================================================================================
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
================================================================================

$Id$

                         =================================
                         Apache Tomcat 5.5 Patch Proposals
                         =================================


PATCHES PROPOSED TO BACKPORT:
  [ New proposals should be added at the end of the list ]


* Remove JSSE13Factory, JSSE13SocketFactory classes,
  because
    - TC 5.5 runs on JRE 1.4+ and that comes bundled with JSSE 1.4,
      so these classes are no more needed.
    - JSSE13SocketFactory directly references com.sun.net.* classes in its
      source code without using reflection, and that causes compilation failure
      with my IDE/JRE settings.
  1)
    svn delete connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE13Factory.java
    svn delete connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java
  2)
    http://people.apache.org/~kkolinko/patches/2010-03-06_tc55_remove_JSSE13Factory_v2.patch
  +1: kkolinko, markt
  -O: jim
  -1:

* Configure Tomcat to use HttpOnly for session cookies by default
  http://people.apache.org/~kkolinko/patches/2010-04-21_tc55_context_httpOnly.patch
  +1: kkolinko
  -0: markt - Consensus was for disabled in 5.5.x
              http://svn.apache.org/viewvc?view=revision&revision=749019
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49521
  http://people.apache.org/~kkolinko/patches/2010-07-17_tc55_bug49521.patch
  - Disable scanning for a free port in Jk AJP/1.3 connector by default.
  - Do not change maxPort field value of ChannelSocket in its #setPort()
    and #init() methods.
  - Add support for "maxPort" attribute on a <Connector> element as a synonym
    for channelSocket.maxPort
  +1: kkolinko, markt
  -1:
  -0: rjung, jim
  rjung: Should we really change default behaviour for a mature version?
  kkolinko: (I think that hardly anyone uses that feature, and if it is needed,
  one can reenable it now by setting the maxPort attribute.
  It is possible to make this configurable without changing the default
  -- see attachment 25657 in BZ 49521, but I do not think that it is worth it.)
  jim: Also not comfortable with such a change this late in the game
       regarding default behavior of a stable branch.