| <?xml version="1.0" encoding="UTF-8"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <!DOCTYPE document [ |
| <!ENTITY project SYSTEM "project.xml"> |
| ]> |
| <?xml-stylesheet type="text/xsl" href="tomcat-docs.xsl"?> |
| <document url="changelog.html"> |
| |
| &project; |
| |
| <properties> |
| <title>Changelog</title> |
| <no-comments /> |
| </properties> |
| |
| <body> |
| <!-- |
| Subsection ordering: |
| General, Catalina, Coyote, Jasper, Cluster, WebSocket, Web applications, |
| Extras, Tribes, jdbc-pool, Other |
| |
| Item Ordering: |
| |
| Fixes having an issue number are sorted by their number, ascending. |
| |
| There is no ordering by add/update/fix/scode. |
| |
| Other fixed issues are added to the end of the list, chronologically. |
| They eventually become mixed with the numbered issues. (I.e., numbered |
| issues do not "pop up" wrt. others). |
| --> |
| <section name="Tomcat 9.0.0.M10" rtext="in development"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>59813</bug>: Ensure that circular relations of the Class-Path |
| attribute from JAR manifests will be processed correctly. (violetagg) |
| </fix> |
| <fix> |
| Ensure that reading the <code>singleThreadModel</code> attribute of a |
| <code>StandardWrapper</code> via JMX does not trigger initialisation of |
| the associated servlet. With some frameworks this can trigger an |
| unexpected initialisation thread and if initialisation is not thread-safe |
| the initialisation can then fail. (markt) |
| </fix> |
| <fix> |
| Compatibility with rewrite from httpd for non-existent headers. |
| (jfclere) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correct a regression in refactoring to enable injection of custom |
| keystores that broke the automatic conversion of OpenSSL style PEM |
| key and certificate files for use with JSSE TLS connectors. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| When writing out a full web.xml file with JspC ensure that the encoding |
| used in the XML prolog matches the encoding used to write the contents |
| of the file. (markt) |
| </fix> |
| <fix> |
| Improve the error handling for custom tags to ensure that the tag is |
| returned to the pool or released and destroyed once used. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>59867</bug>: Correct the documentation provided by Manager's |
| 403.jsp. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| To avoid unintentionally skipping <code>PoolCleaner</code>, |
| remove the execution interval check from the task that has |
| been scheduled. (kfujino) |
| </fix> |
| <fix> |
| <bug>59850</bug>: Ensure that the <code>ResultSet</code> is closed when |
| enabling the <code>StatementCache</code> interceptor. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M9" rtext="2016-07-12"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>18500</bug>: Add limited support for wildcard host names and host |
| aliases. Names of the form <code>*.domainname</code> are now permitted. |
| Note that an exact host name match takes precedence over a wild card |
| host name match. (markt) |
| </fix> |
| <fix> |
| <bug>57705</bug>: Add debug logging for requests denied by the remote |
| host and remote address valves and filters. Based on a patch by Graham |
| Leggett. (markt) |
| </fix> |
| <fix> |
| Correct a regression in the fix for <bug>58588</bug> that removed the |
| entire <code>org.apache.juli</code> package from the embedded JARs |
| rendering them unusable. (markt) |
| </fix> |
| <add> |
| <bug>59399</bug>: Add a new option to the Realm implementations that |
| ship with Tomcat that allows the HTTP status code used for HTTP -> HTTPS |
| redirects to be controlled per Realm. (markt) |
| </add> |
| <fix> |
| <bug>59708</bug>: Modify the LockOutRealm logic. Valid authentication |
| attempts during the lock out period will no longer reset the lock out |
| timer to zero. (markt) |
| </fix> |
| <update> |
| Change the default of the |
| <code>sessionCookiePathUsesTrailingSlash</code> attribute of the |
| <code>Context</code> element to <code>false</code> since the problems |
| caused when a Servlet is mapped to <code>/*</code> are more significant |
| than the security risk of not enabling this option by default. (markt) |
| </update> |
| <fix> |
| Follow-up to <bug>59655</bug>. Improve the documentation for configuring |
| permitted cookie names. Patch provided by Kyohei Nakamura. (markt) |
| </fix> |
| <fix> |
| Do not attempt to start web resources during a web application's |
| initialisation phase since the web application is not fully configured |
| at that point and the web resources may not be correctly configured. |
| (markt) |
| </fix> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Fix a cause of multiple attempts to close the same socket. (markt) |
| </fix> |
| <scode> |
| Refactor the certificate keystore and trust store generation to make it |
| easier for embedded users to inject their own key stores. (markt) |
| </scode> |
| <update> |
| Add a <code>maxConcurrentStreamExecution</code> attribute on the HTTP/2 |
| protocol handler to allow restricting the number of concurrent streams |
| that are being executed in a single connection. The default is to |
| not limit it. (remm) |
| </update> |
| <add> |
| <bug>59233</bug>: Add the ability to add TLS virtual hosts dynamically. |
| (markt) |
| </add> |
| <fix> |
| Correct a problem with <code>ServletRequest.getServerPort()</code> for |
| secure HTTP/2 connections that meant an incorrect value was returned when |
| using the default port. (markt) |
| </fix> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <scode> |
| Now that the WebSocket implementation is not built directly on top of the |
| Servlet API and can use Tomcat internals, there is no need for the |
| dedicated WebSocket Executor. It has been replaced by the use of the |
| Connector/Endpoint provided Executor. (markt) |
| </scode> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <fix> |
| Do not log an additional case of <code>IOException</code>s in the |
| error handler for the Drawboard WebSocket example when the root cause is |
| the client disconnecting since the logs add no value. (markt) |
| </fix> |
| <fix> |
| <bug>59642</bug>: Mention the <code>localDataSource</code> in the |
| <code>DataSourceRealm</code> section of the Realm How-To. (markt) |
| </fix> |
| <fix> |
| <bug>59672</bug>: Update the security considerations page of the |
| documentation web application to take account of the fact that the |
| Manager and HostManager applications now have a |
| <code>RemoteAddrValve</code> configured by default. (markt) |
| </fix> |
| <fix> |
| Follow-up to the fix for <bug>59399</bug>. Ensure that the new attribute |
| <code>transportGuaranteeRedirectStatus</code> is documented for all |
| <strong>Realm</strong>s. Also document the <code>NullRealm</code> and |
| when it is automatically created for an <strong>Engine</strong>. (markt) |
| </fix> |
| <fix> |
| Fix the description of <code>maxAge</code> attribute in jdbc-pool doc. |
| This attribute works both when a connection is returned and when a |
| connection is borrowed. (kfujino) |
| </fix> |
| <fix> |
| <bug>59774</bug>: Correct the <code>prefix</code> values in the |
| documented examples for configuring the <code>AccessLogValve</code>. |
| Patch provided by Mike Noordermeer. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <add> |
| Add log message when the ping has timed-out. (kfujino) |
| </add> |
| <fix> |
| If the ping message has been received at the |
| <code>AbstractReplicatedMap#leftOver</code> method, notify that |
| the member is alive rather than ignoring it. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Fix the duplicated connection release when connection verification |
| failed. (kfujino) |
| </fix> |
| <fix> |
| Ensure that an abandoned connection that has already been released is |
| not removed. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Remove JULI plus log4j extras and embedded artifacts from Maven release |
| script. (markt) |
| </fix> |
| <add> |
| Use the mirror network rather than the ASF master site to download the |
| current ASF dependencies. (markt) |
| </add> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.8 to |
| pick up the latest fixes and make 1.2.8 the minimum recommended version. |
| (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M8" rtext="2016-06-13"> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Remove accidentally committed debug code. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M7" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| RMI Target related memory leaks are avoidable which makes them an |
| application bug that needs to be fixed rather than a JRE bug to work |
| around. Therefore, start logging RMI Target related memory leaks on web |
| application stop. Add an option that controls if the check for these |
| leaks is made. Log a warning if running on Java 9 with this check |
| enabled but without the command line option it requires. (markt) |
| </fix> |
| <fix> |
| Ensure NPE will not be thrown during deployment when scanning jar files |
| without MANIFEST.MF file. (violetagg) |
| </fix> |
| <scode> |
| Remove the <code>clearReferencesStatic</code> option from |
| <code>StandardContext</code>. It was known to cause problems with some |
| libraries (such as log4j) and was only linked to suspected memory leaks |
| rather than known memory leaks. It had been disabled by default with no |
| increase in the reports of memory leaks for some time. (markt) |
| </scode> |
| <fix> |
| <bug>59604</bug>: Correct the assumption made in the URL decoding that |
| the default platform encoding is always compatible with ISO-8859-1. This |
| assumption is not always valid, e.g. on z/OS. (markt) |
| </fix> |
| <fix> |
| <bug>59608</bug>: Skip over any invalid <code>Class-Path</code> attribute |
| from JAR manifests. Log errors at debug level due to many bad libraries. |
| (remm) |
| </fix> |
| <fix> |
| Fix the error message when registration of an MBean fails. (kfujino) |
| </fix> |
| <fix> |
| <bug>59655</bug>: Configure the cookie name validation to use RFC6265 |
| rules by default to align it with the default cookie parser. Document |
| the impact system properties have on cookie name validation. (mark) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Ensure that requests with HTTP method names that are not tokens (as |
| required by RFC 7231) are rejected with a 400 response. (markt) |
| </fix> |
| <fix> |
| When an asynchronous request is processed by the AJP connector, ensure |
| that request processing has fully completed before starting the next |
| request. (markt) |
| </fix> |
| <fix> |
| Improve handling of HTTP/2 stream resets. (markt) |
| </fix> |
| <add> |
| <bug>58750</bug>: The HTTP Server header is no longer set by default. A |
| Server header may be configured by setting the <code>server</code> |
| attribute on the <code>Connector</code>. A new <code>Connector</code> |
| attribute, <code>serverRemoveAppProvidedValues</code> may be used to |
| remove any Server header set by a web application. (markt) |
| </add> |
| <fix> |
| <bug>59564</bug>: Correct offset when reading into HTTP/2 input buffer |
| that could cause problems reading request bodies. (violetagg/markt) |
| </fix> |
| <fix> |
| Modify the handling of read/write timeouts so that the appropriate error |
| handling (<code>ReadListener.onError()</code>, |
| <code>WriteListener.onError()</code> or |
| <code>AsyncListener.onError()</code>) is called. (markt) |
| </fix> |
| <fix> |
| If an async dispatch results in the completion of request processing, |
| ensure that any remaining request body is swallowed before starting the |
| processing of the next request else the remaining body may be read as the |
| start of the next request leading to a 400 response. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>59567</bug>: Fix NPE scanning webapps for TLDs when an exploded |
| JAR has an empty WEB-INF/classes/META-INF folder. (remm) |
| </fix> |
| <fix> |
| Fix a memory leak in the expression language implementation that caused |
| the class loader of the first web application to use expressions to be |
| pinned in memory. (markt) |
| </fix> |
| <fix> |
| <bug>59654</bug>: Improve error message when attempting to use a TLD |
| file from an invalid location. Patch provided by Huxing Zhang. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>59659</bug>: Fix possible memory leak in WebSocket handling of |
| unexpected client disconnects. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>58891</bug>: Update the SSL how-to. Based on a suggestion by |
| Alexander Kjäll. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Extras"> |
| <changelog> |
| <scode> |
| <bug>58588</bug>: Remove the JULI extras package from the distribution. |
| It was only useful for switching Tomcat's internal logging to log4j |
| 1.2.x and that version of log4j is no longer supported. No additional |
| Tomcat code is required if switching Tomcat's internal logging to log |
| via log4j 2.x. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Fix a memory leak with the pool cleaner thread that retained a reference |
| to the web application class loader for the first web application to use |
| a connection pool. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the internal fork of Commons DBCP 2 to r1743696 (2.1.1 plus |
| additional fixes). (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons Pool 2 to r1743697 (2.4.2 plus |
| additional fixes). (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons File Upload to r1743698 (1.3.1 plus |
| additional fixes). (markt) |
| </update> |
| <scode> |
| Use UTF-8 with a standard prolog for all XML files. (markt) |
| </scode> |
| <fix> |
| <bug>58626</bug>: Add support for a new environment variable |
| (<code>USE_NOHUP</code>) that causes <code>nohup</code> to be used when |
| starting Tomcat. It is disabled by default except on HP-UX where it is |
| enabled by default since it is required when starting Tomcat at boot on |
| HP-UX. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M6" rtext="2016-05-16"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Ensure that annotated web components packed in web fragments will be |
| processed when <code>unpackWARs</code> is enabled. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M5" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>48922</bug>: Apply a very small performance improvement to the |
| date formatting in Tomcat's internal request object. Based on a patch |
| provided by Ondrej Medek. (markt) |
| </fix> |
| <fix> |
| <bug>59206</bug>: Ensure NPE will not be thrown by |
| <code>o.a.tomcat.util.file.ConfigFileLoader</code> when |
| <code>catalina.base</code> is not specified. (violetagg) |
| </fix> |
| <fix> |
| <bug>59217</bug>: Remove duplication in the recycling of the path in |
| <code>o.a.tomcat.util.http.ServerCookie</code>. Patch is provided by |
| Kyohei Nakamura. (violetagg) |
| </fix> |
| <fix> |
| Fixed possible NPE in |
| <code>o.a.catalina.loader.WebappClassLoaderBase.getResourceAsStream</code> |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>59213</bug>: Async dispatches should be based off a wrapped |
| request. (remm) |
| </fix> |
| <fix> |
| Ensure that <code>javax.servlet.ServletRequest</code> and |
| <code>javax.servlet.ServletResponse</code> provided during |
| <code>javax.servlet.AsyncListener</code> registration are made |
| available via <code>javax.servlet.AsyncEvent.getSuppliedRequest</code> |
| and <code>javax.servlet.AsyncEvent.getSuppliedResponse</code> |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>59219</bug>: Ensure <code>AsyncListener.onError()</code> is called |
| if an <code>Exception</code> is thrown during async processing. (markt) |
| </fix> |
| <fix> |
| <bug>59220</bug>: Ensure that <code>AsyncListener.onComplete()</code> is |
| called if the async request times out and the response is already |
| committed. (markt) |
| </fix> |
| <fix> |
| <bug>59226</bug>: Process the <code>Class-Path</code> attribute from |
| JAR manifests for JARs on the class path excluding JARs packaged in |
| <code>WEB-INF/lib</code>. (markt) |
| </fix> |
| <fix> |
| <bug>59255</bug>: Fix possible NPE in mapper. (kkolinko/remm) |
| </fix> |
| <fix> |
| <bug>59256</bug>: <code>slf4j-taglib*.jar</code> should not be excluded |
| from the standard JAR scanning by default. (violetagg) |
| </fix> |
| <fix> |
| Clarify the log message that specifying both urlPatterns and value |
| attributes in @WebServlet and @WebFilter annotations is not allowed. |
| (violetagg) |
| </fix> |
| <fix> |
| Ensure the exceptions caused by Valves will be available in the log |
| files so that they can be evaluated when |
| <code>o.a.catalina.valves.ErrorReportValve.showReport</code> is |
| disabled. Patch is provided by Svetlin Zarev. (violetagg) |
| </fix> |
| <fix> |
| Remove unused <code>distributable</code> attribute that is defined as |
| <code>TransientAttribute</code> of <code>Manager</code> in StoreConfig. |
| (kfujino) |
| </fix> |
| <fix> |
| Fix handling of Cluster Receiver in StoreConfig. The <code>bind</code> |
| and <code>host</code> attributes are defined as |
| <code>TransientAttribute</code>. (kfujino) |
| </fix> |
| <fix> |
| <bug>59261</bug>: <code>ServletRequest.getAsyncContext()</code> now |
| throws an <code>IllegalStateException</code> as required by the Servlet |
| specification if the request is not in asynchronous mode when called. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59269</bug>: Correct the implementation of |
| <code>PersistentManagerBase</code> so that <code>minIdleSwap</code> |
| functions as designed and sessions are swapped out to keep the active |
| session count below <code>maxActiveSessions</code>. (markt) |
| </fix> |
| <update> |
| Update the implementation of the proposed Servlet 4.0 API to provide |
| mapping type information for the current request to reflect discussions |
| within the EG. (markt) |
| </update> |
| <fix> |
| Correctly configure the base path for a resources directory provided by |
| an expanded JAR file. Patch provided by hengyunabc. (markt) |
| </fix> |
| <add> |
| When multiple compressed formats are available and the client does not |
| express a preference, use the server order to determine the preferred |
| format. Based on a patch by gmokki. (markt) |
| </add> |
| <fix> |
| <bug>59284</bug>: Allow the Tomcat provided JASPIC |
| <code>SimpleServerAuthConfig</code> to pick up module configuration |
| properties from either the property set passed to its constructor or |
| from the properties passed in the call to <code>getAuthContext</code>. |
| Based on a patch by Thomas Maslen. (markt) |
| </fix> |
| <fix> |
| <bug>59310</bug>: Do not add a <code>Content-Length: 0</code> header for |
| custom responses to <code>HEAD</code> requests that do not set a |
| <code>Content-Length</code> value. (markt) |
| </fix> |
| <fix> |
| When normalizing paths, improve the handling when paths end with |
| <code>/.</code> or <code>/..</code> and ensure that input and output are |
| consistent with respect to whether or not they end with <code>/</code>. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59317</bug>: Ensure that |
| <code>HttpServletRequest.getRequestURI()</code> returns an encoded URI |
| rather than a decoded URI after a dispatch. (markt) |
| </fix> |
| <fix> |
| Use the correct URL for the fragment when reporting errors processing |
| a <code>web-fragment.xml</code> file from a JAR located in an unpacked |
| WAR. (markt) |
| </fix> |
| <fix> |
| Ensure that <code>JarScanner</code> only uses the explicit call-back to |
| process <code>WEB-INF/classes</code> and only when configured to treat |
| the contents of <code>WEB-INF/classes</code> as a possible exploded JAR. |
| (markt) |
| </fix> |
| <scode> |
| Remove the <code>java2DDisposerProtection</code> option from the |
| <code>JreMemoryLeakPreventionListener</code>. The leak is fixed in Java |
| 7 onwards and Tomcat 9 requires Java 8 so the option is unnecessary. |
| (markt) |
| </scode> |
| <scode> |
| Remove the <code>securityPolicyProtection</code> option from the |
| <code>JreMemoryLeakPreventionListener</code>. The leak is fixed in Java |
| 8 onwards and Tomcat 9 requires Java 8 so the option is unnecessary. |
| (markt) |
| </scode> |
| <scode> |
| Remove the <code>securityLoginConfigurationProtection</code> option from |
| the <code>JreMemoryLeakPreventionListener</code>. The leak is fixed in |
| Java 8 onwards and Tomcat 9 requires Java 8 so the option is |
| unnecessary. (markt) |
| </scode> |
| <fix> |
| Ensure that the value for the header <code>X-Frame-Options</code> is |
| constructed correctly according to the specification when |
| <code>ALLOW-FROM</code> option is used. (violetagg) |
| </fix> |
| <fix> |
| Fix an <code>IllegalArgumentException</code> if the first use of an |
| internal <code>Response</code> object requires JASPIC authentication. |
| (markt) |
| </fix> |
| <fix> |
| Do not trigger unnecessary session ID changes when using JASPIC and the |
| user is authenticated using cached credentials. (markt) |
| </fix> |
| <fix> |
| <bug>59437</bug>: Ensure that the JASPIC <code>CallbackHandler</code> is |
| thread-safe. (markt) |
| </fix> |
| <fix> |
| <bug>59449</bug>: In <code>ContainerBase</code>, ensure that the process |
| to remove a child container is the reverse of the process to add one. |
| Patch provided by Huxing Zhang. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Improves OpenSSL engine robustness when SSL allocation fails for |
| some reason. (remm) |
| </fix> |
| <fix> |
| OpenSSL engine code cleanups. (remm) |
| </fix> |
| <fix> |
| Align cipher configuration parsing with current OpenSSL master. (markt) |
| </fix> |
| <update> |
| Change the default for <code>honorCipherOrder</code> to |
| <code>false</code>. With the current default TLS configuration, it is no |
| longer necessary for this to be <code>true</code> for a reasonably |
| secure configuration. (markt) |
| </update> |
| <add> |
| Add a new environment variable <code>JSSE_OPTS</code> that is intended |
| to be used to pass JVM wide configuration to the JSSE implementation. |
| The default value is <code>-Djdk.tls.ephemeralDHKeySize=2048</code> |
| which protects against weak Diffie-Hellman keys. (markt) |
| </add> |
| <fix> |
| <bug>58970</bug>: Fix a connection counting bug in the NIO connector |
| that meant some dropped connections were not removed from the current |
| connection count. (markt) |
| </fix> |
| <fix> |
| <bug>59289</bug>: Do not recycle upgrade processors in unexpected close |
| situations. (remm) |
| </fix> |
| <fix> |
| <bug>59295</bug>: Use <code>Locale.toLanguageTag()</code> to construct |
| the <code>Content-Language</code> HTTP header to ensure the locale is |
| correctly represented. Patch provided by zikfat. (markt) |
| </fix> |
| <update> |
| <bug>59295</bug>: Add support for using pem encoded certificates with |
| JSSE SSL. Submitted by Emmanuel Bourg with additional tweaks. (remm) |
| </update> |
| <fix> |
| Make the TLS certificate chain available to clients when using |
| JSSE+OpenSSL with the certificate chain stored in a Java KeyStore. |
| (markt) |
| </fix> |
| <fix> |
| Work around <a href="https://github.com/openssl/openssl/issues/188">a |
| known issue in OpenSSL</a> that does not permit the TLS handshake to be |
| failed if the ALPN negotiation fails. (markt) |
| </fix> |
| <update> |
| <bug>59421</bug>: Add direct HTTP/2 connection support. (remm) |
| </update> |
| <fix> |
| Correctly handle a call to <code>AsyncContext.complete()</code> from a |
| non-container thread when non-blocking I/O is being used. (markt) |
| </fix> |
| <fix> |
| <bug>59451</bug>: Correct Javadoc for <code>MessageBytes</code>. Patch |
| provided by Kyohei Nakamura. (markt) |
| </fix> |
| <fix> |
| <bug>59450</bug>: Correctly handle the case where the |
| <code>LegacyCookieProcessor</code> is configured with |
| <code>allowHttpSepsInV0</code> set to <code>false</code> and |
| <code>forwardSlashIsSeparator</code> set to <code>true</code>. Patch |
| provided by Kyohei Nakamura. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| When scanning JARs for TLDs, correctly handle the (rare) case where a |
| JAR has been exploded into <code>WEB-INF/classes</code> and the web |
| application is deployed as a packed WAR. (markt) |
| </fix> |
| <fix> |
| <bug>59640</bug>: NPEs with not found TLDs. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>59189</bug>: Explicitly release the native memory held by the |
| <code>Inflater</code> and <code>Deflater</code> when using |
| PerMessageDeflate and the WebSocket session ends. Based on a patch by |
| Henrik Olsson. (markt) |
| </fix> |
| <fix> |
| Restore the <code>WsServerContainer.doUpgrade()</code> method which was |
| accidentally removed since it is not used by Tomcat. (markt) |
| </fix> |
| <fix> |
| Fix a regression caused by the connector refactoring and ensure that the |
| thread context class loader is set to the web application |
| classloader when processing WebSocket messages on the server. (markt) |
| </fix> |
| <fix> |
| Ensure that a client disconnection triggers the error handling for the |
| associated WebSocket end point. (markt) |
| </fix> |
| <add> |
| Make WebSocket client more robust when handling errors during the close |
| of a WebSocket session. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>59218</bug>: Correct the path to <code>jaspic-providers.xml</code> |
| in Jaspic How-To. Patch is provided by Tatsuya Bessho. (violetagg) |
| </fix> |
| <fix> |
| Remove button that has accidentally been added to the host manager. |
| Submitted by Coty Sutherland. (remm) |
| </fix> |
| <fix> |
| Update in the documentation the link to the maven repository where |
| Tomcat snapshot artifacts are deployed. (markt/violetagg) |
| </fix> |
| <fix> |
| Clarify in the documentation that calls to |
| <code>ServletContext.log(String, Throwable)</code> or |
| <code>GenericServlet.log(String, Throwable)</code> are logged at the |
| SEVERE level. (violetagg) |
| </fix> |
| <fix> |
| Correct a typo in SSL/TLS Configuration How-To. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Avoid NPE when a proxy node failed to retrieve a backup entry. (kfujino) |
| </fix> |
| <add> |
| Add a flag indicating that the member is a localMember. (kfujino) |
| </add> |
| <fix> |
| Fix potential NPE that depends on the setting order of attributes of |
| static member when using the static cluster. (kfujino) |
| </fix> |
| <add> |
| Add get/set method for the channel that is related to |
| <code>ChannelInterceptor</code>. (kfujino) |
| </add> |
| <fix> |
| As with the multicast cluster environment, in the static cluster |
| environment, the local member inherits properties from the cluster |
| receiver. (kfujino) |
| </fix> |
| <add> |
| Add get/set method for the channel that is related to each Channel |
| services. (kfujino) |
| </add> |
| <add> |
| Add a name to the channel in order to identify channels. In a Tomcat |
| cluster environment, the default value is the cluster name + "-Channel". |
| (kfujino) |
| </add> |
| <add> |
| Add the channel name to the thread which is invoked by channel services |
| in order to identify the associated channel. (kfujino) |
| </add> |
| <fix> |
| Ensure that the channel instance is cleared from the channel services |
| when stopping the channel. (kfujino) |
| </fix> |
| <add> |
| Implement map state in the replication map. (kfujino) |
| </add> |
| <fix> |
| Ensure that the ping is not executed during the start/stop of the |
| replication map. (kfujino) |
| </fix> |
| <fix> |
| In ping processing in the replication map, send not the |
| <code>INIT</code> message but the newly introduced <code>PING</code> |
| message. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>59211</bug>: Add hamcrest to Eclipse classpath. Patch is provided |
| by Huxing Zhang. (violetagg) |
| </fix> |
| <update> |
| <bug>59276</bug>: Update optional Checkstyle library to 6.17. |
| (kkolinko) |
| </update> |
| <update> |
| <bug>59280</bug>: Update the NSIS Installer used to build the |
| Windows Installers to version 2.51. (kkolinko) |
| </update> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.7 to |
| pick up the Windows binaries that are based on OpenSSL 1.0.2h and APR |
| 1.5.2. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M4" rtext="2016-03-16"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Ensure that <code>/WEB-INF/classes</code> is never processed as a web |
| fragment. (markt) |
| </fix> |
| <update> |
| Switch default connector when native is installed. Unless configured |
| otherwise, the NIO endpoint will be used by default. If SSL is |
| configured, OpenSSL will be used rather than JSSE. (remm) |
| </update> |
| <fix> |
| Correct a regression in the fix for <bug>58867</bug>. When configuring a |
| Context to use an external directory for the <code>docBase</code>, and |
| that directory happens to be located alongside the original WAR, use |
| the directory as the <code>docBase</code> rather than expanding the |
| WAR into the <code>appBase</code> and using the newly created expanded |
| directory as the <code>docBase</code>. (markt) |
| </fix> |
| <add> |
| <bug>58351</bug>: Make the server build date and server version number |
| accessible via JMX. Patch provided by Huxing Zhang. (markt) |
| </add> |
| <add> |
| <bug>58988</bug>: Special characters in the substitutions for the |
| RewriteValve can now be quoted with a backslash. (fschumacher) |
| </add> |
| <fix> |
| <bug>58999</bug>: Fix class and resource name filtering in |
| WebappClassLoader. It throws a StringIndexOutOfBoundsException if the |
| name is exactly "org" or "javax". (rjung) |
| </fix> |
| <add> |
| Add JASPIC (JSR-196) support. (markt) |
| </add> |
| <add> |
| Make checking for var and map replacement in RewriteValve a bit stricter |
| and correct detection of colon in var replacement. (fschumacher) |
| </add> |
| <fix> |
| Refactor the web application class loader to reduce the impact of JAR |
| scanning on the memory footprint of the web application. (markt) |
| </fix> |
| <fix> |
| Fix some resource leaks in the error handling for accessing files from |
| JARs and WARs. (markt) |
| </fix> |
| <fix> |
| Refactor the JAR and JAR-in-WAR resource handling to reduce the memory |
| footprint of the web application. (markt) |
| </fix> |
| <fix> |
| Refactor the web.xml parsing so a new parser is created every time the |
| web application starts rather than creating and caching the parser when |
| the Context is created. This enables the parser to take account of |
| modified Context configuration parameters and reduces (slightly) the |
| memory footprint of a running Tomcat instance. (markt) |
| </fix> |
| <update> |
| Switch the web application class loader to the |
| <code>ParallelWebappClassLoader</code> by default. (markt) |
| </update> |
| <fix> |
| <bug>57809</bug>: Remove the custom context attribute that held the |
| effective web.xml. Components needing access to configuration |
| information may access it via the Servlet API. (markt) |
| </fix> |
| <fix> |
| Refactor JAR scanning to reduce memory footprint. (markt) |
| </fix> |
| <fix> |
| <bug>59001</bug>: Correctly handle the case when Tomcat is installed on |
| a path where one of the segments ends in an exclamation mark. (markt) |
| </fix> |
| <fix> |
| Expand the fix for <bug>59001</bug> to cover the special sequences used |
| in Tomcat's custom jar:war: URLs. (markt) |
| </fix> |
| <fix> |
| <bug>59043</bug>: Avoid warning while expiring sessions associated with |
| a single sign on if <code>HttpServletRequest.logout()</code> is used. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59054</bug>: Ensure that using the |
| <code>CrawlerSessionManagerValve</code> in a distributed environment |
| does not trigger an error when the Valve registers itself in the |
| session. (markt) |
| </fix> |
| <fix> |
| Add socket properties support to storeconfig. (remm) |
| </fix> |
| <fix> |
| Fix incorrect parsing of the NE and NC flags in rewrite rules. (remm) |
| </fix> |
| <fix> |
| <bug>59065</bug>: Correct the timing of the check for colons in paths |
| on non-Windows systems implemented in <code>catalina.sh</code> so it |
| works correctly with Cygwin. Patch provided by Ed Randall. (markt) |
| </fix> |
| <fix> |
| When a Host is configured with an appBase that does not exist, create |
| the appBase before trying to expand an external WAR file into it. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59115</bug>: When using the Servlet 3.0 file upload, the submitted |
| file name may be provided as a token or a quoted-string. If a |
| quoted-string, unquote the string before returning it to the user. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59123</bug>: Close <code>NamingEnumeration</code> objects used by |
| the <code>JNDIRealm</code> once they are no longer required. |
| (fschumacher/markt) |
| </fix> |
| <add> |
| Implement the proposed Servlet 4.0 API to provide mapping type |
| information for the current request. (markt) |
| </add> |
| <fix> |
| <bug>59138</bug>: Correct a false positive warning for ThreadLocal |
| related memory leaks when the key class but not the value class has been |
| loaded by the web application class loader. (markt) |
| </fix> |
| <add> |
| <bug>59017</bug>: Make the pre-compressed file support in the Default |
| Servlet generic so any compression may be used rather than just gzip. |
| Patch provided by Mikko Tiihonen. (markt) |
| </add> |
| <fix> |
| <bug>59145</bug>: Don't log an invalid warning when a user logs out of |
| a session associated with SSO. (markt) |
| </fix> |
| <fix> |
| <bug>59150</bug>: Add an additional flag on APR listener to allow |
| disabling automatic use of OpenSSL. (remm) |
| </fix> |
| <fix> |
| <bug>59151</bug>: Fix a regression in the fix for <bug>56917</bug> that |
| added additional (and arguably unnecessary) validation to the provided |
| redirect location. (markt) |
| </fix> |
| <fix> |
| <bug>59154</bug>: Fix a <code>NullPointerException</code> in the |
| <code>JAASMemoryLoginModule</code> resulting from the introduction of |
| the <code>CredentialHandler</code> to <code>Realm</code>s. |
| (schultz/markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Handle the case in the NIO2 connector where the required TLS buffer |
| sizes increase after the connection has been initiated. (markt/remm) |
| </fix> |
| <fix> |
| Bad processing of handshake errors in NIO2. (remm) |
| </fix> |
| <fix> |
| Use JSSE session configuration options with OpenSSL. (remm) |
| </fix> |
| <fix> |
| <bug>59015</bug>: Fix potential cause of endless APR Poller loop during |
| shutdown if the Poller experiences an error during the shutdown process. |
| (markt) |
| </fix> |
| <fix> |
| Align cipher aliases for <code>kECDHE</code> and <code>ECDHE</code> with |
| the current OpenSSL implementation. (markt) |
| </fix> |
| <fix> |
| <bug>59081</bug>: Retain the user defined cipher order when defining |
| ciphers. (markt) |
| </fix> |
| <fix> |
| <bug>59089</bug>: Correctly ignore HTTP headers that include non-token |
| characters in the header name. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <update> |
| Update to the Eclipse JDT Compiler 4.5.1. (markt) |
| </update> |
| <fix> |
| <bug>57583</bug>: Improve the performance of |
| <code>javax.servlet.jsp.el.ScopedAttributeELResolver</code> when |
| resolving attributes that do not exist. This improvement only works when |
| Jasper is used with Tomcat's EL implementation. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Fix a timing issue on session close that could result in an exception |
| being thrown for an incomplete message even though the message was |
| completed. (markt) |
| </fix> |
| <fix> |
| Correctly handle compression of partial messages when the final message |
| fragment has a zero length payload. (markt) |
| </fix> |
| <fix> |
| <bug>59119</bug>: Correct read logic for WebSocket client when using |
| secure connections. (markt) |
| </fix> |
| <fix> |
| <bug>59134</bug>: Correct client connect logic for secure connections |
| made through a proxy. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct an error in the documentation of the expected behaviour for |
| automatic deployment. If a WAR is updated and an expanded directory is |
| present, the directory will always be deleted and recreated by expanding |
| the WAR if <code>unpackWARs</code> is <code>true</code>. (markt) |
| </fix> |
| <fix> |
| <bug>48674</bug>: Implement an option within the Host Manager web |
| application to persist the current configuration. Based on a patch by |
| Coty Sutherland. (markt) |
| </fix> |
| <fix> |
| <bug>58935</bug>: Remove incorrect references in the documentation to |
| using <code>jar:file:</code> URLs with the Manager application. (markt) |
| </fix> |
| <fix> |
| Correct the description of the |
| <code>ServletRequest.getServerPort()</code> in Proxy How-To. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| <add> |
| The Manager and Host Manager applications are now only accessible via |
| <code>localhost</code> by default. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| If promoting a proxy node to a primary node when getting a session, |
| notify the change of the new primary node to the original backup node. |
| (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>58283</bug>: Change the default download location for libraries |
| during the build process from <code>/usr/share/java</code> to |
| <code>${user.home}/temp</code>. Patch provided by Ahmed Hosni. (markt) |
| </fix> |
| <fix> |
| <bug>59031</bug>: When using the Windows uninstaller, do not remove the |
| contents of any directories that have been symlinked into the Tomcat |
| directory structure. (markt) |
| </fix> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.5 to |
| pick up the Windows binaries that are based on OpenSSL 1.0.2g and APR |
| 1.5.1. (markt) |
| </update> |
| <update> |
| Modify the default <code>tomcat-users.xml</code> file to make it harder |
| for users to configure the entries intended for use with the examples |
| web application for the Manager application. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M3" rtext="2016-02-05"> |
| <subsection name="General"> |
| <changelog> |
| <add> |
| Allow multiple JUnit test class patterns to be configured with the build |
| property <code>test.name</code> and document the property in |
| BUILDING.txt. (rjung) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Protect initialization of <code>ResourceLinkFactory</code> when |
| running with a SecurityManager. (kkolinko) |
| </fix> |
| <fix> |
| Correct a thread safety issue in the filtering of session attributes |
| based on the implementing class name of the value object. (markt) |
| </fix> |
| <fix> |
| Fix class loader decision on the delegation for class loading and |
| resource lookup and make it faster too. (rjung) |
| </fix> |
| <fix> |
| <bug>58768</bug>: Log a warning if a redirect fails because of an |
| invalid location. (markt) |
| </fix> |
| <scode> |
| <bug>58827</bug>: Remove remains of JSR-77 implementation. (markt) |
| </scode> |
| <fix> |
| <bug>58946</bug>: Ensure that the request parameter map remains |
| immutable when processing via a RequestDispatcher. (markt) |
| </fix> |
| <fix> |
| <bug>58905</bug>: Ensure that <code>Tomcat.silence()</code> silences the |
| correct logger and respects the current setting. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correct a regression in the connector refactoring in 9.0.0.M2 that broke |
| TLS support for the APR/native connector. (remm) |
| </fix> |
| <fix> |
| Correct an NPE when listing the enabled ciphers (e.g. via the Manager |
| web application) for a TLS enabled APR/native connector. (markt) |
| </fix> |
| <add> |
| New configuration option <code>ajpFlush</code> for the AJP connectors |
| to disable the sending of AJP flush packets. (rjung) |
| </add> |
| <fix> |
| Handle the case in the NIO connector where the required TLS buffer sizes |
| increase after the connection has been initiated. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M2" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <scode> |
| Refactor creation of <code>MapperListener</code> to ensure that the |
| <code>Mapper</code> used is the <code>Mapper</code> associated with the |
| <code>Service</code> for which the listener was created. (markt) |
| </scode> |
| <add> |
| Move the functionality that provides redirects for context roots and |
| directories where a trailing <code>/</code> is added from the Mapper to |
| the <code>DefaultServlet</code>. This enables such requests to be |
| processed by any configured Valves and Filters before the redirect is |
| made. This behaviour is configurable via the |
| <code>mapperContextRootRedirectEnabled</code> and |
| <code>mapperDirectoryRedirectEnabled</code> attributes of the Context |
| which may be used to restore the previous behaviour. (markt) |
| </add> |
| <scode> |
| Refactor <code>Service.getContainer()</code> to return an |
| <code>Engine</code> rather than a <code>Container</code>. (markt) |
| </scode> |
| <fix> |
| <bug>34319</bug>: Only load those keys in <code>StoreBase.processExpire</code> |
| from JDBCStore that are old enough to be expired. Based on a patch |
| by Tom Anderson. (fschumacher) |
| </fix> |
| <add> |
| <bug>56917</bug>: As per RFC7231 (HTTP/1.1), allow HTTP/1.1 and later |
| redirects to use relative URIs. This is controlled by a new attribute |
| <code>useRelativeRedirects</code> on the <strong>Context</strong> and |
| defaults to <code>true</code>. (markt) |
| </add> |
| <fix> |
| <bug>58629</bug>: Allow an embedded Tomcat instance to start when the |
| <code>Service</code> has no <code>Engine</code> configured. (markt) |
| </fix> |
| <fix> |
| Correctly notify the MapperListener associated with a Service if the |
| Engine for that Service is changed. (markt) |
| </fix> |
| <add> |
| Make a web application's CredentialHandler available through a context |
| attribute. This allows a web application to use the same algorithm |
| for validating or generating new stored credentials from cleartext |
| ones. (schultz) |
| </add> |
| <fix> |
| <bug>58635</bug>: Enable break points to be set within agent code when |
| running Tomcat with a Java agent. Based on a patch by Huxing Zhang. |
| (markt) |
| </fix> |
| <fix> |
| Fixed potential NPE in <code>HostConfig</code> while deploying an |
| application. Issue reported by coverity scan. (violetagg) |
| </fix> |
| <fix> |
| <bug>58655</bug>: Fix an <code>IllegalStateException</code> when |
| calling <code>HttpServletResponse.sendRedirect()</code> with the |
| <code>RemoteIpFilter</code>. This was caused by trying to correctly |
| generate the absolute URI for the redirect. With the fix for |
| <bug>56917</bug>, redirects may now be relative making the |
| <code>sendRedirect()</code> implementation for the |
| <code>RemoteIpFilter</code> much simpler. This also addresses issues |
| where the redirect may not have behaved as expected when redirecting |
| from http to https or from https to http. (markt) |
| </fix> |
| <fix> |
| <bug>58657</bug>: Exceptions in a Servlet 3.1 <code>ReadListener</code> |
| or <code>WriteListener</code> do not need to be immediately fatal to the |
| connection. Allow an error response to be written. (markt) |
| </fix> |
| <fix> |
| Correct implementation of |
| <code>validateClientProvidedNewSessionId</code> so client provided |
| session IDs may be rejected if validation is enabled. (markt) |
| </fix> |
| <fix> |
| <bug>58701</bug>: Reset the <code>instanceInitialized</code> field in |
| <code>StandardWrapper</code> when unloading a Servlet so that a new |
| instance may be correctly initialized. (markt) |
| </fix> |
| <update> |
| Add a new flag <code>aprPreferred</code> to the Apr listener. If set to |
| <code>false</code>, when using the connector defaults, it will use |
| NIO + OpenSSL if tomcat-native is available, rather than the APR |
| connector. (remm) |
| </update> |
| <fix> |
| Add path parameter handling to |
| <code>HttpServletRequest.getContextPath()</code>. This is a follow-up to |
| the fix for <bug>57215</bug>. (markt) |
| </fix> |
| <fix> |
| <bug>58692</bug>: Make <code>StandardJarScanner</code> more robust. Log |
| a warning if a class path entry cannot be scanned rather than triggering |
| the failure of the web application. Includes a test case written by |
| Derek Abdine. (markt) |
| </fix> |
| <fix> |
| <bug>58702</bug>: Ensure an access log entry is generated if the client |
| aborts the connection. (markt) |
| </fix> |
| <fix> |
| Fixed various issues reported by Findbugs. (violetagg) |
| </fix> |
| <fix> |
| <bug>58735</bug>: Add support for the <code>X-XSS-Protection</code> |
| header to the <code>HttpHeaderSecurityFilter</code>. Patch provided by |
| Jacopo Cappellato. (markt) |
| </fix> |
| <fix> |
| Add the <code>StatusManagerServlet</code> to the list of Servlets that |
| can only be loaded by privileged applications. (markt) |
| </fix> |
| <fix> |
| Simplify code and fix messages in |
| <code>org.apache.catalina.core.DefaultInstanceManager</code> class. |
| (kkolinko) |
| </fix> |
| <fix> |
| <bug>58751</bug>: Correctly handle the case where an |
| <code>AsyncListener</code> dispatches to a Servlet on an asynchronous |
| timeout and the Servlet uses <code>sendError()</code> to trigger an |
| error page. Includes a test case based on code provided by Andy |
| Wilkinson. (markt) |
| </fix> |
| <fix> |
| Ensure that the proper file encoding, if specified, will be used when |
| a readme file is served by DefaultServlet. (violetagg) |
| </fix> |
| <fix> |
| Fix declaration of <code>localPort</code> attribute of Connector MBean: |
| it is read-only. (kkolinko) |
| </fix> |
| <fix> |
| <bug>58766</bug>: Make skipping non-class files during annotation |
| scanning faster by checking the file name first. Improve debug logging. |
| (kkolinko) |
| </fix> |
| <fix> |
| <bug>58836</bug>: Correctly merge query string parameters when |
| processing a forwarded request where the target includes a query string |
| that contains a parameter with no value. (markt/kkolinko) |
| </fix> |
| <fix> |
| Make sure that shared Digester is reset in an unlikely error case |
| in <code>HostConfig.deployWAR()</code>. (kkolinko) |
| </fix> |
| <add> |
| Extend the feature available in the cluster session manager |
| implementations that enables session attribute replication to be |
| filtered based on attribute name to all session manager implementations. |
| Note that the configuration attribute name has changed from |
| <code>sessionAttributeFilter</code> to |
| <code>sessionAttributeNameFilter</code>. Apply the filter on load as |
| well as unload to ensure that configuration changes made while the web |
| application is stopped are applied to any persisted data. (markt) |
| </add> |
| <add> |
| Extend the session attribute filtering options to include filtering |
| based on the implementation class of the value and optional |
| <code>WARN</code> level logging if an attribute is filtered. These |
| options are available for all of the Manager implementations that ship |
| with Tomcat. When a <code>SecurityManager</code> is used filtering will |
| be enabled by default. (markt) |
| </add> |
| <scode> |
| Remove <code>distributable</code> and <code>maxInactiveInterval</code> |
| from the <code>Manager</code> interface because the attributes are never |
| used. The equivalent attributes from the <code>Context</code> always |
| take precedence. (markt) |
| </scode> |
| <fix> |
| <bug>58867</bug>: Improve checking on Host start for WAR files that have |
| been modified while Tomcat has stopped and re-expand them if |
| <code>unpackWARs</code> is <code>true</code>. (markt) |
| </fix> |
| <fix> |
| <bug>58900</bug>: Correctly undeploy symlinked resources and prevent an |
| infinite cycle of deploy / undeploy. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>58621</bug>: The certificate chain cannot be set using the main |
| certificate attribute, so restore the certificate chain property. (remm) |
| </fix> |
| <fix> |
| Allow a new SSL config type where a connector can use either JSSE or |
| OpenSSL. Both could be allowed, but it would likely create support |
| issues. This type is used by the OpenSSL implementation for NIOx. (remm) |
| </fix> |
| <fix> |
| Improve upgrade context classloader handling by using Context.bind and |
| unbind. (remm) |
| </fix> |
| <add> |
| Improve OpenSSL keystore/truststore configuration by using the code |
| from the JSSE implementation. (remm, jfclere) |
| </add> |
| <fix> |
| Fix a potential loop when a client drops the connection unexpectedly. |
| (markt) |
| </fix> |
| <add> |
| OpenSSL renegotiation support for client certificate authentication. |
| (remm) |
| </add> |
| <fix> |
| Fix NIO connector renegotiation. (remm) |
| </fix> |
| <fix> |
| <bug>58659</bug>: Fix a potential deadlock during HTTP/2 processing when |
| the connection window size is limited. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>57136#c25</bug>: Change default value of |
| <code>quoteAttributeEL</code> setting in Jasper to be <code>true</code> |
| for better compatibility with other implementations and older versions |
| of Tomcat. Add command line option <code>-no-quoteAttributeEL</code> in |
| JspC. (kkolinko) |
| </fix> |
| <fix> |
| Fix handling of missing messages in |
| <code>org.apache.el.util.MessageFactory</code>. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Enable an explicit configuration of local member in the static cluster |
| membership. (kfujino) |
| </fix> |
| <fix> |
| Fix potential integer overflow in <code>DeltaSession</code>. |
| Reported by coverity scan. (fschumacher) |
| </fix> |
| <fix> |
| In order to prevent the heartbeat thread and the background thread from |
| running <code>Channel.heartbeat</code> simultaneously, if |
| <code>heartbeatBackgroundEnabled</code> of <code>SimpleTcpCluster</code> |
| is set to <code>true</code>, ensure that the heartbeat thread does not |
| start. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <add> |
| <bug>55006</bug>: The WebSocket client now honors the |
| <code>java.net.ProxySelector</code> configuration (using the |
| HTTP type) when establishing WebSocket connections to servers. Based on |
| a patch by Niki Dokovski. (markt) |
| </add> |
| <fix> |
| <bug>58624</bug>: Correct a potential deadlock if the WebSocket |
| connection is closed when a message write is in progress. (markt) |
| </fix> |
| <fix> |
| <bug>57489</bug>: Ensure <code>onClose()</code> is called when a |
| WebSocket connection is closed even if the sending of the close message |
| fails. Includes test cases by Barry Coughlan. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <fix> |
| <bug>58631</bug>: Correct the continuation character use in the Windows |
| Service How-To page of the documentation web application. (markt) |
| </fix> |
| <fix> |
| Correct the SSL documentation for deprecated attributes to point to the |
| correct, new location for attributes related to individual certificates. |
| (markt) |
| </fix> |
| <fix> |
| Correct some typos in the JNDI resources How-To. (markt) |
| </fix> |
| <fix> |
| Don't create session unnecessarily in the Manager application. (markt) |
| </fix> |
| <fix> |
| Don't create session unnecessarily in the Host Manager application. |
| (markt) |
| </fix> |
| <fix> |
| <bug>58723</bug>: Clarify documentation and error messages for the text |
| interface of the manager to make clear that version must be used with |
| path when referencing contexts deployed using parallel deployment. |
| (markt) |
| </fix> |
| <add> |
| Document <code>test.threads</code> option in BUILDING.txt. (kkolinko) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Ensure that the static member is registered to the add suspect list even |
| if the static member that is registered to the remove suspect list has |
| disappeared. (kfujino) |
| </fix> |
| <fix> |
| When using a static cluster, add the members that have been cached in |
| the membership service to the map members list in order to ensure that |
| the map member is a static member. (kfujino) |
| </fix> |
| <fix> |
| Add support for the startup notification of local members in the static |
| cluster. (kfujino) |
| </fix> |
| <fix> |
| Ignore the unnecessary member remove operation from a different domain. |
| (kfujino) |
| </fix> |
| <fix> |
| Add support for the shutdown notification of local members in the static |
| cluster. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Correct evaluation of system property |
| <code>org.apache.tomcat.jdbc.pool.onlyAttemptCurrentClassLoader</code>. |
| It was basically ignored before. Reported by coverity scan. (fschumacher) |
| </fix> |
| <fix> |
| Fix potential integer overflow in <code>ConnectionPool</code> and |
| <code>PooledConnection</code>. Reported by coverity scan. (fschumacher) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update optional Checkstyle library to 6.14.1. (kkolinko) |
| </update> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.4 to |
| pick up the Windows binaries that are based on OpenSSL 1.0.2e and APR |
| 1.5.1. (markt) |
| </update> |
| <update> |
| Update the NSIS Installer used to build the Windows Installers to |
| version 2.50. (markt/kkolinko) |
| </update> |
| <update> |
| Update the internal fork of Commons BCEL to r1725718 to align with the |
| refactoring for BCEL 6, the next major BCEL release. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons DBCP 2 to r1725730 (2.1.1 plus |
| additional fixes). (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons Pool 2 to r1725738 (2.4.2 plus |
| additional fixes). (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons Codec to r1725746 (1.9 plus |
| additional fixes). (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M1" rtext="2015-11-17"> |
| <subsection name="General"> |
| <changelog> |
| <add> |
| Make Java 8 the minimum required version to build and run Tomcat 9. |
| (markt) |
| </add> |
| <update> |
| Remove support for Comet. (markt) |
| </update> |
| <update> |
| Tighten up the default file permissions for the <code>.tar.gz</code> |
| distribution so no files or directories are world readable by default. |
| Configure Tomcat to run with a default umask of <code>0027</code> which |
| may be overridden by setting <code>UMASK</code> in |
| <code>setenv.sh</code>. (markt) |
| </update> |
| <update> |
| Remove native code (Windows Service Wrapper, APR/native connector) |
| support for Windows Itanium. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <update> |
| The default HTTP cookie parser has been changed to |
| <code>org.apache.tomcat.util.http.Rfc6265CookieProcessor</code>. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <update> |
| Remove support for the HTTP BIO and AJP BIO connectors. (markt) |
| </update> |
| <scode> |
| Refactor HTTP upgrade and AJP implementations to reduce duplication. |
| (markt) |
| </scode> |
| <add> |
| Add support for HPACK header encoding and decoding, contributed |
| by Stuart Douglas. (remm) |
| </add> |
| <add> |
| <bug>57108</bug>: Add support for Server Name Indication (SNI). There |
| have been significant changes to the SSL configuration in server.xml to |
| support this. (markt) |
| </add> |
| <add> |
| Add SSL engine for JSSE backed by OpenSSL. Includes ALPN support. |
| Based on code contributed by Numa de Montmollin and derived from code |
| developed by Twitter and Netty. (remm) |
| </add> |
| <fix> |
| RFC 7230 states that clients should ignore reason phrases in HTTP/1.1 |
| response messages. Since the reason phrase is optional, Tomcat no longer |
| sends it. As a result the system property |
| <code>org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER</code> is no |
| longer used and has been removed. (markt) |
| </fix> |
| <update> |
| The minimum required Tomcat Native version has been increased to 1.2.2. |
| The 1.2.x branch includes ALPN and SNI support which are required for |
| HTTP/2. (markt) |
| </update> |
| <add> |
| Add support for HTTP/2 including server push. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Clarify the handling of Copy message and Copy nodes. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Support the use of the <code>threads</code> attribute on Ant's |
| junit task. Note that using this with a value of greater than one will |
| disable Cobertura code coverage. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| </body> |
| </document> |