================================================================================ Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. ================================================================================ $Id$ ================================= Apache Tomcat 6.0 Patch Proposals ================================= RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT: [ start all new proposals below, under PATCHES PROPOSED. ] PATCHES PROPOSED TO BACKPORT: [ New proposals should be added at the end of the list ] * Fix the maven stuff for the maven repo. Before it does't find tomcat-juli.jar and the remoteRepository seems broken . http://people.apache.org/~jfclere/patches/maven.patch +1: jfclere -1: fhanik - easier to pass in the root path (lib/bin) to the macro instead of hacking around it if we remove the SCP auto feature, then there should be something to replace it with (http://ant.apache.org/manual/OptionalTasks/scp.html) -1: kkolinko: 1. Ignoring ${maven.repo.url} in does not look good, because that is a valuable argument, provided by deploy-snapshot, deploy-staging and deploy-release targets. I say/agree that there can be several implementations of this deploy action (ssh + key, local, ssh + pwd?), so maybe split it into several implementations and select one based on what property is defined. 2. It publishes wrong tomcat-juli.jar, as already noted, http://markmail.org/message/5sysomjlrfhcd3ec * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48545 Truststores don't have to have passwords Based on a patch by 'smmwpf54' http://svn.apache.org/viewvc?view=revision&revision=910266 +1: markt -1: jfclere: Doc says it should use keystorePass (http://tomcat.apache.org/tomcat-6.0-doc/config/http.html). so that would break existing configurations. markt: It shouldn't break existing configs. JSSE allows trust stores to be read without providing the password * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49030 Failure of one connector should not leave some connectors started and some ignored http://people.apache.org/~markt/patches/2010-06-14-bug49030.patch +1: markt -1: kkolinko: it breaks the fix for BZ 48625 https://issues.apache.org/bugzilla/show_bug.cgi?id=49030#c4 Alternative patch: https://issues.apache.org/bugzilla/attachment.cgi?id=25633 +1: kkolinko -1: * Configure Tomcat to use HttpOnly for session cookies by default http://people.apache.org/~kkolinko/patches/2010-04-21_tc6_context_httpOnly.patch +1: kkolinko -0: markt - There wasn't consensus previously. - If you are going to change the default, do it in the code -1: * Backport a couple of loader fixes and enhancements: Expose the new WebappLoader flag in the VirtualWebappLoader, but allow alternative name searchVirtualFirst to make it consistent with the "virtual" terminology. Now you can decide, whether the virtual paths will be searched before the webapp or after it. If searched before, external resources take precendence over internal ones. Before that change one couldn't overwrite resources already present in the webapp. http://svn.apache.org/viewvc?view=revision&revision=936825 http://people.apache.org/~rjung/patches/2010-05-14-loader-backport-r936825.patch +1: rjung -1: -0: kkolinko: The patch itself is OK, but I think having a synonym will cause confusion. I'd prefer not to invent a new name, but mention the one that we already have when documenting virtualClasspath. Respect configurable search order in getURLs(). http://svn.apache.org/viewvc?view=revision&revision=936892 http://people.apache.org/~rjung/patches/2010-05-14-loader-backport-r936892.patch +1: rjung, kkolinko -1: * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49343 When ChannelException is thrown, remove listener from channel. http://svn.apache.org/viewvc?view=revision&revision=948402 +1: kfujino, kkolinko -1: kkolinko: Maybe "this.channel.removeChannelListener(this.rpcChannel);" call has to be replaced with "this.rpcChannel.breakdown();" Additional patch. "this.channel.removeChannelListener(this.rpcChannel);" call is replaced with "this.rpcChannel.breakdown();". http://svn.apache.org/viewvc?view=revision&revision=950922 +1: kfujino, kkolinko -1: * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49099 Provide a mechanism for including requests rejected by the CoyoteAdapter in the standard access log http://people.apache.org/~markt/patches/2010-07-07-bug49099.patch This is a backport of: r950587, r950809, r951018, r951093, r951447, r951892, r952295 +1: markt -1: kkolinko: 1) It would be nice to log requests using the timestamp when it was received (like HTTPD 2.0+ does), not when it was processed. If that is to be implemented, an additional parameter will be needed for the log() method in the AccessLog interface. I suppose that might be "long t1, long t2" instead of "long time". 2) I see no way to turn off this feature or filter the output. * Backport the CSRF prevention filter to Tomcat 6 and configure the Manager and Host Manager applications to use it. The configuration is such that the using the old roles (manager, admin) will work and will bypass the CSRF protection but using the new roles (manager-gui, admin-gui etc.) will not bypass the CSRF protection. http://people.apache.org/~markt/patches/2010-06-26-crsf-prevention-filter-tc6.patch +1: markt -1: * Add support for *.jar pattern in VirtualWebappLoader and perform trimming of the tokens. I propose the following patch, but without removing the "not for production" warning from JavaDoc: http://svn.apache.org/viewvc?rev=958615&view=rev +1: kkolinko -1: