Apache Tomcat Version 4.0 Beta 3 ================================= Release Notes ============= $Id$ ============ INTRODUCTION: ============ This document describes the changes that have been made in the current beta release of Apache Tomcat, relative to the previous release. Bug reports should be entered at the interim bug reporting system for Jakarta projects at: http://nagoya.apache.org/bugzilla/ Please use project codes "Catalina" and "Jasper" for servlet-related and JSP-related bug reports, respectively. ------------------------ Important Security Notes: ------------------------ This release includes fixes for security vulnerabilities that have been reported against Tomcat 4.0 beta 2: * Fixes to a similar vulnerability that was included in Tomcat 4.0-b2 is also included here. * "Tomcat 4.0-b2 for winnt/2000 show ".jsp" source vulnerability" (BugTraq reference CSA-200110), which would cause JSP source to be displayed on a URL like: http://localhost:8080/examples/jsp/snp/snoop%252ejsp on all platforms, not just Windows. The same vulnerability was fixed in the new server-side include facility. Any user who has downloaded Tomcat 4.0 beta 2 is encouraged to upgrade to beta 3 to fix these security vulnerabilities. ============ NEW FEATURES: ============ --------------------- Catalina New Features: --------------------- ------------------- Jasper New Features: ------------------- -------------------- Webapps New Features: -------------------- ========================== BUG FIXES AND IMPROVEMENTS: ========================== ------------------ Catalina Bug Fixes: ------------------ Bootstrap: Make sure bootstrap.jar has only the minimum classes it needs to run, and do not duplicate classes in catalina.jar. DirContextURLConnection: Implement getPermission so that a FilePermission is used to enforce security rather than the default AllPermission. HttpConnector/StandardServer: Ensure that the server socket ignores and logs SocketPermission AccessControlExceptions. StandardHost: Ignore the "directory exists" exception when context startup tries to expand a WAR file that is already expanded. Extension: Do not throw NullPointerException if a JAR file with no manifest file is added to the set of repositories for a StandardClassLoader. ---------------- Jasper Bug Fixes: ---------------- ----------------- Webapps Bug Fixes: ----------------- Manager: Correct message format for the "list" command's response. ============================ KNOWN ISSUES IN THIS RELEASE: ============================ ------------------------------------------ Redeploying From a Web Application Archive: ------------------------------------------ If you attempt to undeploy, then redeploy, an application from the same web application archive file URL (where the URL refers to an actual WAR file, not to a directory), the redeploy will fail with error "zip file is closed". There appears to be a problem in the JDK's JarURLConnection class where JAR files are cached, even after they are closed, so that a request for a connection to the same URL returns the previous JarFile object instead of a new one. As a workaround, you should do one of the following: * Change the URL of the web application archive each time you redeploy. * Deploy from an unpacked directory (on the same server) instead of from a WAR file (this is often more convenient in a development environment anyway). -------------------------- Tomcat 4.0 and XML Parsers: -------------------------- Previous versions of Tomcat 4.0 exposed the XML parser used by Jasper (the JAXP/1.1 reference implementation) to web applications. This is no longer the case, because Jasper loads its parser with a new class loader instead. Keep the following points in mind when considering how to use XML parsers in Tomcat 4.0 and your web applications: * If you wish to make the JAXP/1.1 RI XML parser available to all web applications, simply move the "jaxp.jar" and "crimson.jar" files from the "$TOMCAT_HOME/jasper" directory to the "$TOMCAT_HOME/lib" directory. * If you wish to make another XML parser that is JAXP/1.1-compatible available to all web applications, install that parser into the "$TOMCAT_HOME/lib" directory and remove "jaxp.jar" and "crimson.jar" from the "$TOMCAT_HOME/jasper" directory. It has been reported that Xerces 1.3.1 can be used in this fashion, but 2.x alpha releases can not be. * If you wish to use an XML parser (such as Xerces) in the WEB-INF/lib directory of your web application, this should now be possible, because of the modified JAXP 1.1 parser mentioned below. WARNING: Tomcat 4.0 now ships with a modified version of the JAXP/1.1 (Final) "jaxp.jar" and "crimson.jar" files in the "jasper" subdirectory. The "sealed" attribute has been removed from the manifest file for these two JARs, to avoid "package sealing violation" errors that were caused by them in a JDK 1.3 environment. You MUST NOT replace these files with a different (or later) release of JAXP, unless that later release has had the sealed attribute removed, or you will encounter "package sealing violation" errors when trying to use a different XML parser in a web application.