jakarta-tomcat-4.0.1

Apache Tomcat Version 4.0 Beta 6 ================================= Release Notes ============= $Id: RELEASE-NOTES-4.0-B6.txt,v 1.3 2001/07/20 06:13:49 craigmcc Exp $ ============ INTRODUCTION: ============ This document describes the changes that have been made in the current beta release of Apache Tomcat, relative to the previous release. Bug reports should be entered at the bug reporting system for Jakarta projects at: http://nagoya.apache.org/bugzilla/ Please report bugs and feature requests under product name "Tomcat 4". ----> SECURITY NOTE: This version of Tomcat fixes a security vulnerability ----> that was first reported on July 16, 2001, related to unnormalized request ----> URI paths bypassing security constraints defined in the web application ----> deployment descriptor. Users who rely on container managed security are ----> *strongly* urged to update to this release of Tomcat 4.0. ----> UPCOMING CHANGE NOTICE: In a future beta release of Tomcat 4.0, it ----> is likely that the default operational mode will be to run Tomcat ----> under a security manager (rather than the current default of not ----> using one). This may necessitate editing the policy permissions ----> file ($CATALINA_HOME/conf/catalina.policy) if your web applications ----> require permissions that are not enabled by default (such as connecting ----> to network ports). You are urged to test your applications with ----> Tomcat 4.0-b5 running under the security manager now, so that this ----> upcoming change will not be disruptive. To do so, start Tomcat 4.0 ----> with the command "$CATALINA_HOME/bin/catalina.sh start -security" ----> (Unix) or "%CATALINA_HOME%\bin\catalina start -security" (Windows). ============ NEW FEATURES: ============ -------------------- General New Features: -------------------- Tomcat 4.0-beta-6 includes a new, experimental, installer for the Windows platform. This installer operates in a manner similar to installers for other applications on Windows, and also lets you install support for executing Tomcat as a Service under Windows NT. This version of the download is packaged as a ".exe" file, and contains the same contents as a standard Tomcat binary distribution. Please try this new installer out and give us your feedback. --> NOTE: A known issue with this capability is that stopping Tomcat --> service can take so long that it fails and logs an error in the --> NT event log. The solution to this problem will be to make the --> server shutdown time shorter so that the timeout is not exceeded. Tomcat 4.0-beta-6 now includes an updated version of the Java side of the MOD_WEBAPP connector, used to run Tomcat behind Apache. Binary versions of the MOD_WEBAPP connector for various platforms will be published (in the same directory where you downloaded Tomcat-4.0-beta-6 shortly). Catalina and Jasper now utilize copies of the web application deployment descriptor and tag library descriptor from the servlet.jar file that is included (generated from the "jakarta-servletapi-4" repository) instead of including their own copies. This avoids the risk of having Tomcat use versions of the DTDs that are out of synchronization with the servlet API classes. Updated the build process to make it easier to build Tomcat 4.0 from the source distribution. Rather than requiring environment variables to be created, the new scheme allows the use of "build.properties" files (in either the Tomcat source directory or the user home directory) to define property values. You can use all standard Ant property replacement expressions in these definitions. As a result, the "build.bat" and "build.sh" scripts are no longer necessary; simply run the "ant" command directly. See the install instructions for more information. The build scripts have been enhanced to support the compilation and execution of unit tests for the JUnit unit testing framework <http://www.junit.org>. A small set of initial tests have been checked in to illustrate the use of this new feature. --------------------- Catalina New Features: --------------------- Catalina is now in conformance to the requirements of the Servlet 2.3 Proposed Final Draft 3 Specification, available at: http://java.sun.com/products/servlet/download.html Created a new Java SecurityManager permission called JndiPermission for use in setting security policy for file based JNDI named resources. Started creating developer-oriented documentation for Catalina in an XML format that should be compatible with whatever presentation technology that we select. Initial effort is to create "functional specification" documents that capture the functionality of the default file-serving servlet, the "invoker" servlet that handles anonymous servlet requests (/servlet/*), JDBCRealm, and JNDIRealm. You can now optionally specify that DNS lookups should be performed when an application servlet calls request.getRemoteHost(). To enable the lookup, set the enableLookups property on the corresponding <Connector> element to "true" (which is also the default). To disable lookups, set this attribute to "false" instead. A new Loader, and corresponding class loader, for web applications (org.apache.catalina.loader.WebappLoader and org.apache.catalina.loader.WebappClassLoader) has been created and made the default, replacing StandardLoader and StandardClassLoader. It implements the following new features: * Supports reloading of classes in /WEB-INF/lib/*.jar as well as /WEB-INF/classes. * Recognizes JAR files added to /WEB-INF/lib while the web app is running. * Substantially improved efficiency (and therefore faster class loading performance). * Correctly scans /WEB-INF/classes before /WEB-INF/lib/*.jar in all cases, as required by the Servlet 2.3 PFD3 specification. ------------------- Jasper New Features: ------------------- Jasper is now in conformance to the requirements of the JSP 1.2 Proposed Final Draft 3 Specification http://java.sun.com/products/jsp/download.html All remaining areas where Jasper (or Jasper-generated code) refered to java.io.File objects have been removed, so that JSP-based applications can be run directly from a WAR file. The JSP page compiler now has enhanced compile-time error reporting. If Jasper detects a Java compilation error on the generated page, it will include information highlighting the line(s) within your source page where the actual error actually occurred. -------------------- Webapps New Features: -------------------- Created a version of the Manager servlet that supports an HTML interface for easier administration. To use it, change the <servlet> definition (in the web.xml file of the Manager application) from org.apache.catalina.servlets.ManagerServlet to org.apache.catalina.servlets.HTMLManagerServlet. Included support for executing external CGI scripts. To execute them, create scripts (or executable programs) inside your web application, and map them to org.apache.catalina.servlets.CGIServlet. By default, the url pattern "*.cgi" is mapped to this servlet. ========================== BUG FIXES AND IMPROVEMENTS: ========================== ------------------ Catalina Bug Fixes: ------------------ org.apache.catalina.authenticator.FormAuthenticator: Update form based login processing to be consistent with the requirements of the 2.3 PFD3 spec. Previously, Catalina did an "internal forward" to display the form login page, and an "internal forward" to display the originally requested page after successful authentication. Now, Catalina does HTTP redirects in both cases (the former is optional but makes relative references in the login page work correctly; the latter is required by the s