================================================================================
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
================================================================================

$Revision$ $Date$

=================================
Apache Tomcat 5.5 Patch Proposals
=================================

PATCHES PROPOSED TO BACKPORT:
  [ New proposals should be added at the end of the list ]

* Better handling of lack of permission for context specific logging
  http://svn.apache.org/viewvc?rev=646543&view=rev
  +1: markt, rjung (when enhanced by the below added backport proposal)
   0: fhanik - silently swallow an error, and default to the default config file,
      yoavs: don't like silent swallowing
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45576
  Add support for DIGEST to the JAASRealm
  http://svn.apache.org/viewvc?rev=684234&view=rev
  +1: markt, fhanik, mturk
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=41407
  Add support for CLIENT-CERT to the JAASRealm. Builds on DIGEST patch above.
  http://svn.apache.org/viewvc?rev=684270&view=rev
  +1: markt, fhanik, mturk
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45528
  Improved fix that hopefully addresses previous concerns
  http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?r1=685981&r2=687645&diff_format=h
  http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties?r1=656035&r2=687503
  +1: markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45666
  Prevent infinite loop on include
  http://svn.apache.org/viewvc?rev=690781&view=rev
  +1: markt, rjung, mturk
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45628
  http://svn.apache.org/viewvc?rev=691282&view=rev
  JARs without deps should always be fulfilled
  +1: markt, rjung, mturk
  -1:

* Backport logging of access control problems when setting up per context
  logging under the security manager.
  http://svn.apache.org/viewvc?rev=691675&view=rev
  http://svn.apache.org/viewvc?rev=691677&view=rev
  http://svn.apache.org/viewvc?rev=691887&view=rev
  The backport needs a couple of casts, because we don't have generics.
  Note: for some reason handlers for the root logger are registered twice,
  so the messages are output twice. This does not happen for tc6.0.x and
  should be seen as a different issue.
  +1: rjung, markt, mturk
  -1:

* Backport: Handle session suffix rewrite at JvmRouteBinderValve with
  parallel requests from same client
  http://svn.apache.org/viewvc?rev=693378&view=rev
  +1: pero, markt, mturk
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=44382
  Use HttpOnly for session cookies. This is enabled by default. Feel free to
  caveat your vote with a preference for disabled by default.
  http://svn.apache.org/viewvc?rev=694992&view=rev
  +1: mark (prefer enabled, happy with disabled), rjung
  -1:
  rjung: slightly prefer disabled for 5.5.x because of stability reasons
         and the risk of breaking existing apps.
         Happy with enabled for 6.0.x though.

* Correct wrong "No role found" debug message, logged in RealmBase even if
  a role was found.
  http://svn.apache.org/viewvc?rev=697158&view=rev
  +1: rjung, markt, mturk
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45026
  Never use empty reason phrase.
  http://svn.apache.org/viewvc?rev=697183&view=rev
  +1: rjung
  +1: markt (also required for other AJP connectors)
  +1: mturk
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45880
  More careful use of File /r and NOTICE file
  http://people.apache.org/~markt/patches/2008-09-24-bug45880.patch
  +1: markt, rjung
  -1:
  rjung: Please add NOTICE to the uninstall section of the nsi file as well.

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45933
  Don't use xml parser from web-app to process tld files
  http://svn.apache.org/viewvc?rev=701355&view=rev
  +1: markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=42419
  Support changing of JSESSIONID cookie name and jsessionid path parameter name
  http://svn.apache.org/viewvc?rev=702219&view=rev
  +1: markt, mturk
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45996
  Add Accept-Range header to DefaultServlet response
  http://svn.apache.org/viewvc?rev=696408&view=rev
  +1: mark
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=46105
  Correctly set URI encoding when replaying a request after FORM auth
  http://svn.apache.org/viewvc?rev=709294&view=rev
  +1: markt
  -1:

* Fix thread safety issues in date formats
  http://svn.apache.org/viewvc?view=rev&revision=708160
  +1: markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=46408
  Correct potential invalid cast
  http://svn.apache.org/viewvc?rev=728032&view=rev
  +1: markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=36923
  If EL is disabled, treat ${ as template text
  This patch includes a port of the work from TC6 that removed the need for
  the text replacement hack as part of the EL processing.
  http://people.apache.org/~markt/patches/2009-01-01-bug36923.patch
  +1: markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=37498
  Handle logging errors during undeployment triggered by deleting the base
  directory
  https://issues.apache.org/bugzilla/attachment.cgi?id=23069
  +1: markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=37458
  Correct sync issue that leads to NPE in rare circumstances
  Patch provided by Konstantin Kolinko
  http://svn.apache.org/viewvc?rev=730735&view=rev
  +1: markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=37515
  Add options for 1.6 and 1.7 source and target to JDT compiler
  http://svn.apache.org/viewvc?rev=731773&view=rev
  +1: markt
  -1:

* Lock contention during cookie creation, implementation is single threaded
  http://people.apache.org/~fhanik/tomcat/datetool-lock-contention.patch
  This patch recognises that DateFormat is not thread safe, but uses the
  formats without the need for synchronization by keeping them in thread locals.
  +1: fhanik
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=46606
  Make max depth configurable for WebDAV servlet
  http://svn.apache.org/viewvc?rev=740635&view=rev
  +1: markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=38197
  Take account of jsp:attribute elements when naming tag pools
  http://svn.apache.org/viewvc?rev=740675&view=rev
  +1: markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=38483
  Make access log valves thread safe
  http://people.apache.org/~markt/patches/2009-02-04-bug38483.patch
  +1: markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=38553
  Return 401 rather than 400 if client presents no certs for CLIENT-CERT auth
  http://svn.apache.org/viewvc?rev=740684&view=rev
  +1: markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=38570
  When checking docBase against appBase, make sure we check for an exact
  match against the appBase
  http://svn.apache.org/viewvc?rev=742677&view=rev
  +1: markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=39013
  When testing for invalid docBase, test for an exact match with the appBase dir
  http://svn.apache.org/viewvc?rev=742697&view=rev
  +1: markt, mturk
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=39396
  Don't include TRACE in OPTIONS response unless we know it hasn't been
  disabled in the connector
  http://svn.apache.org/viewvc?rev=742714&view=rev
  +1: markt, mturk
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=46717
  Hard to reproduce thread safety issue with session expiration
  http://svn.apache.org/viewvc?rev=708273&view=rev
  +1: markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=46770
  Headers are sent in duplicate when using AJP and flush. mod_jk doesn't
  accept such a response (starting with version 1.2.27).
  Only a problem before 6.0.
  Patch backported from http://svn.eu.apache.org/viewvc?view=rev&revision=411577
  Patch available at https://issues.apache.org/bugzilla/attachment.cgi?id=23316
  +1: rjung, billbarker, mturk
  -1: