Tomcat 6.0.36 (jfclere)
Catalina
++++++++
update 48692: Provide option to parse
application/x-www-form-urlencoded PUT requests. (schultz)
add 50306: New StuckThreadDetectionValve to detect requests
that take a long time to process, which might indicate that
their processing threads are stuck. Based on a patch
provided by TomLu. (kkolinko)
fix 50570: Enable FIPS mode to be set in AprLifecycleListener.
Based upon a patch from Chris Beckey. Note that this mode
requires tomcat-native 1.1.23 or later linked to a
FIPS-capable OpenSSL library, which one has to build by
themselves. (schultz/kkolinko)
fix Improve synchronization and error handling in
AprLifecycleListener. Do not allow to change SSL options
if SSL has already been initialized. (schultz/kkolinko)
fix 52225: Fix ClassCastException when adding an alias for an
existing host via JMX. (kkolinko)
fix 52293: Correctly handle the case when antiResourceLocking
is enabled at the Context level when unpackWARs is disabled
at the Host level. Correctly handle multi-level contexts
when antiResourceLocking is enabled. Patch by Justin Miller.
(kkolinko)
fix Do not throw IllegalArgumentException from parseParameters()
call when chunked POST request is too large, but treat it
like an IO error. The FailedRequestFilter filter can be
used to detect this condition. (kkolinko)
fix 52384: Do not fail with parameter parsing when debug
logging is enabled. (kkolinko)
fix Do not flag extra '&' characters in parameters as
parse errors. (kkolinko)
fix 52488: Correct typos: exipre -> expire. Based on a patch
by prockter. (markt)
fix Reduce log level for the message about hitting
maxParameterCount limit from WARN to INFO. Fix limit
comparison to allow exactly maxParameterCount parameters,
as documentation says, instead of (maxParameterCount-1).
(kkolinko)
fix Slightly improve performance of UDecoder.convert(). Align
%2f handling between implementations. (kkolinko)
add Add denyStatus attribute to RequestFilterValve
(RemoteAddrValve, RemoteHostValve valves). It allows to
use different HTTP response code when rejecting denied
request. E.g. 404 instead of 403. (kkolinko)
add Add SetCharacterEncodingFilter (similar to the one
contained in the examples web application) to the
org.apache.catalina.filters package so that it is
available for all web applications. (kkolinko)
add 52500: Added configurable mechanism to retrieve user
names from X509 client certificates. Based on a patch
provided by Michael Furman. (schultz/kkolinko)
fix 52719: Fix a theoretical resource leak in the JAR
validation that checks for non-permitted classes in
web application JARs. (markt)
fix 52830: Correct JNDI lookups when using javax.naming.Name
to identify the resource rather than a java.lang.String.
(markt)
add 52850: Extend memory leak prevention and detection
code to work with IBM as well as Oracle JVMs. Based on
a patch provided by Rohit Kelapure. (kkolinko)
add 52996: In StandardThreadExecutor: Add the ability to
configure a job queue size (maxQueueSize attribute).
Add a variant of execute method that allows to specify
a timeout for how long we want to try to add something
to the queue. Based on a patch by Rüdiger Plüm. (kkolinko)
fix 53047: If a JDBCRealm or DataSourceRealm is configured
for an all roles mode that only requires authorization
(and no roles) and no role table or column is defined,
don't populate the Principal's roles. (markt/kkolinko)
fix 53050: Fix handling of entropy value when initializing
session id generator in session manager. Based on proposal
by Andras Rozsa. (kkolinko)
fix 53056: Add APR version number to tcnative version INFO
log message. (schultz)
fix 53057: Add OpenSSL version number INFO log message
when initializing. (schultz)
fix 53071: Use the message from the Throwable for the error
report generated by the ErrorReportValve if none was
specified via sendError(). Use the standard text for
HTTP error codes. (markt/rjung)
update 53230: Change session managers to throw
TooManyActiveSessionsException instead of
IllegalStateException when the maximum number of sessions
has been exceeded and a new session will not be created.
(schultz/kkolinko)
fix 53267: Ensure that using the GC Daemon Protection feature
of the JreMemoryLeakPreventionListener does not trigger
a full GC every hour. (markt/kkolinko)
fix 53531: Fix ExpandWar.expand to check the return value
of File.mkdir and File.mkdirs. (schultz)
fix Make the CSRF nonce cache in CsrfPreventionFilter
serializable so that it can be replicated across a cluster
and/or persisted across Tomcat restarts. (markt)
fix 53584: Ignore path parameters when comparing URIs for
FORM authentication. This prevents users being prompted
twice for passwords when logging in when session IDs
are being encoded as path parameters. (markt)
fix Various improvements to the DIGEST authenticator
including 52954, the disabling caching of an authenticated
user in the session by default, tracking server rather
than client nonces and better handling of stale nonce
values. (markt)
fix Remove unneeded handling of FORM authentication in
RealmBase. (kkolinko)
fix 53800: FileDirContext.list() did not provide correct paths
for subdirectories. Patch provided by Kevin Wooten.
(kkolinko)
fix 53830: Better handling of Manager.randomFile default
value on Windows. (kkolinko)
fix Improve session management in CsrfPreventionFilter.
(kkolinko)
Coyote
++++++
fix 42181: Better handling of edge conditions in chunk
header processing. (kkolinko)
update 51477: Support all SSL protocol combinations in the
APR/native connector. This only works when using the
native library version 1.1.21 or later. (rjung)
fix 52055 (comment 14): Correctly reset
ChunkedInputFilter.needCRLFParse flag when the filter
is recycled. (kkolinko)
fix 52606: Ensure replayed POST bodies are available when
using AJP. (markt)
fix 52858: Fix high CPU load with SSL, NIO and sendfile
when client breaks the connection before reading all
the requested data. (fhanik/kkolinko)
fix 53119: Prevent buffer overflow errors being reported
when a client disconnects before the response has been
fully written from an AJP connection using the APR/native
connector. (kkolinko)
fix Improve InternalNioInputBuffer.parseHeaders(). (kkolinko)
add Implement maxHeaderCount attribute on Connector.
It is equivalent of LimitRequestFields directive of
Apache HTTPD. Default value is 100. (kkolinko)
fix In JkCoyoteHandler connector for AJP/1.3 protocol
(in JkMain.setProperty()): Fix setting of properties
when connector has already started for properties that
have aliases. E.g. it now allows to change maxHeaderCount
attribute on Connector MBean via JMX. (kkolinko)
fix 53725: Fix possible corruption of GZIP'd output. (kkolinko)
Jasper
++++++
fix 48097 (comment 7), 53366 (comment 1): If JSP page
unexpectedly fails to initialize PageContext instance,
write exception to the logs instead of silent swallowing.
(kkolinko)
fix 52335: Only handle <\% and not \% as escaped in
template text. (markt)
fix 52666: Correct coercion order in EL when processing the
equality and inequality operators. (markt)
fix 53001: Revert the fix for 46915 since the use case
described in the bug is invalid since it breaks the EL
specification. (markt)
fix 53032: Modify JspC so it extends org.apache.tools.ant.Task
enabling it to work with features such as namespaces
within build.xml files. (markt)
Cluster
+++++++
fix Replicate principal in ClusterSingleSignOn. (kfujino)
fix 53513: Fix race condition between the processing of
session sync message and transfer complete message. (kfujino)
fix 53606: Fix potential NPE in TcpPingInterceptor. Based
on a patch by F. Arnoud. (markt)
fix 53607: To avoid NPE, set TCP PING data to ChannelMessage.
Patch provided by F.Arnoud (kfujino)
fix Fix a behavior of TcpPingInterceptor#useThread. Do not
start a ping thread when useThread is set to false. (kfujino)
Web applications
++++++++++++++++
fix 52243: Improve windows service documentation to clarify
how to include # and/or ; in the value of an environment
variable that is passed to the service. (markt)
fix 52515: Make it clear in the Realm how-to in the
documentation web application that digested password
storage when using DIGEST authentication requires that
MD5 digests are used. (markt)
fix 52641: Remove mentioning of ldap.jar from docs. Patch
provided by Felix Schumacher. (rjung)
fix Remove obsolete bug warning from windows service
documentation page. (rjung)
fix 52983: Remove unnecessary code that makes switching to
other authentication methods difficult. (markt)
fix 53158: Fix documented defaults for DBCP. Patch provided
by ph.dezanneau at gmail.com. (rjung)
update Update JavaSE documentation links to point to the current
docs.oracle.com site, instead of obsolete ones
(download.oracle.com, java.sun.com). (kkolinko)
update 53289: Clarify ResourceLink example that uses
DataSource.getConnection(username, password) method.
Not all data source implementations support it. (kkolinko)
fix Prevent the custom error pages for the Manager and
Host Manager applications from being accessed directly.
Configure custom pages for error codes 401 and 403
in Host Manager application. (markt/kkolinko)
fix Correct documentation for enableLookups attribute of
a Connector. By default DNS lookups are disabled. (kkolinko)
fix Fix several HTML markup errors in servlets of examples
web application. (kkolinko)
update Change the index page of ROOT webapp to mention
"manager-gui" role instead of "manager" one. (kkolinko)
fix 53473: Correct the allowed values for the SSI option
isVirtualWebappRelative which are true or false. (markt)
fix 53664: Minor JNDI Howto document enhancement concerning
mail properties. Patch provided by Mark Eggers. (schultz)
fix 53601: Clarify that to build Apache Tomcat 6 from sources
a Java 5 JDK is recommended. (kkolinko)
fix 53793: Change links on the list of applications in the
Manager to point to /appname/ instead of /appname. (kkolinko)
Other
+++++
fix 49402, 52124: Fix Maven publishing script: make sure it
finds tomcat-juli.jar and use later version of wagon-ssh.
(jfclere)
fix Update Apache Commons Daemon to 1.0.10. It resolves
52548 which meant that services created with service.bat
did not set the catalina.home and catalina.base system
properties. (markt, kkolinko)
update Update Apache Commons Pool to 1.5.7. (kkolinko)
update 52579: Add a note about Sun's Charset.decode() bug to
the RELEASE-NOTES file. (kkolinko)
update 52805: Update to Eclipse JDT Compiler 3.7.2. (kkolinko)
update Update the native component of the APR/native connectors
to 1.1.23 and take advantage of the simplified distribution.
(kkolinko)
fix When building a Windows installer do not copy whole
"res" folder to output/dist, but only the files that
we need. Apply fixcrlf filter only after the files are
copied, so that INSTALLLICENSE file had correct line
ends. (kkolinko)
update Remove res/License.rtf. The file that is actually shown
by the Windows installer is res/INSTALLLICENSE. (kkolinko)
update Improve RUNNING.txt. (kkolinko)
update Align the script that deploys Maven jars for Tomcat
(res/maven/mvn-pub.xml) with the Tomcat 7 version, making
full use of Nexus. (markt)
add 53034: Add project.url and project.licenses sections to
the POMs for the Maven artifacts. (kkolinko)
fix 53454: Return correct content-length header for HEAD
requests when content length is greater than 2GB. (markt)
acc5cb1c66