
(-)java/org/apache/catalina/loader/WebappLoader.java (-2 / +2 lines)
Lines 57-63 import org.apache.catalina.core.StandardContext; Link Here
57
import org.apache.catalina.mbeans.MBeanUtils;
57
import org.apache.catalina.mbeans.MBeanUtils;
58
import org.apache.catalina.util.LifecycleMBeanBase;
58
import org.apache.catalina.util.LifecycleMBeanBase;
59
import org.apache.naming.resources.DirContextURLStreamHandler;
59
import org.apache.naming.resources.DirContextURLStreamHandler;
60
import org.apache.naming.resources.DirContextURLStreamHandlerFactory;
60
import org.apache.naming.resources.TomcatURLStreamHandlerFactory;
61
import org.apache.naming.resources.Resource;
61
import org.apache.naming.resources.Resource;
62
import org.apache.tomcat.util.ExceptionUtils;
62
import org.apache.tomcat.util.ExceptionUtils;
63
import org.apache.tomcat.util.modeler.Registry;
63
import org.apache.tomcat.util.modeler.Registry;
Lines 560-566 public class WebappLoader extends LifecycleMBeanBase Link Here
560
560
561
        // Register a stream handler factory for the JNDI protocol
561
        // Register a stream handler factory for the JNDI protocol
562
        URLStreamHandlerFactory streamHandlerFactory =
562
        URLStreamHandlerFactory streamHandlerFactory =
563
                DirContextURLStreamHandlerFactory.getInstance();
563
                TomcatURLStreamHandlerFactory.getInstance();
564
        if (first) {
564
        if (first) {
565
            first = false;
565
            first = false;
566
            try {
566
            try {
(-)java/org/apache/catalina/realm/MemoryRealm.java (-23 / +36 lines)
Lines 19-35 Link Here
19
package org.apache.catalina.realm;
19
package org.apache.catalina.realm;
20
20
21
21
22
import java.io.File;
22
import java.io.IOException;
23
import java.io.InputStream;
23
import java.security.Principal;
24
import java.security.Principal;
24
import java.util.ArrayList;
25
import java.util.ArrayList;
25
import java.util.HashMap;
26
import java.util.HashMap;
26
import java.util.Map;
27
import java.util.Map;
27
28
28
import org.apache.catalina.Globals;
29
import org.apache.catalina.LifecycleException;
29
import org.apache.catalina.LifecycleException;
30
import org.apache.juli.logging.Log;
30
import org.apache.juli.logging.Log;
31
import org.apache.juli.logging.LogFactory;
31
import org.apache.juli.logging.LogFactory;
32
import org.apache.tomcat.util.digester.Digester;
32
import org.apache.tomcat.util.digester.Digester;
33
import org.apache.tomcat.util.file.ConfigFileLoader;
33
34
34
35
35
/**
36
/**
Lines 282-311 public class MemoryRealm extends RealmBase { Link Here
282
    @Override
283
    @Override
283
    protected void startInternal() throws LifecycleException {
284
    protected void startInternal() throws LifecycleException {
284
285
285
        // Validate the existence of our database file
286
        String pathName = getPathname();
286
        File file = new File(pathname);
287
        InputStream is = null;
287
        if (!file.isAbsolute())
288
288
            file = new File(System.getProperty(Globals.CATALINA_BASE_PROP), pathname);
289
        if (!file.exists() || !file.canRead())
290
            throw new LifecycleException
291
                (sm.getString("memoryRealm.loadExist",
292
                              file.getAbsolutePath()));
293
294
        // Load the contents of the database file
295
        if (log.isDebugEnabled())
296
            log.debug(sm.getString("memoryRealm.loadPath",
297
                             file.getAbsolutePath()));
298
        Digester digester = getDigester();
299
        try {
289
        try {
300
            synchronized (digester) {
290
            is = ConfigFileLoader.getInputStream(pathName);
301
                digester.push(this);
291
302
                digester.parse(file);
292
            // Load the contents of the database file
293
            if (log.isDebugEnabled()) {
294
                log.debug(sm.getString("memoryRealm.loadPath", pathName));
303
            }
295
            }
304
        } catch (Exception e) {
296
305
            throw new LifecycleException
297
            Digester digester = getDigester();
306
                (sm.getString("memoryRealm.readXml"), e);
298
            try {
299
                synchronized (digester) {
300
                    digester.push(this);
301
                    digester.parse(is);
302
                }
303
            } catch (Exception e) {
304
                throw new LifecycleException
305
                        (sm.getString("memoryRealm.readXml"), e);
306
            } finally {
307
                digester.reset();
308
            }
309
310
        } catch (IOException ioe) {
311
            throw new LifecycleException(sm.getString("memoryRealm.loadExist",
312
                            pathName), ioe);
313
307
        } finally {
314
        } finally {
308
            digester.reset();
315
            if (is != null) {
316
                try {
317
                    is.close();
318
                } catch (IOException e) {
319
                    // ignore
320
                }
321
            }
309
        }
322
        }
310
323
311
        super.startInternal();
324
        super.startInternal();
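Review bot: The realm's user file is now opened with `ConfigFileLoader.getInputStream(pathName)` in `startInternal()`, and that loader (added later in this patch) leaves absolute URIs alone, so `pathname` may now name an `http:` or other remote location and the credentials file would be read over whatever transport that scheme provides. The same applies to the `MemoryUserDatabase` hunk and to the keystore and CRL loads in `JSSESocketFactory`. If remote loading is intended, I would state it where `pathname` is documented and consider limiting the schemes accepted for these security-sensitive files; a comment such as `// pathName may be a URL or a file path; relative paths resolve against CATALINA_BASE` above the call would at least make the new contract visible. The `memoryRealm.loadExist` and `memoryRealm.loadPath` messages now carry the configured string rather than the resolved absolute path, which makes it harder to see which file was actually read. The method continues past the end of the hunk.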
(-)java/org/apache/catalina/users/MemoryUserDatabase.java (-38 / +31 lines)
Lines 17-25 Link Here
17
package org.apache.catalina.users;
17
package org.apache.catalina.users;
18
18
19
import java.io.File;
19
import java.io.File;
20
import java.io.FileInputStream;
21
import java.io.FileOutputStream;
20
import java.io.FileOutputStream;
22
import java.io.IOException;
21
import java.io.IOException;
22
import java.io.InputStream;
23
import java.io.OutputStreamWriter;
23
import java.io.OutputStreamWriter;
24
import java.io.PrintWriter;
24
import java.io.PrintWriter;
25
import java.util.HashMap;
25
import java.util.HashMap;
Lines 34-39 import org.apache.juli.logging.Log; Link Here
34
import org.apache.juli.logging.LogFactory;
34
import org.apache.juli.logging.LogFactory;
35
import org.apache.tomcat.util.digester.AbstractObjectCreationFactory;
35
import org.apache.tomcat.util.digester.AbstractObjectCreationFactory;
36
import org.apache.tomcat.util.digester.Digester;
36
import org.apache.tomcat.util.digester.Digester;
37
import org.apache.tomcat.util.file.ConfigFileLoader;
37
import org.apache.tomcat.util.res.StringManager;
38
import org.apache.tomcat.util.res.StringManager;
38
import org.xml.sax.Attributes;
39
import org.xml.sax.Attributes;
39
40
Lines 394-445 public class MemoryUserDatabase implements UserDatabase { Link Here
394
                groups.clear();
395
                groups.clear();
395
                roles.clear();
396
                roles.clear();
396
397
397
                // Construct a reader for the XML input file (if it exists)
398
                String pathName = getPathname();
398
                File file = new File(pathname);
399
                InputStream is = null;
399
                if (!file.isAbsolute()) {
400
                    file = new File(System.getProperty(Globals.CATALINA_BASE_PROP),
401
                                    pathname);
402
                }
403
                if (!file.exists()) {
404
                    log.error(sm.getString("memoryUserDatabase.fileNotFound",
405
                            file.getAbsolutePath()));
406
                    return;
407
                }
408
400
409
                // Construct a digester to read the XML input file
410
                Digester digester = new Digester();
411
                try {
412
                    digester.setFeature(
413
                            "http://apache.org/xml/features/allow-java-encodings",
414
                            true);
415
                } catch (Exception e) {
416
                    log.warn(sm.getString("memoryUserDatabase.xmlFeatureEncoding"), e);
417
                }
418
                digester.addFactoryCreate
419
                    ("tomcat-users/group",
420
                     new MemoryGroupCreationFactory(this), true);
421
                digester.addFactoryCreate
422
                    ("tomcat-users/role",
423
                     new MemoryRoleCreationFactory(this), true);
424
                digester.addFactoryCreate
425
                    ("tomcat-users/user",
426
                     new MemoryUserCreationFactory(this), true);
427
428
                // Parse the XML input file to load this database
429
                FileInputStream fis = null;
430
                try {
401
                try {
431
                    fis =  new FileInputStream(file);
402
                    is = ConfigFileLoader.getInputStream(pathName);
432
                    digester.parse(fis);
403
404
                    // Construct a digester to read the XML input file
405
                    Digester digester = new Digester();
406
                    try {
407
                        digester.setFeature(
408
                                "http://apache.org/xml/features/allow-java-encodings",
409
                                true);
410
                    } catch (Exception e) {
411
                        log.warn(sm.getString("memoryUserDatabase.xmlFeatureEncoding"), e);
412
                    }
413
                    digester.addFactoryCreate
414
                            ("tomcat-users/group",
415
                                    new MemoryGroupCreationFactory(this), true);
416
                    digester.addFactoryCreate
417
                            ("tomcat-users/role",
418
                                    new MemoryRoleCreationFactory(this), true);
419
                    digester.addFactoryCreate
420
                            ("tomcat-users/user",
421
                                    new MemoryUserCreationFactory(this), true);
422
423
                    // Parse the XML input to load this database
424
                    digester.parse(is);
425
                } catch (IOException ioe) {
426
                    log.error(sm.getString("memoryUserDatabase.fileNotFound", pathName));
433
                } finally {
427
                } finally {
434
                    if (fis != null) {
428
                    if (is != null) {
435
                        try {
429
                        try {
436
                            fis.close();
430
                            is.close();
437
                        } catch (IOException ioe) {
431
                        } catch (IOException ioe) {
438
                            // Ignore
432
                            // Ignore
439
                        }
433
                        }
440
                    }
434
                    }
441
                }
435
                }
442
443
            }
436
            }
444
        }
437
        }
445
438
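Review bot: The new `catch (IOException ioe)` around the load logs `memoryUserDatabase.fileNotFound` for every I/O failure and drops the exception, so a read error in the middle of `digester.parse(is)` is reported as a missing file with no cause, after `groups` and `roles` have already been cleared. As far as the hunk shows, the removed code had no catch and let an IOException from the parse propagate to the caller. I would at least keep the cause, `log.error(sm.getString("memoryUserDatabase.fileNotFound", pathName), ioe);`, and consider a separate message for failures that are not a missing resource. The enclosing method starts and ends outside the hunk.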
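--- a/java/org/apache/naming/resources/ClasspathURLStreamHandler.java
+++ b/java/org/apache/naming/resources/ClasspathURLStreamHandler.java
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.naming.resources;
+
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.net.URL;
+import java.net.URLConnection;
+import java.net.URLStreamHandler;
+
+import org.apache.tomcat.util.res.StringManager;
+
+public class ClasspathURLStreamHandler extends URLStreamHandler {
+
+    private static final StringManager sm =
+            StringManager.getManager(Constants.Package);
+
+
+    @Override
+    protected URLConnection openConnection(URL u) throws IOException {
+        String path = u.getPath();
+
+        // Thread context class loader first
+        URL classpathUrl = Thread.currentThread().getContextClassLoader().getResource(path);
+        if (classpathUrl == null) {
+            // This class's class loader if no joy with the tccl
+            classpathUrl = ClasspathURLStreamHandler.class.getResource(path);
+        }
+
+        if (classpathUrl == null) {
+            throw new FileNotFoundException(sm.getString("classpathUrlStreamHandler.notFound", u));
+        }
+
+        return classpathUrl.openConnection();
+    }
+}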
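Review bot: In `openConnection`, `u.getPath()` is handed unchanged to both lookups, but `ClassLoader.getResource` expects a name without a leading slash while `Class.getResource` treats a name without one as relative to this class's package, so for a URL written as `classpath:/a/b` the thread context class loader lookup will normally return null and only the fallback can succeed. `Thread.currentThread().getContextClassLoader()` may also be null, which would surface as a NullPointerException instead of the `FileNotFoundException` the method otherwise reports. I would normalise the name once, null-check the loader and use the same absolute name for both lookups, as sketched below; note that this makes `classpath:a/b` absolute as well, where today it is package-relative in the fallback. The class also has no Javadoc saying which loaders are consulted and in what order, which matters once such a URL can name a keystore or a user file.

```java
    @Override
    protected URLConnection openConnection(URL u) throws IOException {
        String path = u.getPath();
        // ClassLoader lookups take names without a leading slash
        String name = path.startsWith("/") ? path.substring(1) : path;

        // Thread context class loader first, if there is one
        URL classpathUrl = null;
        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
        if (tccl != null) {
            classpathUrl = tccl.getResource(name);
        }
        if (classpathUrl == null) {
            // Then the loader of this class, with the same absolute name
            ClassLoader own = ClasspathURLStreamHandler.class.getClassLoader();
            classpathUrl = (own != null)
                    ? own.getResource(name) : ClassLoader.getSystemResource(name);
        }
        // … unchanged: not-found check and classpathUrl.openConnection() …
```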
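--- a/java/org/apache/naming/resources/DirContextURLStreamHandlerFactory.java
+++ b/java/org/apache/naming/resources/DirContextURLStreamHandlerFactory.java
@@ -1,80 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- * 
- *      http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */ 
-
-package org.apache.naming.resources;
-
-import java.net.URLStreamHandler;
-import java.net.URLStreamHandlerFactory;
-import java.util.List;
-import java.util.concurrent.CopyOnWriteArrayList;
-
-/**
- * Factory for Stream handlers to a JNDI directory context that also supports
- * users specifying additional stream handler.
- * 
- * @author <a href="mailto:remm@apache.org">Remy Maucherat</a>
- */
-public class DirContextURLStreamHandlerFactory
-        implements URLStreamHandlerFactory {
-    
-    // Singleton
-    private static DirContextURLStreamHandlerFactory instance =
-        new DirContextURLStreamHandlerFactory();
-
-    public static DirContextURLStreamHandlerFactory getInstance() {
-        return instance;
-    }
-
-    public static void addUserFactory(URLStreamHandlerFactory factory) {
-        instance.userFactories.add(factory);
-    }
-
-
-    private List<URLStreamHandlerFactory> userFactories =
-        new CopyOnWriteArrayList<URLStreamHandlerFactory>();
-
-    private DirContextURLStreamHandlerFactory() {
-        // Hide the default constructor
-    }
-    
-    
-    /**
-     * Creates a new URLStreamHandler instance with the specified protocol.
-     * Will return null if the protocol is not <code>jndi</code>.
-     * 
-     * @param protocol the protocol (must be "jndi" here)
-     * @return a URLStreamHandler for the jndi protocol, or null if the 
-     * protocol is not JNDI
-     */
-    @Override
-    public URLStreamHandler createURLStreamHandler(String protocol) {
-        if (protocol.equals("jndi")) {
-            return new DirContextURLStreamHandler();
-        } else {
-            for (URLStreamHandlerFactory factory : userFactories) {
-                URLStreamHandler handler =
-                    factory.createURLStreamHandler(protocol);
-                if (handler != null) {
-                    return handler;
-                }
-            }
-            return null;
-        }
-    }
-    
-    
-}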
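--- a/java/org/apache/naming/resources/LocalStrings.properties
+++ b/java/org/apache/naming/resources/LocalStrings.properties
@@ -43,3 +43,4 @@ standardResources.exists=File base {0} does not exist
 standardResources.notStarted=Resources has not yet been started
 standardResources.null=Document base cannot be null
 standardResources.slash=Document base {0} must not end with a slash
+classpathUrlStreamHandler.notFound=Unable to load the resource [{0}] using the thread context class loader or the current class's class loader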
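--- a/java/org/apache/naming/resources/TomcatURLStreamHandlerFactory.java
+++ b/java/org/apache/naming/resources/TomcatURLStreamHandlerFactory.java
@@ -0,0 +1,83 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */ 
+
+package org.apache.naming.resources;
+
+import java.net.URLStreamHandler;
+import java.net.URLStreamHandlerFactory;
+import java.util.List;
+import java.util.concurrent.CopyOnWriteArrayList;
+
+/**
+ * Factory for Stream handlers to a JNDI directory context,
+ * or for Stream handlers to a classpath url,
+ * which also supports users specifying additional stream handler.
+ * 
+ * @author <a href="mailto:remm@apache.org">Remy Maucherat</a>
+ */
+public class TomcatURLStreamHandlerFactory
+        implements URLStreamHandlerFactory {
+    
+    // Singleton
+    private static TomcatURLStreamHandlerFactory instance =
+        new TomcatURLStreamHandlerFactory();
+
+    public static TomcatURLStreamHandlerFactory getInstance() {
+        return instance;
+    }
+
+    public static void addUserFactory(URLStreamHandlerFactory factory) {
+        instance.userFactories.add(factory);
+    }
+
+
+    private List<URLStreamHandlerFactory> userFactories =
+        new CopyOnWriteArrayList<URLStreamHandlerFactory>();
+
+    private TomcatURLStreamHandlerFactory() {
+        // Hide the default constructor
+    }
+    
+    
+    /**
+     * Creates a new URLStreamHandler instance with the specified protocol.
+     * Will return null if the protocol is not <code>jndi</code>.
+     * 
+     * @param protocol the protocol (must be "jndi" here)
+     * @return a URLStreamHandler for the jndi protocol, or null if the 
+     * protocol is not JNDI
+     */
+    @Override
+    public URLStreamHandler createURLStreamHandler(String protocol) {
+        if (protocol.equals("jndi")) {
+            return new DirContextURLStreamHandler();
+        } else if (protocol.equals("classpath")) {
+            return new ClasspathURLStreamHandler();
+        } else {
+            for (URLStreamHandlerFactory factory : userFactories) {
+                URLStreamHandler handler =
+                    factory.createURLStreamHandler(protocol);
+                if (handler != null) {
+                    return handler;
+                }
+            }
+            return null;
+        }
+    }
+    
+    
+}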
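Review bot: The Javadoc on `createURLStreamHandler` was carried over from the old factory and still says the method returns null unless the protocol is `jndi` and that `protocol` "must be "jndi" here", which no longer matches the body now that `classpath` is handled and the user factories are consulted. I would reword the summary to `Returns a handler for the jndi or classpath protocol, otherwise the first non-null handler offered by a registered user factory, or null if none applies.` and update `@param` and `@return` to match. Because `addUserFactory` is public and static and a registered factory can supply handlers for any protocol this class does not recognise, a sentence on who is expected to call it would also help; the `instance` field could be declared `final` while the file is new.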
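--- a/java/org/apache/tomcat/util/file/ConfigFileLoader.java
+++ b/java/org/apache/tomcat/util/file/ConfigFileLoader.java
@@ -0,0 +1,68 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+package org.apache.tomcat.util.file;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URI;
+import java.net.URL;
+
+/**
+ * This class is used to obtain {@link InputStream}s for configuration files
+ * from a given location String. This allows greater flexibility than these
+ * files having to be loaded directly from a file system.
+ */
+public class ConfigFileLoader {
+
+    private static final URI CATALINA_BASE_URI;
+
+    static {
+        File catalinaBase = new File(System.getProperty("catalina.base"));
+        CATALINA_BASE_URI = catalinaBase.toURI();
+    }
+
+    private ConfigFileLoader() {
+        // Utility class. Hide the default constructor.
+    }
+
+
+    /**
+     * Load the resource from the specified location.
+     *
+     * @param location The location for the resource of interest. The location
+     *                 may be a URL or a file path. Relative paths will be
+     *                 resolved against CATALINA_BASE.
+     *
+     * @return The InputStream for the given resource. The caller is responsible
+     *         for closing this stream when it is no longer used.
+     *
+     * @throws IOException If an InputStream cannot be created using the
+     *                     provided location
+     */
+    public static InputStream getInputStream(String location) throws IOException {
+
+        // Absolute URIs will be left alone
+        // Relative files will be resolved relative to catalina base
+        // Absolute files will be converted to URIs
+        URI uri = CATALINA_BASE_URI.resolve(location);
+        URL url = uri.toURL();
+
+        return url.openConnection().getInputStream();
+    }
+}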
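Review bot: `getInputStream` passes the raw location to `CATALINA_BASE_URI.resolve(String)`, which parses it as a URI, so a plain file path containing a space or a backslash throws IllegalArgumentException (not the declared IOException the callers in this patch catch), and a Windows path such as `C:/conf/x` is read as a URI with scheme `C`. The comment "Absolute files will be converted to URIs" describes a step the body never performs, and the default `keystoreFile` in `AbstractEndpoint` is built from `user.home`, which contains backslashes on Windows. I would try the location as a file first and fall back to URI resolution, turning a syntax failure into an IOException, as sketched below (it needs `java.io.FileInputStream`). The static initialiser also fails with a NullPointerException when `catalina.base` is not set, which would make the class unusable in tests or embedded use; that deserves a guard or a note in the class Javadoc.

```java
    public static InputStream getInputStream(String location) throws IOException {

        // Try the location as a file first: plain paths may contain spaces,
        // backslashes or a drive letter, none of which survive URI parsing
        File f = new File(location);
        if (!f.isAbsolute()) {
            f = new File(System.getProperty("catalina.base"), location);
        }
        if (f.isFile()) {
            return new FileInputStream(f);
        }

        // Otherwise treat it as a URI and report bad syntax as an IOException
        URI uri;
        try {
            uri = CATALINA_BASE_URI.resolve(location);
        } catch (IllegalArgumentException e) {
            throw new IOException(e.getMessage(), e);
        }
        // … unchanged: uri.toURL() and openConnection().getInputStream() …
```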
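--- a/java/org/apache/tomcat/util/net/AbstractEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
@@ -16,7 +16,6 @@
  */
 package org.apache.tomcat.util.net;
 
-import java.io.File;
 import java.io.OutputStreamWriter;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
@@ -728,25 +727,6 @@ public abstract class AbstractEndpoint<S> {
         }
     }
 
-
-    public String adjustRelativePath(String path, String relativeTo) {
-        // Empty or null path can't point to anything useful. The assumption is
-        // that the value is deliberately empty / null so leave it that way.
-        if (path == null || path.length() == 0) {
-            return path;
-        }
-        String newPath = path;
-        File f = new File(newPath);
-        if ( !f.isAbsolute()) {
-            newPath = relativeTo + File.separator + newPath;
-            f = new File(newPath);
-        }
-        if (!f.exists()) {
-            getLog().warn("configured file:["+newPath+"] does not exist.");
-        }
-        return newPath;
-    }
-
     protected abstract Log getLog();
     // Flags to indicate optional feature support
     // Some of these are always hard-coded, some are hard-coded to false (i.e.
@@ -833,8 +813,7 @@ public abstract class AbstractEndpoint<S> {
     private String keystoreFile = System.getProperty("user.home")+"/.keystore";
     public String getKeystoreFile() { return keystoreFile;}
     public void setKeystoreFile(String s ) {
-        keystoreFile = adjustRelativePath(s,
+        keystoreFile = s;
-                System.getProperty(Constants.CATALINA_BASE_PROP));
     }
 
     private String keystorePass = null;
@@ -874,8 +853,7 @@ public abstract class AbstractEndpoint<S> {
     private String truststoreFile = System.getProperty("javax.net.ssl.trustStore");
     public String getTruststoreFile() {return truststoreFile;}
     public void setTruststoreFile(String s) {
-        truststoreFile = adjustRelativePath(s,
+        truststoreFile = s;
-                System.getProperty(Constants.CATALINA_BASE_PROP));
     }
 
     private String truststorePass =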
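Review bot: `setKeystoreFile` and `setTruststoreFile` now store the configured string as given, so `getKeystoreFile()` and `getTruststoreFile()` return an unresolved value, and any consumer that still opens it with `File` instead of `ConfigFileLoader` would resolve a relative path against the working directory rather than CATALINA_BASE; callers outside this page should be checked for that. The warning that `adjustRelativePath` logged for a configured file that does not exist is also gone, so a mistyped store path is first noticed when the store is loaded. Neither setter says what it accepts; I would add `/** Location of the keystore: a URL or a file path; relative paths are resolved against CATALINA_BASE when the store is loaded. */` and the equivalent on the truststore setter. `adjustRelativePath` was public, so removing it outright can break code outside this class that called it.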
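--- a/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
+++ b/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
@@ -17,8 +17,6 @@
 
 package org.apache.tomcat.util.net.jsse;
 
-import java.io.File;
-import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
@@ -63,6 +61,7 @@ import javax.net.ssl.X509KeyManager;
 
 import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.compat.JreVendor;
+import org.apache.tomcat.util.file.ConfigFileLoader;
 import org.apache.tomcat.util.net.AbstractEndpoint;
 import org.apache.tomcat.util.net.Constants;
 import org.apache.tomcat.util.net.SSLUtil;
@@ -431,12 +430,7 @@ public class JSSESocketFactory implements ServerSocketFactory, SSLUtil {
             }
             if(!("PKCS11".equalsIgnoreCase(type) ||
                     "".equalsIgnoreCase(path))) {
-                File keyStoreFile = new File(path);
+                istream = ConfigFileLoader.getInputStream(path);
-                if (!keyStoreFile.isAbsolute()) {
-                    keyStoreFile = new File(System.getProperty(
-                            Constants.CATALINA_BASE_PROP), path);
-                }
-                istream = new FileInputStream(keyStoreFile);
             }
 
             char[] storePass = null;
@@ -718,16 +712,11 @@ public class JSSESocketFactory implements ServerSocketFactory, SSLUtil {
     protected Collection<? extends CRL> getCRLs(String crlf)
         throws IOException, CRLException, CertificateException {
 
-        File crlFile = new File(crlf);
-        if( !crlFile.isAbsolute() ) {
-            crlFile = new File(
-                    System.getProperty(Constants.CATALINA_BASE_PROP), crlf);
-        }
         Collection<? extends CRL> crls = null;
         InputStream is = null;
         try {
             CertificateFactory cf = CertificateFactory.getInstance("X.509");
-            is = new FileInputStream(crlFile);
+            is = ConfigFileLoader.getInputStream(crlf);
             crls = cf.generateCRLs(is);
         } catch(IOException iex) {
             throw iex;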
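--- a/test/org/apache/naming/resources/TestClasspathUrlStreamHandler.java
+++ b/test/org/apache/naming/resources/TestClasspathUrlStreamHandler.java
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.naming.resources;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URL;
+import java.util.Properties;
+
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class TestClasspathUrlStreamHandler {
+
+    @BeforeClass
+    public static void setup() {
+        URL.setURLStreamHandlerFactory(TomcatURLStreamHandlerFactory.getInstance());
+    }
+
+    @Test
+    public void testClasspathURL01() throws IOException {
+        URL u = new URL("classpath:/org/apache/naming/resources/LocalStrings.properties");
+        InputStream is = u.openStream();
+        Properties p = new Properties();
+        p.load(is);
+        String msg = (String) p.get("resources.null");
+        Assert.assertEquals("Document base cannot be null",  msg);
+    }
+}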
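Review bot: `setup()` calls `URL.setURLStreamHandlerFactory`, which a JVM accepts only once, so this class fails with an Error whenever another test in the same JVM has already installed a factory; the removed `TestDirContextURLStreamHandlerFactory` did so, and its replacement added later in this patch presumably does too. The stream opened in `testClasspathURL01` is never closed; I would wrap the load as `try { p.load(is); } finally { is.close(); }`. The test covers only the leading-slash form of the URL, so the thread context class loader branch and the not-found path of `ClasspathURLStreamHandler` are not exercised; a case for a missing resource expecting `FileNotFoundException` would pin the error contract.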
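--- a/test/org/apache/naming/resources/TestDirContextURLStreamHandlerFactory.java
+++ b/test/org/apache/naming/resources/TestDirContextURLStreamHandlerFactory.java
@@ -1,82 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.naming.resources;
-
-import java.net.MalformedURLException;
-import java.net.URL;
-import java.net.URLStreamHandler;
-import java.net.URLStreamHandlerFactory;
-
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertNull;
-
-import org.junit.Test;
-
-public class TestDirContextURLStreamHandlerFactory {
-
-    @Test
-    public void testUserSuppliedFactory() throws Exception {
-
-        URL url = null;
-
-        // Initially unknown
-        try {
-            url = new URL("foo://www.apache.org");
-        } catch (MalformedURLException ignore) {
-            // Ignore
-        }
-        assertNull(url);
-
-        // Set the factory
-        URL.setURLStreamHandlerFactory(
-                DirContextURLStreamHandlerFactory.getInstance());
-
-        // Still unknown
-        try {
-            url = new URL("foo://www.apache.org");
-        } catch (MalformedURLException ignore) {
-            // Ignore
-        }
-        assertNull(url);
-
-        // Register a user factory
-        DirContextURLStreamHandlerFactory.addUserFactory(
-                new FooURLStreamHandlerFactory());
-
-        // Now it works
-        try {
-            url = new URL("foo://www.apache.org");
-        } catch (MalformedURLException ignore) {
-            // Ignore
-        }
-        assertNotNull(url);
-    }
-
-    public static class FooURLStreamHandlerFactory
-            implements URLStreamHandlerFactory {
-
-        @Override
-        public URLStreamHandler createURLStreamHandler(String protocol) {
-            if ("foo".equals(protocol)) {
-                // This is good enough for this test but not for actual use
-                return new DirContextURLStreamHandler();
-            } else {
-                return null;
-            }
-        }
-    }
-}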
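--- a/test/org/apache/naming/resources/TestTomcatURLStreamHandlerFactory.java
+++ b/test/org/apache/naming/resources/TestTomcatURLStreamHandlerFactory.java
@@ -0,0 +1,82 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.naming.resources;
+
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.net.URLStreamHandler;
+import java.net.URLStreamHandlerFactory;
+
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+
+import org.junit.Test;
+
+public class TestTomcatURLStreamHandlerFactory {
+
+    @Test
+    public void testUserSuppliedFactory() throws Exception {
+
+        URL url = null;
+
+        // Initially unknown
+        try {
+            url = new URL("foo://www.apache.org");
+        } catch (MalformedURLException ignore) {
+            // Ignore
+        }
+        assertNull(url);
+
+        // Set the factory
+        URL.setURLStreamHandlerFactory(
+                TomcatURLStreamHandlerFactory.getInstance());
+
+        // Still unknown
+        try {
+            url = new URL("foo://www.apache.org");
+        } catch (MalformedURLException ignore) {
+            // Ignore
+        }
+        assertNull(url);
+
+        // Register a user factory
+        TomcatURLStreamHandlerFactory.addUserFactory(
+                new FooURLStreamHandlerFactory());
+
+        // Now it works
+        try {
+            url = new URL("foo://www.apache.org");
+        } catch (MalformedURLException ignore) {
+            // Ignore
+        }
+        assertNotNull(url);
+    }
+
+    public static class FooURLStreamHandlerFactory
+            implements URLStreamHandlerFactory {
+
+        @Override
+        public URLStreamHandler createURLStreamHandler(String protocol) {
+            if ("foo".equals(protocol)) {
+                // This is good enough for this test but not for actual use
+                return new DirContextURLStreamHandler();
+            } else {
+                return null;
+            }
+        }
+    }
+}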
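Review bot: `testUserSuppliedFactory` depends on JVM-wide state it does not control: `URL.setURLStreamHandlerFactory` may be called at most once per JVM and throws an `Error` on a second call, and the first `assertNull(url)` assumes nothing has already registered a `foo` handler. `TestConfigFileLoader.setup()` and `TestClasspathUrlStreamHandler.setup()` in this patch make the same call, so the three classes presumably pass only when each runs in its own forked JVM. That assumption should be written down next to the call, for example `// Requires a fresh JVM: the URL stream handler factory can be set only once`, so a later change to the test runner's forking does not turn into an unexplained `Error`.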
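--- a/test/org/apache/tomcat/util/file/TestConfigFileLoader.java
+++ b/test/org/apache/tomcat/util/file/TestConfigFileLoader.java
@@ -0,0 +1,73 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+package org.apache.tomcat.util.file;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URL;
+
+import org.apache.naming.resources.TomcatURLStreamHandlerFactory;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class TestConfigFileLoader {
+
+    @BeforeClass
+    public static void setup() {
+        URL.setURLStreamHandlerFactory(
+                TomcatURLStreamHandlerFactory.getInstance());
+        File buildDir = new File(
+                System.getProperty("tomcat.test.tomcatbuild", "output/build"));
+        System.setProperty("catalina.base", buildDir.getAbsolutePath());
+    }
+
+    @Test
+    public void test01() throws IOException {
+        doTest("classpath:org/apache/catalina/mbeans-descriptors.xml");
+    }
+
+    @Test(expected=FileNotFoundException.class)
+    public void test02() throws IOException {
+        doTest("classpath:org/apache/catalina/foo");
+    }
+
+    @Test
+    public void test03() throws IOException {
+        doTest("conf/server.xml");
+    }
+
+    @Test(expected=FileNotFoundException.class)
+    public void test04() throws IOException {
+        doTest("conf/unknown");
+    }
+
+    private void doTest(String path) throws IOException {
+        InputStream is = null;
+        try {
+            is = ConfigFileLoader.getInputStream(path);
+            Assert.assertNotNull(is);
+        } finally {
+            if (is != null) {
+                is.close();
+            }
+        }
+    }
+}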
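Review bot: `setup()` overwrites the `catalina.base` system property for the whole JVM and never restores it, so any test that runs later in the same JVM resolves its base directory against the build output. Saving the previous value and restoring it in an `@AfterClass` method (which needs an `org.junit.AfterClass` import) keeps the change local to this class. Separately, the four cases cover only a `classpath:` URI and a path relative to `catalina.base`. The changelog entry says configuration resources may now be given as URLs, so a case for an absolute `file:` URL and one for an unsupported scheme would pin down what `ConfigFileLoader.getInputStream` accepts and rejects; the loader itself is not visible in this section, so its intended behaviour for those inputs should be confirmed first.

```java
    private static String previousCatalinaBase;

    @BeforeClass
    public static void setup() {
        // … unchanged: URL.setURLStreamHandlerFactory(...) and buildDir lookup …
        previousCatalinaBase = System.getProperty("catalina.base");
        System.setProperty("catalina.base", buildDir.getAbsolutePath());
    }

    @AfterClass
    public static void restoreCatalinaBase() {
        if (previousCatalinaBase == null) {
            System.clearProperty("catalina.base");
        } else {
            System.setProperty("catalina.base", previousCatalinaBase);
        }
    }
```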
(-)webapps/docs/changelog.xml.orig (+4780 lines)
Line 0 Link Here
1
<?xml version="1.0" encoding="UTF-8"?>
2
<!--
3
  Licensed to the Apache Software Foundation (ASF) under one or more
4
  contributor license agreements.  See the NOTICE file distributed with
5
  this work for additional information regarding copyright ownership.
6
  The ASF licenses this file to You under the Apache License, Version 2.0
7
  (the "License"); you may not use this file except in compliance with
8
  the License.  You may obtain a copy of the License at
9
10
      http://www.apache.org/licenses/LICENSE-2.0
11
12
  Unless required by applicable law or agreed to in writing, software
13
  distributed under the License is distributed on an "AS IS" BASIS,
14
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15
  See the License for the specific language governing permissions and
16
  limitations under the License.
17
-->
18
<!DOCTYPE document [
19
  <!ENTITY project SYSTEM "project.xml">
20
]>
21
<?xml-stylesheet type="text/xsl" href="tomcat-docs.xsl"?>
22
<document url="changelog.html">
23
24
  &project;
25
26
  <properties>
27
    <title>Changelog</title>
28
    <no-comments />
29
  </properties>
30
31
<body>
32
<!--
33
  Subsection ordering:
34
  General, Catalina, Coyote, Jasper, Cluster, WebSocket, Web applications,
35
  Extras, Tribes, jdbc-pool, Other
36
37
  Item Ordering:
38
39
  Fixes having an issue number are sorted by their number, ascending.
40
41
  There is no ordering by add/update/fix.
42
43
  Other fixed issues are added to the end of the list, chronologically.
44
  They eventually become mixed with the numbered issues. (I.e., numbered
45
  issues do not "pop up" wrt. others).
46
-->
47
<<<<<<< HEAD
48
<section name="Tomcat 8.0.26 (markt)" rtext="">
49
=======
50
<section name="Tomcat 8.0.28 (markt)" rtext="in development">
51
  <subsection name="Catalina">
52
    <changelog>
53
      <add>
54
        Add support for the custom <code>classpath</code> protocol in URLs. It
55
        an be used anywhere Tomcat accepts a URL for a configuration parameter.
56
        (markt)
57
      </add>
58
      <fix>
59
        <bug>56777</bug>: Allow file based configuration resources (user
60
        database, certificate revocation lists, keystores an dtrust stores) to
61
        be configured using URLs as well as files. (markt)
62
      </fix>
63
      <fix>
64
        Perform null-checking on input and stored credentials in all Realms
65
        before passing credentials off to CredentialHandlers for matching.
66
        (schultz)
67
      </fix>
68
    </changelog>
69
  </subsection>
70
  <subsection name="Coyote">
71
    <changelog>
72
      <update>
73
        Add the new ciphers from RFC6655 and RFC7251 to the OpenSSL to JSSE
74
        cipher mapping. (markt)
75
      </update>
76
      <update>
77
        Remove DES, RC2 and RC4 from DEFAULT for the OpenSSL to JSSE cipher
78
        mapping to align with the OpenSSL development branch. (markt)
79
      </update>
80
    </changelog>
81
  </subsection>
82
  <subsection name="Jasper">
83
    <changelog>
84
      <fix>
85
        Improve the error message when JSP parser encounters an error parsing an
86
        attribute value. (markt)
87
      </fix>
88
    </changelog>
89
  </subsection>
90
  <subsection name="Web applications">
91
    <changelog>
92
      <update>
93
        <bug>58474</bug>: Provide a reference to the differences between
94
        <code>CATALINA_HOME</code> and <code>CATALINA_BASE</code> in the sample
95
        application that is part of the documentation web application. (markt)
96
      </update>
97
    </changelog>
98
  </subsection>
99
  <subsection name="Extras">
100
    <changelog>
101
      <fix>
102
        Ensure JULI adapters does not include the LogFactoryImpl class. Patch
103
        provided by Benjamin Gandon. (markt)
104
      </fix>
105
    </changelog>
106
  </subsection>
107
</section>
108
<section name="Tomcat 8.0.27 (markt)" rtext="2015-10-01">
109
  <subsection name="Catalina">
110
    <changelog>
111
      <fix>
112
        <bug>58187</bug>: Correct a regression in the fix for <bug>57765</bug>
113
        that meant that deployment of web applications deployed via the Manager
114
        application was delayed until the next execution of the automatic
115
        deployment background process. (markt)
116
      </fix>
117
      <fix>
118
        <bug>58284</bug>: Correctly implement session serialization so
119
        non-serializable attributes are skipped with a warning. Patch provided
120
        by Andrew Shore. (markt)
121
      </fix>
122
      <fix>
123
        <bug>58313</bug>: Fix concurrent access of encoders map when clearing
124
        encoders prior to switch to async. (markt)
125
      </fix>
126
      <fix>
127
        <bug>58320</bug>: Fix concurrent access of request attributes which is
128
        possible during asynchronous processing. (markt)
129
      </fix>
130
      <fix>
131
        <bug>58352</bug>: Always trigger a thread dump if Tomcat fails to stop
132
        gracefully from <code>catalina.sh</code> even if using
133
        <code>-force</code>. Patch provided by  Alexandre Garnier. (markt)
134
      </fix>
135
      <fix>
136
        <bug>58368</bug>: Fix a rare data race in the code that obtains the
137
        <code>ApplicationFilterFactory</code> instance. (markt)
138
      </fix>
139
      <fix>
140
        <bug>58369</bug>: Fix a rare data race in the code that obtains the
141
        CookieProcessor for a StandardContext instance. (markt)
142
      </fix>
143
      <fix>
144
        Ensure the JAASRealm uses the configured CredentialHandler. (markt)
145
      </fix>
146
      <fix>
147
       <bug>58372</bug>: Fix rare data races closed and suspended flags that
148
       could be triggered by async and/or comet processing. (markt)
149
      </fix>
150
      <fix>
151
        <bug>58373</bug>: Fix rare data race with the application event
152
        listeners for StandardContext. (markt)
153
      </fix>
154
      <fix>
155
        <bug>58374</bug>: Fix a rare data race in the AsyncContext
156
        implementation for access to the internal Tomcat request object to which
157
        it holds a reference. (markt)
158
      </fix>
159
      <fix>
160
        <bug>58380</bug>: Fix two rare data races in the standard session
161
        implementation on the flag that tracks if the session is new and on the
162
        field that tracks the maximum inactive period. (markt)
163
      </fix>
164
      <fix>
165
        <bug>58385</bug>: Fix a rare data race in the internal flag Tomcat uses
166
        to keep track of whether or not a request is being used for Comet
167
        processing. (markt)
168
      </fix>
169
      <fix>
170
        <bug>58394</bug>: Fix a rare data race in Mapper when adding or removing
171
        a host. (markt)
172
      </fix>
173
      <fix>
174
        <bug>58398</bug>: Fix a rare data race in <code>LifecycleSupport</code>.
175
        (markt)
176
      </fix>
177
      <fix>
178
        <bug>58412</bug>: Ensure that the <code>AsyncFileHandler</code> has the
179
        source class and method name available for logging. (fschumacher)
180
      </fix>
181
      <fix>
182
        <bug>58416</bug>: Correctly detect when a forced stop fails to stop
183
        Tomcat because the Tomcat process is waiting on some system call or is
184
        uninterruptible. (markt)
185
      </fix>
186
      <fix>
187
        <bug>58436</bug>: Fix some rare data races in JULI&apos;s
188
        <code>ClassLoaderLogManager</code> during shutdown. (markt)
189
      </fix>
190
      <fix>
191
        <bug>58845</bug>: Fix off-by one error in calculation of valid
192
        characters in a cookie domain. Patch provided by Thorsten Ehlers.
193
        (markt)
194
      </fix>
195
    </changelog>
196
  </subsection>
197
  <subsection name="Coyote">
198
    <changelog>
199
      <fix>
200
        Correct some edge cases in <code>RequestUtil.normalize()</code>. (markt)
201
      </fix>
202
      <fix>
203
        <bug>58275</bug>: The IBM JREs accept cipher suite names starting with
204
        <code>TLS_</code> or <code>SSL_</code> but when listing the supported
205
        cipher suites only the <code>SSL_</code> version is reported. This can
206
        break Tomcat&apos;s check that at least one requested cipher suite is
207
        supported. Tomcat now includes a work-around so either form of the
208
        cipher suite name can be used when running on an IBM JRE. (markt)
209
      </fix>
210
      <fix>
211
        <bug>58357</bug>: For reasons not currently understood when the
212
        APR/native connector is used with OpenSSL reads can return an error code
213
        when there is no apparent error. This was work-around for HTTP upgrade
214
        connections by treating this as <code>EAGAIN</code>. The same fix has
215
        now been applied to the standard HTTP connector. (markt)
216
      </fix>
217
      <scode>
218
        Minor clean-up in NIO2 SSL handshake code to address some theoretical
219
        concurrency issues. (markt)
220
      </scode>
221
      <fix>
222
        <bug>58367</bug>: Fix a rare data race in the code that obtains the
223
        reason phrase for a given HTTP response code. (markt)
224
      </fix>
225
      <fix>
226
        <bug>58370</bug>: Fix a rare data race in the connector shutdown code.
227
        (markt)
228
      </fix>
229
      <fix>
230
        <bug>58371</bug>: Fix a rare data race when accessing request URI in
231
        String form when switching from non-async to async due to early
232
        triggering of the gathering of request statistics. (markt)
233
      </fix>
234
      <fix>
235
        <bug>58375</bug>: Fix a rare data race on the internal flag Tomcat uses
236
        to mark a response as committed. (markt)
237
      </fix>
238
      <fix>
239
        <bug>58377</bug>: Fix a rare data race on the internal flag Tomcat uses
240
        to mark a request as using HTTP keep-alive when switching to
241
        asynchronous processing. (markt)
242
      </fix>
243
      <fix>
244
        <bug>58379</bug>: Fix a rare data race on the interal reference Tomcat
245
        retains to the socket when switching to asynchronous processing. (markt)
246
      </fix>
247
      <fix>
248
        <bug>58387</bug>: Fix a rare data race when closing Comet connections.
249
        (markt)
250
      </fix>
251
      <fix>
252
        <bug>58388</bug>: Fix a data race when determining if Comet processing
253
        is occurring on a container or non-container thread. (markt)
254
      </fix>
255
      <fix>
256
        <bug>58389</bug>: Fix a rare data race while shutting down the thread
257
        pools on Connector stop. (markt)
258
      </fix>
259
      <scode>
260
        Clean up use of error flag on socket wrapper prompted by
261
        <bug>58390</bug>. (markt)
262
      </scode>
263
      <scode>
264
        Remove some unnecessary code from the NIO Poller and fix
265
        <bug>58396</bug> as a side-effect. (markt)
266
      </scode>
267
      <fix>
268
        <bug>57799</bug>: Remove useless sendfile check for NIO SSL. (remm)
269
      </fix>
270
    </changelog>
271
  </subsection>
272
  <subsection name="Jasper">
273
    <changelog>
274
      <fix>
275
        <bug>57136</bug>: Correct a regression in the previous fix for this
276
        issue. <code>\${</code> should only an escape for <code>${</code> within
277
        an EL expression. Within a JSP page <code>\$</code> should be an escape
278
        for <code>$</code>. The EL specification applies when parsing the
279
        expression delimited by <code>${</code> and <code>}</code>. Parsing of
280
        the delimiting <code>${</code> and <code>}</code> is the responsibility
281
        of the JSP specification. (markt)
282
      </fix>
283
      <fix>
284
        <bug>58296</bug>: Fix a memory leak in the JSP unloading feature that
285
        meant that using a value other than <code>-1</code> for
286
        <code>maxLoadedJsps</code> triggered a memory leak once the limit was
287
        reached. (markt)
288
      </fix>
289
      <fix>
290
        <bug>58327</bug>: Cache the expression string for value expression
291
        literals since it is frequently used and may be expensive to evaluate.
292
        Patch provided by Andreas Kohn. (markt)
293
      </fix>
294
      <fix>
295
        <bug>58340</bug>: Improve error reporting for tag files packaged in
296
        JARs. (markt)
297
      </fix>
298
      <fix>
299
        <bug>58424</bug>: When parsing TLD files, allow whitespace around
300
        boolean configuration values. (schultz)
301
      </fix>
302
      <fix>
303
        Fix a possible resource leak reported by coverity scan. (fschumacher)
304
      </fix>
305
      <fix>
306
        <bug>58427</bug>: Enforce the JSP specification defined limitations of
307
        which elements are allowed in an implicit.tld file. (markt)
308
      </fix>
309
      <fix>
310
        <bug>58444</bug>: Ensure that JSPs work with any custom base class that
311
        meets the requirements defined in the JSP specification without
312
        requiring that base class to implement Tomcat specific code. (markt)
313
      </fix>
314
    </changelog>
315
  </subsection>
316
  <subsection name="Cluster">
317
    <changelog>
318
      <fix>
319
        Fix a default clusterListeners in <code>SimpleTcpCluster</code>. The
320
        optimal default value is different for each session manager.
321
        <code>ClusterSessionListener</code> is never used in
322
        <code>BackupManager</code>. (kfujino)
323
      </fix>
324
      <fix>
325
        Correct log messages in case of using <code>BackupManager</code>.
326
        (kfujino)
327
      </fix>
328
    </changelog>
329
  </subsection>
330
  <subsection name="WebSocket">
331
    <changelog>
332
      <fix>
333
        <bug>58342</bug>: Fix a copy and paste error that meant MessageHandler
334
        removal could fail for binary and pong MessageHandlers. Patch provided
335
        by DJ. (markt)
336
      </fix>
337
      <fix>
338
        Data races detected by RV-Predict, mostly caused by completion handlers
339
        running in separate threads. (markt)
340
      </fix>
341
      <fix>
342
        <bug>58414</bug>: Correctly handle sending zero length messages when
343
        using per message deflate. (markt)
344
      </fix>
345
    </changelog>
346
  </subsection>
347
  <subsection name="Web applications">
348
    <changelog>
349
      <fix>
350
        Correct documentation for cluster-howto. (kfujino)
351
      </fix>
352
      <fix>
353
        Add missing documentation for property <code>alwaysAddExpires</code> for
354
        the <code>LegacyCookieProcessor</code>. (markt)
355
      </fix>
356
    </changelog>
357
  </subsection>
358
  <subsection name="Tribes">
359
    <changelog>
360
      <add>
361
        Add support for configurations of <code>ChannelListener</code> and
362
        <code>MembershipListener</code> in server.xml. (kfujino)
363
      </add>
364
      <fix>
365
        Correct log messages in case of using <code>ReplicatedMap</code>.
366
        (kfujino)
367
      </fix>
368
      <fix>
369
        <bug>58381</bug>: Fix a rare data race in the <code>NioReceiver</code>.
370
        (markt)
371
      </fix>
372
      <fix>
373
        <bug>58382</bug>: Fix multiple rare data races in the default membership
374
        implementation. (markt)
375
      </fix>
376
      <fix>
377
        <bug>58383</bug>: Fix a data race in <code>SenderState</code>. (markt)
378
      </fix>
379
      <fix>
380
        <bug>58386</bug>: Fix a data race in <code>ObjectReader</code>. (markt)
381
      </fix>
382
      <fix>
383
        <bug>58391</bug>: Fix multiple data races in
384
        <code>NonBlockingCoordinator</code>, most of which were associated with
385
        ensuring that log messages contained the correct information. (markt)
386
      </fix>
387
      <fix>
388
        <bug>58392</bug>: Fix a data race in
389
        <code>DomainFilterInterceptor</code>. (markt)
390
      </fix>
391
      <fix>
392
        <bug>58393</bug>: Fix a data race on the listener in
393
        <code>McastService</code>. (markt)
394
      </fix>
395
      <fix>
396
        <bug>58395</bug>: Fix multiple data races in <code>MemberImpl</code>
397
        that were likely to cause issues if certain properties were updated
398
        concurrently (such updates are unlikely in normal usage). (markt)
399
      </fix>
400
      <scode>
401
        Remove some unnecessary code from <code>PooledParallelSender</code> and
402
        fix <bug>58397</bug>. (markt)
403
      </scode>
404
    </changelog>
405
  </subsection>
406
  <subsection name="jdbc-pool">
407
    <changelog>
408
      <fix>
409
        Make sure the pool has been properly configured when attributes that
410
        related to the pool size are changed via JMX. (kfujino)
411
      </fix>
412
    </changelog>
413
  </subsection>
414
  <subsection name="Other">
415
    <changelog>
416
      <fix>
417
        Ensure logging works for all tests in a class rather than just the first
418
        one executed. (markt)
419
      </fix>
420
      <add>
421
        <bug>58344</bug>: Add build properties to enable tests to be executed
422
        against alternative binaries. Based on a patch by Petr Sumbera. (markt)
423
      </add>
424
    </changelog>
425
  </subsection>
426
</section>
427
<section name="Tomcat 8.0.26 (markt)" rtext="2015-08-21">
428
>>>>>>> TOMCAT_8_0_28
429
  <subsection name="Web applications">
430
    <changelog>
431
      <add>
432
        <bug>58255</bug>: Document the Semaphore valve. Patch provided by
433
        Kyohei Nakamura. (markt)
434
      </add>
435
    </changelog>
436
  </subsection>
437
</section>
438
<section name="Tomcat 8.0.25 (markt)" rtext="not released">
439
  <subsection name="Catalina">
440
    <changelog>
441
      <fix>
442
        Make the WAR manifest file available for WebResource instances from an
443
        unpacked WAR in the same way the manifest is available if the WAR is not
444
        unpacked. (markt)
445
      </fix>
446
      <fix>
447
        Ensure that only <code>/WEB-INF/classes/</code> and
448
        <code>/WEB-INF/lib/</code> are excluded from the web resource caching.
449
        (Resources loaded from these locations are cached by the web application
450
        class loader.) (markt)
451
      </fix>
452
      <add>
453
        <bug>57741</bug>: Enable the CGI servlet to use the standard error page
454
        mechanism. Note that if the CGI servlet&apos;s debug init parameter is
455
        set to 10 or higher then the standard error page mechanism will be
456
        bypassed and a debug response generated by the CGI servlet will be
457
        returned instead. (markt)
458
      </add>
459
      <fix>
460
        <bug>58031</bug>: Make the (first) reason parameter parsing failed
461
        available as a request attribute and then use it to provide a better
462
        status code via the FailedRequstFilter (if configured). (markt)
463
      </fix>
464
      <fix>
465
        <bug>58086</bug>: Correct a regression in the fix for 58086 that
466
        incorrectly handled WAR URLs. (violetagg)
467
      </fix>
468
      <fix>
469
        <bug>58096</bug>: Classes loaded from <code>/WEB-INF/classes/</code>
470
        should use that directory as their code base. (markt)
471
      </fix>
472
      <fix>
473
        Fix possible resource leaks by closing streams properly.
474
        Issues reported by Coverity Scan. (violetagg)
475
      </fix>
476
      <fix>
477
        <bug>58116</bug>: Fix regression in the fix for <bug>57281</bug> that
478
        broke Comet support when running under a security manager. Based on a
479
        patch provided by Johno Crawford. (markt)
480
      </fix>
481
      <fix>
482
        <bug>58125</bug>: Avoid a possible <code>ClassCircularityError</code>
483
        when running under a security manager. (markt)
484
      </fix>
485
      <fix>
486
        <bug>58179</bug>: Fix a thread safety issues that could mean concurrent
487
        threads setting the same attribute on a <code>ServletContext</code>
488
        could both see <code>null</code> as the old value. (markt)
489
      </fix>
490
      <fix>
491
        Allow web archives bigger than 2G to be deployed using ANT tasks.
492
        (violetagg)
493
      </fix>
494
      <fix>
495
        <bug>58192</bug>: Correct a regression in the previous fix for
496
        <bug>58023</bug>. Ensure that classes are associated with their manifest
497
        even if the class file is first read (and cached) without the manifest.
498
        (markt)
499
      </fix>
500
      <fix>
501
        Fix thread safety issue in the <code>AsyncContext</code> implementation
502
        that meant a sequence of <code>start();dispatch();</code> calls using
503
        non-container threads could result in a previous dispatch interfering
504
        with a subsequent start. (markt)
505
      </fix>
506
      <fix>
507
        <bug>58228</bug>: Make behaviour of
508
        <code>ServletContext.getResource()</code> and
509
        <code>ServletContext.getResourceAsStream()</code> consistent with each
510
        other and the expected behaviour of the GET_RESOURCE_REQUIRE_SLASH
511
        system property. (markt)
512
      </fix>
513
      <fix>
514
        <bug>58230</bug>: Fix input stream corruption if non-blocking I/O is
515
        used and the first read is made immediately after the switch to async
516
        mode rather than in response to <code>onDataAvaiable()</code> and that
517
        read does not read all the available data. (markt)
518
      </fix>
519
      <fix>
520
        Ensure that <code>log4javascript*.jar</code> was not excluded from the
521
        standard JAR scanning by default. (markt)
522
      </fix>
523
    </changelog>
524
  </subsection>
525
  <subsection name="Coyote">
526
    <changelog>
527
      <fix>
528
        <bug>57943</bug>: Prevent the same socket being added to the cache
529
        twice. Patch based on analysis by Ian Luo / Sun Qi. (markt)
530
      </fix>
531
      <fix>
532
        Add <code>text/javascript,application/javascript</code> to the default
533
        list of compressable MIME types. (violetagg)
534
      </fix>
535
      <fix>
536
        <bug>58103</bug>: When pipelining requests, and the previous request was
537
        an async request, ensure that the socket is removed from the waiting
538
        requests so that the async timeout thread doesn't process it during the
539
        next request. (markt)
540
      </fix>
541
      <fix>
542
        <bug>58151</bug>: Correctly handle EOF in the AJP APR/native connector
543
        to prevent the connector entering a loop and generate excessive CPU
544
        load. (markt)
545
      </fix>
546
      <fix>
547
        In the AJP and HTTP NIO connectors, ensure that the socket timeout is
548
        correctly set before adding the socket back to the poller for read.
549
        (markt)
550
      </fix>
551
      <fix>
552
        <bug>58157</bug>: Ensure that the handling of async timeouts does not
553
        result in an unnecessary dispatch to a container thread that could
554
        result in the current socket being added to the Poller multiple times
555
        with multiple attempts to process the same event for the same socket.
556
        (markt)
557
      </fix>
558
      <fix>
559
        Correct a couple of edge cases in <code>RequestUtil.normalize()</code>.
560
        (markt)
561
      </fix>
562
    </changelog>
563
  </subsection>
564
  <subsection name="Jasper">
565
    <changelog>
566
      <fix>
567
        <bug>58110</bug>: Like scriptlet sections, declaration sections of JSP
568
        pages have a one-to-one mapping of lines to the generated .java file.
569
        Use this information to provide more accurate error messages if a
570
        compilation error occurs in a declaration section. (markt)
571
      </fix>
572
      <fix>
573
        <bug>58119</bug>: When tags are compiled they must be placed in the
574
        org/apache/jsp/tag/web directory. Correct a regression in the fix for
575
        52725. (violetagg)
576
      </fix>
577
      <fix>
578
        Fix a resource leak in JspC identified by Eclipse. (markt)
579
      </fix>
580
      <fix>
581
        <bug>58178</bug>: Expressions in a tag file should use the tag
582
        file&apos;s <code>PageContext</code> rather than that of the containing
583
        page. (markt)
584
      </fix>
585
      <fix>
586
        Following on from the fix for <bug>58178</bug>, expressions in a tag
587
        file should use the tag file&apos;s imports rather than those of the
588
        containing page. (markt)
589
      </fix>
590
    </changelog>
591
  </subsection>
592
  <subsection name="WebSocket">
593
    <changelog>
594
      <fix>
595
        <bug>58166</bug>: Allow applications to send close codes in the range
596
        3000-4999 inclusive. (markt)
597
      </fix>
598
      <fix>
599
        <bug>58232</bug>: Avoid possible NPE when adding endpoints
600
        programmatically to the
601
        <code>javax.websocket.server.ServerContainer</code>.
602
        Based on a patch provided by bastian.(violetagg)
603
      </fix>
604
    </changelog>
605
  </subsection>
606
  <subsection name="Web applications">
607
    <changelog>
608
      <fix>
609
        Correct the incorrect document of <code>QueryTimeoutInterceptor</code>.
610
        The setting value is not in milliseconds but in seconds. (kfujino)
611
      </fix>
612
      <fix>
613
        <bug>58112</bug>: Update the documentation for using the Catalina tasks
614
        in an Apache Ant build file. (markt)
615
      </fix>
616
      <fix>
617
        Improve the Javadoc for some of the APR socket read functions that have
618
        inconsistent behaviour for return values. (markt)
619
      </fix>
620
    </changelog>
621
  </subsection>
622
  <subsection name="jdbc-pool">
623
    <changelog>
624
      <fix>
625
        <bug>58042</bug>: The default value of <code>logFailed</code> attribute
626
        of <code>SlowQueryReport</code> is changed to <code>false</code> so that
627
        the failed queries are not logged by default. (kfujino)
628
      </fix>
629
      <fix>
630
        Fix potential NPE in <code>QueryTimeoutInterceptor</code>. (kfujino)
631
      </fix>
632
      <fix>
633
        Add support for stopping the pool cleaner via JMX. (kfujino)
634
      </fix>
635
      <fix>
636
        The <code>fairness</code> attribute and
637
        <code>ignoreExceptionOnPreLoad</code> attribute do not allow a change
638
        via JMX. (kfujino)
639
      </fix>
640
      <fix>
641
        If the <code>timeBetweenEvictionRunsMillis</code> attribute is changed
642
        via jmx, it should restart the pool cleaner because this attribute
643
        affects the execution interval of the pool cleaner. (kfujino)
644
      </fix>
645
      <fix>
646
        Eliminate the dependence on <code>maxActive</code> of busy queues and
647
        idle queue in order to enable the expansion of the pool size via JMX.
648
        (kfujino)
649
      </fix>
650
    </changelog>
651
  </subsection>
652
  <subsection name="Other">
653
    <changelog>
654
      <update>
655
        Update optional Checkstyle library to 6.8.1. (kkolinko)
656
      </update>
657
      <fix>
658
        Update sample Eclipse IDE configuration to exclude test/webapp* and
659
        similar paths from compiler sourcepath. (kkolinko)
660
      </fix>
661
      <update>
662
        Update package renamed Apache Commons Pool to Commons Pool 2.4.2.
663
        (markt)
664
      </update>
665
      <update>
666
        Update package renamed Apache Commons DBCP to Commons DBCP 2.1.1.
667
        (markt)
668
      </update>
669
      <add>
670
        Support the use of the <code>threads</code> attribute on Ant&apos;s
671
        junit task. Note that using this with a value of greater than one will
672
        disbale Cobertura code coverage. (markt)
673
      </add>
674
    </changelog>
675
  </subsection>
676
</section>
677
<section name="Tomcat 8.0.24 (markt)" rtext="2015-07-06">
678
  <subsection name="Catalina">
679
    <changelog>
680
      <fix>
681
        <bug>57938</bug>: Correctly handle empty form fields when a form is
682
        submitted as <code>multipart/form-data</code>, the
683
        <code>maxPostSize</code> attribute of the Connector has been set to a
684
        negative value and the Context has been configured with a value of
685
        <code>true</code> for <code>allowCasualMultipartParsing</code>. The
686
        meaning of the value zero for the <code>maxPostSize</code> has also been
687
        changed to mean a limit of zero rather than no limit to align it with
688
        <code>maxSavePostSize</code> and to be more intuitive. (markt)
689
      </fix>
690
      <fix>
691
        <bug>57977</bug>: Correctly bind and unbind the web application class
692
        loader during execution of the PersistentValve. (markt)
693
      </fix>
694
      <fix>
695
        Remove some unnecessary code from the web application class loader and
696
        deprecate the now unused <code>validate()</code> method since the
697
        requirements of SRV.10.7.2 are met using cleaner code in
698
        <code>loadClass(String, boolean)</code> and <code>filter()</code>.
699
        (markt)
700
      </fix>
701
      <fix>
702
        Correct a bug that prevented the web application class loader&apos;s
703
        <code>filter()</code> from working correctly. It only returned
704
        <code>true</code> for classes in sub-packages of the listed packages,
705
        but not classes located in the packages themselves. (markt)
706
      </fix>
707
      <fix>
708
        Add the WebSocket API classes to the list of classes that the web
709
        application class loader will always delegate to its parent for loading
710
        first. (markt)
711
      </fix>
712
      <fix>
713
        <bug>58015</bug>: Ensure that whenever the web application class loader
714
        checks to see if it should delegate first, it also checks the result
715
        of the <code>filter()</code> method which may indicate that it should
716
        always delegate first for the current class/resource regardless of the
717
        value of the delegate configuration option. (markt)
718
      </fix>
719
      <fix>
720
        <bug>58023</bug>: Fix potentially excessive memory usage due to
721
        unnecessary caching of JAR manifests in the web application class
722
        loader. (markt)
723
      </fix>
724
      <fix>
725
        <bug>57700</bug>: Ensure that Container event
726
        <code>ADD_CHILD_EVENT</code> will be sent in all cases. (violetagg)
727
      </fix>
728
      <fix>
729
        <bug>58086</bug>: Ensure that WAR URLs are handled properly when using
730
        ANT for web application deployment. Based on a patch provided by Lukasz
731
        Jader. (violetagg)
732
      </fix>
733
      <fix>
734
        Fix CredentialHandler element handling in storeconfig. (remm)
735
      </fix>
736
    </changelog>
737
  </subsection>
738
  <subsection name="Coyote">
739
    <changelog>
740
      <fix>
741
        <bug>57265</bug>: Further fix to address a potential threading issue
742
        when sendfile is used in conjunction with TLS. (markt)
743
      </fix>
744
      <fix>
745
        <bug>57936</bug>: Improve robustness of the acceptor thread count
746
        parameter for NIO2, since it must be set to 1. Submitted by
747
        Oliver Kant. (remm)
748
      </fix>
749
      <add>
750
        <bug>57943</bug>: Added a work-around to catch
751
        <code>ConcurrentModificationException</code>s during Poller timeout
752
        processing that were causing the Poller thread to stop. The root cause
753
        of these exceptions is currently unknown. (markt)
754
      </add>
755
      <fix>
756
        <bug>57944</bug>: Ensure that if non-blocking I/O listeners are set on
757
        a non-container thread that the expected listener events are still
758
        triggered. (markt)
759
      </fix>
760
      <fix>
761
        Fix possible very long (1000 seconds) timeout with APR/native connector.
762
        (markt)
763
      </fix>
764
      <add>
765
        Support "-" separator in the SSLProtocol configuration of the
766
        APR/native connector for protocol exclusion. (rjung)
767
      </add>
768
      <fix>
769
        <bug>58004</bug>: Fix AJP buffering output data even in blocking mode.
770
        (remm)
771
      </fix>
772
    </changelog>
773
  </subsection>
774
  <subsection name="WebSocket">
775
    <changelog>
776
      <fix>
777
        <bug>57969</bug>: Provide path parameters to POJO via per session
778
        <code>javax.websocket.server.ServerEndpointConfig</code> as they vary
779
        between different requests. (violetagg)
780
      </fix>
781
      <fix>
782
        <bug>57974</bug>: Session.getOpenSessions should return all sessions
783
        associated with a given endpoint instance, rather than all sessions
784
        from the endpoint class. (remm)
785
      </fix>
786
    </changelog>
787
  </subsection>
788
  <subsection name="Web applications">
789
    <changelog>
790
      <fix>
791
        <bug>57282</bug>: Update request processing sequence diagrams. Updated
792
        diagrams provided by Stephen Chen. (markt)
793
      </fix>
794
      <fix>
795
        <bug>57971</bug>: Correct the documentation for the cluster
796
        configuration setting <code>recoverySleepTime</code>. (markt)
797
      </fix>
798
      <add>
799
        <bug>57758</bug>: Add document of <code>testOnConnect</code> attribute
800
        in jdbc-pool doc. (kfujino)
801
      </add>
802
      <add>
803
        Add description of <code>validatorClassName</code> attribute to testXXXX
804
        attributes in jdbc-pool docs. (kfujino)
805
      </add>
806
    </changelog>
807
  </subsection>
808
  <subsection name="Tribes">
809
    <changelog>
810
      <scode>
811
        Use <code>StringManager</code> to provide i18n support in the
812
        <code>org.apache.catalina.tribes</code> packages. (kfujino)
813
      </scode>
814
      <fix>
815
        Do not set the nodes that failed to replication to the backup nodes.
816
        Ensure that the nodes that the data has been successfully replicated are
817
        set to the backup node. (kfujino)
818
      </fix>
819
      <fix>
820
        When failed to replication, rather than all member is handled as a
821
        failed member, exclude the failure members from backup members.
822
        (kfujino)
823
      </fix>
824
    </changelog>
825
  </subsection>
826
  <subsection name="jdbc-pool">
827
    <changelog>
828
      <fix>
829
        Refactoring of the <code>removeOldest</code> method in
830
        <code>SlowQueryReport</code> to behave as expected. (kfujino)
831
      </fix>
832
      <fix>
833
        <bug>57783</bug>: Fix <code>NullPointerException</code> in
834
        <code>SlowQueryReport</code>. To avoid this NPE, Refactor
835
        <code>SlowQueryReport#removeOldest</code> and handle the abandoned
836
        connection properly. (kfujino)
837
      </fix>
838
      <fix>
839
        <bug>58042</bug>: In <code>SlowQueryReportJmx</code>, the
840
        <code>LogSlow</code> and <code>logFailed</code> attributes that
841
        inherited from <code>SlowQueryReport</code> are used as a condition of
842
        whether JMX notifications are sent. (kfujino)
843
      </fix>
844
      <fix>
845
        Ensure that specified <code>Boolean</code> attribute values of
846
        <code>SlowQueryReport</code> reflect correctly. The <code>LogSlow</code>
847
        and the <code>logFailed</code> are not system property, these are
848
        attributes of <code>SlowQueryReport</code>. (kfujino)
849
      </fix>
850
    </changelog>
851
  </subsection>
852
  <subsection name="Other">
853
    <changelog>
854
      <update>
855
        Update package renamed Apache Commons BCEL to r1682271 to pick up some
856
        some code clean up. (markt)
857
      </update>
858
      <update>
859
        Update package renamed Apache Commons DBCP to r1682314 to pick up the
860
        DBCP 2.1 release and additional fixes since then. (markt)
861
      </update>
862
      <update>
863
        Update package renamed Apache Commons Pool to the 2.4 release. (markt)
864
      </update>
865
      <update>
866
        Update package renamed Apache Commons File upload to r1682322 to pick up
867
        the post 1.3.1 fixes. (markt)
868
      </update>
869
      <update>
870
        Update package renamed Apache Commons Codec to r1682326. No functional
871
        changes. Javadoc only. (markt)
872
      </update>
873
      <update>
874
        Update optional Checkstyle library to 6.7. (kkolinko)
875
      </update>
876
    </changelog>
877
  </subsection>
878
</section>
879
<section name="Tomcat 8.0.23 (markt)" rtext="2015-05-22">
880
  <subsection name="Catalina">
881
    <changelog>
882
      <add>
883
        <bug>54618</bug>: Add a new <code>HttpHeaderSecurityFilter</code> that
884
        adds the <code>Strict-Transport-Security</code>,
885
        <code>X-Frame-Options</code> and <code>X-Content-Type-Options</code>
886
        HTTP headers to the response. (markt)
887
      </add>
888
      <fix>
889
        <bug>57875</bug>: Add <code>javax.websocket.*</code> to the classes for
890
        which the web application class loader always delegates first. (markt)
891
      </fix>
892
      <fix>
893
        <bug>57871</bug>: Ensure that setting the the allowHttpSepsInV0 property
894
        of a LegacyCookieProcessor to false only prevents HTTP separators from
895
        being used without quotes. (markt)
896
      </fix>
897
      <fix>
898
        Add a workaround for issues with SPNEGO authentication when running on
899
        Java 8 update 40 and later. The workaround should be safe for earlier
900
        Java versions but it can be disabled with the
901
        <code>applyJava8u40Fix</code> attribute of the SPNEGO authenticator if
902
        necessary. (markt)
903
      </fix>
904
      <fix>
905
        <bug>57926</bug>: Restore the original <code>X-Forwarded-By</code> and
906
        <code>X-Forwarded-For</code> headers after processing by the
907
        <code>RemoteIPValve </code>. (markt)
908
      </fix>
909
    </changelog>
910
  </subsection>
911
  <subsection name="Coyote">
912
    <changelog>
913
      <fix>
914
        Follow up to previous fix that removed the behavior difference between
915
        NIO and NIO2 for SSL, which caused corruption with NIO2.
916
        (remm)
917
      </fix>
918
      <fix>
919
        <bug>57931</bug>: Ensure that TLS connections with the NIO or NIO2 HTTP
920
        connectors that experience issues during the handshake (e.g. missing or
921
        invalid client certificate) are closed cleanly and that the client
922
        receives the correct error code rather than simply closing the
923
        connection. (markt)
924
      </fix>
925
    </changelog>
926
  </subsection>
927
  <subsection name="Jasper">
928
    <changelog>
929
      <fix>
930
        <bug>56438</bug>: Add debug logging to TLD discovery that logs positive
931
        and negative results for JARs, resource paths and directories. Patch
932
        provided by VIN. (markt)
933
      </fix>
934
      <fix>
935
        <bug>57802</bug>: Correct the default implementation of
936
        <code>convertToType()</code> provided by
937
        <code>javax.el.ELResolver</code>. (markt)
938
      </fix>
939
      <fix>
940
        <bug>57887</bug>: Fix compilation of recursive tag files packaged in a
941
        JAR. (markt)
942
      </fix>
943
    </changelog>
944
  </subsection>
945
  <subsection name="Cluster">
946
    <changelog>
947
      <fix>
948
        Make sure that stream is closed after using it in
949
        <code>DeltaSession.applyDiff()</code>. (kfujino)
950
      </fix>
951
      <scode>
952
        Use <code>StringManager</code> to provide i18n support in the
953
        <code>org.apache.catalina.ha packages</code>. (kfujino)
954
      </scode>
955
      <scode>
956
        Add the context name to log messages when replication context failed to
957
        start. (kfujino)
958
      </scode>
959
    </changelog>
960
  </subsection>
961
  <subsection name="Web applications">
962
    <changelog>
963
      <fix>
964
        <bug>57875</bug>: Update the web application class loader documentation
965
        to reflect the more relaxed approach to SRV.10.7.2 in Tomcat 8 onwards.
966
        (markt)
967
      </fix>
968
      <fix>
969
        <bug>57896</bug>: Document system property
970
        <code>org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER</code>
971
        that was introduced in Tomcat 8.0.0. (kkolinko)
972
      </fix>
973
    </changelog>
974
  </subsection>
975
  <subsection name="Tribes">
976
    <changelog>
977
      <fix>
978
        Ensure that the state transfer flag is updated to true only when the map
979
        states have been transferred correctly from existing map members.
980
        (kfujino)
981
      </fix>
982
    </changelog>
983
  </subsection>
984
  <subsection name="Other">
985
    <changelog>
986
      <update>
987
        Update optional Checkstyle library to 6.6. (kkolinko)
988
      </update>
989
    </changelog>
990
  </subsection>
991
</section>
992
<section name="Tomcat 8.0.22 (markt)" rtext="2015-05-05">
993
  <subsection name="Catalina">
994
    <changelog>
995
      <fix>
996
        <bug>57736</bug>: Change the format of the Tomcat specific URLs for
997
        resources inside JARs that are in turn packed in a WAR. The
998
        <code>^/</code> sequence has been replaced by <code>*/</code> so that
999
        the resulting URLs are compliant with RFC 2396 and do not trigger
1000
        exceptions when converted to URIs. The old format will continue to be
1001
        accepted. (markt)
1002
      </fix>
1003
      <fix>
1004
        <bug>57752</bug>: Exclude non-cached resources from the Cache statistics
1005
        for resource lookups. Patch provided by Adam Mlodzinski. (markt)
1006
      </fix>
1007
      <add>
1008
        Allow logging of the remote port in the access log using the format
1009
        pattern <code>%{remote}p</code>. (rjung)
1010
      </add>
1011
      <fix>
1012
        <bug>57556</bug>: Refine the previous fix for this issue so that the
1013
        real path returned only has a trailing separator if the requested path
1014
        ended with <code>/</code>. (markt)
1015
      </fix>
1016
      <fix>
1017
        <bug>57765</bug>: When checking last modified times as part of the
1018
        automatic deployment process, account for the fact that
1019
        <code>File.lastModified()</code> has a resolution of one second to
1020
        ensure that if a file has been modified within the last second, the
1021
        latest version of the file is always used. Note that a side-effect of
1022
        this change is that files with modification times in the future are
1023
        treated as if they are unmodified. (markt)
1024
      </fix>
1025
      <fix>
1026
        Align redeploy resource modification checking with reload modification
1027
        checking so that now, in both cases, a change in modification time
1028
        rather than an increase in modification time is used to determine if the
1029
        resource has changed. (markt)
1030
      </fix>
1031
      <fix>
1032
        Cleanup <code>o.a.tomcat.util.digester.Digester</code> from debug
1033
        messages that do not give any valuable information. Patch provided
1034
        by Polina Genova. (violetagg)
1035
      </fix>
1036
      <fix>
1037
        <bug>57772</bug>: When reloading a web application and a directory
1038
        representing an expanded WAR needs to be deleted, delete the directory
1039
        after the web application has been stopped rather than before to avoid
1040
        potential ClassNotFoundExceptions. (markt)
1041
      </fix>
1042
      <fix>
1043
        Fix wrong logger name of
1044
        <code>org.apache.catalina.webresources.StandardRoot</code>. (kfujino)
1045
      </fix>
1046
      <fix>
1047
        <bug>57801</bug>: Improve the error message in the start script in case
1048
        the PID read from the PID file is already owned by a process. (rjung)
1049
      </fix>
1050
      <fix>
1051
        <bug>57841</bug>: Improve error logging during web application start.
1052
        (markt)
1053
      </fix>
1054
      <fix>
1055
        <bug>57856</bug>: Ensure that any scheme/port changes implemented by the
1056
        <code>RemoteIpFilter</code> also affect
1057
        <code>HttpServletResponse.sendRedirect()</code>. (markt)
1058
      </fix>
1059
      <fix>
1060
        <bug>57863</bug>: Fix the RewriteMap support in RewriteValve that did
1061
        not use the correct key value to look up entries. Based on a patch
1062
        provided by Tatsuya Bessho. (markt)
1063
      </fix>
1064
    </changelog>
1065
  </subsection>
1066
  <subsection name="Coyote">
1067
    <changelog>
1068
      <fix>
1069
        <bug>57779</bug>: When an I/O error occurs on a non-container thread
1070
        only dispatch to a container thread to handle the error if using Servlet
1071
        3+ asynchronous processing. This avoids potential deadlocks if an
1072
        application is performing I/O on a non-container thread without using
1073
        the Servlet 3+ asynchronous API. (markt)
1074
      </fix>
1075
      <scode>
1076
        Remove the experimental support for SPDY. No current user agent supports
1077
        the version of SPDY that the experiment targeted. Note: HTTP/2 support
1078
        is under development for Tomcat 9 and may be back-ported to Tomcat 8
1079
        once complete. (markt)
1080
      </scode>
1081
      <fix>
1082
        Possible incomplete writes with SSL NIO2. (remm)
1083
      </fix>
1084
      <fix>
1085
        Incorrect reads with SSL NIO2 caused by a bad strategy for handling IO
1086
        differences between NIO and NIO2 that don't seem to be justified.
1087
        (remm)
1088
      </fix>
1089
      <fix>
1090
        After some errors, the pending flags could remain set when using SSL
1091
        NIO2. (remm)
1092
      </fix>
1093
      <fix>
1094
        <bug>57833</bug>: When using JKS based keystores for NIO or NIO2, ensure
1095
        that the key alias is always converted to lower case since that is what
1096
        JKS key stores expect. Based on a patch by  Santosh Giri Govind M.
1097
        (markt)
1098
      </fix>
1099
      <fix>
1100
        <bug>57837</bug>: Add <code>text/css</code> to the default list of
1101
        compressable MIME types. (markt)
1102
      </fix>
1103
    </changelog>
1104
  </subsection>
1105
  <subsection name="Jasper">
1106
    <changelog>
1107
      <fix>
1108
        <bug>57845</bug>: Ensure that, if the same JSP is accessed directly and
1109
        via a <code>&lt;jsp-file&gt;</code> declaration in web.xml, updates to
1110
        the JSP are visible (subject to the normal rules on re-compilation)
1111
        regardless of how the JSP is accessed. (markt)
1112
      </fix>
1113
      <fix>
1114
        <bug>57855</bug>: Explicitly handle the case where a
1115
        <code>MethodExpression</code> is invoked with null or the wrong number
1116
        of parameters. Rather than failing with an
1117
        <code>ArrayIndexOutOfBoundsException</code> or a
1118
        <code>NullPointerException</code> throw an
1119
        <code>IllegalArgumentException</code> with a useful error message.
1120
        (markt)
1121
      </fix>
1122
    </changelog>
1123
  </subsection>
1124
  <subsection name="Cluster">
1125
    <changelog>
1126
      <fix>
1127
        Avoid unnecessary call of <code>DeltaRequest.addSessionListener()</code>
1128
        in non-primary nodes. (kfujino)
1129
      </fix>
1130
      <add>
1131
        Add new attribute that send all actions for session across Tomcat
1132
        cluster nodes. (kfujino)
1133
      </add>
1134
      <fix>
1135
        Remove unused <code>pathname</code> attribute in mbean definition of
1136
        <code>BackupManager</code>. (kfujino)
1137
      </fix>
1138
    </changelog>
1139
  </subsection>
1140
  <subsection name="WebSocket">
1141
    <changelog>
1142
      <fix>
1143
        <bug>57761</bug>: Ensure that the opening HTTP request is correctly
1144
        formatted when the WebSocket client connects to a server root. (remm)
1145
      </fix>
1146
      <fix>
1147
        <bug>57762</bug>: Ensure that the WebSocket client correctly detects
1148
        when the connection to the server is dropped. (markt)
1149
      </fix>
1150
      <fix>
1151
        <bug>57776</bug>: Revert the 8.0.21 fix for the
1152
        <code>permessage-deflate</code> implementation and incorrect op-codes
1153
        since the fix was unnecessary (the bug only affected trunk) and the fix
1154
        broke rather than fixed <code>permessage-deflate</code> if an
1155
        uncompressed message was converted into more than one compressed
1156
        message. (markt)
1157
      </fix>
1158
      <fix>
1159
        Fix log name typo in <code>WsRemoteEndpointImplServer</code> class,
1160
        caused by a copy-paste. (markt/kkolinko)
1161
      </fix>
1162
      <fix>
1163
        <bug>57788</bug>: Avoid NPE when looking up a class hierarchy without
1164
        finding anything. (remm)
1165
      </fix>
1166
    </changelog>
1167
  </subsection>
1168
  <subsection name="Web applications">
1169
    <changelog>
1170
      <add>
1171
        <bug>57759</bug>: Add information to the keyAlias documentation to make
1172
        it clear that the order keys are read from the keystore is
1173
        implementation dependent. (markt)
1174
      </add>
1175
      <fix>
1176
        <bug>57864</bug>: Update the documentation web application to make it
1177
        clearer that hex values are not valid for cluster send options. Based on
1178
        a patch by Kyohei Nakamura. (markt)
1179
      </fix>
1180
    </changelog>
1181
  </subsection>
1182
  <subsection name="Tribes">
1183
    <changelog>
1184
      <fix>
1185
        Fix a concurrency issue when a backup message that has all session data
1186
        and a backup message that has diff data are processing at the same time.
1187
        This fix ensures that <code>MapOwner</code> is set to
1188
        <code>ReplicatedMapEntry</code>. (kfujino)
1189
      </fix>
1190
    </changelog>
1191
  </subsection>
1192
  <subsection name="Other">
1193
    <changelog>
1194
      <fix>
1195
        Add missing pom for tomcat-storeconfig. (remm)
1196
      </fix>
1197
      <update>
1198
        Update optional Checkstyle library to 6.5. (kkolinko)
1199
      </update>
1200
      <fix>
1201
        <bug>57707</bug>: Improve error message when trying to run a release
1202
        build on a non-Windows platform and Wine is not available. (markt)
1203
      </fix>
1204
    </changelog>
1205
  </subsection>
1206
</section>
1207
<section name="Tomcat 8.0.21 (markt)" rtext="2015-03-26">
1208
  <subsection name="Catalina">
1209
    <changelog>
1210
      <add>
1211
        <bug>49785</bug>: Enable StartTLS connections for JNDIRealm.
1212
        (fschumacher)
1213
      </add>
1214
      <fix>
1215
        When docBase refers internal war and unpackWARs is set to false, avoid
1216
        registration of the invalid redeploy resource that has been added ".war"
1217
        extension in duplicate. (kfujino)
1218
      </fix>
1219
      <fix>
1220
        If WAR exists, it is not necessary to trigger a reload when adding a
1221
        Directory. (kfujino)
1222
      </fix>
1223
      <fix>
1224
        <bug>55988</bug>: Add support for Java 8 JSSE server-preferred TLS
1225
        cipher suite ordering. This feature requires Java 8
1226
        and is controlled by <code>useServerCipherSuitesOrder</code>
1227
        attribute on an HTTP connector.
1228
        Based upon a patch provided by Ognjen Blagojevic. (schultz)
1229
      </fix>
1230
      <fix>
1231
        <bug>56608</bug>: When deploying an external WAR, add watched resources
1232
        in the expanded directory based on whether the expanded directory is
1233
        expected to exist rather than if it does exist. (markt)
1234
      </fix>
1235
      <fix>
1236
         When triggering a reload due to a modified watched resource, ensure
1237
         that multiple changed watched resources only trigger one reload rather
1238
         than a series of reloads. (markt)
1239
      </fix>
1240
      <fix>
1241
        <bug>57601</bug>: Ensure that HEAD requests return the correct content
1242
        length (i.e. the same as for a GET) when the requested resource includes
1243
        a resource served by the Default servlet. (jboynes/markt)
1244
      </fix>
1245
      <fix>
1246
        <bug>57602</bug>: Ensure that HEAD requests return the correct content
1247
        length (i.e. the same as for a GET) when the requested resource includes
1248
        a resource served by a servlet that extends <code>HttpServlet</code>.
1249
        (markt)
1250
      </fix>
1251
      <fix>
1252
        <bug>57621</bug>: When an async request completes, ensure that any
1253
        remaining request body data is swallowed. (markt)
1254
      </fix>
1255
      <fix>
1256
        <bug>57637</bug>: Do not create unnecessary sessions when using
1257
        PersistentValve. (jboynes/fschumacher)
1258
      </fix>
1259
      <fix>
1260
        <bug>57645</bug>: Correct a regression in the fix for
1261
        <bug>57190</bug> that incorrectly required the path passed to
1262
        <code>ServletContext.getContext(String)</code> to be an exact match to a
1263
        path to an existing context. (markt)
1264
      </fix>
1265
      <fix>
1266
        Make sure that <code>unpackWAR</code> attribute of <code>Context</code>
1267
        is handled correctly in <code>HostConfig</code>. (kfujino)
1268
      </fix>
1269
      <fix>
1270
        When deploying a WAR file that contains a context.xml file and
1271
        <code>unpackWARs</code> is <code>false</code> ignore any context.xml
1272
        file that may exist in an expanded directory associated with the WAR.
1273
        (markt)
1274
      </fix>
1275
      <fix>
1276
        <bug>57675</bug>: Correctly quote strings when using the extended
1277
        access log. (markt)
1278
      </fix>
1279
      <add>
1280
        Enable Tomcat to detect when a WAR file has been changed while Tomcat is
1281
        not running. Tomcat does this by adding a META-INF/war-tracking file to
1282
        the expanded directory and setting the last modified time of this file
1283
        to the last modified time of the WAR. If Tomcat detects a modified WAR
1284
        via this mechanism the web application will be redeployed (i.e. the
1285
        expanded directory will be removed and the modified WAR expanded in its
1286
        place). (markt)
1287
      </add>
1288
      <fix>
1289
        <bug>57704</bug>: Fix potential NPEs during web application start/stop
1290
        when <code>org.apache.tomcat.InstanceManager</code> is not initialized.
1291
        (violetagg)
1292
      </fix>
1293
      <add>
1294
        Use the simplified digest output for digest.bat|sh when generating
1295
        digests with no salt and a single iteration to make it easier to use
1296
        with DIGEST authentication. (markt)
1297
      </add>
1298
      <fix>
1299
        Add support for <code>LAST_ACCESS_AT_START</code> system property to
1300
        <code>SingleSignOn</code>. (kfujino)
1301
      </fix>
1302
      <scode>
1303
        Refactor Authenticator implementations to reduce code duplication.
1304
        (markt)
1305
      </scode>
1306
      <fix>
1307
        <bug>57724</bug>: Handle the case in the CORS filter where a user agent
1308
        includes an origin header for a non-CORS request. (markt)
1309
      </fix>
1310
      <fix>
1311
        When searching for SCIs
1312
        <code>o.a.catalina.Context.getParentClassLoader</code> will be used
1313
        instead of <code>java.lang.ClassLoader.getParent</code>. Thus one can
1314
        provide the correct parent class loader when running embedded Tomcat in
1315
        other environments such as OSGi. (violetagg)
1316
      </fix>
1317
      <fix>
1318
        <bug>57743</bug>: Fix a locked file / resource leak issue when a JAR is
1319
        accessed just before or during web application undeploy. Patch provided
1320
        by  Pavel Avgustinov. (markt)
1321
      </fix>
1322
    </changelog>
1323
  </subsection>
1324
  <subsection name="Coyote">
1325
    <changelog>
1326
      <add>
1327
        <bug>57540</bug>: Make TLS/SSL protocol available in a new request
1328
        attribute
1329
        (<code>org.apache.tomcat.util.net.secure_protocol_version</code>).
1330
        (Note that AJP connectors will require <tt>mod_jk</tt> 1.2.41 or later,
1331
        or an as-yet-unknown version of mod_proxy_ajp, or configure the proxy
1332
        to send the AJP_SSL_PROTOCOL request attribute to Tomcat. Please see
1333
        the bug comments for details.)
1334
        Based upon a patch provided by Ralf Hauser. (schultz)
1335
      </add>
1336
      <fix>
1337
        Fix a cipher ordering issue when using the OpenSSL syntax for JSSE
1338
        cipher configuration to ensure that ephemeral ECDH with AES is preferred
1339
        to ephemeral ECDH with anything else. (markt)
1340
      </fix>
1341
      <fix>
1342
        <bug>57570</bug>: Make the processing of trailer headers with chunked
1343
        input optional and disabled by default. (markt)
1344
      </fix>
1345
      <fix>
1346
        <bug>57592</bug>: Correctly handle the case where an
1347
        <code>AsyncContext</code> is used for non-blocking I/O and is completed
1348
        during a write operation. (markt)
1349
      </fix>
1350
      <fix>
1351
        <bug>57638</bug>: Avoid an IllegalArgumentException when an AJP request
1352
        body chunk larger than the socket read buffer is being read. This
1353
        typically requires a larger than default AJP packetSize. (markt)
1354
      </fix>
1355
      <fix>
1356
        <bug>57674</bug>: Avoid a BufferOverflowException when an AJP response
1357
        body chunk larger than the socket write buffer is being written. This
1358
        typically requires a larger than default AJP packetSize. (markt)
1359
      </fix>
1360
      <update>
1361
        Align the OpenSSL syntax cipher configuration with the OpenSSL 1.0.2
1362
        branch. (markt)
1363
      </update>
1364
      <fix>
1365
        Numerous fixes to the APR/native connector to improve robustness.
1366
        (markt)
1367
      </fix>
1368
      <fix>
1369
        Stop caching and re-using SocketWrapper instances. With the introduction
1370
        of upgrade and non-blocking I/O, I/O can occur on non-container threads.
1371
        This makes it nearly impossible to track whether a SocketWrapper is
1372
        still being referenced or not, making re-use a risky proposition.
1373
        (markt)
1374
      </fix>
1375
      <scode>
1376
        Refactor Connector authentication (only used by AJP) into a separate
1377
        method. (markt)
1378
      </scode>
1379
      <add>
1380
        <bug>57708</bug>: Implement a new feature for AJP connectors - Tomcat
1381
        Authorization. If the new tomcatAuthorization attribute is set to
1382
        <code>true</code> (it is disabled by default) Tomcat will take an
1383
        authenticated user name from the AJP protocol and use the appropriate
1384
        Realm for the request to authorize (i.e. add roles) to that user.
1385
        (markt)
1386
      </add>
1387
      <fix>
1388
        Fix an issue that meant that any pipe-lined data read by Tomcat before
1389
        an asynchronous request completed was lost during the completion of the
1390
        asynchronous request. This mean that the pipe-lined request(s) would be
1391
        lost and/or corrupted. (markt)
1392
      </fix>
1393
      <update>
1394
        Update the minimum recommended version of the Tomcat Native library (if
1395
        used) to 1.1.33. (markt)
1396
      </update>
1397
    </changelog>
1398
  </subsection>
1399
  <subsection name="Jasper">
1400
    <changelog>
1401
      <fix>
1402
        <bug>57135</bug>: Package imports via
1403
        <code>javax.el.ImportHandler</code> should only import public, concrete
1404
        classes. (markt)
1405
      </fix>
1406
      <fix>
1407
        <bug>57583</bug>: Cache &apos;Not Found&apos; results in
1408
        <code>javax.el.ImportHandler.resolveClass()</code> to save repeated
1409
        attempts to load classes that are known not to exist to improve
1410
        performance. (markt)
1411
      </fix>
1412
      <fix>
1413
        <bug>57626</bug>: Correct a regression introduced in the 8.0.16 fix for
1414
        ensuring Jars were closed after use, that broke recompilation of
1415
        modified JSPs that depended on a tag file packaged in a Jar. (markt)
1416
      </fix>
1417
      <fix>
1418
        <bug>57627</bug>: Correctly determine last modified times for
1419
        dependencies when a tag file packaged in a JAR depends on a tag file
1420
        packaged in a second JAR. (markt)
1421
      </fix>
1422
      <fix>
1423
        <bug>57647</bug>: Ensure INFO message is logged when scanning jars for
1424
        TLDs if the scan does not find a TLD in any jar. Previously a message
1425
        would only be logged if a TLD was not found in all scanned jars. (jboynes)
1426
      </fix>
1427
      <update>
1428
        <bug>57662</bug>: Update all references to the ECJ compiler to version
1429
        4.4.2. (violetagg)
1430
      </update>
1431
    </changelog>
1432
  </subsection>
1433
  <subsection name="Cluster">
1434
    <changelog>
1435
      <fix>
1436
        Remove unnecessary method that always returns true. The domain filtering
1437
        works on <code>DomainFilterInterceptor</code>. (kfujino)
1438
      </fix>
1439
    </changelog>
1440
  </subsection>
1441
  <subsection name="WebSocket">
1442
    <changelog>
1443
      <fix>
1444
        Correct a bug in the <code>permessage-deflate</code> implementation that
1445
        meant that the incorrect op-codes were used if an uncompressed message
1446
        was converted into more than one compressed message. (markt)
1447
      </fix>
1448
      <add>
1449
        <bug>57676</bug>: List conflicting WebSocket endpoint classes when
1450
        there is a path conflict. Based upon a patch proposed by yangkun.
1451
        (schultz)
1452
      </add>
1453
    </changelog>
1454
  </subsection>
1455
  <subsection name="Web applications">
1456
    <changelog>
1457
      <fix>
1458
        <bug>56058</bug>: Add links to the AccessLogValve documentation for
1459
        configuring reverse proxies and/or Tomcat to ensure that the desired
1460
        information is used entered in the access log when Tomcat is running
1461
        behind a reverse proxy. (markt)
1462
      </fix>
1463
      <fix>
1464
        <bug>57587</bug>: Update the JNDI Datasource HOWTO for DBCP2. Patch
1465
        provided by Phil Steitz. (markt)
1466
      </fix>
1467
      <fix>
1468
        Remove incorrect note from context configuration page in the
1469
        documentation web application that stated WAR files located outside the
1470
        appBase were never unpacked. (markt)
1471
      </fix>
1472
      <update>
1473
        <bug>57644</bug>: Update examples to use Apache Standard Taglib 1.2.5.
1474
        (jboynes)
1475
      </update>
1476
      <fix>
1477
        <bug>57683</bug>: Ensure that if a client aborts their connection to the
1478
        stock ticker example (the only way a client can disconnect), the example
1479
        continues to work for existing and new clients. (markt)
1480
      </fix>
1481
      <fix>
1482
        Make it clear that when using digested passwords with DIGEST
1483
        authentication that no salt and only a single iteration must be used
1484
        when generating the digest. (markt)
1485
      </fix>
1486
    </changelog>
1487
  </subsection>
1488
  <subsection name="Extras">
1489
    <changelog>
1490
      <fix>
1491
        <bug>57377</bug>: Remove the restriction that prevented the use of SSL
1492
        when specifying a bind address with the JMXRemoteLifecycleListener. Also
1493
        enable SSL to be configured for the registry as well as the server.
1494
        (markt)
1495
      </fix>
1496
    </changelog>
1497
  </subsection>
1498
  <subsection name="Tribes">
1499
    <changelog>
1500
      <fix>
1501
        When a map member has been added to <code>ReplicatedMap</code>, make
1502
        sure to add it to backup nodes list of all other members. (kfujino)
1503
      </fix>
1504
      <fix>
1505
        Make sure that refuse the messages from a different domain in
1506
        <code>DomainFilterInterceptor</code>. (kfujino)
1507
      </fix>
1508
    </changelog>
1509
  </subsection>
1510
  <subsection name="Other">
1511
    <changelog>
1512
      <update>
1513
        Update optional Checkstyle library to 6.4.1. (kkolinko)
1514
      </update>
1515
      <fix>
1516
        <bug>57703</bug>: Update the <code>http-method</code> definition for
1517
        web applications using a Servlet 2.5 descriptor as per Servlet 2.5 MR 6.
1518
        (markt)
1519
      </fix>
1520
      <update>
1521
        Update to Tomcat Native Library version 1.1.33 to pick up the Windows
1522
        binaries that are based on OpenSSL 1.0.1m and APR 1.5.1. (markt)
1523
      </update>
1524
    </changelog>
1525
  </subsection>
1526
</section>
1527
<section name="Tomcat 8.0.20 (markt)" rtext="2015-02-20">
1528
  <subsection name="Coyote">
1529
    <changelog>
1530
      <fix>
1531
        Fix a concurrency issue that meant that a change in socket timeout (e.g.
1532
        when switching to asynchronous I/O) did not always take effect
1533
        immediately. (markt)
1534
      </fix>
1535
    </changelog>
1536
  </subsection>
1537
</section>
1538
<section name="Tomcat 8.0.19 (markt)" rtext="not released">
1539
  <subsection name="Catalina">
1540
    <changelog>
1541
      <fix>
1542
        Clarify threaded usage of variables by removing volatile marker
1543
        in NonceInfo. Issue reported by Coverity Scan. (fschumacher)
1544
      </fix>
1545
      <fix>
1546
        <bug>57180</bug>: Further fixes to support the use of arbitrary HTTP
1547
        methods with the CORS filter. (markt)
1548
      </fix>
1549
      <fix>
1550
        <bug>57472</bug>: Fix performance regression in resources implementation
1551
        when signed JARs are used in a web application. (markt)
1552
      </fix>
1553
      <add>
1554
        Warn about problematic setting of appBase. (fschumacher)
1555
      </add>
1556
      <fix>
1557
        Fix exception while authentication in JDBCRealm. (fschumacher)
1558
      </fix>
1559
      <fix>
1560
       <bug>57534</bug>: CORS Filter should only look at media type component of
1561
       Content-Type request header. (markt)
1562
      </fix>
1563
      <fix>
1564
        <bug>57556</bug>: Align <code>getRealPath()</code> behaviour with that
1565
        of earlier versions and include a trailing separator if the real path
1566
        refers to a directory. (markt)
1567
      </fix>
1568
      <fix>
1569
        Ensure that Servlet 3.0 async requests where <code>startAsync()</code>
1570
        is called in one container thread and <code>dispatch()</code> is called
1571
        in a different container thread complete correctly. (markt)
1572
      </fix>
1573
      <fix>
1574
        Ensure that user name checking in the optional SecurityListener is
1575
        case-insensitive (as documented) and than the case-insensitive
1576
        comparison is performed using the system default Locale. (markt)
1577
      </fix>
1578
      <add>
1579
        <bug>57021</bug>: Improve logging in AprLifecycleListener and
1580
        jni.Library when Tomcat-Native DLL fails to load. Based on a patch by
1581
        Pravallika Peddi. (markt/kkolinko)
1582
      </add>
1583
    </changelog>
1584
  </subsection>
1585
  <subsection name="Coyote">
1586
    <changelog>
1587
      <fix>
1588
        Fix several bugs that could cause multiple registrations for write
1589
        events for a single socket when using Servlet 3.0 async. Typically, the
1590
        side effects of these multiple registrations would be exceptions
1591
        appearing in the logs. (markt)
1592
      </fix>
1593
      <fix>
1594
        <bug>57432</bug>: Align <code>SSL_OP_NO_TLSv1_1</code> and
1595
        <code>SSL_OP_NO_TLSv1_2</code> constant values with OpenSSL (they had
1596
        been swapped). (markt)
1597
      </fix>
1598
      <fix>
1599
        <bug>57509</bug>: Improve length check when writing HTTP/1.1
1600
        response headers: reserve space for 4 extra bytes. (kkolinko)
1601
      </fix>
1602
      <fix>
1603
        <bug>57544</bug>: Fix potential infinite loop when preparing a kept
1604
        alive HTTP connection for the next request. (markt)
1605
      </fix>
1606
      <fix>
1607
        <bug>57546</bug>: Ensure that a dropped network connection does not
1608
        leave references to the UpgradeProcessor associated with the connection
1609
        in memory. (markt)
1610
      </fix>
1611
      <fix>
1612
        When applying the <code>maxSwallowSize</code> limit to a connection read
1613
        that many bytes first before closing the connection to give the client a
1614
        chance to read the response. (markt)
1615
      </fix>
1616
      <fix>
1617
        Prevent an async timeout being processed multiple times for the same
1618
        socket when running on slow and/or heavily loaded systems. (markt)
1619
      </fix>
1620
      <fix>
1621
        <bug>57581</bug>: Change statistics byte counter in coyote Request
1622
        object to be long to allow values above 2Gb. (kkolinko)
1623
      </fix>
1624
      <update>
1625
        Use the data that supports cipher definition using OpenSSL syntax to
1626
        improve the quality of values provided for the
1627
        <code>javax.servlet.request.key_size</code> request attribute. (markt)
1628
      </update>
1629
      <fix>
1630
        Fix a concurrency issue in the APR Poller that meant it was possible
1631
        under low load for a socket queued to be added to the Poller not to be
1632
        added for 10 seconds. (markt)
1633
      </fix>
1634
    </changelog>
1635
  </subsection>
1636
  <subsection name="Jasper">
1637
    <changelog>
1638
      <update>
1639
        <bug>57123</bug>: Update all references to the ECJ compiler to version
1640
        4.4.1. With thanks to Ralph Schaer for uploading the 4.4.1 JAR to Maven
1641
        Central. (markt)
1642
      </update>
1643
      <add>
1644
        <bug>57564</bug>:  Make JspC amenable to subclassing. Patch provided by
1645
        Jan Bartel. (markt)
1646
      </add>
1647
      <fix>
1648
        Simplify code in <code>ProtectedFunctionMapper</code> class of
1649
        Jasper runtime. (kkolinko)
1650
      </fix>
1651
      <fix>
1652
        <bug>57574</bug>: Do not check existence of a Java package in
1653
        <code>javax.el.ImportHandler.importPackage()</code>. (kkolinko)
1654
      </fix>
1655
    </changelog>
1656
  </subsection>
1657
  <subsection name="WebSocket">
1658
    <changelog>
1659
      <fix>
1660
        <bug>57490</bug>: Make it possible to use Tomcat&apos;s WebSocket client
1661
        within a web application when running under a SecurityManager. Based on
1662
        a patch by Mikael Sterner. (markt)
1663
      </fix>
1664
      <add>
1665
        Add some debug logging to the WebSocket session to track session
1666
        creation and session closure. (markt)
1667
      </add>
1668
    </changelog>
1669
  </subsection>
1670
  <subsection name="Web applications">
1671
    <changelog>
1672
      <update>
1673
        Clarify documentation for <code>useBodyEncodingForURI</code>
1674
        attribute of a connector. (kkolinko)
1675
      </update>
1676
      <fix>
1677
        Fix possible resource leaks by closing streams properly. Issues
1678
        reported by Coverity Scan. (fschumacher)
1679
      </fix>
1680
      <fix>
1681
        <bug>57503</bug>: Make clear that the JULI integration for log4j only
1682
        works with log4j 1.2.x. (markt)
1683
      </fix>
1684
      <fix>
1685
        <bug>57496</bug>: Remove hard-coded URL in JSP SVG example. (markt)
1686
      </fix>
1687
    </changelog>
1688
  </subsection>
1689
  <subsection name="Tribes">
1690
    <changelog>
1691
      <fix>
1692
        Fix a possible deadlock when receiver thread invokes
1693
        <code>mapMemberAdded()</code> while ping thread invokes
1694
        <code>memberAlive()</code>. (kfujino)
1695
      </fix>
1696
    </changelog>
1697
  </subsection>
1698
  <subsection name="Other">
1699
    <changelog>
1700
      <add>
1701
        Enhance bean factory used for JNDI resources. New attribute
1702
        <code>forceString</code> allows to support non-standard
1703
        string argument property setters. (rjung)
1704
      </add>
1705
      <fix>
1706
        Assign newly created stream to field instead of leaking it uselessly.
1707
        Issue reported by Coverity Scan. (fschumacher)
1708
      </fix>
1709
      <update>
1710
        Update optional Checkstyle library to 6.3. (kkolinko)
1711
      </update>
1712
      <fix>
1713
        Guard the digester from MbeansDescriptorsDigesterSource with its own
1714
        lock object. (fschumacher)
1715
      </fix>
1716
      <fix>
1717
        Refactor the unit tests and add some new test properties to make it
1718
        easier to exclude performance tests and relax timing tests. This is
1719
        primarily for the ASF CI system where these tests frequently fail.
1720
        (markt)
1721
      </fix>
1722
      <fix>
1723
        <bug>57558</bug>: Add missing JAR in Ant task definition required by
1724
        the validate task. (markt)
1725
      </fix>
1726
      <add>
1727
        List names of Testsuites that have failed or skipped tests when
1728
        running the tests with Ant. (kkolinko)
1729
      </add>
1730
    </changelog>
1731
  </subsection>
1732
</section>
1733
<section name="Tomcat 8.0.18 (markt)" rtext="2015-01-26">
1734
  <subsection name="Catalina">
1735
    <changelog>
1736
      <fix>
1737
        <bug>57178</bug>: The CORS filter now treats <code>null</code> as a
1738
        valid origin that matches <code>*</code>. Patch provided by Gregor
1739
        Zurowski. (markt)
1740
      </fix>
1741
      <fix>
1742
        <bug>57425</bug>: Don't add attributes with null value or name to the
1743
        replicated context. (fschumacher)
1744
      </fix>
1745
      <add>
1746
        <bug>57431</bug>: Enable usage of custom class for context creation when
1747
        using embedded tomcat. (fschumacher)
1748
      </add>
1749
      <fix>
1750
        <bug>57446</bug>: Ensure that <code>ServletContextListener</code>s that
1751
        have limited access to <code>ServletContext</code> methods are called
1752
        with the same <code>ServletContext</code> instance for both
1753
        <code>contextInitialized()</code> and <code>contextDestroyed()</code>.
1754
        (markt)
1755
      </fix>
1756
      <fix>
1757
        <bug>57455</bug>: Explicitly block the use of the double-quote character
1758
        when configuring the common, server and shared class loaders since
1759
        double-quote is used to quote values that contain commas. (markt)
1760
      </fix>
1761
      <fix>
1762
        <bug>57461</bug>: When an instance of
1763
        <code>org.apache.catalina.startup.VersionLoggerListener</code> logs the
1764
        result of <code>System.getProperty("java.home")</code> don't report it
1765
        in a manner that makes it look like the <code>JAVA_HOME</code>
1766
        environment variable. (markt)
1767
      </fix>
1768
      <fix>
1769
        <bug>57476</bug>: Ensure the responses written as part of a forward are
1770
        fully written. This fixes a regression in 8.0.15 caused by the fix for
1771
        <bug>57252</bug>. (markt)
1772
      </fix>
1773
      <fix>
1774
        While closing streams for given resources ensure that if an exception
1775
        happens it will be handled properly. Issue is reported by Coverity Scan.
1776
        (violetagg)
1777
      </fix>
1778
      <fix>
1779
        <bug>57481</bug>: Fix <code>IllegalStateException</code> at the end of
1780
        the request when using non-blocking reads with the HTTP BIO connector.
1781
        (markt)
1782
      </fix>
1783
      <fix>
1784
        Change Response to use UEncoder instances with shared safeChars.
1785
        (fschumacher)
1786
      </fix>
1787
      <fix>
1788
        Ensure that when static resources are served from JARs, only static
1789
        resources are served. (markt)
1790
      </fix>
1791
      <add>
1792
        Allow <code>VersionLoggerListener</code> to log all system properties.
1793
        This feature is off by default. (kkolinko)
1794
      </add>
1795
    </changelog>
1796
  </subsection>
1797
  <subsection name="Jasper">
1798
    <changelog>
1799
      <fix>
1800
        Ensure that classes imported via the page directive are made available
1801
        to the EL environment via the ImportHandler. Issue is reported by
1802
        Coverity Scan. (violetagg)
1803
      </fix>
1804
      <fix>
1805
        <bug>57441</bug>: Do not trigger an error when using functions defined
1806
        by lambdas or imported via an ImportHandler in an EL expression in a
1807
        JSP. (markt)
1808
      </fix>
1809
    </changelog>
1810
  </subsection>
1811
  <subsection name="Cluster">
1812
    <changelog>
1813
      <fix>
1814
        Fix mbean descriptor of <code>ClusterSingleSignOn</code>. (kfujino)
1815
      </fix>
1816
      <fix>
1817
        <bug>57473</bug>: Add sanity check to FarmWebDeployer's WarWatcher to
1818
        detect suspected incorrect permissions on the watch directory. (schultz)
1819
      </fix>
1820
    </changelog>
1821
  </subsection>
1822
  <subsection name="Tribes">
1823
    <changelog>
1824
      <fix>
1825
        Clarify the handling of Copy message and Copy nodes. (kfujino)
1826
      </fix>
1827
      <fix>
1828
        Copy node does not need to send the entry data. It is enough to send
1829
        only the node information of the entry. (kfujino)
1830
      </fix>
1831
      <fix>
1832
        ReplicatedMap should send the Copy message when replicating. (kfujino)
1833
      </fix>
1834
      <fix>
1835
        Fix behavior of ReplicatedMap when member has disappeared. If map entry
1836
        is primary, rebuild the backup members. If primary node of map entry has
1837
        disappeared, backup node is promoted to primary. (kfujino)
1838
      </fix>
1839
    </changelog>
1840
  </subsection>
1841
</section>
1842
<section name="Tomcat 8.0.17 (markt)" rtext="2015-01-16">
1843
  <subsection name="Catalina">
1844
    <changelog>
1845
      <fix>
1846
        Correct a regression in the previous fix for <bug>57252</bug> that broke
1847
        request listeners for non-async requests that triggered an error that
1848
        was handled by the ErrorReportingValve. (markt/violetagg)
1849
      </fix>
1850
    </changelog>
1851
  </subsection>
1852
  <subsection name="Coyote">
1853
    <changelog>
1854
      <fix>
1855
        Add flushing to send ack in the NIO2 connector. (remm)
1856
      </fix>
1857
    </changelog>
1858
  </subsection>
1859
</section>
1860
<section name="Tomcat 8.0.16 (markt)" rtext="not released">
1861
  <subsection name="Catalina">
1862
    <changelog>
1863
      <fix>
1864
        <bug>57172</bug>: Provide a better error message if something attempts to
1865
        access a resource through a web application class loader that has been
1866
        stopped. (markt/kkolinko)
1867
      </fix>
1868
      <fix>
1869
        <bug>57173</bug>: Revert the fix for <bug>56953</bug> that broke
1870
        annotation scanning in some cases. (markt)
1871
      </fix>
1872
      <fix>
1873
        <bug>57180</bug>: Do not limit the CORS filter to only accepting
1874
        requests that use an HTTP method defined in RFC 7231. (markt)
1875
      </fix>
1876
      <fix>
1877
        <bug>57190</bug>: Fix <code>ServletContext.getContext(String)</code>
1878
        when parallel deployment is used so that the correct ServletContext is
1879
        returned. (markt)
1880
      </fix>
1881
      <fix>
1882
        <bug>57208</bug>: Prevent NPE in JNDI Realm when no results are found
1883
        in a directory context for a user with specified user name. Based on
1884
        a patch provided by Jason McIntosh. (violetagg)
1885
      </fix>
1886
      <add>
1887
        <bug>57209</bug>: Add a new attribute, userSearchAsUser to the JNDI
1888
        Realm. (markt)
1889
      </add>
1890
      <fix>
1891
        <bug>57215</bug>: Ensure that the result of calling
1892
        <code>HttpServletRequest.getContextPath()</code> is neither decoded nor
1893
        normalized as required by the Servlet specification. (markt)
1894
      </fix>
1895
      <fix>
1896
        <bug>57216</bug>: Improve handling of invalid context paths. A context
1897
        path should either be an empty string or start with a
1898
        <code>&apos;/&apos;</code> and do not end with a
1899
        <code>&apos;/&apos;</code>. Invalid context path are automatically
1900
        corrected and a warning is logged. The <code>null</code> and
1901
        <code>&quot;/&quot;</code> values are now correctly changed to
1902
        <code>&quot;&quot;</code>. (markt/kkolinko)
1903
      </fix>
1904
      <fix>
1905
        Update storeconfig with the CredentialHandler element. (remm)
1906
      </fix>
1907
      <fix>
1908
        Correct message that is logged when load-on-startup servlet fails
1909
        to load. It was logging a wrong name. (kkolinko)
1910
      </fix>
1911
      <fix>
1912
        <bug>57239</bug>: Correct several message typos. Includes patch by
1913
        vladk. (kkolinko)
1914
      </fix>
1915
      <fix>
1916
        Fix closing of Jars during annotation scanning. (schultz/kkolinko)
1917
      </fix>
1918
      <fix>
1919
        Fix a concurrency issue in async processing. Ensure that a non-container
1920
        thread can not change the async state until the container thread has
1921
        completed. (markt)
1922
      </fix>
1923
      <fix>
1924
        <bug>57252</bug>: Provide application configured error pages with a
1925
        chance to handle an async error before the built-in error reporting.
1926
        (markt)
1927
      </fix>
1928
      <fix>
1929
        <bug>57281</bug>: Enable non-public Filter and Servlet classes to be
1930
        configured programmatically via the Servlet 3.0 API and then used
1931
        without error when running under a SecurityManager. (markt)
1932
      </fix>
1933
      <fix>
1934
        <bug>57308</bug>: Remove unnecessary calls to
1935
        <code>System.getProperty()</code> where more suitable API calls are
1936
        available. (markt)
1937
      </fix>
1938
      <add>
1939
        Add unit tests for RemoteAddrValve and RemoteHostValve. (rjung)
1940
      </add>
1941
      <add>
1942
        Allow to configure RemoteAddrValve and RemoteHostValve to
1943
        adopt behavior depending on the connector port. Implemented
1944
        by optionally adding the connector port to the string compared
1945
        with the patterns <code>allow</code> and <code>deny</code>. Configured
1946
        using <code>addConnectorPort</code> attribute on valve. (rjung)
1947
      </add>
1948
      <add>
1949
        Optionally trigger authentication instead of denial in
1950
        RemoteAddrValve and RemoteHostValve. This only works in
1951
        combination with <code>preemptiveAuthentication</code>
1952
        on the application context. Configured using
1953
        <code>invalidAuthenticationWhenDeny</code> attribute on valve. (rjung)
1954
      </add>
1955
      <fix>
1956
        Remove the obsolete <code>jndi</code> protocol usage from the scanning
1957
        process performed by StandardJarScanner. (violetagg)
1958
      </fix>
1959
      <fix>
1960
        Prevent file descriptors leak and ensure that files are closed after
1961
        retrieving the last modification time. (violetagg)
1962
      </fix>
1963
      <update>
1964
        Make <code>o.a.catalina.webresources.StandardRoot</code> easier for
1965
        extending. (violetagg)
1966
      </update>
1967
      <fix>
1968
        <bug>57326</bug>: Enable <code>AsyncListener</code> implementations to
1969
        re-register themselves during <code>AsyncListener.onStartAsync</code>.
1970
        (markt)
1971
      </fix>
1972
      <fix>
1973
        <bug>57331</bug>: Allow ExpiresFilter to use "year" as synonym for
1974
        "years" in its configuration. (kkolinko)
1975
      </fix>
1976
      <fix>
1977
        Ensure that if the RewriteValve rewrites a request that subsequent calls
1978
        to <code>HttpServletRequest.getRequestURI()</code> return the undecoded
1979
        URI. (markt)
1980
      </fix>
1981
      <fix>
1982
        Ensure that if the RewriteValve rewrites a request to a non-normalized
1983
        URI that the URI is normalized before the URI is mapped to ensure that
1984
        the correct mapping is applied. (markt)
1985
      </fix>
1986
      <fix>
1987
        Prevent NPEs being logged during post-processing for requests that have
1988
        been re-written by the RewriteValve. (markt)
1989
      </fix>
1990
      <fix>
1991
        Various StoreConfig improvements including removing a dependency on the
1992
        <code>StandardServer</code> implementation, improve consistency of
1993
        behaviour when MBean is not registered and improve error messages when
1994
        accessed via the Manager application. (markt)
1995
      </fix>
1996
      <update>
1997
          Improve SnoopServlet in unit tests. (rjung)
1998
      </update>
1999
      <add>
2000
          Add RequestDescriptor class to unit tests.
2001
          Adjust TestRewriteValve to use RequestDescriptor. (rjung)
2002
      </add>
2003
      <update>
2004
          Add more AJP unit tests. (rjung)
2005
      </update>
2006
      <fix>
2007
        <bug>57363</bug>: Log to stderr if LogManager is unable to read
2008
        configuration files rather than swallowing the exception silently.
2009
        (markt)
2010
      </fix>
2011
    </changelog>
2012
  </subsection>
2013
  <subsection name="Coyote">
2014
    <changelog>
2015
      <fix>
2016
        Allow HTTP upgrade process to complete without data corruption when
2017
        additional content is sent along with the upgrade header. (remm)
2018
      </fix>
2019
      <fix>
2020
        <bug>57187</bug>: Regression handling the special * URL. (remm)
2021
      </fix>
2022
      <fix>
2023
        <bug>57234</bug>: Make SSL protocol filtering to remove insecure
2024
        protocols case insensitive. (markt)
2025
      </fix>
2026
      <fix>
2027
        <bug>57265</bug>: Fix some potential concurrency issues with sendFile
2028
        and the NIO connector. (markt)
2029
      </fix>
2030
      <fix>
2031
        <bug>57324</bug>: If the client uses <code>Expect: 100-continue</code>
2032
        and Tomcat responds with a non-2xx response code, Tomcat also closes the
2033
        connection. If Tomcat knows the connection is going to be closed when
2034
        committing the response, Tomcat will now also send the
2035
        <code>Connection: close</code> response header. (markt)
2036
      </fix>
2037
      <fix>
2038
        <bug>57340</bug>: When using Comet, ensure that Socket and SocketWrapper
2039
        are only returned to their respective caches once on socket close (it is
2040
        possible for multiple threads to call close concurrently). (markt)
2041
      </fix>
2042
      <fix>
2043
        <bug>57347</bug>: AJP response contains wrong status reason phrase
2044
        (rjung)
2045
      </fix>
2046
      <add>
2047
        <bug>57391</bug>: Allow TLS Session Tickets to be disabled when using
2048
        the APR/native HTTP connector. Patch provided by Josiah Purtlebaugh.
2049
        (markt)
2050
      </add>
2051
    </changelog>
2052
  </subsection>
2053
  <subsection name="Jasper">
2054
    <changelog>
2055
      <fix>
2056
        <bug>57142</bug>: As per the clarification from the JSP specification
2057
        maintenance lead, classes and packages imported via the page directive
2058
        must be made available to the EL environment via the ImportHandler.
2059
        (markt)
2060
      </fix>
2061
      <fix>
2062
        <bug>57247</bug>: Correct the default Java source and target versions in
2063
        the JspC usage message to <code>1.7</code> for Java 7. (markt)
2064
      </fix>
2065
      <fix>
2066
        <bug>57309</bug>: Ensure that the current EL Resolver is given an
2067
        opportunity to perform type coercion before applying the default EL
2068
        coercion rules. (markt)
2069
      </fix>
2070
      <fix>
2071
        Improve the calculation of the resource's last-modified, performed by
2072
        JspCompilationContext, in a way to support URLs with protocol different
2073
        than <code>jar:file</code>. (violetagg)
2074
      </fix>
2075
      <fix>
2076
        Fix potential issue with BeanELResolver when running under a security
2077
        manager. Some classes may not be accessible but may have accessible
2078
        interfaces. (markt)
2079
      </fix>
2080
    </changelog>
2081
  </subsection>
2082
  <subsection name="Cluster">
2083
    <changelog>
2084
      <fix>
2085
        In order to enable define in <code>Cluster</code> element,
2086
        <code>ClusterSingleSignOn</code> implements <code>ClusterValve</code>.
2087
        (kfujino)
2088
      </fix>
2089
      <fix>
2090
        <bug>57338</bug>: Improve the ability of the
2091
        <code>ClusterSingleSignOn</code> valve to handle nodes being added and
2092
        removed from the Cluster at run time. (markt)
2093
      </fix>
2094
    </changelog>
2095
  </subsection>
2096
  <subsection name="WebSocket">
2097
    <changelog>
2098
      <fix>
2099
        Correct multiple issues with the flushing of batched messages that could
2100
        lead to duplicate and/or corrupt messages. (markt)
2101
      </fix>
2102
      <fix>
2103
        Correctly implement headers case insensitivity. (markt/remm)
2104
      </fix>
2105
      <fix>
2106
        Allow optional use of user extensions. (remm)
2107
      </fix>
2108
      <fix>
2109
        Allow using partial binary message handlers. (remm)
2110
      </fix>
2111
      <fix>
2112
        Limit ping/pong message size. (remm)
2113
      </fix>
2114
      <fix>
2115
        Allow configuration of the time interval for the periodic event. (remm)
2116
      </fix>
2117
      <fix>
2118
        More accurate annotations processing. (remm)
2119
      </fix>
2120
      <fix>
2121
        Allow optional default for origin header in the client. (remm)
2122
      </fix>
2123
    </changelog>
2124
  </subsection>
2125
  <subsection name="Web applications">
2126
    <changelog>
2127
      <fix>
2128
        Update documentation for CGI servlet. Recommend to copy the servlet
2129
        declaration into web application instead of enabling it globally.
2130
        Correct documentation for cgiPathPrefix. (kkolinko)
2131
      </fix>
2132
      <update>
2133
        Improve HTML version of build instructions and align with
2134
        BUILDING.txt. (kkolinko)
2135
      </update>
2136
      <update>
2137
        Improve Tomcat Manager documentation. Rearrange, add section on
2138
        HTML GUI, document /expire command and Server Status page. (kkolinko)
2139
      </update>
2140
      <update>
2141
        <bug>57238</bug>: Update information on SSL/TLS on Security and SSL
2142
        documentation pages. Patch by Glen Peterson. (kkolinko)
2143
      </update>
2144
      <fix>
2145
        <bug>57245</bug>: Correct the reference to <code>allowLinking</code> in
2146
        the security configuration guide since that attribute has moved from the
2147
        Context element to the nested Resources element. (markt)
2148
      </fix>
2149
      <fix>
2150
        Fix ambiguity of section links on Valves configuration reference page.
2151
        (kkolinko)
2152
      </fix>
2153
      <fix>
2154
        <bug>57261</bug>: Fix vminfo and threaddump Manager commands to start
2155
        their output with an "OK" line. Document them. Based on a patch by
2156
        Oleg Trokhov. (kkolinko)
2157
      </fix>
2158
      <fix>
2159
        <bug>57267</bug>: Document the <code>StoreConfigLifecycleListener</code>
2160
        and the <code>/save</code> command for the Manager application. (markt)
2161
      </fix>
2162
      <fix>
2163
        <bug>57323</bug>: Correct display of outdated sessions in sessions
2164
        count listing in Manager application. (kkolinko)
2165
      </fix>
2166
      <add>
2167
        Add document of <code>ClusterSingleSignOn</code>. (kfujino)
2168
      </add>
2169
    </changelog>
2170
  </subsection>
2171
  <subsection name="Other">
2172
    <changelog>
2173
      <update>
2174
        When downloading required libraries at build time, use random name
2175
        for temporary file and automatically create destination directory
2176
        (<code>base.path</code>). (kkolinko)
2177
      </update>
2178
      <update>
2179
        Update optional Checkstyle library to 6.2. (kkolinko)
2180
      </update>
2181
      <update>
2182
        Simplify <code>setproxy</code> task in <code>build.xml</code>.
2183
        Taskdef there is not needed since Ant 1.8.2. (kkolinko)
2184
      </update>
2185
      <fix>
2186
        Update "ide-eclipse" target in <code>build.xml</code> to create Eclipse
2187
        project that uses Java 7 compliance settings instead of workspace-wide
2188
        defaults. (kkolinko)
2189
      </fix>
2190
     <fix>
2191
        Update the package renamed copy of Apache Commons Pool 2 to the 2.3
2192
        release to pick up various fixes since the 2.2 release including one for
2193
        a possible infinite loop. (markt)
2194
      </fix>
2195
      <fix>
2196
        <bug>57285</bug>: Restore the manifest entry that marks the Windows
2197
        uninstaller application as requiring elevated privileges. (markt)
2198
      </fix>
2199
      <add>
2200
        <bug>57344</bug>: Provide sha1 checksum files for Tomcat downloads.
2201
        Correct filename patterns for apache-tomcat-*-embed.tar.gz archive
2202
        to exclude an *.asc file. (kkolinko)
2203
      </add>
2204
    </changelog>
2205
  </subsection>
2206
</section>
2207
<section name="Tomcat 8.0.15 (markt)" rtext="2014-11-07">
2208
  <subsection name="Catalina">
2209
    <changelog>
2210
      <add>
2211
        <bug>43548</bug>: Add an XML schema for the tomcat-users.xml file.
2212
        (markt)
2213
      </add>
2214
      <add>
2215
        <bug>43682</bug>: Add support for referring to the current context, host
2216
        and service name in per Context logging.properties files by using the
2217
        properties <code>${classloader.webappName}</code>,
2218
        <code>${classloader.hostName}</code> and
2219
        <code>${classloader.serviceName}</code>. (markt)
2220
      </add>
2221
      <add>
2222
        <bug>47919</bug>: Extend the information logged when Tomcat starts to
2223
        optionally log the values of command line arguments (enabled by
2224
        default) and environment variables (disabled by default). Note that
2225
        the values added to CATALINA_OPTS and JAVA_OPTS environment variables
2226
        will be logged, as they are used to build up the command line. (markt)
2227
      </add>
2228
      <add>
2229
        <bug>49939</bug>: Expose the method that clears the static resource
2230
        cache for a web application via JMX. (markt)
2231
      </add>
2232
      <fix>
2233
        <bug>55951</bug>: Allow cookies to use UTF-8 encoded values in HTTP
2234
        headers. This requires the use of the RFC6265
2235
        <strong>CookieProcessor</strong>. (markt)
2236
      </fix>
2237
      <fix>
2238
        <bug>55984</bug>: Using the allow separators in version 0 cookies option
2239
        with the legacy cookie processor should only apply to version 0 cookies.
2240
        Version 1 cookies with values that contain separators should not be
2241
        affected and should continue to be quoted. (markt)
2242
      </fix>
2243
      <add>
2244
        <bug>56393</bug>: Add support for RFC6265 cookie parsing and generation.
2245
        This is currently disabled by default and may be enabled via the
2246
        <strong>CookieProcessor</strong> element of a <strong>Context</strong>.
2247
        (markt)
2248
      </add>
2249
      <add>
2250
        <bug>56394</bug>: Introduce new configuration element CookieProcessor in
2251
        Context to allow context-specific configuration of cookie processing
2252
        options. Attributes of Context element that were added in Tomcat 8.0.13
2253
        to allow configuration of a new experimental RFC6265 based cookie parser
2254
        (<code>useRfc6265</code> and <code>cookieEncoding</code>) are
2255
        replaced by this new configuration element. (markt)
2256
      </add>
2257
      <fix>
2258
        Improve the previous fix for <bug>56401</bug>. Avoid logging version
2259
        information in the constructor since it then gets logged at undesirable
2260
        times such as when using <code>StoreConfig</code>. (markt)
2261
      </fix>
2262
      <fix>
2263
        <bug>56403</bug>: Add pluggable password derivation support to the
2264
        Realms via the new <code>CredentialHandler</code> interface.
2265
        (markt/schultz)
2266
      </fix>
2267
      <fix>
2268
        <bug>57016</bug>: When using the <code>PersistentValve</code> do not
2269
        remove sessions from the store when persisting them. (markt)
2270
      </fix>
2271
      <add>
2272
        Deprecate the use of system properties to control cookie parsing and
2273
        replace them with attributes on the new <code>CookieProcessor</code>
2274
        that may be configured on a per context basis. (markt)
2275
      </add>
2276
      <fix>
2277
        Correct an edge case and allow a cookie if the value starts with an
2278
        equals character and the <code>CookieProcessor</code> is not configured
2279
        to allow equals characters in cookie values but is configured to allow
2280
        name only cookies. (markt)
2281
      </fix>
2282
      <fix>
2283
        <bug>57022</bug>: Ensure SPNEGO authentication continues to work with
2284
        the JNDI Realm using delegated credentials with recent Oracle JREs.
2285
        (markt)
2286
      </fix>
2287
      <fix>
2288
        <bug>57027</bug>: Add additional validation for stored credentials used
2289
        by Realms when the credential is stored using hex encoding. (markt)
2290
      </fix>
2291
      <fix>
2292
        <bug>57038</bug>: Add a <code>WebResource.getCodeBase()</code> method,
2293
        implement for all <code>WebResource</code> implementations and then use
2294
        it in the web application class loader to set the correct code base for
2295
        resources loaded from JARs and WARs. (markt)
2296
      </fix>
2297
      <fix>
2298
        Correct a couple of NPEs in the JNDI Realm that could be triggered with
2299
        when not specifying a roleBase and enabling roleSearchAsUser. (markt)
2300
      </fix>
2301
      <fix>
2302
        Correctly handle relative values for the docBase attribute of a Context.
2303
        (markt)
2304
      </fix>
2305
      <fix>
2306
        Ensure that log messages generated by the web application class loader
2307
        correctly identify the associated Context when multiple versions of a
2308
        Context with the same path are present. (markt)
2309
      </fix>
2310
      <fix>
2311
        Remove the unnecessary registration of context.xml as a redeploy
2312
        resource. The context.xml having an external docBase has already been
2313
        registered as a redeploy resource at first. (kfujino)
2314
      </fix>
2315
      <fix>
2316
        <bug>57089</bug>: Ensure that configuration of a session ID generator is
2317
        not lost when a web application is reloaded. (markt)
2318
      </fix>
2319
      <fix>
2320
        <bug>57105</bug>: When parsing web.xml do not limit the buffer element
2321
        of the jsp-property-group element to integer values as the allowed
2322
        values are <code>&lt;number&gt;kb</code> or <code>none</code>. (markt)
2323
      </fix>
2324
      <update>
2325
        Update the minimum required version of the Tomcat Native library (if
2326
        used) to 1.1.32. (markt)
2327
      </update>
2328
      <fix>
2329
        Update storeconfig with newly introduced elements: SessionIdGenerator,
2330
        CookieProcessor, JarScanner and JarScanFilter. (remm)
2331
      </fix>
2332
      <fix>
2333
        Throw a <code>NullPointerException</code> if a null string is passed to
2334
        the <code>write(String,int,int)</code> method of the
2335
        <code>PrintWriter</code> obtained from the <code>ServletResponse</code>.
2336
        (markt)
2337
      </fix>
2338
      <fix>
2339
        Cookie rewrite flag abbreviation should be CO rather than C. (remm)
2340
      </fix>
2341
      <fix>
2342
        <bug>57153</bug>: When the StandardJarScanner is configured to scan the
2343
        full class path, ensure that class path entries added directly to the
2344
        web application class loader are scanned. (markt)
2345
      </fix>
2346
      <fix>
2347
        AsyncContext should remain usable until fireOnComplete is called. (remm)
2348
      </fix>
2349
      <fix>
2350
        AsyncContext createListener should wrap any instantiation exception
2351
        using a ServletException. (remm)
2352
      </fix>
2353
      <fix>
2354
        <bug>57155</bug>: Allow a web application to be configured that does not
2355
        have a docBase on the file system. This is primarily intended for use
2356
        when embedding. (markt)
2357
      </fix>
2358
      <fix>
2359
        Propagate header ordering from fileupload to the part implementation.
2360
        (remm)
2361
      </fix>
2362
    </changelog>
2363
  </subsection>
2364
  <subsection name="Coyote">
2365
    <changelog>
2366
      <add>
2367
        <bug>53952</bug>: Add support for TLSv1.1 and TLSv1.2 for APR connector.
2368
        Based upon a patch by Marcel &#352;ebek. This feature requires
2369
        Tomcat Native library 1.1.32 or later. (schultz/jfclere)
2370
      </add>
2371
      <scode>
2372
        Cache the <code>Encoder</code> instances used to convert Strings to byte
2373
        arrays in the Connectors (e.g. when writing HTTP headers) to improve
2374
        throughput. (markt)
2375
      </scode>
2376
      <add>
2377
        Disable SSLv3 by default for JSSE based HTTPS connectors (BIO, NIO and
2378
        NIO2). The change also ensures that SSLv2 is disabled for these
2379
        connectors although SSLv2 should already be disabled by default by the
2380
        JRE. (markt)
2381
      </add>
2382
      <add>
2383
        Disable SSLv3 by default for the APR/native HTTPS connector. (markt)
2384
      </add>
2385
      <fix>
2386
        Do not increase remaining counter at end of stream in
2387
        IdentityInputFilter. (kkolinko)
2388
      </fix>
2389
      <fix>
2390
        Trigger an error if an invalid attempt is made to use non-blocking IO.
2391
        (markt)
2392
      </fix>
2393
      <fix>
2394
        <bug>57157</bug>: Allow calls to
2395
        <code>AsyncContext.start(Runnable)</code> during non-blocking IO reads
2396
        and writes. (markt)
2397
      </fix>
2398
      <fix>
2399
        Async state MUST_COMPLETE should still be started. (remm)
2400
      </fix>
2401
    </changelog>
2402
  </subsection>
2403
  <subsection name="Jasper">
2404
    <changelog>
2405
      <fix>
2406
        <bug>57099</bug>: Ensure that semi-colons are not permitted in JSP
2407
        import page directives. (markt)
2408
      </fix>
2409
      <fix>
2410
        <bug>57113</bug>: Fix broken package imports in Expression Language when
2411
        more than one package was imported and the desired class was not in the
2412
        last package imported. (markt)
2413
      </fix>
2414
      <fix>
2415
        <bug>57132</bug>: Fix import conflicts reporting in Expression Language.
2416
        (kkolinko)
2417
      </fix>
2418
      <fix>
2419
        When coercing an object to a given type, only attempt coercion to an
2420
        array if both the object type and the target type are an array type.
2421
        (violetagg/markt)
2422
      </fix>
2423
      <fix>
2424
        Improve handling of invalid input to
2425
        <code>javax.el.ImportHandler.resolveClass()</code>. (markt)
2426
      </fix>
2427
      <fix>
2428
        Allow the same class to be added to an instance of
2429
        <code>javax.el.ImportHandler</code> more than once without triggering
2430
        an error. The second and subsequent calls for the same class will be
2431
        ignored. (markt)
2432
      </fix>
2433
      <fix>
2434
        <bug>57136</bug>: Ensure only <code>\${</code> and <code>\#{</code> are
2435
        treated as escapes for <code>${</code> and <code>#{</code> rather than
2436
        <code>\$</code> and <code>\#</code> being treated as escapes for
2437
        <code>$</code> and <code>#</code> when processing literal expressions in
2438
        expression language. (markt)
2439
      </fix>
2440
      <fix>
2441
        When coercing an object to an array type in Expression Language, handle
2442
        the case where the source object is an array of primitives.
2443
        (markt/kkolinko)
2444
      </fix>
2445
      <fix>
2446
        Do not throw an exception on missing JSP file servlet initialization.
2447
        (remm)
2448
      </fix>
2449
      <fix>
2450
        <bug>57148</bug>: When coercing an object to a given type and a
2451
        <code>PropertyEditor</code> has been registered for the type correctly
2452
        coerce the empty string to <code>null</code> if the
2453
        <code>PropertyEditor</code> throws an exception. (kkolinko/markt)
2454
      </fix>
2455
      <fix>
2456
        <bug>57153</bug>: Correctly scan for TLDs located in directories that
2457
        represent expanded JARs files that have been added to the web application
2458
        class loader&apos;s class path. (markt)
2459
      </fix>
2460
      <fix>
2461
        <bug>57141</bug>: Enable EL in JSPs to refer to static fields of
2462
        imported classes including the standard <code>java.lang.*</code>
2463
        imports. (markt)
2464
      </fix>
2465
    </changelog>
2466
  </subsection>
2467
  <subsection name="Cluster">
2468
    <changelog>
2469
      <fix>
2470
        Add support for the <code>SessionIdGenerator</code> to cluster manager
2471
        template. (kfujino)
2472
      </fix>
2473
      <fix>
2474
        Avoid possible integer overflows reported by Coverity Scan. (fschumacher)
2475
      </fix>
2476
    </changelog>
2477
  </subsection>
2478
  <subsection name="WebSocket">
2479
    <changelog>
2480
      <fix>
2481
        <bug>57054</bug>: Correctly handle the case in the WebSocket client
2482
        when the HTTP response to the upgrade request can not be read in a
2483
        single pass; either because the buffer is too small or the server sent
2484
        the response in multiple packets. (markt)
2485
      </fix>
2486
      <add>
2487
        Extend support for the <code>permessage-deflate</code> extension to the
2488
        client implementation. (markt)
2489
      </add>
2490
      <fix>
2491
        Fix client subprotocol handling. (remm)
2492
      </fix>
2493
      <fix>
2494
        Add null checks for arguments in remote endpoint. (remm/kkolinko)
2495
      </fix>
2496
      <fix>
2497
        <bug>57091</bug>: Work around the behaviour of the Oracle JRE when
2498
        creating new threads in an applet environment that breaks the WebSocket
2499
        client implementation. Patch provided by Niklas Hallqvist. (markt)
2500
      </fix>
2501
      <fix>
2502
        <bug>57118</bug>: Ensure that that an <code>EncodeException</code> is
2503
        thrown by <code>RemoteEndpoint.Basic.sendObject(Object)</code> rather
2504
        than an <code>IOException</code> when no suitable <code>Encoder</code>
2505
        is configured for the given Object. (markt)
2506
      </fix>
2507
    </changelog>
2508
  </subsection>
2509
  <subsection name="Web applications">
2510
    <changelog>
2511
      <fix>
2512
        Correct a couple of broken links in the Javadoc. (markt)
2513
      </fix>
2514
      <fix>
2515
        Correct documentation for <code>ServerCookie.ALLOW_NAME_ONLY</code>
2516
        system property. (kkolinko)
2517
      </fix>
2518
      <fix>
2519
        <bug>57049</bug>: Clarified that <code>jvmRoute</code> can be set in
2520
        <code>&lt;Engine&gt;</code>'s <code>jvmRoute</code> or in a system
2521
        property. (schultz)
2522
      </fix>
2523
      <fix>
2524
        Correct version of Java WebSocket mentioned in documentation
2525
        (s/1.0/1.1/). (markt/kkolinko)
2526
      </fix>
2527
      <update>
2528
        Suppress timestamp comments in Javadoc. (kkolinko)
2529
      </update>
2530
      <fix>
2531
        <bug>57147</bug>: Various corrections to the JDBC Store section of the
2532
        session manager configuration page of the documentation web application.
2533
        (markt)
2534
      </fix>
2535
    </changelog>
2536
  </subsection>
2537
  <subsection name="Tribes">
2538
    <changelog>
2539
      <fix>
2540
        <bug>45282</bug>: Improve shutdown of NIO receiver so that sockets are
2541
        closed cleanly. (fhanik/markt)
2542
      </fix>
2543
    </changelog>
2544
  </subsection>
2545
  <subsection name="jdbc-pool">
2546
    <changelog>
2547
      <fix>
2548
        <bug>57005</bug>: Fix javadoc errors when building with Java 8. Patch
2549
        provided by Pierre Viret. (markt)
2550
      </fix>
2551
      <fix>
2552
        <bug>57079</bug>: Use Tomcat version number for jdbc-pool module when
2553
        building and shipping the module as part of Tomcat. (markt)
2554
      </fix>
2555
      <fix>
2556
        Fix broken overview page in javadoc generated via "javadoc" task in
2557
        jdbc-pool build.xml file. (kkolinko)
2558
      </fix>
2559
    </changelog>
2560
  </subsection>
2561
  <subsection name="Other">
2562
    <changelog>
2563
      <fix>
2564
        <bug>56079</bug>: The uninstaller packaged with the Apache Tomcat
2565
        Windows installer is now digitally signed. (markt)
2566
      </fix>
2567
      <fix>
2568
        Fix timestamps in Tomcat build and jdbc-pool to use 24-hour format
2569
        instead of 12-hour one and use UTC timezone. (markt/kkolinko)
2570
      </fix>
2571
      <fix>
2572
        Update the package renamed copy of Apache Commons DBCP 2 to revision
2573
        1631450 to pick up additional fixes since the 2.0.1 release including
2574
        Javadoc corrections to fix errors when compiling with Java 8. (markt)
2575
      </fix>
2576
      <update>
2577
        <bug>56596</bug>: Update to Tomcat Native Library version 1.1.32 to
2578
        pick up the Windows binaries that are based on OpenSSL 1.0.1j and APR
2579
        1.5.1. (markt)
2580
      </update>
2581
      <scode>
2582
        In Tomcat tests: log name of the current test method at start time.
2583
        (kkolinko)
2584
      </scode>
2585
    </changelog>
2586
  </subsection>
2587
</section>
2588
<section name="Tomcat 8.0.14 (markt)" rtext="2014-09-29">
2589
  <subsection name="Other">
2590
    <changelog>
2591
      <fix>
2592
        <bug>56079</bug>: The Apache Tomcat Windows installer, the Apache Tomcat
2593
        Windows service and the Apache Tomcat Windows service monitor
2594
        application are now digitally signed. (markt)
2595
      </fix>
2596
    </changelog>
2597
  </subsection>
2598
</section>
2599
<section name="Tomcat 8.0.13 (markt)" rtext="not released">
2600
  <subsection name="Catalina">
2601
    <changelog>
2602
      <fix>
2603
        <bug>55917</bug>: Allow bytes in the range 0x80 to 0xFF to appear in
2604
        cookie values if the cookie is a V1 (RFC2109) cookie and the value is
2605
        correctly quoted. The new RFC6265 based cookie parser must be enabled to
2606
        correctly handle these cookies. (markt)
2607
      </fix>
2608
      <fix>
2609
        <bug>55918</bug>: Do not permit control characters to appear in quoted
2610
        V1 (RFC2109) cookie values. The new RFC6265 based cookie parser must be
2611
        enabled to correctly handle these cookies. (markt)
2612
      </fix>
2613
      <fix>
2614
        <bug>55921</bug>: Correctly handle (ignore the cookie) unescaped JSON in
2615
        a cookie value. The new RFC6265 based cookie parser must be enabled to
2616
        correctly handle these cookies. (markt)
2617
      </fix>
2618
      <add>
2619
        <bug>56401</bug>: Log version information when Tomcat starts.
2620
        (markt/kkolinko)
2621
      </add>
2622
      <add>
2623
        <bug>56530</bug>: Add a web application class loader implementation that
2624
        supports the parallel loading of web application classes. (markt)
2625
      </add>
2626
      <fix>
2627
        <bug>56900</bug>: Fix some potential resource leaks when reading
2628
        property files reported by Coverity Scan. Based on patches provided by
2629
        Felix Schumacher. (markt)
2630
      </fix>
2631
      <fix>
2632
        <bug>56902</bug>: Fix a potential resource leak in the Default Servlet
2633
        reported by Coverity Scan. Based on a patch provided by Felix
2634
        Schumacher. (markt)
2635
      </fix>
2636
      <fix>
2637
        <bug>56903</bug>: Correct the return value for
2638
        <code>StandardContext.getResourceOnlyServlets()</code> so that multiple
2639
        names are separated by commas. Identified by Coverity Scan and fixed
2640
        based on a patch by Felix Schumacher. (markt)
2641
      </fix>
2642
      <add>
2643
        Add an additional implementation of a RFC6265 based cookie parser along
2644
        with new Context options to select and configure it. This parser is
2645
        currently considered experimental and is not used by default. (markt)
2646
      </add>
2647
      <fix>
2648
        Fixed the multipart elements merge operation performed during web
2649
        application deployment. Identified by Coverity Scan. (violetagg)
2650
      </fix>
2651
      <fix>
2652
        Correct the information written by
2653
        <code>ExtendedAccessLogValve</code> when a format token x-O(XXX) is
2654
        used so that multiple values for a header XXX are separated by commas.
2655
        Identified by Coverity Scan. (violetagg)
2656
      </fix>
2657
      <fix>
2658
        Fix a potential resource leak when reading MANIFEST.MF file for
2659
        extension dependencies reported by Coverity Scan. (violetagg)
2660
      </fix>
2661
      <fix>
2662
        Fix some potential resource leaks when reading properties, files and
2663
        other resources. Reported by Coverity Scan. (violetagg)
2664
      </fix>
2665
      <fix>
2666
        Correct the previous fix for <bug>56825</bug> that enabled pre-emptive
2667
        authentication to work with the SSL authenticator. (markt)
2668
      </fix>
2669
      <scode>
2670
        Refactor to reduce code duplication identified by Simian. (markt)
2671
      </scode>
2672
      <fix>
2673
        When using parallel deployment and <code>undeployOldVersions</code>
2674
        feature is enabled on a Host, correctly undeploy context of old
2675
        version. Make sure that Tomcat does not undeploy older Context if
2676
        current context is not running. (kfujino)
2677
      </fix>
2678
      <fix>
2679
        Fix a rare threading issue when locking resources via WebDAV.
2680
        (markt)
2681
      </fix>
2682
      <fix>
2683
        Fix a rare threading issue when using HTTP digest authentication.
2684
        (markt)
2685
      </fix>
2686
      <fix>
2687
        When deploying war, add XML file in the config base to the redeploy
2688
        resources if war does not have META-INF/context.xml or
2689
        <code>deployXML</code> is false. If  XML file is created in the config
2690
        base, redeploy will occur. (kfujino)
2691
      </fix>
2692
      <scode>
2693
        Various changes to reduce unnecessary code in Tomcat&apos;s copy of
2694
        Apache Commons BCEL to reduce the time taken for annotation scanning
2695
        when web applications start. Includes contributions from kkolinko and
2696
        hzhang9. (markt)
2697
      </scode>
2698
      <fix>
2699
        <bug>56938</bug>: Ensure web applications that have mixed case context
2700
        paths and are deployed as directories are correctly removed on undeploy
2701
        when running on a case sensitive file system. (markt)
2702
      </fix>
2703
      <add>
2704
        <bug>57004</bug>: Add <code>stuckThreadCount</code> property to
2705
        <code>StuckThreadDetectionValve</code>'s JMX bean. Patch provided by
2706
        Ji&#x159;&#xED; Pejchal. (schultz)
2707
      </add>
2708
      <fix>
2709
        <bug>57011</bug>: Ensure that the request and response are correctly
2710
        recycled when processing errors during async processing. (markt)
2711
      </fix>
2712
    </changelog>
2713
  </subsection>
2714
  <subsection name="Coyote">
2715
    <changelog>
2716
      <fix>
2717
        <bug>56910</bug>: Prevent the invalid value of <code>-1</code> being
2718
        used for <code>maxConnections</code> with APR connectors. (markt)
2719
      </fix>
2720
      <fix>
2721
        Ensure that AJP connectors enable the <code>KeepAliveTimeout</code>.
2722
        (kfujino)
2723
      </fix>
2724
      <fix>
2725
        Reduce duplicated code. All AJP connectors use common method to
2726
        configuration of processor. (kfujino)
2727
      </fix>
2728
    </changelog>
2729
  </subsection>
2730
  <subsection name="Jasper">
2731
    <changelog>
2732
      <fix>
2733
        <bug>43001</bug>: Enable the JspC Ant task to set the JspC option
2734
        <code>mappedFile</code>. (markt)
2735
      </fix>
2736
      <fix>
2737
        Ensure that the implementation of
2738
        <code>javax.servlet.jsp.PageContext.include(String)</code>
2739
        and
2740
        <code>javax.servlet.jsp.PageContext.include(String, boolean)</code>
2741
        will throw <code>IOException</code> when an I/O error occur during
2742
        the operation. (violetagg)
2743
      </fix>
2744
      <fix>
2745
        <bug>56908</bug>: Fix some potential resource leaks when reading
2746
        jar files. Reported by Coverity Scan. Patch provided by Felix
2747
        Schumacher. (violetagg)
2748
      </fix>
2749
      <fix>
2750
        Fix a potential resource leak in JDTCompiler when checking whether
2751
        a resource is a package. Reported by Coverity Scan. (fschumacher)
2752
      </fix>
2753
      <fix>
2754
        <bug>56991</bug>: Deprecate the use of a request attribute to pass a
2755
        &lt;jsp-file&gt; declaration to Jasper and prevent an infinite loop
2756
        if this technique is used in conjunction with an include. (markt)
2757
      </fix>
2758
    </changelog>
2759
  </subsection>
2760
  <subsection name="WebSocket">
2761
    <changelog>
2762
      <fix>
2763
        <bug>56905</bug>: Make destruction on web application stop of thread
2764
        group used for WebSocket connections more robust. (kkolinko/markt)
2765
      </fix>
2766
      <fix>
2767
        <bug>56907</bug>: Ensure that client IO threads are stopped if a secure
2768
        WebSocket client connection fails. (markt)
2769
      </fix>
2770
      <fix>
2771
        <bug>56982</bug>: Return the actual negotiated extensions rather than an
2772
        empty list for <code>Session.getNegotiatedExtensions()</code>. (markt)
2773
      </fix>
2774
      <update>
2775
        Update the WebSocket implementation to support the Java WebSocket
2776
        specification version 1.1. (markt)
2777
      </update>
2778
    </changelog>
2779
  </subsection>
2780
  <subsection name="Web applications">
2781
    <changelog>
2782
      <add>
2783
        Add <code>JarScanner</code> to the nested components listed for a
2784
        Context. (markt)
2785
      </add>
2786
      <update>
2787
        Update the Windows authentication documentation after some additional
2788
        testing to answer the remaining questions. (markt)
2789
      </update>
2790
    </changelog>
2791
  </subsection>
2792
  <subsection name="Other">
2793
    <changelog>
2794
      <fix>
2795
        <bug>56895</bug>: Correctly compose <code>JAVA_OPTS</code> in
2796
        <code>catalina.bat</code> so that escape sequences are preserved. Patch
2797
        by Lucas Theisen. (markt)
2798
      </fix>
2799
      <update>
2800
        <bug>56988</bug>: Allow to use relative path in <code>base.path</code>
2801
        setting when building Tomcat. (kkolinko)
2802
      </update>
2803
      <fix>
2804
        <bug>56990</bug>: Ensure that the <code>ide-eclipse</code> build target
2805
        downloads all the libraries required by the default Eclipse
2806
        configuration files. (markt)
2807
      </fix>
2808
      <fix>
2809
        Update the package renamed copy of Apache Commons DBCP 2 to revision
2810
        1626988 to pick up the fixes since the 2.0.1 release including support
2811
        for custom eviction policies. (markt)
2812
      </fix>
2813
      <fix>
2814
        Update the package renamed copy of Apache Commons Pool 2 to revision
2815
        1627271 to pick up the fixes since the 2.2 release including some memory
2816
        leak fixes and support for application provided eviction policies.
2817
        (markt)
2818
      </fix>
2819
    </changelog>
2820
  </subsection>
2821
</section>
2822
<section name="Tomcat 8.0.12 (markt)" rtext="2014-09-03">
2823
  <subsection name="Catalina">
2824
    <changelog>
2825
      <add>
2826
        Make the session id generator extensible by adding a
2827
        <code>SessionIdGenerator</code> interface, an abstract
2828
        base class and a standard implementation. (rjung)
2829
      </add>
2830
      <fix>
2831
        <bug>56882</bug>: Fix regression in processing of includes and forwards
2832
        when Context have been reloaded. Tomcat was responding with HTTP Status
2833
        503 (Servlet xxx is currently unavailable). (kkolinko)
2834
      </fix>
2835
    </changelog>
2836
  </subsection>
2837
  <subsection name="Coyote">
2838
    <changelog>
2839
      <fix>
2840
        When building a list of JSSE ciphers from an OpenSSL cipher definition,
2841
        ignore unknown criteria rather than throwing a
2842
        <code>NullPointerException</code>. (markt)
2843
      </fix>
2844
      <add>
2845
        Add support for the EECDH alias when using the OpenSSL cipher syntax to
2846
        define JSSE ciphers. (markt)
2847
      </add>
2848
    </changelog>
2849
  </subsection>
2850
  <subsection name="Jasper">
2851
    <changelog>
2852
      <fix>
2853
        Correct a logic error in the <code>JasperElResolver</code>. There was no
2854
        functional impact but the code was less efficient as a result of the
2855
        error. Based on a patch by martinschaef. (markt)
2856
      </fix>
2857
      <fix>
2858
        <bug>56568</bug>: Enable any HTTP method to be used to request a JSP
2859
        page that has the <code>isErrorPage</code> page directive set to
2860
        <code>true</code>. (markt)
2861
      </fix>
2862
    </changelog>
2863
  </subsection>
2864
  <subsection name="WebSocket">
2865
    <changelog>
2866
      <add>
2867
        Extend support for the <code>permessage-deflate</code> extension to
2868
        compression of outgoing messages on the server side. (markt)
2869
      </add>
2870
    </changelog>
2871
  </subsection>
2872
  <subsection name="Other">
2873
    <changelog>
2874
      <add>
2875
        <bug>56323</bug>: Include the <code>*.bat</code> files when installing
2876
        Tomcat via the Windows installer. (markt)
2877
      </add>
2878
    </changelog>
2879
  </subsection>
2880
</section>
2881
<section name="Tomcat 8.0.11 (markt)" rtext="2014-08-22">
2882
  <subsection name="Catalina">
2883
    <changelog>
2884
      <fix>
2885
        <bug>56658</bug>: Fix regression that a context was inaccessible after
2886
        reload. (kkolinko)
2887
      </fix>
2888
      <fix>
2889
        <bug>56710</bug>: Do not map requests to servlets when context is
2890
        being reloaded. (kkolinko)
2891
      </fix>
2892
      <fix>
2893
        <bug>56712</bug>: Fix session idle time calculations in
2894
        <code>PersistenceManager</code>. (kkolinko)
2895
      </fix>
2896
      <fix>
2897
        <bug>56717</bug>: Fix duplicate registration of
2898
        <code>MapperListener</code> during repeated starts of embedded Tomcat.
2899
        (kkolinko)
2900
      </fix>
2901
      <add>
2902
        <bug>56724</bug>: Write an error message to Tomcat logs if container
2903
        background thread is aborted unexpectedly. (kkolinko)
2904
      </add>
2905
      <fix>
2906
        When scanning class files (e.g. for annotations) and reading the number
2907
        of parameters in a <code>MethodParameters</code> structure only read a
2908
        single byte (rather than two bytes) as per the JVM specification. Patch
2909
        provided by Francesco Komauli. (markt)
2910
      </fix>
2911
      <fix>
2912
        Allow the JNDI Realm to start even if the directory is not available.
2913
        The directory not being available is not fatal once the Realm is started
2914
        and it need not be fatal when the Realm starts. Based on a patch by
2915
        Cédric Couralet. (markt)
2916
      </fix>
2917
      <fix>
2918
        <bug>56736</bug>: Avoid an incorrect <code>IllegalStateException</code>
2919
        if the async timeout fires after a non-container thread has called
2920
        <code>AsyncContext.dispatch()</code> but before a container thread
2921
        starts processing the dispatch. (markt)
2922
      </fix>
2923
      <fix>
2924
        <bug>56739</bug>: If an application handles an error on an application
2925
        thread during asynchronous processing by calling
2926
        <code>HttpServletResponse.sendError()</code>, then ensure that the
2927
        application is given an opportunity to report that error via an
2928
        appropriate application defined error page if one is configured. (markt)
2929
      </fix>
2930
      <fix>
2931
        <bug>56784</bug>: Fix a couple of rare but theoretically possible
2932
        atomicity bugs. (markt)
2933
      </fix>
2934
      <fix>
2935
        <bug>56785</bug>: Avoid <code>NullPointerException</code> if directory
2936
        exists on the class path that is not readable by the Tomcat user.
2937
        (markt)
2938
      </fix>
2939
      <fix>
2940
        <bug>56796</bug>: Remove unnecessary sleep when stopping a web
2941
        application. (markt)
2942
      </fix>
2943
      <fix>
2944
        <bug>56801</bug>: Improve performance of
2945
        <code>org.apache.tomcat.util.file.Matcher</code> which is to filter JARs
2946
        for scanning during web application start. Based on a patch by Sheldon
2947
        Shao. (markt)
2948
      </fix>
2949
      <fix>
2950
        <bug>56815</bug>: When the <code>gzip</code> option is enabled for the
2951
        <code>DefaultServlet</code> ensure that a suitable <code>Vary</code>
2952
        header is returned for resources that might be returned directly in
2953
        compressed form. (markt)
2954
      </fix>
2955
      <fix>
2956
        Do not mark threads from the container thread pool as container threads
2957
        when being used to process <code>AsyncContext.start(Runnable)</code> so
2958
        processing is correctly transferred back to a genuine container thread
2959
        when necessary. (markt)
2960
      </fix>
2961
      <add>
2962
        Add simple caching for calls to <code>StandardRoot.getResources()</code>
2963
        in the new (for 8.0.x) resources implementation. (markt)
2964
      </add>
2965
      <fix>
2966
        <bug>56825</bug>: Enable pre-emptive authentication to work with the
2967
        SSL authenticator. Based on a patch by jlmonteiro. (markt)
2968
      </fix>
2969
      <fix>
2970
        <bug>56840</bug>: Avoid NPE when the rewrite valve is mapped to
2971
        a context. (remm)
2972
      </fix>
2973
      <fix>
2974
        Correctly handle multiple <code>accept-language</code> headers rather
2975
        than just using the first header to determine the user&apos;s preferred
2976
        Locale. (markt)
2977
      </fix>
2978
      <fix>
2979
        <bug>56848</bug>: Improve handling of <code>accept-language</code>
2980
        headers. (markt)
2981
      </fix>
2982
      <fix>
2983
        <bug>56857</bug>: Fix thread safety issue when calling ServletContext
2984
        methods while running under a security manager. (markt)
2985
      </fix>
2986
    </changelog>
2987
  </subsection>
2988
  <subsection name="Coyote">
2989
    <changelog>
2990
      <fix>
2991
        Fix NIO2 sendfile state tracking and error handling to fix
2992
        various corruption issues. (remm)
2993
      </fix>
2994
      <fix>
2995
        Missing timeout for NIO2 sendfile writes. (remm)
2996
      </fix>
2997
      <fix>
2998
        Allow inline processing for NIO2 sendfile and optimize keepalive
2999
        behavior. (remm)
3000
      </fix>
3001
      <fix>
3002
        Fix excessive NIO2 sendfile direct memory use in some cases, sendfile
3003
        will now instead use the regular socket write buffer as configured.
3004
        (remm)
3005
      </fix>
3006
      <fix>
3007
        <bug>56661</bug>: Fix <code>getLocalAddr()</code> for AJP connectors.
3008
        The complete fix is only available with a recent AJP forwarder like
3009
        the forthcoming mod_jk 1.2.41. (rjung)
3010
      </fix>
3011
      <fix>
3012
        Use default ciphers defined as
3013
        <code>HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5</code> so
3014
        that no weak ciphers are enabled by default. (remm)
3015
      </fix>
3016
      <fix>
3017
        <bug>56780</bug>: Enable Tomcat to start when using SSL with an IBM JRE
3018
        in strict SP800-131a mode. (markt)
3019
      </fix>
3020
      <fix>
3021
        <bug>56810</bug>: Remove use of Java 8 specific API calls in unit tests
3022
        for OpenSSL to JSSE cipher conversion. (markt)
3023
      </fix>
3024
    </changelog>
3025
  </subsection>
3026
  <subsection name="Jasper">
3027
    <changelog>
3028
      <fix>
3029
        <bug>56709</bug>: Fix system property name in a log message. Submitted
3030
        by Robert Kish. (remm)
3031
      </fix>
3032
      <fix>
3033
        <bug>56797</bug>: When matching a method in an EL expression, do not
3034
        treat bridge methods as duplicates of the method they bridge to. In this
3035
        case always call the target of the bridge method. (markt)
3036
      </fix>
3037
    </changelog>
3038
  </subsection>
3039
  <subsection name="WebSocket">
3040
    <changelog>
3041
      <fix>
3042
        <bug>56746</bug>: Allow secure WebSocket client threads to use the
3043
        current context class loader rather than explicitly setting it to the
3044
        class loader that loaded the WebSocket implementation. This allows
3045
        WebSocket client connections from within web applications to access,
3046
        amongst other things, the JNDI resources associated with the web
3047
        application. (markt)
3048
      </fix>
3049
    </changelog>
3050
  </subsection>
3051
  <subsection name="Web applications">
3052
    <changelog>
3053
      <fix>
3054
        Correct the label in the list of sessions by idle time for the bin that
3055
        represents the idle time immediately below the maximum permitted idle
3056
        time when using the expire command of the Manager application. (markt)
3057
      </fix>
3058
    </changelog>
3059
  </subsection>
3060
  <subsection name="jdbc-pool">
3061
    <changelog>
3062
      <fix>
3063
        <bug>53088</bug>: More identifiable thread name. (fhanik)
3064
      </fix>
3065
      <fix>
3066
        <bug>53200</bug>: Selective logging for slow versus failed queries.
3067
        (fhanik)
3068
      </fix>
3069
      <fix>
3070
        <bug>53853</bug>: More flexible classloading. (fhanik)
3071
      </fix>
3072
      <fix>
3073
        <bug>54225</bug>: Disallow empty init SQL. (fhanik)
3074
      </fix>
3075
      <fix>
3076
        <bug>54227</bug>: Evaluate max age upon borrow. (fhanik)
3077
      </fix>
3078
      <fix>
3079
        <bug>54235</bug>: Disallow nested pools exploitating using data source.
3080
        (fhanik)
3081
      </fix>
3082
      <fix>
3083
        <bug>54395</bug>: Fix JDBC interceptor parsing bug. (fhanik)
3084
      </fix>
3085
      <fix>
3086
        <bug>54537</bug>: Performance improvement in
3087
        <code>StatementFinalizer</code>. (fhanik)
3088
      </fix>
3089
      <fix>
3090
        <bug>54978</bug>: Make sure proper connection validation always happens,
3091
        regardless of config. (fhanik)
3092
      </fix>
3093
      <fix>
3094
        <bug>56318</bug>: Ability to trace statement creation in
3095
        <code>StatementFinalizer</code>. (fhanik)
3096
      </fix>
3097
      <fix>
3098
        <bug>56789</bug>: getPool() returns the actual pool, always. (fhanik)
3099
      </fix>
3100
    </changelog>
3101
  </subsection>
3102
  <subsection name="Other">
3103
    <changelog>
3104
      <add>
3105
        <bug>56788</bug>: Display the full version in the list of installed
3106
        applications when installed via the Windows installer package. Patch
3107
        provided by Alexandre Garnier. (markt)
3108
      </add>
3109
      <add>
3110
        <bug>56829</bug>: Add the ability for users to define their own values
3111
        for <code>_RUNJAVA</code> and <code>_RUNJDB</code> environment
3112
        variables. Be more strict with executable filename on Windows
3113
        (s/java/java.exe/). Based on a patch by Neeme Praks. (markt/kkolinko)
3114
      </add>
3115
    </changelog>
3116
  </subsection>
3117
</section>
3118
<section name="Tomcat 8.0.10 (markt)" rtext="not released">
3119
  <subsection name="Catalina">
3120
    <changelog>
3121
      <fix>
3122
        <bug>44312</bug>: Log an error if there is a conflict between Host and
3123
        Alias names. Improve host management methods in <code>Mapper</code>
3124
        to avoid occasionally removing a wrong host. Check that host management
3125
        operations are performed on the host and not on an alias. (kkolinko)
3126
      </fix>
3127
      <scode>
3128
        <bug>56611</bug>: Refactor code to remove inefficient calls to
3129
        <code>Method.isAnnotationPresent()</code>. Based on a patch by Jian Mou.
3130
        (markt/kkolinko)
3131
      </scode>
3132
      <fix>
3133
        Fix regression in
3134
        <code>StandardContext.removeApplicationListener()</code>, introduced by
3135
        the fix for bug <bug>56588</bug>. (kkolinko)
3136
      </fix>
3137
      <fix>
3138
        <bug>56653</bug>: Fix concurrency issue with lists of contexts in
3139
        <code>Mapper</code> when stopping Contexts. (kkolinko)
3140
      </fix>
3141
      <fix>
3142
        <bug>56657</bug>: When using parallel deployment, if the same session id
3143
        matches different versions of a web application, prefer the latest
3144
        version. Ensure that remapping selects the version that we expect.
3145
        (kkolinko)
3146
      </fix>
3147
      <fix>
3148
        Assert that mapping result object is empty before performing mapping
3149
        work in <code>Mapper</code>. (kkolinko)
3150
      </fix>
3151
      <scode>
3152
        Remove <code>context</code> and <code>wrapper</code> fields in
3153
        <code>Request</code> class and deprecate their setters. (kkolinko)
3154
      </scode>
3155
      <fix>
3156
        <bug>56658</bug>: Avoid delay between registrations of mappings for
3157
        context and for its servlets. (kkolinko)
3158
      </fix>
3159
      <fix>
3160
        <bug>56665</bug>: Correct the generation of the effective web.xml when
3161
        elements contain an empty string as value. (violetagg)
3162
      </fix>
3163
      <fix>
3164
        Fix storeconfig exception routing issues, so that a major problem
3165
        should avoid configuration overwrite. (remm)
3166
      </fix>
3167
      <fix>
3168
        Add configuration fields for header names in SSLValve. (remm)
3169
      </fix>
3170
      <fix>
3171
        <bug>56666</bug>: When clearing the SSO cookie use the same values for
3172
        domain, path, httpOnly and secure as were used to set the SSO cookie.
3173
        (markt)
3174
      </fix>
3175
      <fix>
3176
        <bug>56677</bug>: Ensure that
3177
        <code>HttpServletRequest.getServletContext()</code> returns the correct
3178
        value during a cross-context dispatch. (markt)
3179
      </fix>
3180
      <fix>
3181
        <bug>56684</bug>: Ensure that Tomcat does not shut down if the socket
3182
        waiting for the shutdown command experiences a
3183
        <code>SocketTimeoutException</code>. (markt)
3184
      </fix>
3185
      <fix>
3186
        <bug>56693</bug>: Fix various issues in the static resource cache
3187
        implementation where the cache retained a stale entry after the
3188
        successful completion of an operation that always invalidates the cache
3189
        entry such as a delete operation.
3190
        (markt)
3191
      </fix>
3192
      <fix>
3193
        When the current PathInfo is modified as a result of dispatching a
3194
        request, ensure that a call to
3195
        <code>HttpServletRequest.getPathTranslated()</code> returns a value that
3196
        is based on the modified PathInfo. (markt)
3197
      </fix>
3198
      <fix>
3199
        <bug>56698</bug>: When persisting idle sessions, only persist newly idle
3200
        sessions. Patch provided by Felix Schumacher. (markt)
3201
      </fix>
3202
    </changelog>
3203
  </subsection>
3204
  <subsection name="Coyote">
3205
    <changelog>
3206
      <fix>
3207
        <bug>56663</bug>: Fix edge cases demonstrated by ByteCounter relating
3208
        to data available, remaining and extra write events, mostly occurring
3209
        with non blocking Servlet 3.1. (remm)
3210
      </fix>
3211
      <fix>
3212
        Avoid possible NPE stopping endpoints that are not started (stop
3213
        shouldn't do anything in that case). (remm)
3214
      </fix>
3215
      <add>
3216
        <bug>56704</bug>: Add support for OpenSSL syntax for ciphers when
3217
        using JSSE SSL connectors. Submitted by Emmanuel Hugonnet. (remm)
3218
      </add>
3219
      <update>
3220
        Allow to configure <code>maxSwallowSize</code> attribute of an HTTP
3221
        connector via JMX. (kkolinko)
3222
      </update>
3223
    </changelog>
3224
  </subsection>
3225
  <subsection name="Jasper">
3226
    <changelog>
3227
      <fix>
3228
        <bug>56543</bug>: Update to the Eclipse JDT Compiler 4.4. (violetagg)
3229
      </fix>
3230
      <fix>
3231
        <bug>56652</bug>: Add support for method parameters that use arrays and
3232
        varargs to <code>ELProcessor.defineFunction()</code>.(markt)
3233
      </fix>
3234
    </changelog>
3235
  </subsection>
3236
  <subsection name="WebSocket">
3237
    <changelog>
3238
      <add>
3239
        Add support for the <code>permessage-deflate</code> extension. This is
3240
        currently limited to decompressing incoming messages on the server side.
3241
        It is expected that support will be extended to outgoing messages and to
3242
        the client side shortly. (markt)
3243
      </add>
3244
    </changelog>
3245
  </subsection>
3246
  <subsection name="Web applications">
3247
    <changelog>
3248
      <fix>
3249
        Attempt to obfuscate session cookie values associated with other web
3250
        applications when viewing HTTP request headers with the Cookies example
3251
        from the examples web application. This reduces the opportunity to use
3252
        this example for malicious purposes should the advice to remove the
3253
        examples web application from security sensitive systems be ignored.
3254
        (markt)
3255
      </fix>
3256
      <fix>
3257
        <bug>56694</bug>: Remove references to <code>Manager</code> attribute
3258
        <code>checkInterval</code> from documentation and Javadoc since it no
3259
        longer exists. Based on a patch by Felix Schumacher. Also remove other
3260
        references to <code>checkInterval</code> that are no longer valid.
3261
        (markt)
3262
      </fix>
3263
    </changelog>
3264
  </subsection>
3265
  <subsection name="Other">
3266
    <changelog>
3267
      <update>
3268
        Update the API stability section of the release notes now that Tomcat 8
3269
        has had its first stable release. (markt)
3270
      </update>
3271
      <update>
3272
        Improve <code>build.xml</code> so that when Eclipse JDT Compiler is
3273
        updated, it will delete the old JAR from <code>build/lib</code>
3274
        directory. (kkolinko)
3275
      </update>
3276
      <scode>
3277
        Simplify implementation of "setproxy" target in <code>build.xml</code>.
3278
        (kkolinko)
3279
      </scode>
3280
      <update>
3281
        Update optional Checkstyle library to 5.7. (kkolinko)
3282
      </update>
3283
      <update>
3284
        <bug>56596</bug>: Update to Tomcat Native Library version 1.1.31 to
3285
        pick up the Windows binaries that are based on OpenSSL 1.0.1h. (markt)
3286
      </update>
3287
      <fix>
3288
        <bug>56685</bug>: Add quotes necessary for <code>daemon.sh</code> to
3289
        work correctly on Solaris. Based on a suggestion by lfuka. (markt)
3290
      </fix>
3291
      <update>
3292
        Update package renamed Apache Commons Pool2 to r1609323 to pick various
3293
        bug fixes. (markt)
3294
      </update>
3295
      <update>
3296
        Update package renamed Apache Commons DBCP2 to r1609329 to pick up a
3297
        minor bug fix. (markt)
3298
      </update>
3299
      <update>
3300
        Update package renamed Apache Commons FileUpload to r1596086 to pick
3301
        various bug fixes. (markt)
3302
      </update>
3303
    </changelog>
3304
  </subsection>
3305
</section>
3306
<section name="Tomcat 8.0.9 (markt)" rtext="2014-06-24">
3307
  <subsection name="Catalina">
3308
    <changelog>
3309
      <fix>
3310
        <bug>55282</bug>: Ensure that one and the same application listener is
3311
        added only once when starting the web application. (violetagg)
3312
      </fix>
3313
      <fix>
3314
        <bug>55975</bug>: Apply consistent escaping for double quote and
3315
        backslash characters when escaping cookie values. (markt)
3316
      </fix>
3317
      <scode>
3318
        <bug>56387</bug>: Improve the code that handles an attempt to load a
3319
        class after a web application has been stopped. Use common code to handle
3320
        this case regardless of the access path and don't throw an exception
3321
        purely to log a stack trace. (markt)
3322
      </scode>
3323
      <scode>
3324
        <bug>56399</bug>: Improve implementation of CoyoteAdapter.checkRecycled()
3325
        to do not use an exception for flow control. (kkolinko)
3326
      </scode>
3327
      <add>
3328
        <bug>56461</bug>: New <code>failCtxIfServletStartFails</code> attribute
3329
        on Context and Host configuration to force the context startup to fail
3330
        if a load-on-startup servlet fails its startup. (slaurent)
3331
      </add>
3332
      <add>
3333
        <bug>56526</bug>: Improved the <code>StuckThreadDetectionValve</code> to
3334
        optionally interrupt stuck threads to attempt to unblock them.
3335
        (slaurent)
3336
      </add>
3337
      <fix>
3338
        <bug>56545</bug>: Pre-load two additional classes, the loading of which
3339
        may otherwise be triggered by a web application which in turn would
3340
        trigger an exception when running under a security manager. (markt)
3341
      </fix>
3342
      <update>
3343
        <bug>56546</bug>: Reduce logging level for stack traces of stuck web
3344
        application threads printed by WebappClassLoader.clearReferencesThreads()
3345
        from error to info. (kkolinko)
3346
      </update>
3347
      <scode>
3348
        Refactor and simplify common code in object factories in
3349
        <code>org.apache.catalina.naming</code> package, found thanks to Simian
3350
        (Similarity Analyser) tool. Improve handling of Throwable.
3351
        (markt/kkolinko)
3352
      </scode>
3353
      <fix>
3354
        Relax cookie naming restrictions. Cookie attribute names used in the
3355
        <code>Set-Cookie</code> header may be used unambiguously as cookie
3356
        names. The restriction that prevented such usage has been removed.
3357
        (jboynes/markt)
3358
      </fix>
3359
      <fix>
3360
        Further relax cookie naming restrictions. Version 0 (a.k.a Netscape
3361
        format) cookies may now use names that start with the <code>$</code>
3362
        character. (jboynes/markt)
3363
      </fix>
3364
      <fix>
3365
        Restrict cookie naming so that the <code>=</code> character is no longer
3366
        permitted in a version 0 (a.k.a. Netscape format) cookie name. While
3367
        Tomcat allowed this, browsers always truncated the name at the
3368
        <code>=</code> character leading to a mis-match between the cookie the
3369
        server set and the cookie returned by the browser. (jboynes/markt)
3370
      </fix>
3371
      <add>
3372
        Add a simple <code>ServiceLoader</code> based discovery mechanism to the
3373
        JULI <code>LogFactory</code> to make it easier to use JULI and Tomcat
3374
        components that depend on JULI (such as Jasper) independently from
3375
        Tomcat. Patch provided by Greg Wilkins. (markt)
3376
      </add>
3377
      <fix>
3378
        <bug>56578</bug>: Correct regression in the fix for <bug>56339</bug>
3379
        that prevented sessions from expiring when using clustering. (markt)
3380
      </fix>
3381
      <fix>
3382
        <bug>56588</bug>: Remove code previously added to enforce the
3383
        requirements of section 4.4 of the Servlet 3.1 specification. The code
3384
        is no longer required now that Jasper initialization has been refactored
3385
        and TLD defined listeners are added via a different code path that
3386
        already enforces the specification requirements. (markt)
3387
      </fix>
3388
      <fix>
3389
        <bug>56600</bug>: In WebdavServlet: Do not waste time generating
3390
        response for broken PROPFIND request. (kkolinko)
3391
      </fix>
3392
      <fix>
3393
        Provide a better error message when asynchronous operations are not
3394
        supported by a filter or servlet. Patch provided by Romain Manni-Bucau.
3395
        (violetagg)
3396
      </fix>
3397
      <fix>
3398
        <bug>56606</bug>: User entries in <code>tomcat-users.xml</code> file
3399
        are recommended to use "username" attribute rather than legacy "name"
3400
        attribute. Fix inconsistencies in Windows installer, examples. Update
3401
        digester rules and documentation for <code>MemoryRealm</code>.
3402
        (markt/kkolinko)
3403
      </fix>
3404
    </changelog>
3405
  </subsection>
3406
  <subsection name="Coyote">
3407
    <changelog>
3408
      <fix>
3409
        <bug>56518</bug>: When using NIO, do not attempt to write to the socket
3410
        if the thread is marked interrupted as this will lead to a connection
3411
        limit leak. This fix was based on analysis of the issue by hanyong.
3412
        (markt)
3413
      </fix>
3414
      <fix>
3415
        <bug>56521</bug>: Re-use the asynchronous write buffer between writes to
3416
        reduce allocation and GC overhead. Based on a patch by leonzhx. Also
3417
        make the buffer size configurable and remove copying of data within
3418
        buffer when the buffer is only partially written on a subsequent write.
3419
        (markt)
3420
      </fix>
3421
      <fix>
3422
        Ensure that a request without a body is correctly handled during Comet
3423
        processing. This fixes the Comet chat example. (markt)
3424
      </fix>
3425
      <fix>
3426
        Fix input concurrency issue in NIO2 upgrade. (remm)
3427
      </fix>
3428
      <fix>
3429
        Correct a copy/paste error and return a 500 response rather than a 400
3430
        response when an internal server error occurs on early stages of
3431
        request processing. (markt)
3432
      </fix>
3433
      <scode>
3434
        <bug>56582</bug>: Use switch(actionCode) in processors instead of a
3435
        chain of "elseif"s. (kkolinko)
3436
      </scode>
3437
      <fix>
3438
        <bug>56582#c1</bug>: Implement DISPATCH_EXECUTE action for AJP
3439
        connectors. (kkolinko)
3440
      </fix>
3441
      <fix>
3442
        Fix CVE-2014-0227:
3443
        Various improvements to ChunkedInputFilter including clean-up, i18n for
3444
        error messages and adding an error flag to allow subsequent attempts at
3445
        reading after an error to fail fast. (markt)
3446
      </fix>
3447
      <fix>
3448
        If request contains an unrecognized Expect header, respond with error
3449
        417 (Expectation Failed), according to RFC2616 chapter 14.20. (markt)
3450
      </fix>
3451
      <fix>
3452
        When an error occurs after the response has been committed close the
3453
        connection immediately rather than attempting to finish the response to
3454
        make it easier for the client to differentiate between a complete
3455
        response and one that failed part way though. (markt)
3456
      </fix>
3457
      <scode>
3458
        Remove the beta tag from the NIO2 connectors. (remm)
3459
      </scode>
3460
      <fix>
3461
        <bug>56620</bug>: Avoid bogus access log entries when pausing the NIO
3462
        HTTP connector and ensure that access log entries generated by error
3463
        conditions use the correct request start time. (markt)
3464
      </fix>
3465
      <fix>
3466
        Improve configuration of cache sizes in the endpoint. (markt)
3467
      </fix>
3468
      <add>
3469
        Fix CVE-2014-0230:
3470
        Add a new limit, defaulting to 2MB, for the amount of data Tomcat will
3471
        swallow for an aborted upload. The limit is configurable by
3472
        <code>maxSwallowSize</code> attribute of an HTTP connector. (markt)
3473
      </add>
3474
    </changelog>
3475
  </subsection>
3476
  <subsection name="Jasper">
3477
    <changelog>
3478
      <fix>
3479
        <bug>56334#c15</bug>: Fix a regression in EL parsing when quoted string
3480
        follows a whitespace. (kkolinko/markt)
3481
      </fix>
3482
      <update>
3483
        <bug>56543</bug>: Update to the Eclipse JDT Compiler 4.4RC4 to pick up
3484
        some fixes for Java 8 support. (markt/kkolinko)
3485
      </update>
3486
      <fix>
3487
        <bug>56561</bug>: Avoid <code>NoSuchElementException</code> while
3488
        handling attributes with empty string value. (violetagg)
3489
      </fix>
3490
      <scode>
3491
        Do not configure a <code>JspFactory</code> in the
3492
        <code>JasperInitializer</code> if one has already been set as might be
3493
        the case in some embedding scenarios. (markt)
3494
      </scode>
3495
      <add>
3496
        Add a simple implementation of <code>InstanceManager</code> and have
3497
        Jasper use it if no other <code>InstanceManager</code> is provided. This
3498
        makes it easier to use Jasper independently from Tomcat. Patch provided
3499
        by Greg Wilkins. (markt)
3500
      </add>
3501
      <fix>
3502
        <bug>56568</bug>: Allow any HTTP method when a JSP is being used as an
3503
        error page. (markt)
3504
      </fix>
3505
      <update>
3506
        <bug>56581</bug>: If an error on a JSP page occurs when response has
3507
        already been committed, do not clear the buffer of JspWriter, but flush
3508
        it. It will make more clear where the error occurred. (kkolinko)
3509
      </update>
3510
      <fix>
3511
        <bug>56612</bug>: Correctly parse two consecutive escaped single quotes
3512
        when used in UEL expression in a JSP. (markt)
3513
      </fix>
3514
      <update>
3515
        Move code that parses EL expressions within JSP template text from
3516
        <code>Parser</code> to <code>JspReader</code> class for better
3517
        performance. (kkolinko)
3518
      </update>
3519
      <fix>
3520
        <bug>56636</bug>: Correctly identify the required method when specified
3521
        via <code>ELProcessor.defineFunction(String,String,String,String)</code>
3522
        when using Expression Language. (markt)
3523
      </fix>
3524
      <fix>
3525
        <bug>56638</bug>: When using
3526
        <code>ELProcessor.defineFunction(String,String,String,String)</code> and
3527
        no function name is specified, use the method name as the function name
3528
        as required by the specification. (markt)
3529
      </fix>
3530
    </changelog>
3531
  </subsection>
3532
  <subsection name="WebSocket">
3533
    <changelog>
3534
      <scode>
3535
        <bug>56446</bug>: Clearer handling of exceptions when calling a method
3536
        on a POJO based WebSocket endpoint. Based on a suggestion by Eugene
3537
        Chung. (markt)
3538
      </scode>
3539
      <fix>
3540
        When a WebSocket client attempts to write to a closed connection, handle
3541
        the resulting <code>IllegalStateException</code> in a manner consistent
3542
        with the handling of an <code>IOException</code>. (markt)
3543
      </fix>
3544
      <fix>
3545
        Add more varied endpoints for echo testing. (remm)
3546
      </fix>
3547
      <fix>
3548
        <bug>56577</bug>: Improve the executor configuration used for the
3549
        callbacks associated with asynchronous writes. (markt)
3550
      </fix>
3551
    </changelog>
3552
  </subsection>
3553
  <subsection name="Web applications">
3554
    <changelog>
3555
      <fix>
3556
        Set the path for cookies created by the examples web application so they
3557
        only returned to the examples application. This reduces the opportunity
3558
        for using such cookies for malicious purposes should the advice to
3559
        remove the examples web application from security sensitive systems be
3560
        ignored. (markt/kkolinko)
3561
      </fix>
3562
      <fix>
3563
        Attempt to obfuscate session cookie values associated with other web
3564
        applications when viewing HTTP request headers with the Request Header
3565
        example from the examples web application. This reduces the opportunity
3566
        to use this example for malicious purposes should the advice to remove
3567
        the examples web application from security sensitive systems be ignored.
3568
        (markt)
3569
      </fix>
3570
      <add>
3571
        Add options for all of the WebSocket echo endpoints to the WebSocket
3572
        echo example in the examples web application. (markt)
3573
      </add>
3574
      <fix>
3575
        Ensure that the asynchronous WebSocket echo endpoint in the examples
3576
        web application always waits for the previous message to complete before
3577
        it sends the next. (markt)
3578
      </fix>
3579
    </changelog>
3580
  </subsection>
3581
  <subsection name="Other">
3582
    <changelog>
3583
      <update>
3584
        Update package renamed Apache Commons DBCP2 to r1596858. (markt)
3585
      </update>
3586
    </changelog>
3587
  </subsection>
3588
</section>
3589
<section name="Tomcat 8.0.8 (markt)" rtext="beta, 2014-05-21">
3590
  <subsection name="Catalina">
3591
    <changelog>
3592
      <fix>
3593
        <bug>56536</bug>: Ensure that
3594
        <code>HttpSessionBindingListener.valueUnbound()</code> uses the correct
3595
        class loader when the <code>SingleSignOn</code> valve is used. (markt)
3596
      </fix>
3597
    </changelog>
3598
  </subsection>
3599
  <subsection name="Jasper">
3600
    <changelog>
3601
       <fix>
3602
         <bug>56529</bug>: Avoid <code>NoSuchElementException</code> while handling
3603
         attributes with empty string value in custom tags. Patch provided by
3604
         Hariprasad Manchi. (violetagg)
3605
       </fix>
3606
    </changelog>
3607
  </subsection>
3608
</section>
3609
<section name="Tomcat 8.0.7 (markt)" rtext="not released">
3610
  <subsection name="Catalina">
3611
    <changelog>
3612
      <fix>
3613
        <bug>56523</bug>: When using SPNEGO authentication, log the exceptions
3614
        associated with failed user logins at debug level rather than error
3615
        level. (markt)
3616
      </fix>
3617
    </changelog>
3618
  </subsection>
3619
  <subsection name="Coyote">
3620
    <changelog>
3621
      <add>
3622
        <bug>56399</bug>: Assert that both Coyote and Catalina request objects
3623
        have been properly recycled. (kkolinko)
3624
      </add>
3625
    </changelog>
3626
  </subsection>
3627
  <subsection name="Jasper">
3628
    <changelog>
3629
      <fix>
3630
        <bug>56522</bug>: When setting a value for a
3631
        <code>ValueExpression</code>, ensure that the expected coercions take
3632
        place such as a <code>null</code> string being coerced to an empty
3633
        string. (markt)
3634
      </fix>
3635
    </changelog>
3636
  </subsection>
3637
  <subsection name="Other">
3638
    <changelog>
3639
      <fix>
3640
        Copy missing resources file from Apache Commons DBCP 2 to packaged
3641
        renamed copy of DBCP 2. (markt)
3642
      </fix>
3643
    </changelog>
3644
  </subsection>
3645
</section>
3646
<section name="Tomcat 8.0.6 (markt)" rtext="not released">
3647
  <subsection name="Catalina">
3648
    <changelog>
3649
      <fix>
3650
        Fix extension validation which was broken by refactoring for new
3651
        resources implementation. (markt)
3652
      </fix>
3653
      <fix>
3654
        Fix custom UTF-8 decoder so that a byte of value 0xC1 is always rejected
3655
        immediately as it is never valid in a UTF-8 byte sequence. Update UTF-8
3656
        decoder tests to account for UTF-8 decoding improvements in Java 8.
3657
        The custom UTF-8 decoder is still required due to bugs in the UTF-8
3658
        decoder provided by Java. Java 8&apos;s decoder is better than Java
3659
        7&apos;s but it is still buggy. (markt)
3660
      </fix>
3661
      <fix>
3662
        <bug>56027</bug>: Add more options for managing FIPS mode in the
3663
        AprLifecycleListener. (schultz/kkolinko)
3664
      </fix>
3665
      <fix>
3666
        <bug>56320</bug>: Fix a file descriptor leak in the default servlet when
3667
        sendfile is used. (markt)
3668
      </fix>
3669
      <fix>
3670
        <bug>56321</bug>: When a WAR is modified, undeploy the web application
3671
        before deleting any expanded directory as the undeploy process may
3672
        refer to classes that need to be loaded from the expanded directory. If
3673
        the expanded directory is deleted first, any attempt to load a new class
3674
        during undeploy will fail. (markt)
3675
      </fix>
3676
      <fix>
3677
        <bug>56327</bug>: Enable AJP as well as HTTP connectors to be created
3678
        via JMX. Patch by kiran. (markt)
3679
      </fix>
3680
      <fix>
3681
        <bug>56339</bug>: Avoid an infinite loop if an application calls
3682
        <code>session.invalidate()</code> from the session destroyed event for
3683
        that session. (markt)
3684
      </fix>
3685
      <scode>
3686
        <bug>56365</bug>: Simplify file name pattern matching code in
3687
        <code>StandardJarScanner</code>. Improve documentation. (kkolinko)
3688
      </scode>
3689
      <fix>
3690
        Ensure that the static resource cache is able to detect when a cache
3691
        entry is invalidated by being overridden by a new resource in a
3692
        different <code>WebResourceSet</code>. (markt)
3693
      </fix>
3694
      <fix>
3695
        <bug>56369</bug>: Ensure that removing an MBean notification listener
3696
        reverts all the operations performed when adding an MBean notification
3697
        listener. (markt)
3698
      </fix>
3699
      <scode>
3700
        Improve implementation of <code>Lifecycle</code> for
3701
        <code>WebappClassLoader</code>. State is now correctly reported rather
3702
        than always reporting as <code>NEW</code>. (markt)
3703
      </scode>
3704
      <add>
3705
        <bug>56382</bug>: Information about finished deployment and its execution
3706
        time is added to the log files. Patch is provided by Danila Galimov.
3707
        (violetagg)
3708
      </add>
3709
      <add>
3710
        <bug>56383</bug>: Properties for disabling server information and error
3711
        report are added to the <code>org.apache.catalina.valves.ErrorReportValve</code>.
3712
        Based on the patch provided by Nick Bunn. (violetagg/kkolinko)
3713
      </add>
3714
      <fix>
3715
        <bug>56390</bug>: Fix JAR locking issue with JARs containing TLDs and
3716
        the TLD cache that prevented the undeployment of web applications when
3717
        the WAR was deleted. (markt)
3718
      </fix>
3719
      <fix>
3720
        Fix CVE-2014-0119:
3721
        Only create XML parsing objects if required and fix associated potential
3722
        memory leak in the default Servlet.
3723
        Extend XML factory, parser etc. memory leak protection to cover some
3724
        additional locations where, theoretically, a memory leak could occur.
3725
        (markt)
3726
      </fix>
3727
      <fix>
3728
        Modify generic exception handling so that
3729
        <code>StackOverflowError</code> is not treated as a fatal error and can
3730
        handled and/or logged as required. (markt)
3731
      </fix>
3732
      <fix>
3733
        <bug>56409</bug>: Avoid <code>StackOverflowError</code> on non-Windows
3734
        systems if a file named <code>\</code> is encountered when scanning for
3735
        TLDs. (markt)
3736
      </fix>
3737
      <add>
3738
        <bug>56430</bug>: Extend checks for suspicious URL patterns to include
3739
        patterns of the form <code>*.a.b</code> which are not valid patterns for
3740
        extension mappings. (markt)
3741
      </add>
3742
      <fix>
3743
        <bug>56441</bug>: Raise the visibility of exceptions thrown when a
3744
        problem is encountered calling a getter or setter on a component
3745
        attribute. The logging level is raised from debug to warning. (markt)
3746
      </fix>
3747
      <add>
3748
        <bug>56463</bug>: Property for disabling server information is added to
3749
        the <code>DefaultServlet</code>. Server information is presented in the
3750
        response sent to the client when directory listings is enabled.
3751
        (violetagg)
3752
      </add>
3753
      <fix>
3754
        <bug>56472</bug>: Allow NamingContextListener to clean up on stop if its
3755
        start failed. (kkolinko)
3756
      </fix>
3757
      <fix>
3758
        <bug>56481</bug>: Work around case insensitivity issue in
3759
        <code>URLClassLoader</code> exposed by some recent refactoring. (markt)
3760
      </fix>
3761
      <add>
3762
        <bug>56492</bug>: Avoid eclipse debugger pausing on uncaught exceptions
3763
        when tomcat renews its threads. (slaurent)
3764
      </add>
3765
      <add>
3766
        Add the <code>org.apache.naming</code> package to the packages requiring
3767
        code to have the <code>defineClassInPackage</code> permission when
3768
        running under a security manager. (markt)
3769
      </add>
3770
      <fix>
3771
        Make the naming context tokens for containers more robust by using a
3772
        separate object. Require RuntimePermission when introducing a new token.
3773
        (markt/kkolinko)
3774
      </fix>
3775
      <fix>
3776
        <bug>56501</bug>: <code>HttpServletRequest.getContextPath()</code>
3777
        should return the undecoded context path used by the user agent. (markt)
3778
      </fix>
3779
      <fix>
3780
        Minor fixes to <code>ThreadLocalLeakPreventionListener</code>. Do not
3781
        trigger threads renewal for failed contexts. Do not ignore
3782
        <code>threadRenewalDelay</code> setting. Improve documentation. (kkolinko)
3783
      </fix>
3784
      <fix>
3785
        Correct regression introduced in <rev>1239520</rev> that broke loading
3786
        of users from <code>tomcat-users.xml</code> when using the
3787
        <code>JAASMemoryLoginModule</code>. (markt)
3788
      </fix>
3789
      <fix>
3790
        Correct regression introduced in <rev>797162</rev> that broke
3791
        authentication of users when using the
3792
        <code>JAASMemoryLoginModule</code>. (markt)
3793
      </fix>
3794
    </changelog>
3795
  </subsection>
3796
  <subsection name="Coyote">
3797
    <changelog>
3798
      <fix>
3799
        More cleanup of NIO2 endpoint shutdown. (remm)
3800
      </fix>
3801
      <fix>
3802
        <bug>56336</bug>: AJP output corruption and errors. (remm)
3803
      </fix>
3804
      <fix>
3805
        Handle various cases of incomplete writes in NIO2. (remm)
3806
      </fix>
3807
      <scode>
3808
        Code cleanups and i18n in NIO2. (remm)
3809
      </scode>
3810
      <fix>
3811
        Fix extra onDataAvailable calls in the NIO2 connector. (remm)
3812
      </fix>
3813
      <fix>
3814
        Fix gather writes in NIO2 SSL. (remm)
3815
      </fix>
3816
      <scode>
3817
        Upgrade the NIO2 connectors to beta, but still not ready for production. (remm)
3818
      </scode>
3819
      <scode>
3820
        Fix code duplication between NIO and NIO2. (remm)
3821
      </scode>
3822
      <fix>
3823
        <bug>56348</bug>: Fix slow asynchronous read when read was performed on
3824
        a non-container thread. (markt)
3825
      </fix>
3826
      <fix>
3827
        <bug>56416</bug>: Correct documentation for default value of socket
3828
        linger for the AJP and HTTP connectors. (markt)
3829
      </fix>
3830
      <fix>
3831
        Fix possible corruption if doing keepalive after a comet request. (remm)
3832
      </fix>
3833
      <fix>
3834
        <bug>56518</bug>: Fix connection limit latch leak when a non-container
3835
        thread is interrupted during asynchronous processing. (markt)
3836
      </fix>
3837
    </changelog>
3838
  </subsection>
3839
  <subsection name="Jasper">
3840
    <changelog>
3841
      <fix>
3842
        <bug>56334</bug>: Fix a regression in the handling of back-slash
3843
        escaping introduced by the fix for <bug>55735</bug>. (markt/kkolinko)
3844
      </fix>
3845
      <fix>
3846
        <bug>56425</bug>: Improve method matching for EL expressions. When
3847
        looking for matching methods, an exact match between parameter types is
3848
        preferred followed by an assignable match followed by a coercible match.
3849
        (markt)
3850
      </fix>
3851
      <fix>
3852
        Correct the handling of back-slash escaping in the EL parser and no
3853
        longer require that <code>\$</code> or <code>\#</code> must be followed
3854
        by <code>{</code> in order for the back-slash escaping to take effect.
3855
        (markt)
3856
      </fix>
3857
    </changelog>
3858
  </subsection>
3859
  <subsection name="Cluster">
3860
    <changelog>
3861
      <scode>
3862
        Remove the implementation of
3863
        <code>org.apache.catalina.LifecycleListener</code> from
3864
        <code>org.apache.catalina.ha.tcp.SimpleTcpCluster</code>.
3865
        <code>SimpleTcpCluster</code> does not work as
3866
        <code>LifecycleListener</code>, it works as nested components of Host or
3867
        Engine. (kfujino)
3868
      </scode>
3869
      <fix>
3870
        Remove cluster and replicationValve from cluster manager template. These
3871
        instance are not necessary to template. (kfujino)
3872
      </fix>
3873
      <fix>
3874
        Add support for cross context session replication to
3875
        <code>org.apache.catalina.ha.session.BackupManager</code>. (kfujino)
3876
      </fix>
3877
      <fix>
3878
        Remove the unnecessary cross context check. It does not matter whether
3879
        the context that is referenced by other context is set to
3880
        <code>crossContext</code>=true. The context that refers to the different
3881
        context must be set to <code>crossContext</code>=true. (kfujino)
3882
      </fix>
3883
      <scode>
3884
        Move to <code>org.apache.catalina.ha.session.ClusterManagerBase</code>
3885
        common logics of
3886
        <code>org.apache.catalina.ha.session.BackupManager</code> and
3887
        <code>org.apache.catalina.ha.session.DeltaManager</code>. (kfujino)
3888
      </scode>
3889
      <scode>
3890
        Simplify the code of <code>o.a.c.ha.tcp.SimpleTcpCluster</code>. In
3891
        order to add or remove cluster valve to Container, use pipeline instead
3892
        of <code>IntrospectionUtils</code>. (kfujino)
3893
      </scode>
3894
      <fix>
3895
        There is no need to set cluster instance when
3896
        <code>SimpleTcpCluster.unregisterClusterValve</code> is called.
3897
        Set null than cluster instance for cleanup. (kfujino)
3898
      </fix>
3899
    </changelog>
3900
  </subsection>
3901
  <subsection name="WebSocket">
3902
    <changelog>
3903
      <fix>
3904
        <bug>56343</bug>: Avoid a NPE if Tomcat&apos;s Java WebSocket 1.0
3905
        implementation is used with the Java WebSocket 1.0 API JAR from the
3906
        reference implementation. (markt)
3907
      </fix>
3908
      <fix>
3909
        Increase the default maximum size of the executor used by the WebSocket
3910
        implementation for call backs associated with asynchronous writes from
3911
        10 to 200. (markt)
3912
      </fix>
3913
      <add>
3914
        Add a warning if the thread group created for WebSocket asynchronous
3915
        write call backs can not be destroyed when the web application is
3916
        stopped. (markt)
3917
      </add>
3918
      <fix>
3919
        Ensure that threads created to support WebSocket clients are stopped
3920
        when no longer required. This will happen automatically for WebSocket
3921
        client connections initiated by web applications but stand alone clients
3922
        must call <code>WsWebSocketContainer.destroy()</code>. (markt)
3923
      </fix>
3924
      <fix>
3925
        <bug>56449</bug>: When creating a new session, add the message handlers
3926
        to the session before calling <code>Endpoint.onOpen()</code> so the
3927
        message handlers are in place should the <code>onOpen()</code> method
3928
        trigger the sending of any messages. (markt)
3929
      </fix>
3930
      <fix>
3931
        <bug>56458</bug>: Report WebSocket sessions that are created over secure
3932
        connections as secure rather than as not secure. (markt)
3933
      </fix>
3934
      <fix>
3935
        Stop threads used for secure WebSocket client connections when they are
3936
        no longer required and give them better names for easier debugging while
3937
        they are running. (markt)
3938
      </fix>
3939
    </changelog>
3940
  </subsection>
3941
  <subsection name="Web applications">
3942
    <changelog>
3943
      <fix>
3944
        Add Support for <code>copyXML</code> attribute of Host to Host Manager.
3945
        (kfujino)
3946
      </fix>
3947
      <fix>
3948
        Ensure that "name" request parameter is used as a application base of
3949
        host if "webapps" request parameter is not set when adding host in
3950
        HostManager Application. (kfujino)
3951
      </fix>
3952
      <fix>
3953
        Correct documentation on Windows service options, aligning it with
3954
        Apache Commons Daemon documentation. (kkolinko)
3955
      </fix>
3956
      <fix>
3957
        <bug>56418</bug>: Ensure that the Manager web application does not
3958
        report success for a web application deployment that fails. (slaurent)
3959
      </fix>
3960
      <update>
3961
        Improve valves documentation. Split valves into groups. (kkolinko)
3962
      </update>
3963
      <fix>
3964
        <bug>56513</bug>: Make the documentation crystal clear that using
3965
        sendfile will disable any compression that Tomcat may otherwise have
3966
        applied to the response. (markt)
3967
      </fix>
3968
    </changelog>
3969
  </subsection>
3970
  <subsection name="Other">
3971
    <changelog>
3972
      <scode>
3973
        Review source code and take advantage of Java 7&apos;s
3974
        try-with-resources syntax where possible. (markt)
3975
      </scode>
3976
      <fix>
3977
        Align DisplayName of Tomcat installed by <code>service.bat</code> with
3978
        one installed by the *.exe installer. Print a warning in case if neither
3979
        server nor client jvm is found by <code>service.bat</code>. (kkolinko)
3980
      </fix>
3981
      <update>
3982
        <bug>56363</bug>: Update to version 1.1.30 of Tomcat Native library.
3983
        (schultz)
3984
      </update>
3985
      <update>
3986
        Update package renamed Apache Commons BCEL to r1593495 to pick up some
3987
        additional changes for Java 7 support and some code clean up. (markt)
3988
      </update>
3989
      <update>
3990
        Update package renamed Apache Commons FileUpload to r1569132 to pick up
3991
        some small improvements (e.g. better <code>null</code> protection) and
3992
        some code clean up. (markt)
3993
      </update>
3994
      <update>
3995
        Update package renamed Apache Commons Codec to r1586336 to pick up some
3996
        Javadoc fixes and some code clean up. (markt)
3997
      </update>
3998
      <scode>
3999
        Switch to including Apache Commons DBCP via a package renamed svn copy
4000
        rather than building from a source release for consistency with other
4001
        Commons packages and to allow faster releases to fix DBCP related
4002
        issues. (markt)
4003
      </scode>
4004
      <update>
4005
        Update package renamed Apache Commons Pool2 and DBCP2 to r1593563 to
4006
        pick various bug fixes. (markt)
4007
      </update>
4008
      <add>
4009
        In tests: allow to configure directory where JUnit reports and access
4010
        log are written to. (kkolinko)
4011
      </add>
4012
    </changelog>
4013
  </subsection>
4014
</section>
4015
<section name="Tomcat 8.0.5 (markt)" rtext="beta, 2014-03-27">
4016
  <subsection name="Catalina">
4017
    <changelog>
4018
      <fix>
4019
        Rework the fix for <bug>56190</bug> as the previous fix did not recycle
4020
        the request in all cases leading to mis-routing of requests. (markt)
4021
      </fix>
4022
      <fix>
4023
        Allow web applications to package tomcat-jdbc.jar and their JDBC driver
4024
        of choice in the web application. (markt)
4025
      </fix>
4026
      <fix>
4027
        <bug>56293</bug>: Cache resources loaded by the class loader from
4028
        <code>/META-INF/services/</code> for better performance for repeated
4029
        look ups. (markt)
4030
      </fix>
4031
    </changelog>
4032
  </subsection>
4033
  <subsection name="Coyote">
4034
    <changelog>
4035
      <fix>
4036
        Fix possibly incomplete final flush with NIO2 when using non blocking
4037
        mode. (remm)
4038
      </fix>
4039
      <fix>
4040
        Cleanup NIO2 endpoint shutdown. (remm)
4041
      </fix>
4042
      <fix>
4043
        Fix rare race condition notifying onWritePossible in the NIO2
4044
        HTTP/1.1 connector. (remm)
4045
      </fix>
4046
    </changelog>
4047
  </subsection>
4048
  <subsection name="Jasper">
4049
    <changelog>
4050
      <fix>
4051
        <bug>54475</bug>: Add Java 8 support to SMAP generation for JSPs. Patch
4052
        by Robbie Gibson. (markt)
4053
      </fix>
4054
    </changelog>
4055
  </subsection>
4056
  <subsection name="Web applications">
4057
    <changelog>
4058
      <fix>
4059
        <bug>56273</bug>: If the Manager web application does not perform an
4060
        operation because the web application is already being serviced, report
4061
        an error rather than reporting success. (markt)
4062
      </fix>
4063
      <fix>
4064
        <bug>56304</bug>: Add a note to the documentation about not using
4065
        WebSocket with BIO HTTP in production. (markt)
4066
      </fix>
4067
    </changelog>
4068
  </subsection>
4069
</section>
4070
<section name="Tomcat 8.0.4 (markt)" rtext="not released">
4071
  <subsection name="Catalina">
4072
    <changelog>
4073
      <fix>
4074
        Restore the ability to use the <code>addURL()</code> method of the
4075
        web application class loader to add external resources to the web
4076
        application. (markt)
4077
      </fix>
4078
      <fix>
4079
        Improve the robustness of web application undeployment based on some
4080
        code analysis triggered by the report for <bug>54315</bug>. (markt)
4081
      </fix>
4082
      <fix>
4083
        <bug>56125</bug>: Correctly construct the URL for a resource that
4084
        represents the root of a JAR file. (markt)
4085
      </fix>
4086
      <fix>
4087
        Generate a valid root element for the effective web.xml for a web
4088
        application for all supported versions of web.xml. (markt)
4089
      </fix>
4090
      <add>
4091
        Make it easier for applications embedding and/or extending Tomcat to
4092
        modify the <code>javaseClassLoader</code> attribute of the
4093
        <code>WebappClassLoader</code>. (markt)
4094
      </add>
4095
      <fix>
4096
        Add missing support for <code>&lt;deny-uncovered-http-methods&gt;</code>
4097
        element when merging web.xml files. (markt)
4098
      </fix>
4099
      <fix>
4100
        Improve merging process for web.xml files to take account of the
4101
        elements and attributes supported by the Servlet version of the merged
4102
        file. (markt)
4103
      </fix>
4104
      <fix>
4105
        Avoid <code>NullPointerException</code> in resource cache when making an
4106
        invalid request for a resource outside of the web application. (markt)
4107
      </fix>
4108
      <fix>
4109
        Remove an unnecessary null check identified by FindBugs. (markt)
4110
      </fix>
4111
      <add>
4112
        In WebappClassLoader, when reporting threads that are still running
4113
        while web application is being stopped, print their stack traces to
4114
        the log. (kkolinko)
4115
      </add>
4116
      <fix>
4117
        <bug>56190</bug>: The response should be closed (i.e. no further output
4118
        is permitted) when a call to <code>AsyncContext.complete()</code> takes
4119
        effect. (markt)
4120
      </fix>
4121
      <fix>
4122
        <bug>56236</bug>: Enable Tomcat to work with alternative Servlet and
4123
        JSP API JARs that package the XML schemas in such as way as to require
4124
        a dependency on the JSP API before enabling validation for web.xml.
4125
        Tomcat has no such dependency. (markt)
4126
      </fix>
4127
      <fix>
4128
        <bug>56244</bug>: Fix MBeans descriptor for WebappClassLoader MBean.
4129
        (kkolinko)
4130
      </fix>
4131
      <add>
4132
        Add a work around for validating XML documents (often TLDs) that use
4133
        just the file name to refer to refer to the JavaEE schema on which they
4134
        are based. (markt)
4135
      </add>
4136
      <add>
4137
        Add methods of get the idle time from last client access time to
4138
        <code>org.apache.catalina.Session</code>. (kfujino)
4139
      </add>
4140
      <fix>
4141
        <bug>56246</bug>: Fix NullPointerException in MemoryRealm when
4142
        authenticating an unknown user. (markt)
4143
      </fix>
4144
      <fix>
4145
        <bug>56248</bug>: Allow the deployer to update an existing WAR file
4146
        without undeploying the existing application if the update flag is set.
4147
        This allows any existing custom context.xml for the application to be
4148
        retained. To update an application and remove any existing context.xml
4149
        simply undeploy the old version of the application before deploying the
4150
        new version. (markt)
4151
      </fix>
4152
      <fix>
4153
        <bug>56253</bug>: When listing resources that are provided by a JAR, fix
4154
        possible <code>StringIndexOutOfBoundsException</code>s. Add some unit
4155
        tests for this and similar scenarios and fix the additional issues those
4156
        unit tests identified. Based on a patch by Larry Isaacs. (markt)
4157
      </fix>
4158
      <fix>
4159
        Fix CVE-2014-0096:
4160
        Redefine the <code>globalXsltFile</code> initialisation parameter of the
4161
        DefaultServlet as relative to CATALINA_BASE/conf or CATALINA_HOME/conf.
4162
        Prevent user supplied XSLTs used by the DefaultServlet from defining
4163
        external entities. (markt)
4164
      </fix>
4165
    </changelog>
4166
  </subsection>
4167
  <subsection name="Coyote">
4168
    <changelog>
4169
      <fix>
4170
        In some circumstances asynchronous requests could time out too soon.
4171
        (markt)
4172
      </fix>
4173
      <fix>
4174
        <bug>56172</bug>: Avoid possible request corruption when using the AJP
4175
        NIO connector and a request is sent using more than one AJP message.
4176
        Patch provided by Amund Elstad. (markt)
4177
      </fix>
4178
      <add>
4179
        Add experimental NIO2 connector. Based on code developed by
4180
        Nabil Benothman. (remm)
4181
      </add>
4182
      <fix>
4183
        Fix CVE-2014-0075:
4184
        Improve processing of chuck size from chunked headers. Avoid overflow
4185
        and use a bit shift instead of a multiplication as it is marginally
4186
        faster. (markt/kkolinko)
4187
      </fix>
4188
      <fix>
4189
        Fix CVE-2014-0095:
4190
        Correct regression introduced in 8.0.0-RC2 as part of the Servlet 3.1
4191
        non-blocking IO support that broke handling of requests with an explicit
4192
        content length of zero. (markt/kkolinko)
4193
      </fix>
4194
      <fix>
4195
        Fix CVE-2014-0099:
4196
        Fix possible overflow when parsing long values from a byte array.
4197
        (markt)
4198
      </fix>
4199
    </changelog>
4200
  </subsection>
4201
  <subsection name="Jasper">
4202
    <changelog>
4203
      <fix>
4204
        Change the default compiler source and compiler target versions to 1.7
4205
        since Tomcat 8 requires a minimum of Java 7. (markt)
4206
      </fix>
4207
      <fix>
4208
        <bug>56179</bug>: Fix parsing of EL expressions that contain unnecessary
4209
        parentheses. (markt)
4210
      </fix>
4211
      <fix>
4212
        <bug>56177</bug>: Handle dependency tracking for TLDs when using JspC
4213
        with a tag library JAR that is located outside of the web application.
4214
        (markt)
4215
      </fix>
4216
      <fix>
4217
        Remove an unnecessary null check identified by FindBugs. (markt)
4218
      </fix>
4219
      <fix>
4220
        <bug>56199</bug>: Restore validateXml option for JspC which determines
4221
        if web.xml will be parsed with a validating parser. (markt)
4222
      </fix>
4223
      <fix>
4224
        <bug>56223</bug>: Throw an <code>IllegalStateException</code> if a call
4225
        is made to <code>ServletContext.setInitParameter()</code> after the
4226
        ServletContext has been initialized. (markt)
4227
      </fix>
4228
      <fix>
4229
        <bug>56265</bug>: Do not escape values of dynamic tag attributes
4230
        containing EL expressions. (kkolinko)
4231
      </fix>
4232
      <fix>
4233
        Make the default compiler source and target versions for JSPs Java 7
4234
        since Tomcat 8 requires Java 7 as a minimum. (markt)
4235
      </fix>
4236
      <update>
4237
        <bug>56283</bug>: Update to the Eclipse JDT Compiler P20140317-1600
4238
        which adds support for Java 8 syntax to JSPs. Add support for value
4239
        "1.8" for the <code>compilerSourceVM</code> and
4240
        <code>compilerTargetVM</code> options. (markt)
4241
      </update>
4242
    </changelog>
4243
  </subsection>
4244
  <subsection name="WebSocket">
4245
    <changelog>
4246
      <fix>
4247
        Avoid a possible deadlock when one thread is shutting down a connection
4248
        while another thread is trying to write to it. (markt)
4249
      </fix>
4250
      <fix>
4251
        Avoid NPE when flushing batched messages. (markt)
4252
      </fix>
4253
    </changelog>
4254
  </subsection>
4255
  <subsection name="Web Applications">
4256
    <changelog>
4257
      <add>
4258
        <bug>56093</bug>: Add the SSL Valve to the documentation web
4259
        application. (markt)
4260
      </add>
4261
      <fix>
4262
        <bug>56217</bug>: Improve readability by using left alignment for the
4263
        table cell containing the request information on the Manager application
4264
        status page. (markt)
4265
      </fix>
4266
      <fix>
4267
        Fixed <code>java.lang.NegativeArraySizeException</code> when using
4268
        "Expire sessions" command in the manager web application on a
4269
        context where the session timeout is disabled. (kfujino)
4270
      </fix>
4271
      <fix>
4272
         Add support for <code>LAST_ACCESS_AT_START</code> system property to
4273
         Manager web application. (kfujino)
4274
      </fix>
4275
    </changelog>
4276
  </subsection>
4277
  <subsection name="Other">
4278
    <changelog>
4279
      <fix>
4280
        <bug>56115</bug>: Expose the <code>httpusecaches</code> property of
4281
        Ant&apos;s <code>get</code> task as some users may need to change the
4282
        default. Based on a suggestion by Anthony. (markt)
4283
      </fix>
4284
      <fix>
4285
        <bug>56143</bug>: Improve <code>service.bat</code> so that it can be
4286
        launched from a non-UAC console. This includes using a single call to
4287
        <code>tomcat8.exe</code> to install the Windows service rather than
4288
        three calls, and using command line arguments instead of environment
4289
        variables to pass the settings. (markt/kkolinko)
4290
      </fix>
4291
      <scode>
4292
        Simplify Windows *.bat files: remove %OS% checks, as current java does
4293
        not run on ancient non-NT operating systems. (kkolinko)
4294
      </scode>
4295
      <fix>
4296
        Align options between <code>service.bat</code> and <code>exe</code>
4297
        Windows installer. For <code>service.bat</code> the changes are in
4298
        --Classpath, --DisplayName, --StartPath, --StopPath. For
4299
        <code>exe</code> installer the changes are in --JvmMs, --JvmMx options,
4300
        which are now 128 Mb and 256 Mb respectively instead of being empty.
4301
        Explicitly specify --LogPath path when uninstalling Windows service,
4302
        avoiding default value for that option. (kkolinko)
4303
      </fix>
4304
      <fix>
4305
        <bug>56137</bug>: Explicitly use NIO connector in SSL example in
4306
        server.xml so it doesn't break if APR is enabled. (markt)
4307
      </fix>
4308
      <fix>
4309
        <bug>56139</bug>: Avoid a web application class loader leak in some unit
4310
        tests when running on Windows. (markt)
4311
      </fix>
4312
      <fix>
4313
        Correct build script to avoid building JARs with empty packages. (markt)
4314
      </fix>
4315
      <add>
4316
        Allow to limit JUnit test run to a number of selected test case
4317
        methods. (kkolinko)
4318
      </add>
4319
      <update>
4320
        Update Commons Pool 2 to 2.2. (markt)
4321
      </update>
4322
      <update>
4323
        Update Commons DBCP 2 to the 2.0 release. (markt)
4324
      </update>
4325
      <fix>
4326
        <bug>56189</bug>: Remove used file cpappend.bat from the distribution.
4327
        (markt)
4328
      </fix>
4329
      <fix>
4330
        <bug>56204</bug>: Remove unnecessary dependency between tasks in the
4331
        build script. (markt)
4332
      </fix>
4333
      <fix>
4334
         Add definition of <code>org.apache.catalina.ant.FindLeaksTask</code>.
4335
         (kfujino)
4336
      </fix>
4337
      <fix>
4338
         Implement <code>org.apache.catalina.ant.VminfoTask</code>,
4339
         <code>org.apache.catalina.ant.ThreaddumpTask</code> and
4340
         <code>org.apache.catalina.ant.SslConnectorCiphersTask</code>. (kfujino)
4341
      </fix>
4342
      <add>
4343
         Add the option to the Apache Ant tasks to ignore the constraint of the
4344
         first line of the response message that must be "OK -"
4345
         (<code>ignoreResponseConstraint</code> in <code>AbstractCatalinaTask</code>).
4346
         Default is false. (kfujino)
4347
      </add>
4348
    </changelog>
4349
  </subsection>
4350
</section>
4351
<section name="Tomcat 8.0.3 (markt)" rtext="beta, 2014-02-11">
4352
  <subsection name="Other">
4353
    <changelog>
4354
      <fix>
4355
        Fix build of Apache Commons DBCP2 classes. (kkolinko)
4356
      </fix>
4357
      <update>
4358
        Update Commons DBCP 2 to snapshot 170 dated 07 Feb 2014. This enables
4359
        DBCP to work with a SecurityManager such that only DBCP needs to be
4360
        granted the necessary permissions to communicate with the database.
4361
        (markt)
4362
      </update>
4363
    </changelog>
4364
  </subsection>
4365
</section>
4366
<section name="Tomcat 8.0.2 (markt)" rtext="not released">
4367
  <subsection name="Catalina">
4368
    <changelog>
4369
      <fix>
4370
        <bug>56082</bug>: Fix a concurrency bug in JULI&apos;s LogManager
4371
        implementation. (markt)
4372
      </fix>
4373
      <fix>
4374
        <bug>56085</bug>: <code>ServletContext.getRealPath(String)</code> should
4375
        return <code>null</code> for invalid input rather than throwing an
4376
        <code>IllegalArgumentException</code>. (markt)
4377
      </fix>
4378
      <fix>
4379
        Fix WebDAV support that was broken by the refactoring for the new
4380
        resources implementation. (markt)
4381
      </fix>
4382
      <scode>
4383
        Simplify Catalina.initDirs(). (kkolinko)
4384
      </scode>
4385
      <fix>
4386
        <bug>56096</bug>: When the attribute <code>rmiBindAddress</code> of the
4387
        JMX Remote Lifecycle Listener is specified it's value will be used when
4388
        constructing the address of a JMX API connector server. Patch is
4389
        provided by Jim Talbut. (violetagg)
4390
      </fix>
4391
      <fix>
4392
        When environment entry with one and the same name is defined in the web
4393
        deployment descriptor and with annotation then the one specified in the
4394
        web deployment descriptor is with priority. (violetagg)
4395
      </fix>
4396
      <fix>
4397
        Fix passing the value of false for <code>xmlBlockExternal</code> option
4398
        of Context to Jasper, as the default was changed in 8.0.1. (kkolinko)
4399
      </fix>
4400
    </changelog>
4401
  </subsection>
4402
  <subsection name="Coyote">
4403
    <changelog>
4404
      <fix>
4405
        Enable non-blocking reads to take place on non-container threads.
4406
        (markt)
4407
      </fix>
4408
    </changelog>
4409
  </subsection>
4410
  <subsection name="Cluster">
4411
    <changelog>
4412
      <scode>
4413
        Simplify the code of
4414
        <code>o.a.c.ha.tcp.SimpleTcpCluster.createManager(String)</code>.
4415
        Remove unnecessary class cast. (kfujino)
4416
      </scode>
4417
    </changelog>
4418
  </subsection>
4419
  <subsection name="Web applications">
4420
    <changelog>
4421
      <fix>
4422
        In Manager web application improve handling of file upload errors.
4423
        Display a message instead of error 500 page. Simplify. (kkolinko)
4424
      </fix>
4425
    </changelog>
4426
  </subsection>
4427
  <subsection name="Other">
4428
    <changelog>
4429
      <fix>
4430
        <bug>56104</bug>: Correct the version number on the welcome page of the
4431
        Windows installer. (markt)
4432
      </fix>
4433
      <update>
4434
        Update Commons DBCP 2 to snapshot 168 dated 05 Feb 2014. (markt)
4435
      </update>
4436
      <fix>
4437
        Fix CVE-2014-0050, a denial of service with a malicious, malformed
4438
        Content-Type header and multipart request processing. Fixed by merging
4439
        latest code (r1565159) from Commons FileUpload. (markt)
4440
      </fix>
4441
    </changelog>
4442
  </subsection>
4443
</section>
4444
<section name="Tomcat 8.0.1 (markt)" rtext="beta, 2014-02-02">
4445
  <subsection name="Catalina">
4446
    <changelog>
4447
      <fix>
4448
        Change default value of <code>xmlBlockExternal</code> attribute of
4449
        Context. It is <code>true</code> now. (kkolinko)
4450
      </fix>
4451
    </changelog>
4452
  </subsection>
4453
  <subsection name="Coyote">
4454
    <changelog>
4455
      <fix>
4456
        Correct regression in the fix for <bug>55996</bug> that meant that
4457
        asynchronous requests might timeout too early. (markt)
4458
      </fix>
4459
    </changelog>
4460
  </subsection>
4461
  <subsection name="Jasper">
4462
    <changelog>
4463
      <fix>
4464
        Change default value of the <code>blockExternal</code> attribute of
4465
        JspC task. The default value is <code>true</code>. Add support for
4466
        <code>-no-blockExternal</code> switch when JspC is run as a
4467
        standalone application. (kkolinko)
4468
      </fix>
4469
    </changelog>
4470
  </subsection>
4471
  <subsection name="WebSocket">
4472
    <changelog>
4473
      <fix>
4474
        Do not return an empty string for the
4475
        <code>Sec-WebSocket-Protocol</code> HTTP header when no sub-protocol has
4476
        been requested or no sub-protocol could be agreed as RFC6455 requires
4477
        that no <code>Sec-WebSocket-Protocol</code> header is returned in this
4478
        case. (markt)
4479
      </fix>
4480
    </changelog>
4481
  </subsection>
4482
</section>
4483
<section name="Tomcat 8.0.0 (markt)" rtext="not released">
4484
  <subsection name="Catalina">
4485
    <changelog>
4486
      <add>
4487
        Implement JSR 340 - Servlet 3.1. The JSR 340 implementation includes
4488
        contributions from Nick Williams and Jeremy Boynes. (markt)
4489
      </add>
4490
      <add>
4491
        Implement JSR 245 MR2 - JSP 2.3. (markt)
4492
      </add>
4493
      <add>
4494
        Implement JSR 341 - Unified Expression Language 3.0. (markt)
4495
      </add>
4496
      <add>
4497
        Implement JSR 356 - WebSockets. The JSR 356 implementation includes
4498
        contributions from Nick Williams, Rossen Stoyanchev and Niki Dokovski.
4499
        (markt)
4500
      </add>
4501
      <update>
4502
        <bug>46727</bug>: Refactor default servlet to make it easier to
4503
        sub-class to implement finer grained control of the file encoding. Based
4504
        on a patch by Fred Toth. (markt)
4505
      </update>
4506
      <add>
4507
        <bug>45995</bug>: Align Tomcat with Apache httpd and perform MIME type
4508
        mapping based on file extension in a case insensitive manner. (markt)
4509
      </add>
4510
      <scode>
4511
        Remove duplicate code that converted a Host&apos;s appBase attribute to
4512
        a canonical file. (markt)
4513
      </scode>
4514
      <scode>
4515
        <bug>51408</bug>: Replace calls to <code>Charset.defaultCharset()</code>
4516
        with an explicit reference to the ISO-8859-1 Charset. (markt)
4517
      </scode>
4518
      <scode>
4519
        Refactor initialization code to use a single, consistent approach to
4520
        determining the Catalina home (binary) and base (instance) directories.
4521
        The search order for home is <code>catalina.home</code> system property,
4522
        parent of current directory if boootstrap.jar is present and finally
4523
        current working directory. The search order for Catalina base is
4524
        <code>catalina.base</code> system property falling back to the value for
4525
        Catalina home. (markt)
4526
      </scode>
4527
      <update>
4528
        <bug>52092</bug>: JULI now uses the <code>OneLineFormatter</code> and
4529
        <code>AsyncFileHandler</code> by default. (markt)
4530
      </update>
4531
      <fix>
4532
        <bug>52558</bug>: Refactor <code>CometConnectionManagerValve</code> so
4533
        that it does not prevent the session from being serialized in when
4534
        running in a cluster. (markt)
4535
      </fix>
4536
      <fix>
4537
        <bug>52767</bug>: Remove reference to MySQL specific autoReconnect
4538
        property in <code>JDBCAccessLogValve</code>. (markt)
4539
      </fix>
4540
      <scode>
4541
        Make the Mapper type-safe. Hosts, Contexts and Wrappers are no
4542
        longer handled as plain objects, instead they keep their type.
4543
        Code using the Mapper doesn't need to cast objects returned by
4544
        the mapper. (rjung)
4545
      </scode>
4546
      <scode>
4547
        Move Manager, Loader and Resources from Container to Context since
4548
        Context is the only place they are used. The documentation already
4549
        states (and has done for some time) that Context is the only valid
4550
        location for these nested components. (markt)
4551
      </scode>
4552
      <scode>
4553
        Move the Mapper from the Connector to the Service since the Mapper is
4554
        identical for all Connectors of a given Service and it is common for
4555
        there to be multiple Connectors for a Service (http, https and ajp).
4556
        This means there is now only ever one Mapper per Service rather than
4557
        possibly multiple identically configured Mapper objects. (markt)
4558
      </scode>
4559
      <scode>
4560
        Remove the per Context Mapper objects and use the Mapper from the
4561
        Service. This removes the need to maintain two copies of the mappings
4562
        for Servlets and Filters. (markt)
4563
      </scode>
4564
      <add>
4565
        Implement a new Resources implementation that merges Aliases,
4566
        VirtualLoader, VirtualDirContext, JAR resources and external
4567
        repositories into a single framework rather than a separate one for each
4568
        feature. (markt)
4569
      </add>
4570
      <add>
4571
        URL rewrite valve, similar in functionality to mod_rewrite. (remm)
4572
      </add>
4573
      <add>
4574
        Port storeconfig functionality, which can persist to server.xml and
4575
        context.xml runtime container configuration changes. (remm)
4576
      </add>
4577
      <add>
4578
        <bug>54095</bug>: Add support to the Default Servlet for serving
4579
        gzipped versions of static resources directly from disk as an
4580
        alternative to Tomcat compressing them on each request. Patch by
4581
        Philippe Marschall. (markt)
4582
      </add>
4583
      <fix>
4584
        <bug>54708</bug>: Change the name of the working directory for the ROOT
4585
        application (located under $CATALINA_BASE/work by default) from _ to
4586
        ROOT. (markt)
4587
      </fix>
4588
      <add>
4589
        Change default configuration so that a change to the global web.xml file
4590
        will trigger a reload of all web applications. (markt)
4591
      </add>
4592
      <fix>
4593
        <bug>55101</bug>: Make BASIC authentication more tolerant of whitespace.
4594
        Patch provided by Brian Burch. (markt)
4595
      </fix>
4596
      <fix>
4597
        <bug>55166</bug>: Move JSP descriptor and tag library descriptor schemas
4598
        to servlet-api.jar to enable relative references between the schemas to
4599
        be correctly resolved. (markt)
4600
      </fix>
4601
      <scode>
4602
        Refactor the descriptor parsing code into a separate module that can be
4603
        used by both Catalina and Jasper. Includes patches provided by Jeremy
4604
        Boynes. (violetagg/markt)
4605
      </scode>
4606
      <scode>
4607
        <bug>55246</bug>: Move TLD scanning to a ServletContainerInitializer
4608
        provided by Jasper. Includes removal of TldConfig lifecycle listener and
4609
        associated Context properties. (jboynes)
4610
      </scode>
4611
      <add>
4612
        <bug>55317</bug>: Facilitate weaving by allowing ClassFileTransformer to
4613
        be added to WebappClassLoader. Patch by Nick Williams. (markt)
4614
      </add>
4615
      <fix>
4616
        <bug>55620</bug>: Enable Tomcat to start when either $CATALINA_HOME
4617
        and/or $CATALINA_BASE contains a comma character. Prevent Tomcat from
4618
        starting when $CATALINA_HOME and/or $CATALINA_BASE contains a semi-colon
4619
        on Windows. Prevent Tomcat from starting when $CATALINA_HOME and/or
4620
        $CATALINA_BASE contains a colon on Linux/FreeBSD/etc. (markt)
4621
      </fix>
4622
      <scode>
4623
        Initialize the JSP runtime in Jasper's initializer to avoid need for a
4624
        Jasper-specific lifecycle listener. <code>JasperListener</code> has been
4625
        removed. (jboynes)
4626
      </scode>
4627
      <fix>
4628
        Change ordering of elements of JMX objects names so components are
4629
        grouped more logically in JConsole. Generally, components are now
4630
        grouped by Host and then by Context. (markt)
4631
      </fix>
4632
      <add>
4633
        Context listener to allow better EE and framework integration. (remm)
4634
      </add>
4635
      <fix>
4636
        <bug>57896</bug>: Support defensive copying of "cookie" header so that
4637
        unescaping double quotes in a cookie value does not corrupt original
4638
        value of "cookie" header. This is an opt-in feature, enabled by
4639
        <code>org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER</code>
4640
        system property. (remm/kkolinko)
4641
      </fix>
4642
    </changelog>
4643
  </subsection>
4644
  <subsection name="Coyote">
4645
    <changelog>
4646
      <add>
4647
        Experimental support for SPDY. Includes contributions from Sheldon Shao.
4648
        (costin)
4649
      </add>
4650
      <scode>
4651
        The default connector is now the Java NIO connector even when specifying
4652
        HTTP/1.1 as protocol (fhanik)
4653
      </scode>
4654
      <scode>
4655
        Update default value of pollerThreadCount for the NIO connector. The new
4656
        default value will never go above 2 regardless of available processors.
4657
        (fhanik)
4658
      </scode>
4659
      <fix>
4660
        <bug>54010</bug>: Remove some unnecessary code (duplicate calls to
4661
        configure the scheme as https for AJP requests originally received over
4662
        HTTPS). (markt)
4663
      </fix>
4664
      <scode>
4665
        Refactor char encoding/decoding using NIO APIs. (remm)
4666
      </scode>
4667
      <update>
4668
        Change the default URIEncoding for all connectors from ISO-8859-1 to
4669
        UTF-8. (markt)
4670
      </update>
4671
    </changelog>
4672
  </subsection>
4673
  <subsection name="Jasper">
4674
    <changelog>
4675
      <scode>
4676
        Simplify API of <code>ErrorDispatcher</code> class by using varargs.
4677
        (kkolinko)
4678
      </scode>
4679
      <scode>
4680
        Update Jasper to use the new common web.xml parsing code. Includes
4681
        patches by Jeremy Boynes. (markt/violetagg)
4682
      </scode>
4683
      <add>
4684
        Create test cases for JspC. Patch by Jeremy Boynes. (markt)
4685
      </add>
4686
      <scode>
4687
        <bug>55246</bug>: TLD scanning is now performed by JasperInitializer
4688
        (a ServletContainerInitializer) removing the need for support within the
4689
        Servlet container itself. The scan is now performed only once rather than
4690
        in two passes reducing startup time. (jboynes)
4691
      </scode>
4692
      <fix>
4693
        <bug>55251</bug>: Do not allow JspC task to fail silently if the web.xml
4694
        or web.xml fragment can not be generated. (markt)
4695
      </fix>
4696
    </changelog>
4697
  </subsection>
4698
  <subsection name="Cluster">
4699
    <changelog>
4700
      <scode>
4701
        Remove unused JvmRouteSessionIDBinderListener and SessionIDMessage.
4702
        (kfujino)
4703
      </scode>
4704
      <scode>
4705
        Modify method signature in ReplicationValve. Cluster instance is not
4706
        necessary to argument of method. (kfujino)
4707
      </scode>
4708
      <scode>
4709
        Remove unused <code>expireSessionsOnShutdown</code> attribute in
4710
        <code>org.apache.catalina.ha.session.BackupManager</code>. (kfujino)
4711
      </scode>
4712
    </changelog>
4713
  </subsection>
4714
  <subsection name="Web applications">
4715
    <changelog>
4716
      <add>
4717
        Extend the diagnostic information provided by the Manager web
4718
        application to include details of the configured SSL ciphers suites for
4719
        each connector. (markt)
4720
      </add>
4721
      <update>
4722
        <bug>48550</bug>: Update examples web application to use UTF-8. (markt)
4723
      </update>
4724
      <update>
4725
        <bug>55383</bug>: Improve the design and correct the HTML markup of
4726
        the documentation web application. Patches provided by Konstantin
4727
        Preißer. (markt)
4728
      </update>
4729
    </changelog>
4730
  </subsection>
4731
  <subsection name="Tribes">
4732
    <changelog>
4733
      <scode>
4734
        Refactor <code>AbstractReplicatedMap</code> to use generics. A key
4735
        side-effect of this is that the class now implements
4736
        <code>Map&lt;K,V&gt;</code> rather than extends
4737
        <code>ConcurrentMap</code>. (markt)
4738
      </scode>
4739
    </changelog>
4740
  </subsection>
4741
  <subsection name="Other">
4742
    <changelog>
4743
      <scode>
4744
        Remove unused, deprecated code. (markt)
4745
      </scode>
4746
      <scode>
4747
        Remove static info String and associated getInfo() method where present.
4748
        (markt)
4749
      </scode>
4750
      <update>
4751
        (<rev>1353242</rev>, <rev>1353410</rev>):
4752
        Remove Ant tasks <code>jasper2</code> and <code>jkstatus</code>.
4753
        The correct names are <code>jasper</code> and <code>jkupdate</code>.
4754
        (kkolinko)
4755
      </update>
4756
      <fix>
4757
        <bug>53529</bug>: Clean-up the handling of
4758
        <code>InterruptedException</code> throughout the code base. (markt)
4759
      </fix>
4760
      <add>
4761
        <bug>54899</bug>: Provide an initial implementation of NetBeans support.
4762
        Patch provided by Brian Burch. (markt)
4763
      </add>
4764
      <fix>
4765
        <bug>55166</bug>: Move the JSP descriptor and tag library descriptor
4766
        schema definition files from jsp-api.jar to servlet-api.jar so relative
4767
        includes between the J2EE, Servlet and JSP schemas are correctly
4768
        resolved. (markt)
4769
      </fix>
4770
      <fix>
4771
        <bug>55372</bug>: When starting Tomcat with the <code>jpda</code> option
4772
        to enable remote debugging, by default only listen on localhost for
4773
        connections from a debugger. Prior to this change, Tomcat listened on
4774
        all known addresses. (markt)
4775
      </fix>
4776
    </changelog>
4777
  </subsection>
4778
</section>
4779
</body>
4780
</document>
(-)webapps/docs/config/http.xml (-3 / +6 lines)
Lines 1017-1023 Link Here
1017
    <attribute name="crlFile" required="false">
1017
    <attribute name="crlFile" required="false">
1018
      <p>The certificate revocation list to be used to verify client
1018
      <p>The certificate revocation list to be used to verify client
1019
      certificates. If not defined, client certificates will not be checked
1019
      certificates. If not defined, client certificates will not be checked
1020
      against a certificate revocation list.</p>
1020
      against a certificate revocation list. The file may be specified using a
1021
      URL, an absolute path or a relative (to CATAINA_BASE) path.</p>
1021
    </attribute>
1022
    </attribute>
1022
1023
1023
    <attribute name="keyAlias" required="false">
1024
    <attribute name="keyAlias" required="false">
Lines 1042-1048 Link Here
1042
      the file "<code>.keystore</code>" in the operating system home
1043
      the file "<code>.keystore</code>" in the operating system home
1043
      directory of the user that is running Tomcat. If your
1044
      directory of the user that is running Tomcat. If your
1044
      <code>keystoreType</code> doesn't need a file use <code>""</code>
1045
      <code>keystoreType</code> doesn't need a file use <code>""</code>
1045
      (empty string) for this parameter.</p>
1046
      (empty string) for this parameter. The file may be specified using a
1047
      URL, an absolute path or a relative (to CATAINA_BASE) path.</p>
1046
    </attribute>
1048
    </attribute>
1047
1049
1048
    <attribute name="keystorePass" required="false">
1050
    <attribute name="keystorePass" required="false">
Lines 1136-1142 Link Here
1136
      <p>The trust store file to use to validate client certificates. The
1138
      <p>The trust store file to use to validate client certificates. The
1137
      default is the value of the <code>javax.net.ssl.trustStore</code> system
1139
      default is the value of the <code>javax.net.ssl.trustStore</code> system
1138
      property. If neither this attribute nor the default system property is
1140
      property. If neither this attribute nor the default system property is
1139
      set, no trust store will be configured.</p>
1141
      set, no trust store will be configured. The file may be specified using a
1142
      URL, an absolute path or a relative (to CATAINA_BASE) path.</p>
1140
    </attribute>
1143
    </attribute>
1141
1144
1142
    <attribute name="truststorePass" required="false">
1145
    <attribute name="truststorePass" required="false">
(-)webapps/docs/config/realm.xml (-2 / +2 lines)
Lines 811-818 Link Here
811
      </attribute>
811
      </attribute>
812
812
813
      <attribute name="pathname" required="false">
813
      <attribute name="pathname" required="false">
814
        <p>Absolute or relative (to $CATALINA_BASE) pathname to the XML file
814
        <p>URL, absolute path or relative path (to $CATALINA_BASE) for the XML
815
        containing our user information.  See below for details on the
815
        file containing our user information.  See below for details on the
816
        XML element format required.  If no pathname is specified, the
816
        XML element format required.  If no pathname is specified, the
817
        default value is <code>conf/tomcat-users.xml</code>.</p>
817
        default value is <code>conf/tomcat-users.xml</code>.</p>
818
      </attribute>
818
      </attribute>
(-)webapps/docs/jndi-resources-howto.xml (-2 / +3 lines)
Lines 471-478 public class MyBean2 { Link Here
471
          pathname="conf/tomcat-users.xml"
471
          pathname="conf/tomcat-users.xml"
472
          readonly="false" />]]></source>
472
          readonly="false" />]]></source>
473
473
474
    <p>The <code>pathname</code> attribute can be absolute or relative. If
474
    <p>The <code>pathname</code> attribute can be a URL, an absolute path or a
475
    relative, it is relative to <code>$CATALINA_BASE</code>.</p>
475
    relative path. If relative, it is relative to <code>$CATALINA_BASE</code>.
476
    </p>
476
477
477
    <p>The <code>readonly</code> attribute is optional and defaults to
478
    <p>The <code>readonly</code> attribute is optional and defaults to
478
    <code>true</code> if not supplied. If the XML is writeable then it will be
479
    <code>true</code> if not supplied. If the XML is writeable then it will be
