Apache Tomcat Version 4.0 Milestone 5 ===================================== Release Notes ============= $Id$ ============ INTRODUCTION: ============ This document describes the changes that have been made in the current milestone release of Apache Tomcat, relative to the previous milestone release. Bug reports should be entered at the interim bug reporting system for Jakarta projects at: http://znutar.cortexity.com:8888/ Please use project codes "Catalina" and "Jasper" for servlet-related and JSP-related bug reports, respectively. ============ NEW FEATURES: ============ Feature Freeze for Tomcat 4.0 ----------------------------- This milestone release will be the last addition of significant new functionality to Tomcat 4.0. A cycle of beta releases is planned to begin shortly, moving towards a final release as soon as we are satisfied that all significant bugs have been found and fixed. Web Application Connector for Apache 1.3 ---------------------------------------- An initial version of the Web Connector for Apache 1.3 is included in this release! It has been lightly tested, primarily on Solaris and Linux platforms. You can expect that this connector will have bugs, and not be as stable as the remainder of Tomcat 4.0. To facilitate testing of updated versions of the web connector, the required files have been isolated, and new versions of these files will be published on a more frequent basis than Tomcat 4.0 releases. The files are as follows: * mod_webapp.so - The native code portion of the connector, which must be copied into your Apache configuration's "libexec" directory. This module is platform dependent, so be sure to acquire the version for your hardware and operating system platform. * warp.jar - The Java portion of the connector, which must be copied into the "server" directory of your Tomcat 4.0 installation. Like nearly all Java code, this module is platform and operating system independent. Brief instructions for building and configuring the web application connector are included at the bottom of the "conf/server.xml" file included with Tomcat 4.0. To build the native code portion, you will need a C compiler and make utility, such as those included in the GNU C Compiler (gcc) suite. In addition, your Apache must have been configured for dynamic module loading. New JNDI Naming Context ----------------------- Tomcat 4.0 now supports an optional JNDI naming context that supports lookup of entries referenced by , , and entries in the web application deployment descriptor. The programming approach to accessing these values is as described in the Java2 Enterprise Edition (J2EE) specification. The resource factories actually returned by these lookups are configured in the "conf/server.xml" file, nested inside a element. Documentation for how this is done will be published shortly. Note that this naming context support is enabled when Tomcat is run stand alone. If you are running an application server that embeds Tomcat inside it, you will be utilizing the application server's native naming support instead. Fortunately, there is no difference in the developer's programming model. Avalon and JMX Manageability ---------------------------- Optional components have been included that make it possible to embed Tomcat in a server framework based on the Avalon and JMX management frameworks. Additional work will occur in Tomcat 4.1 to make this manageability more fine grained. HTTP/1.1 Performance Improvements --------------------------------- A round of performance optimizations on the HTTP/1.1 connector significantly reduces the overhead that Tomcat 4.0 imposes on request processing. Improved Backwards Compatibility Support ---------------------------------------- The functionality that parses the web application deployment descriptor (web.xml) is now sensitive to which servlet specification version is being processed. In particular, some of the new 2.3 restrictions (such as the value for the entry being required to start with a "/") are no longer enforced on a 2.2 web application (because they were not enforced by Tomcat 3.1 or 3.2). XML Syntax for JSP Pages ------------------------ The Jasper compiler now fully supports the XML syntax for JavaServer Pages described in the JSP 1.2 Proposed Final Draft Specification. A page is recognized as being in XML syntax solely by the presence of a element. Miscellaneous Embeddability Improvements ---------------------------------------- A variety of enhancements to the internal architecture of Catalina improve the interface to application server facilities when Tomcat is embedded, or you write custom extensions. These changes are not directly visible to application components (servlets and filters). The changes include: * Event listeners that are called before and after Filters are invoked. * Event listeners that are called before and after Application Event Listeners are invoked. ========================== BUG FIXES AND IMPROVEMENTS: ========================== Build Script Fixes - The "catalina.bat" and "catalina.sh" scripts now use "%JAVA_HOME%\bin\java" and "$JAVA_HOME/bin/java", respectively, rather than assuming that a "java" execution environment found on the PATH environment variable is the correct one. The various "build.xml" scripts have been updated for Ant 1.2. (Jasper) TagLibrariesGlobal - The static variables in this class were being incorrectly shared across all web applications, instead of being local to each app. (Jasper) Error Message - Fix the non-intuitive error message when a user defined tag is not terminated on the current page. (Catalina) SSLServerSocketFactory - Use the platform-specific file separator character instead of a hard coded "/" character. (Catalina) Default Host Name - Work around a problem where the "Host:" header is not included in the request. Among other things, this makes it feasible to use Telnet as a way to submit requests to Tomcat. (WebDAV) Miscellaneous - Miscellaneous improvements and corrections to the WebDAV servlet and the default file-serving servlet. (Catalina) HTTP/1.1 Chunking - Improve the mechanisms used to determine whether chunking should be utilized. In addition, use of chunking can be completely disabled if it causes problems. (Catalina) Invoker - Make the invoker servlet work correctly when called underneath a RequestDispatcher path-based include. (WebDAV) Security - By default, operations that can modify the web site are disabled. They can be enabled in "conf/server.xml" and by setting appropriate usernames and roles. (Catalina) Version 0 Cookies - Correctly expire "version 0" cookies by setting an expiration time in the past. (Catalina) Session Cookies - When there are multiple session ID cookies active (for different web apps) on the same host, conform to the RFC 2109 requirements for ordering. This means that session cookies will work reliably even when context paths are nested inside each other. (Catalina) Class Loaders - Normalize "/../" occurrences out of the paths of class loader repositories. (Catalina) Class Loaders - Add a new "system" class loader that avoids problems when Catalina is loaded by a management system like Avalon. (Jasper) Error Pages - When "redirecting" to an error page to handle an exception, first try a "forward" and then an "include", in an attempt to display the error information even if the response has already been committed. (Jasper) Internationalization - Fix conversion of characters to Korean. (Catalina) HTTP/1.1 - Consume content bytes from the request even in the face of an error. (Catalina) POST Parameters - Fix URL decoding of request parameters submitted with a POST request. (Catalina) Static Resources - Case sensitivity is enforced, even on non case sensitive platforms, as required by the Servlet 2.3 Specification. (Jasper) XML Parsing - When parsing the tag library descriptor, leading and trailing spaces are now trimmed. (Jasper) Set Property - Correct handling when the request parameter value is an empty string. (Catalina) URL Rewriting - Intra-document references (i.e. those that start with "#") never need to be rewritten. (Jasper) Remove Attribute - Correct handling of pageContext.removeAttribute() in request scope. (Catalina) HTTP/1.1 - Avoid an ArrayIndexOutOfBounds exception if the client disconnects before starting a new request. (Catalina) HTTP/1.1 - Correct content length setting on a HEAD request. (Jasper) Jikes Compiler - Correct quoting of arguments when using Jikes as the compiler on Windows platforms. (Jasper) Page Exception - Implement the new JSP 1.2 variation of the PageContext.handlePageException() method. (Catalina) Access Log Valve - The optional Catalina component that creates web server like access logs has benefited from performance optimizations. (Catalina) Query String - Correct query string processing, which was broken by the performance optimizations on the HTTP/1.1 connector. (Catalina) Security - Catalina was incorrectly allowing JSP pages to be executed from the WEB-INF directory. (Catalina) Distributable - Correct handling of the element in the web application deployment descriptor. (Examples) Hyperlink - Correct the hyperlink for the source code display of the "Number Guess" example JSP page. (Catalina) HTTP/1.1 - Accept HTTP request and header lines that are delimited only by a linefeed character. The HTTP/1.1 specification says that both CR and linefeed are required, but encourages applications to be tolerant of incorrectly implemented clients. (Catalina) Get Resources - When you call getResource() on a non-existent resource, correctly return null. (Catalina) Configuration - Add additional comments to the "conf/server.xml" file that document how to change logger output file directories. (Jasper) Configuration - Correct handling of a declaration that pointed at a JAR file. (Jasper) Code Generators - Correct the "import" directives in the generated servlet to exactly match the defaults listed in the JSP specification. (Examples) Security - Correct a vulnerability that allowed the "show source" facility to potentially display sensitive files in the WEB-INF directory. (Catalina) JDBCRealm - Made this Realm implementation non-final so that it can be conveniently subclassed. (Catalina) Security - Correct the default file-serving servlet so that it will not serve files from WEB-INF when a double-slash URL is specified. (Catalina) Response Buffering - Fix a bug where the response class was not always aware that output bytes had been written, when they were still buffered by the PrintWriter. (Catalina) Initialization - Correctly initialize multiple entries in the "conf/server.xml" file, so that you can construct stand-alone and Apache-connected services at the same time. ============================== KNOWN PROBLEMS IN THIS RELEASE: ============================== URL Decoding Incomplete ----------------------- Currently, Catalina does not decode the values returned by getServletPath() and getPathInfo(), as required by the Servlet Specification. This will be dealt with after clarifications to the requirements are completed in the JSR-053 expert group. Redeploying From a Web Application Archive ------------------------------------------ If you attempt to undeploy, then redeploy, an application from the same web application archive file URL (where the URL refers to an actual WAR file, not to a directory), the redeploy will fail with error "zip file is closed". There appears to be a problem in the JDK's JarURLConnection class where JAR files are cached, even after they are closed, so that a request for a connection to the same URL returns the previous JarFile object instead of a new one. As a workaround, you should do one of the following: * Change the URL of the web application archive each time you redeploy. * Deploy from an unpacked directory (on the same server) instead of from a WAR file (this is often more convenient in a development environment anyway). Running Web Apps Under A Security Manager ----------------------------------------- Support for running individual web applications under the protection of a security manager has not yet been completed.