
+ = character leading to a mis-match between the cookie the
+ server set and the cookie returned by the browser. (jboynes/markt)
+
+
+ Add a simple ServiceLoader based discovery mechanism to the
+ JULI LogFactory to make it easier to use JULI and Tomcat
+ components that depend on JULI (such as Jasper) independently from
+ Tomcat. Patch provided by Greg Wilkins. (markt)
+
+
+ 56578: Correct regression in the fix for 56339
+ that prevented sessions from expiring when using clustering. (markt)
+
+
+ 56588: Remove code previously added to enforce the
+ requirements of section 4.4 of the Servlet 3.1 specification. The code
+ is no longer required now that Jasper initialization has been refactored
+ and TLD defined listeners are added via a different code path that
+ already enforces the specification requirements. (markt)
+
+
+ 56600: In WebdavServlet: Do not waste time generating
+ response for broken PROPFIND request. (kkolinko)
+
+
+ Provide a better error message when asynchronous operations are not
+ supported by a filter or servlet. Patch provided by Romain Manni-Bucau.
+ (violetagg)
+
+
+ 56606: User entries in tomcat-users.xml file
+ are recommended to use "username" attribute rather than legacy "name"
+ attribute. Fix inconsistencies in Windows installer, examples. Update
+ digester rules and documentation for MemoryRealm.
+ (markt/kkolinko)
+
+
+
+
+
+
+ 56518: When using NIO, do not attempt to write to the socket
+ if the thread is marked interrupted as this will lead to a connection
+ limit leak. This fix was based on analysis of the issue by hanyong.
+ (markt)
+
+
+ 56521: Re-use the asynchronous write buffer between writes to
+ reduce allocation and GC overhead. Based on a patch by leonzhx.
Also
+ make the buffer size configurable and remove copying of data within
+ buffer when the buffer is only partially written on a subsequent write.
+ (markt)
+
+
+ Ensure that a request without a body is correctly handled during Comet
+ processing. This fixes the Comet chat example. (markt)
+
+
+ Fix input concurrency issue in NIO2 upgrade. (remm)
+
+
+ Correct a copy/paste error and return a 500 response rather than a 400
+ response when an internal server error occurs on early stages of
+ request processing. (markt)
+
+
+ 56582: Use switch(actionCode) in processors instead of a
+ chain of "elseif"s. (kkolinko)
+
+
+ 56582#c1: Implement DISPATCH_EXECUTE action for AJP
+ connectors. (kkolinko)
+
+
+ Fix CVE-2014-0227:
+ Various improvements to ChunkedInputFilter including clean-up, i18n for
+ error messages and adding an error flag to allow subsequent attempts at
+ reading after an error to fail fast. (markt)
+
+
+ If request contains an unrecognized Expect header, respond with error
+ 417 (Expectation Failed), according to RFC2616 chapter 14.20. (markt)
+
+
+ When an error occurs after the response has been committed close the
+ connection immediately rather than attempting to finish the response to
+ make it easier for the client to differentiate between a complete
+ response and one that failed part way though. (markt)
+
+
+ Remove the beta tag from the NIO2 connectors. (remm)
+
+
+ 56620: Avoid bogus access log entries when pausing the NIO
+ HTTP connector and ensure that access log entries generated by error
+ conditions use the correct request start time. (markt)
+
+
+ Improve configuration of cache sizes in the endpoint. (markt)
+
+
+ Fix CVE-2014-0230:
+ Add a new limit, defaulting to 2MB, for the amount of data Tomcat will
+ swallow for an aborted upload. The limit is configurable by
+ maxSwallowSize attribute of an HTTP connector. (markt)
+
+
+
+
+
+
+ 56334#c15: Fix a regression in EL parsing when quoted string
+ follows a whitespace.
(kkolinko/markt)
+
+
+ 56543: Update to the Eclipse JDT Compiler 4.4RC4 to pick up
+ some fixes for Java 8 support. (markt/kkolinko)
+
+
+ 56561: Avoid NoSuchElementException while
+ handling attributes with empty string value. (violetagg)
+
+
+ Do not configure a JspFactory in the
+ JasperInitializer if one has already been set as might be
+ the case in some embedding scenarios. (markt)
+
+
+ Add a simple implementation of InstanceManager and have
+ Jasper use it if no other InstanceManager is provided. This
+ makes it easier to use Jasper independently from Tomcat. Patch provided
+ by Greg Wilkins. (markt)
+
+
+ 56568: Allow any HTTP method when a JSP is being used as an
+ error page. (markt)
+
+
+ 56581: If an error on a JSP page occurs when response has
+ already been committed, do not clear the buffer of JspWriter, but flush
+ it. It will make more clear where the error occurred. (kkolinko)
+
+
+ 56612: Correctly parse two consecutive escaped single quotes
+ when used in UEL expression in a JSP. (markt)
+
+
+ Move code that parses EL expressions within JSP template text from
+ Parser to JspReader class for better
+ performance. (kkolinko)
+
+
+ 56636: Correctly identify the required method when specified
+ via ELProcessor.defineFunction(String,String,String,String)
+ when using Expression Language. (markt)
+
+
+ 56638: When using
+ ELProcessor.defineFunction(String,String,String,String) and
+ no function name is specified, use the method name as the function name
+ as required by the specification. (markt)
+
+
+
+
+
+
+ 56446: Clearer handling of exceptions when calling a method
+ on a POJO based WebSocket endpoint. Based on a suggestion by Eugene
+ Chung. (markt)
+
+
+ When a WebSocket client attempts to write to a closed connection, handle
+ the resulting IllegalStateException in a manner consistent
+ with the handling of an IOException. (markt)
+
+
+ Add more varied endpoints for echo testing.
(remm)
+
+
+ 56577: Improve the executor configuration used for the
+ callbacks associated with asynchronous writes. (markt)
+
+
+
+
+
+
+ Set the path for cookies created by the examples web application so they
+ only returned to the examples application. This reduces the opportunity
+ for using such cookies for malicious purposes should the advice to
+ remove the examples web application from security sensitive systems be
+ ignored. (markt/kkolinko)
+
+
+ Attempt to obfuscate session cookie values associated with other web
+ applications when viewing HTTP request headers with the Request Header
+ example from the examples web application. This reduces the opportunity
+ to use this example for malicious purposes should the advice to remove
+ the examples web application from security sensitive systems be ignored.
+ (markt)
+
+
+ Add options for all of the WebSocket echo endpoints to the WebSocket
+ echo example in the examples web application. (markt)
+
+
+ Ensure that the asynchronous WebSocket echo endpoint in the examples
+ web application always waits for the previous message to complete before
+ it sends the next. (markt)
+
+
+
+
+
+
+ Update package renamed Apache Commons DBCP2 to r1596858. (markt)
+
+
+
+
+ + + + 56536: Ensure that + HttpSessionBindingListener.valueUnbound() uses the correct + class loader when the SingleSignOn valve is used. (markt) + + + + + + + 56529: Avoid NoSuchElementException while handling + attributes with empty string value in custom tags. Patch provided by + Hariprasad Manchi. (violetagg) + + + +
+
+ + + + 56523: When using SPNEGO authentication, log the exceptions + associated with failed user logins at debug level rather than error + level. (markt) + + + + + + + 56399: Assert that both Coyote and Catalina request objects + have been properly recycled. (kkolinko) + + + + + + + 56522: When setting a value for a + ValueExpression, ensure that the expected coercions take + place such as a null string being coerced to an empty + string. (markt) + + + + + + + Copy missing resources file from Apache Commons DBCP 2 to packaged + renamed copy of DBCP 2. (markt) + + + +
+
+ + + + Fix extension validation which was broken by refactoring for new + resources implementation. (markt) + + + Fix custom UTF-8 decoder so that a byte of value 0xC1 is always rejected + immediately as it is never valid in a UTF-8 byte sequence. Update UTF-8 + decoder tests to account for UTF-8 decoding improvements in Java 8. + The custom UTF-8 decoder is still required due to bugs in the UTF-8 + decoder provided by Java. Java 8's decoder is better than Java + 7's but it is still buggy. (markt) + + + 56027: Add more options for managing FIPS mode in the + AprLifecycleListener. (schultz/kkolinko) + + + 56320: Fix a file descriptor leak in the default servlet when + sendfile is used. (markt) + + + 56321: When a WAR is modified, undeploy the web application + before deleting any expanded directory as the undeploy process may + refer to classes that need to be loaded from the expanded directory. If + the expanded directory is deleted first, any attempt to load a new class + during undeploy will fail. (markt) + + + 56327: Enable AJP as well as HTTP connectors to be created + via JMX. Patch by kiran. (markt) + + + 56339: Avoid an infinite loop if an application calls + session.invalidate() from the session destroyed event for + that session. (markt) + + + 56365: Simplify file name pattern matching code in + StandardJarScanner. Improve documentation. (kkolinko) + + + Ensure that the static resource cache is able to detect when a cache + entry is invalidated by being overridden by a new resource in a + different WebResourceSet. (markt) + + + 56369: Ensure that removing an MBean notification listener + reverts all the operations performed when adding an MBean notification + listener. (markt) + + + Improve implementation of Lifecycle for + WebappClassLoader. State is now correctly reported rather + than always reporting as NEW. (markt) + + + 56382: Information about finished deployment and its execution + time is added to the log files. 
Patch is provided by Danila Galimov. + (violetagg) + + + 56383: Properties for disabling server information and error + report are added to the org.apache.catalina.valves.ErrorReportValve. + Based on the patch provided by Nick Bunn. (violetagg/kkolinko) + + + 56390: Fix JAR locking issue with JARs containing TLDs and + the TLD cache that prevented the undeployment of web applications when + the WAR was deleted. (markt) + + + Fix CVE-2014-0119: + Only create XML parsing objects if required and fix associated potential + memory leak in the default Servlet. + Extend XML factory, parser etc. memory leak protection to cover some + additional locations where, theoretically, a memory leak could occur. + (markt) + + + Modify generic exception handling so that + StackOverflowError is not treated as a fatal error and can + handled and/or logged as required. (markt) + + + 56409: Avoid StackOverflowError on non-Windows + systems if a file named \ is encountered when scanning for + TLDs. (markt) + + + 56430: Extend checks for suspicious URL patterns to include + patterns of the form *.a.b which are not valid patterns for + extension mappings. (markt) + + + 56441: Raise the visibility of exceptions thrown when a + problem is encountered calling a getter or setter on a component + attribute. The logging level is raised from debug to warning. (markt) + + + 56463: Property for disabling server information is added to + the DefaultServlet. Server information is presented in the + response sent to the client when directory listings is enabled. + (violetagg) + + + 56472: Allow NamingContextListener to clean up on stop if its + start failed. (kkolinko) + + + 56481: Work around case insensitivity issue in + URLClassLoader exposed by some recent refactoring. (markt) + + + 56492: Avoid eclipse debugger pausing on uncaught exceptions + when tomcat renews its threads. 
(slaurent) + + + Add the org.apache.naming package to the packages requiring + code to have the defineClassInPackage permission when + running under a security manager. (markt) + + + Make the naming context tokens for containers more robust by using a + separate object. Require RuntimePermission when introducing a new token. + (markt/kkolinko) + + + 56501: HttpServletRequest.getContextPath() + should return the undecoded context path used by the user agent. (markt) + + + Minor fixes to ThreadLocalLeakPreventionListener. Do not + trigger threads renewal for failed contexts. Do not ignore + threadRenewalDelay setting. Improve documentation. (kkolinko) + + + Correct regression introduced in 1239520 that broke loading + of users from tomcat-users.xml when using the + JAASMemoryLoginModule. (markt) + + + Correct regression introduced in 797162 that broke + authentication of users when using the + JAASMemoryLoginModule. (markt) + + + + + + + More cleanup of NIO2 endpoint shutdown. (remm) + + + 56336: AJP output corruption and errors. (remm) + + + Handle various cases of incomplete writes in NIO2. (remm) + + + Code cleanups and i18n in NIO2. (remm) + + + Fix extra onDataAvailable calls in the NIO2 connector. (remm) + + + Fix gather writes in NIO2 SSL. (remm) + + + Upgrade the NIO2 connectors to beta, but still not ready for production. (remm) + + + Fix code duplication between NIO and NIO2. (remm) + + + 56348: Fix slow asynchronous read when read was performed on + a non-container thread. (markt) + + + 56416: Correct documentation for default value of socket + linger for the AJP and HTTP connectors. (markt) + + + Fix possible corruption if doing keepalive after a comet request. (remm) + + + 56518: Fix connection limit latch leak when a non-container + thread is interrupted during asynchronous processing. (markt) + + + + + + + 56334: Fix a regression in the handling of back-slash + escaping introduced by the fix for 55735. 
(markt/kkolinko) + + + 56425: Improve method matching for EL expressions. When + looking for matching methods, an exact match between parameter types is + preferred followed by an assignable match followed by a coercible match. + (markt) + + + Correct the handling of back-slash escaping in the EL parser and no + longer require that \$ or \# must be followed + by { in order for the back-slash escaping to take effect. + (markt) + + + + + + + Remove the implementation of + org.apache.catalina.LifecycleListener from + org.apache.catalina.ha.tcp.SimpleTcpCluster. + SimpleTcpCluster does not work as + LifecycleListener, it works as nested components of Host or + Engine. (kfujino) + + + Remove cluster and replicationValve from cluster manager template. These + instance are not necessary to template. (kfujino) + + + Add support for cross context session replication to + org.apache.catalina.ha.session.BackupManager. (kfujino) + + + Remove the unnecessary cross context check. It does not matter whether + the context that is referenced by other context is set to + crossContext=true. The context that refers to the different + context must be set to crossContext=true. (kfujino) + + + Move to org.apache.catalina.ha.session.ClusterManagerBase + common logics of + org.apache.catalina.ha.session.BackupManager and + org.apache.catalina.ha.session.DeltaManager. (kfujino) + + + Simplify the code of o.a.c.ha.tcp.SimpleTcpCluster. In + order to add or remove cluster valve to Container, use pipeline instead + of IntrospectionUtils. (kfujino) + + + There is no need to set cluster instance when + SimpleTcpCluster.unregisterClusterValve is called. + Set null than cluster instance for cleanup. (kfujino) + + + + + + + 56343: Avoid a NPE if Tomcat's Java WebSocket 1.0 + implementation is used with the Java WebSocket 1.0 API JAR from the + reference implementation. 
(markt) + + + Increase the default maximum size of the executor used by the WebSocket + implementation for call backs associated with asynchronous writes from + 10 to 200. (markt) + + + Add a warning if the thread group created for WebSocket asynchronous + write call backs can not be destroyed when the web application is + stopped. (markt) + + + Ensure that threads created to support WebSocket clients are stopped + when no longer required. This will happen automatically for WebSocket + client connections initiated by web applications but stand alone clients + must call WsWebSocketContainer.destroy(). (markt) + + + 56449: When creating a new session, add the message handlers + to the session before calling Endpoint.onOpen() so the + message handlers are in place should the onOpen() method + trigger the sending of any messages. (markt) + + + 56458: Report WebSocket sessions that are created over secure + connections as secure rather than as not secure. (markt) + + + Stop threads used for secure WebSocket client connections when they are + no longer required and give them better names for easier debugging while + they are running. (markt) + + + + + + + Add Support for copyXML attribute of Host to Host Manager. + (kfujino) + + + Ensure that "name" request parameter is used as a application base of + host if "webapps" request parameter is not set when adding host in + HostManager Application. (kfujino) + + + Correct documentation on Windows service options, aligning it with + Apache Commons Daemon documentation. (kkolinko) + + + 56418: Ensure that the Manager web application does not + report success for a web application deployment that fails. (slaurent) + + + Improve valves documentation. Split valves into groups. (kkolinko) + + + 56513: Make the documentation crystal clear that using + sendfile will disable any compression that Tomcat may otherwise have + applied to the response. 
(markt) + + + + + + + Review source code and take advantage of Java 7's + try-with-resources syntax where possible. (markt) + + + Align DisplayName of Tomcat installed by service.bat with + one installed by the *.exe installer. Print a warning in case if neither + server nor client jvm is found by service.bat. (kkolinko) + + + 56363: Update to version 1.1.30 of Tomcat Native library. + (schultz) + + + Update package renamed Apache Commons BCEL to r1593495 to pick up some + additional changes for Java 7 support and some code clean up. (markt) + + + Update package renamed Apache Commons FileUpload to r1569132 to pick up + some small improvements (e.g. better null protection) and + some code clean up. (markt) + + + Update package renamed Apache Commons Codec to r1586336 to pick up some + Javadoc fixes and some code clean up. (markt) + + + Switch to including Apache Commons DBCP via a package renamed svn copy + rather than building from a source release for consistency with other + Commons packages and to allow faster releases to fix DBCP related + issues. (markt) + + + Update package renamed Apache Commons Pool2 and DBCP2 to r1593563 to + pick various bug fixes. (markt) + + + In tests: allow to configure directory where JUnit reports and access + log are written to. (kkolinko) + + + +
+
+ + + + Rework the fix for 56190 as the previous fix did not recycle + the request in all cases leading to mis-routing of requests. (markt) + + + Allow web applications to package tomcat-jdbc.jar and their JDBC driver + of choice in the web application. (markt) + + + 56293: Cache resources loaded by the class loader from + /META-INF/services/ for better performance for repeated + look ups. (markt) + + + + + + + Fix possibly incomplete final flush with NIO2 when using non blocking + mode. (remm) + + + Cleanup NIO2 endpoint shutdown. (remm) + + + Fix rare race condition notifying onWritePossible in the NIO2 + HTTP/1.1 connector. (remm) + + + + + + + 54475: Add Java 8 support to SMAP generation for JSPs. Patch + by Robbie Gibson. (markt) + + + + + + + 56273: If the Manager web application does not perform an + operation because the web application is already being serviced, report + an error rather than reporting success. (markt) + + + 56304: Add a note to the documentation about not using + WebSocket with BIO HTTP in production. (markt) + + + +
+
+ + + + Restore the ability to use the addURL() method of the + web application class loader to add external resources to the web + application. (markt) + + + Improve the robustness of web application undeployment based on some + code analysis triggered by the report for 54315. (markt) + + + 56125: Correctly construct the URL for a resource that + represents the root of a JAR file. (markt) + + + Generate a valid root element for the effective web.xml for a web + application for all supported versions of web.xml. (markt) + + + Make it easier for applications embedding and/or extending Tomcat to + modify the javaseClassLoader attribute of the + WebappClassLoader. (markt) + + + Add missing support for <deny-uncovered-http-methods> + element when merging web.xml files. (markt) + + + Improve merging process for web.xml files to take account of the + elements and attributes supported by the Servlet version of the merged + file. (markt) + + + Avoid NullPointerException in resource cache when making an + invalid request for a resource outside of the web application. (markt) + + + Remove an unnecessary null check identified by FindBugs. (markt) + + + In WebappClassLoader, when reporting threads that are still running + while web application is being stopped, print their stack traces to + the log. (kkolinko) + + + 56190: The response should be closed (i.e. no further output + is permitted) when a call to AsyncContext.complete() takes + effect. (markt) + + + 56236: Enable Tomcat to work with alternative Servlet and + JSP API JARs that package the XML schemas in such as way as to require + a dependency on the JSP API before enabling validation for web.xml. + Tomcat has no such dependency. (markt) + + + 56244: Fix MBeans descriptor for WebappClassLoader MBean. + (kkolinko) + + + Add a work around for validating XML documents (often TLDs) that use + just the file name to refer to refer to the JavaEE schema on which they + are based. 
(markt) + + + Add methods of get the idle time from last client access time to + org.apache.catalina.Session. (kfujino) + + + 56246: Fix NullPointerException in MemoryRealm when + authenticating an unknown user. (markt) + + + 56248: Allow the deployer to update an existing WAR file + without undeploying the existing application if the update flag is set. + This allows any existing custom context.xml for the application to be + retained. To update an application and remove any existing context.xml + simply undeploy the old version of the application before deploying the + new version. (markt) + + + 56253: When listing resources that are provided by a JAR, fix + possible StringIndexOutOfBoundsExceptions. Add some unit + tests for this and similar scenarios and fix the additional issues those + unit tests identified. Based on a patch by Larry Isaacs. (markt) + + + Fix CVE-2014-0096: + Redefine the globalXsltFile initialisation parameter of the + DefaultServlet as relative to CATALINA_BASE/conf or CATALINA_HOME/conf. + Prevent user supplied XSLTs used by the DefaultServlet from defining + external entities. (markt) + + + + + + + In some circumstances asynchronous requests could time out too soon. + (markt) + + + 56172: Avoid possible request corruption when using the AJP + NIO connector and a request is sent using more than one AJP message. + Patch provided by Amund Elstad. (markt) + + + Add experimental NIO2 connector. Based on code developed by + Nabil Benothman. (remm) + + + Fix CVE-2014-0075: + Improve processing of chuck size from chunked headers. Avoid overflow + and use a bit shift instead of a multiplication as it is marginally + faster. (markt/kkolinko) + + + Fix CVE-2014-0095: + Correct regression introduced in 8.0.0-RC2 as part of the Servlet 3.1 + non-blocking IO support that broke handling of requests with an explicit + content length of zero. (markt/kkolinko) + + + Fix CVE-2014-0099: + Fix possible overflow when parsing long values from a byte array. 
+ (markt) + + + + + + + Change the default compiler source and compiler target versions to 1.7 + since Tomcat 8 requires a minimum of Java 7. (markt) + + + 56179: Fix parsing of EL expressions that contain unnecessary + parentheses. (markt) + + + 56177: Handle dependency tracking for TLDs when using JspC + with a tag library JAR that is located outside of the web application. + (markt) + + + Remove an unnecessary null check identified by FindBugs. (markt) + + + 56199: Restore validateXml option for JspC which determines + if web.xml will be parsed with a validating parser. (markt) + + + 56223: Throw an IllegalStateException if a call + is made to ServletContext.setInitParameter() after the + ServletContext has been initialized. (markt) + + + 56265: Do not escape values of dynamic tag attributes + containing EL expressions. (kkolinko) + + + Make the default compiler source and target versions for JSPs Java 7 + since Tomcat 8 requires Java 7 as a minimum. (markt) + + + 56283: Update to the Eclipse JDT Compiler P20140317-1600 + which adds support for Java 8 syntax to JSPs. Add support for value + "1.8" for the compilerSourceVM and + compilerTargetVM options. (markt) + + + + + + + Avoid a possible deadlock when one thread is shutting down a connection + while another thread is trying to write to it. (markt) + + + Avoid NPE when flushing batched messages. (markt) + + + + + + + 56093: Add the SSL Valve to the documentation web + application. (markt) + + + 56217: Improve readability by using left alignment for the + table cell containing the request information on the Manager application + status page. (markt) + + + Fixed java.lang.NegativeArraySizeException when using + "Expire sessions" command in the manager web application on a + context where the session timeout is disabled. (kfujino) + + + Add support for LAST_ACCESS_AT_START system property to + Manager web application. 
(kfujino) + + + + + + + 56115: Expose the httpusecaches property of + Ant's get task as some users may need to change the + default. Based on a suggestion by Anthony. (markt) + + + 56143: Improve service.bat so that it can be + launched from a non-UAC console. This includes using a single call to + tomcat8.exe to install the Windows service rather than + three calls, and using command line arguments instead of environment + variables to pass the settings. (markt/kkolinko) + + + Simplify Windows *.bat files: remove %OS% checks, as current java does + not run on ancient non-NT operating systems. (kkolinko) + + + Align options between service.bat and exe + Windows installer. For service.bat the changes are in + --Classpath, --DisplayName, --StartPath, --StopPath. For + exe installer the changes are in --JvmMs, --JvmMx options, + which are now 128 Mb and 256 Mb respectively instead of being empty. + Explicitly specify --LogPath path when uninstalling Windows service, + avoiding default value for that option. (kkolinko) + + + 56137: Explicitly use NIO connector in SSL example in + server.xml so it doesn't break if APR is enabled. (markt) + + + 56139: Avoid a web application class loader leak in some unit + tests when running on Windows. (markt) + + + Correct build script to avoid building JARs with empty packages. (markt) + + + Allow to limit JUnit test run to a number of selected test case + methods. (kkolinko) + + + Update Commons Pool 2 to 2.2. (markt) + + + Update Commons DBCP 2 to the 2.0 release. (markt) + + + 56189: Remove used file cpappend.bat from the distribution. + (markt) + + + 56204: Remove unnecessary dependency between tasks in the + build script. (markt) + + + Add definition of org.apache.catalina.ant.FindLeaksTask. + (kfujino) + + + Implement org.apache.catalina.ant.VminfoTask, + org.apache.catalina.ant.ThreaddumpTask and + org.apache.catalina.ant.SslConnectorCiphersTask. 
(kfujino) + + + Add the option to the Apache Ant tasks to ignore the constraint of the + first line of the response message that must be "OK -" + (ignoreResponseConstraint in AbstractCatalinaTask). + Default is false. (kfujino) + + + +
+
+ + + + Fix build of Apache Commons DBCP2 classes. (kkolinko) + + + Update Commons DBCP 2 to snapshot 170 dated 07 Feb 2014. This enables + DBCP to work with a SecurityManager such that only DBCP needs to be + granted the necessary permissions to communicate with the database. + (markt) + + + +
+
+ + + + 56082: Fix a concurrency bug in JULI's LogManager + implementation. (markt) + + + 56085: ServletContext.getRealPath(String) should + return null for invalid input rather than throwing an + IllegalArgumentException. (markt) + + + Fix WebDAV support that was broken by the refactoring for the new + resources implementation. (markt) + + + Simplify Catalina.initDirs(). (kkolinko) + + + 56096: When the attribute rmiBindAddress of the + JMX Remote Lifecycle Listener is specified it's value will be used when + constructing the address of a JMX API connector server. Patch is + provided by Jim Talbut. (violetagg) + + + When environment entry with one and the same name is defined in the web + deployment descriptor and with annotation then the one specified in the + web deployment descriptor is with priority. (violetagg) + + + Fix passing the value of false for xmlBlockExternal option + of Context to Jasper, as the default was changed in 8.0.1. (kkolinko) + + + + + + + Enable non-blocking reads to take place on non-container threads. + (markt) + + + + + + + Simplify the code of + o.a.c.ha.tcp.SimpleTcpCluster.createManager(String). + Remove unnecessary class cast. (kfujino) + + + + + + + In Manager web application improve handling of file upload errors. + Display a message instead of error 500 page. Simplify. (kkolinko) + + + + + + + 56104: Correct the version number on the welcome page of the + Windows installer. (markt) + + + Update Commons DBCP 2 to snapshot 168 dated 05 Feb 2014. (markt) + + + Fix CVE-2014-0050, a denial of service with a malicious, malformed + Content-Type header and multipart request processing. Fixed by merging + latest code (r1565159) from Commons FileUpload. (markt) + + + +
+
+ + + + Change default value of xmlBlockExternal attribute of + Context. It is true now. (kkolinko) + + + + + + + Correct regression in the fix for 55996 that meant that + asynchronous requests might timeout too early. (markt) + + + + + + + Change default value of the blockExternal attribute of + JspC task. The default value is true. Add support for + -no-blockExternal switch when JspC is run as a + standalone application. (kkolinko) + + + + + + + Do not return an empty string for the + Sec-WebSocket-Protocol HTTP header when no sub-protocol has + been requested or no sub-protocol could be agreed as RFC6455 requires + that no Sec-WebSocket-Protocol header is returned in this + case. (markt) + + + +
+
+ + + + Implement JSR 340 - Servlet 3.1. The JSR 340 implementation includes + contributions from Nick Williams and Jeremy Boynes. (markt) + + + Implement JSR 245 MR2 - JSP 2.3. (markt) + + + Implement JSR 341 - Unified Expression Language 3.0. (markt) + + + Implement JSR 356 - WebSockets. The JSR 356 implementation includes + contributions from Nick Williams, Rossen Stoyanchev and Niki Dokovski. + (markt) + + + 46727: Refactor default servlet to make it easier to + sub-class to implement finer grained control of the file encoding. Based + on a patch by Fred Toth. (markt) + + + 45995: Align Tomcat with Apache httpd and perform MIME type + mapping based on file extension in a case insensitive manner. (markt) + + + Remove duplicate code that converted a Host's appBase attribute to + a canonical file. (markt) + + + 51408: Replace calls to Charset.defaultCharset() + with an explicit reference to the ISO-8859-1 Charset. (markt) + + + Refactor initialization code to use a single, consistent approach to + determining the Catalina home (binary) and base (instance) directories. + The search order for home is catalina.home system property, + parent of current directory if boootstrap.jar is present and finally + current working directory. The search order for Catalina base is + catalina.base system property falling back to the value for + Catalina home. (markt) + + + 52092: JULI now uses the OneLineFormatter and + AsyncFileHandler by default. (markt) + + + 52558: Refactor CometConnectionManagerValve so + that it does not prevent the session from being serialized in when + running in a cluster. (markt) + + + 52767: Remove reference to MySQL specific autoReconnect + property in JDBCAccessLogValve. (markt) + + + Make the Mapper type-safe. Hosts, Contexts and Wrappers are no + longer handled as plain objects, instead they keep their type. + Code using the Mapper doesn't need to cast objects returned by + the mapper. 
(rjung) + + + Move Manager, Loader and Resources from Container to Context since + Context is the only place they are used. The documentation already + states (and has done for some time) that Context is the only valid + location for these nested components. (markt) + + + Move the Mapper from the Connector to the Service since the Mapper is + identical for all Connectors of a given Service and it is common for + there to be multiple Connectors for a Service (http, https and ajp). + This means there is now only ever one Mapper per Service rather than + possibly multiple identically configured Mapper objects. (markt) + + + Remove the per Context Mapper objects and use the Mapper from the + Service. This removes the need to maintain two copies of the mappings + for Servlets and Filters. (markt) + + + Implement a new Resources implementation that merges Aliases, + VirtualLoader, VirtualDirContext, JAR resources and external + repositories into a single framework rather than a separate one for each + feature. (markt) + + + URL rewrite valve, similar in functionality to mod_rewrite. (remm) + + + Port storeconfig functionality, which can persist to server.xml and + context.xml runtime container configuration changes. (remm) + + + 54095: Add support to the Default Servlet for serving + gzipped versions of static resources directly from disk as an + alternative to Tomcat compressing them on each request. Patch by + Philippe Marschall. (markt) + + + 54708: Change the name of the working directory for the ROOT + application (located under $CATALINA_BASE/work by default) from _ to + ROOT. (markt) + + + Change default configuration so that a change to the global web.xml file + will trigger a reload of all web applications. (markt) + + + 55101: Make BASIC authentication more tolerant of whitespace. + Patch provided by Brian Burch. 
(markt) + + + 55166: Move JSP descriptor and tag library descriptor schemas + to servlet-api.jar to enable relative references between the schemas to + be correctly resolved. (markt) + + + Refactor the descriptor parsing code into a separate module that can be + used by both Catalina and Jasper. Includes patches provided by Jeremy + Boynes. (violetagg/markt) + + + 55246: Move TLD scanning to a ServletContainerInitializer + provided by Jasper. Includes removal of TldConfig lifecycle listener and + associated Context properties. (jboynes) + + + 55317: Facilitate weaving by allowing ClassFileTransformer to + be added to WebappClassLoader. Patch by Nick Williams. (markt) + + + 55620: Enable Tomcat to start when either $CATALINA_HOME + and/or $CATALINA_BASE contains a comma character. Prevent Tomcat from + starting when $CATALINA_HOME and/or $CATALINA_BASE contains a semi-colon + on Windows. Prevent Tomcat from starting when $CATALINA_HOME and/or + $CATALINA_BASE contains a colon on Linux/FreeBSD/etc. (markt) + + + Initialize the JSP runtime in Jasper's initializer to avoid need for a + Jasper-specific lifecycle listener. JasperListener has been + removed. (jboynes) + + + Change ordering of elements of JMX objects names so components are + grouped more logically in JConsole. Generally, components are now + grouped by Host and then by Context. (markt) + + + Context listener to allow better EE and framework integration. (remm) + + + 57896: Support defensive copying of "cookie" header so that + unescaping double quotes in a cookie value does not corrupt original + value of "cookie" header. This is an opt-in feature, enabled by + org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER + system property. (remm/kkolinko) + + + + + + + Experimental support for SPDY. Includes contributions from Sheldon Shao. 
+ (costin) + + + The default connector is now the Java NIO connector even when specifying + HTTP/1.1 as protocol (fhanik) + + + Update default value of pollerThreadCount for the NIO connector. The new + default value will never go above 2 regardless of available processors. + (fhanik) + + + 54010: Remove some unnecessary code (duplicate calls to + configure the scheme as https for AJP requests originally received over + HTTPS). (markt) + + + Refactor char encoding/decoding using NIO APIs. (remm) + + + Change the default URIEncoding for all connectors from ISO-8859-1 to + UTF-8. (markt) + + + + + + + Simplify API of ErrorDispatcher class by using varargs. + (kkolinko) + + + Update Jasper to use the new common web.xml parsing code. Includes + patches by Jeremy Boynes. (markt/violetagg) + + + Create test cases for JspC. Patch by Jeremy Boynes. (markt) + + + 55246: TLD scanning is now performed by JasperInitializer + (a ServletContainerInitializer) removing the need for support within the + Servlet container itself. The scan is now performed only once rather than + in two passes reducing startup time. (jboynes) + + + 55251: Do not allow JspC task to fail silently if the web.xml + or web.xml fragment can not be generated. (markt) + + + + + + + Remove unused JvmRouteSessionIDBinderListener and SessionIDMessage. + (kfujino) + + + Modify method signature in ReplicationValve. Cluster instance is not + necessary to argument of method. (kfujino) + + + Remove unused expireSessionsOnShutdown attribute in + org.apache.catalina.ha.session.BackupManager. (kfujino) + + + + + + + Extend the diagnostic information provided by the Manager web + application to include details of the configured SSL ciphers suites for + each connector. (markt) + + + 48550: Update examples web application to use UTF-8. (markt) + + + 55383: Improve the design and correct the HTML markup of + the documentation web application. Patches provided by Konstantin + Preißer. 
(markt) + + + + + + + Refactor AbstractReplicatedMap to use generics. A key + side-effect of this is that the class now implements + Map<K,V> rather than extends + ConcurrentMap. (markt) + + + + + + + Remove unused, deprecated code. (markt) + + + Remove static info String and associated getInfo() method where present. + (markt) + + + (1353242, 1353410): + Remove Ant tasks jasper2 and jkstatus. + The correct names are jasper and jkupdate. + (kkolinko) + + + 53529: Clean-up the handling of + InterruptedException throughout the code base. (markt) + + + 54899: Provide an initial implementation of NetBeans support. + Patch provided by Brian Burch. (markt) + + + 55166: Move the JSP descriptor and tag library descriptor + schema definition files from jsp-api.jar to servlet-api.jar so relative + includes between the J2EE, Servlet and JSP schemas are correctly + resolved. (markt) + + + 55372: When starting Tomcat with the jpda option + to enable remote debugging, by default only listen on localhost for + connections from a debugger. Prior to this change, Tomcat listened on + all known addresses. (markt) + + + +
+ +
diff --git webapps/docs/config/http.xml webapps/docs/config/http.xml
index 4384fce..1ccdcfb 100644
--- webapps/docs/config/http.xml
+++ webapps/docs/config/http.xml
@@ -1017,7 +1017,8 @@

The certificate revocation list to be used to verify client certificates. If not defined, client certificates will not be checked
- against a certificate revocation list.

+ against a certificate revocation list. The file may be specified using a
+ URL, an absolute path or a relative (to CATAINA_BASE) path.

@@ -1042,7 +1043,8 @@ the file ".keystore" in the operating system home directory of the user that is running Tomcat. If your keystoreType doesn't need a file use ""
- (empty string) for this parameter.

+ (empty string) for this parameter. The file may be specified using a
+ URL, an absolute path or a relative (to CATAINA_BASE) path.

@@ -1136,7 +1138,8 @@

The trust store file to use to validate client certificates. The default is the value of the javax.net.ssl.trustStore system property. If neither this attribute nor the default system property is
- set, no trust store will be configured.

+ set, no trust store will be configured. The file may be specified using a
+ URL, an absolute path or a relative (to CATAINA_BASE) path.

diff --git webapps/docs/config/realm.xml webapps/docs/config/realm.xml
index 34c4c8b..9b3007a 100644
--- webapps/docs/config/realm.xml
+++ webapps/docs/config/realm.xml
@@ -811,8 +811,8 @@
-

Absolute or relative (to $CATALINA_BASE) pathname to the XML file
- containing our user information. See below for details on the
+

URL, absolute path or relative path (to $CATALINA_BASE) for the XML
+ file containing our user information. See below for details on the
 XML element format required. If no pathname is specified, the default value is conf/tomcat-users.xml.

diff --git webapps/docs/jndi-resources-howto.xml webapps/docs/jndi-resources-howto.xml
index 0a5e36f..1df48c4 100644
--- webapps/docs/jndi-resources-howto.xml
+++ webapps/docs/jndi-resources-howto.xml
@@ -471,8 +471,9 @@ public class MyBean2 { pathname="conf/tomcat-users.xml" readonly="false" />]]>
-

The pathname attribute can be absolute or relative. If
- relative, it is relative to $CATALINA_BASE.

+

The pathname attribute can be a URL, an absolute path or a
+ relative path. If relative, it is relative to $CATALINA_BASE.
+

The readonly attribute is optional and defaults to true if not supplied. If the XML is writeable then it will be