================================================================================
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
================================================================================

$Id$

                         =================================
                         Apache Tomcat 6.0 Patch Proposals
                         =================================

RELEASE SHOWSTOPPERS:


PATCHES ACCEPTED TO BACKPORT:
  [ start all new proposals below, under PATCHES PROPOSED. ]

PATCHES PROPOSED TO BACKPORT:
  [ New proposals should be added at the end of the list ]

* Backport cleanup of semantics of thisAccessedTime and lastAccessedTime
  for sessions:
  - preparational whitespace changes
    http://svn.apache.org/viewvc?rev=711695&view=rev
  - Give thisAccessedTime and lastAccessedTime for sessions a clear semantics:
    http://svn.apache.org/viewvc?rev=711711&view=rev
    - thisAccessedTime will be updated at the beginning and at the end
      of session use
    - lastAccessedTime will only be updated at the end of session use
    This means:
    - lastAccessedTime is the last access time of a session disregarding
      any request still being processed on. So this is good to use even
      from within a request to detect when its own session has been used
      last before.
    - thisAccessedTime already gets updated when a new request disregarding
      any request still being processed on.
      So this is better for any idleness check or information.
    - thisAccessedTime >= lastAccessedTime always
  - Port from StandardSession to DeltaSession
    http://svn.apache.org/viewvc?rev=711714&view=rev
  - Expose thisAccessedTime via the session interface and ManagerBase,
    so we can use it from outside the session.
    http://svn.apache.org/viewvc?rev=711716&view=rev
  - Make the classes checking session idleness use thisAccessedTime.
    http://svn.apache.org/viewvc?rev=711720&view=rev
    This is not for invalidation, only for displaying idle times
    and making persistence decisions.
  +1: rjung
   0: billbarker: generally agree with remm that this is too big of a change
      for the stable branch but could agree to some of it if it was split
      into parts
   0: markt: Agree with Bill - smaller parts would be better
  -1: remm: no for TC 6.0
  -1: funkman : api change in Session.java for .x.x release

* Fix the maven stuff for the maven repo.
  Before it doesn't find tomcat-juli.jar and the remoteRepository seems broken.
  http://people.apache.org/~jfclere/patches/maven.patch
  +1: jfclere
  -1: fhanik - easier to pass in the root path (lib/bin) to the macro instead
      of hacking around it
      if we remove the SCP auto feature, then there should be something to
      replace it with (http://ant.apache.org/manual/OptionalTasks/scp.html)

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48545
  Truststores don't have to have passwords
  Based on a patch by 'smmwpf54'
  http://svn.apache.org/viewvc?view=revision&revision=910266
  +1: markt
  -1: jfclere: Doc says it should use keystorePass
      (http://tomcat.apache.org/tomcat-6.0-doc/config/http.html).
      so that would break existing configurations.
      markt: It shouldn't break existing configs.
             JSSE allows trust stores to be read without providing the password

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48589
  Make JNDIRealm easier to extend
  Based on a patch by Candid Dauth
  http://svn.apache.org/viewvc?rev=910485&view=rev
  http://svn.apache.org/viewvc?rev=918489&view=rev (review feedback)
  +1: markt, kkolinko
  -1:
  Additional patch:
  http://svn.apache.org/viewvc?rev=918803&view=rev
  +1: kkolinko, markt
  -1:

* Improve log messages when a potential leak is detected by including the
  name of the offending context
  http://svn.apache.org/viewvc?view=revision&revision=920298
  +1: markt, kkolinko
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48629
  Allow user names as well as DNs to be used with the nested role search
  Add roleNested to the docs
  Patch provided by Felix Schumacher
  http://svn.apache.org/viewvc?rev=920422&view=rev
  +1: markt, kkolinko
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48661
  Make error page behaviour consistent. If a response has been committed,
  include the error page
  http://svn.apache.org/viewvc?rev=920449&view=rev
  +1: markt, kkolinko
  -1:

* Revisit https://issues.apache.org/bugzilla/show_bug.cgi?id=48701
  Allow TagVariableInfo as well as VariableInfo to introduce objects later
  used by - JSP.5.3
  http://svn.apache.org/viewvc?rev=920532&view=rev
  http://svn.apache.org/viewvc?rev=920907&view=rev (review comment)
  +1: markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48729
  Return roles defined by both userRoleName and roleName mechanisms
  Patch provided by 'eric'
  +1: markt, kkolinko
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48737
  Don't assume paths that start with /META-INF/... are always in JARs.
  This is not true for some IDEs
  Patch provided by Fabrizio Giustina
  http://svn.apache.org/viewvc?rev=920840&view=rev
  +1: markt, kkolinko
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48760
  Ensure multiple threads do not end up with the same InputStream
  http://svn.apache.org/viewvc?rev=920858&view=rev
  +1: markt, kkolinko
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48701
  Add system property to allow disabling enforcement of JSP.5.3
  The spec recommends, but does not require this enforcement.
  http://svn.apache.org/viewvc?rev=920880&view=rev
  +1: kkolinko
  -1:

* Address https://issues.apache.org/bugzilla/show_bug.cgi?id=48007#c5
  Improve exception processing in CustomObjectInputStream#resolveClass(),
  to help find the cause behind BZ 48007.
  http://svn.apache.org/viewvc?rev=920912&view=rev
  +1: kkolinko
  -1: