diff -Nru tomcat6-6.0.33/BUILDING.txt tomcat6-6.0.35/BUILDING.txt --- tomcat6-6.0.33/BUILDING.txt 2008-11-15 19:48:42.000000000 +0000 +++ tomcat6-6.0.35/BUILDING.txt 2011-11-15 15:54:27.000000000 +0000 @@ -15,7 +15,7 @@ limitations under the License. ================================================================================ -$Id: BUILDING.txt 717919 2008-11-15 19:48:42Z markt $ +$Id: BUILDING.txt 1202262 2011-11-15 15:54:27Z kkolinko $ ==================================================== Building The Apache Tomcat 6.0 Servlet/JSP Container @@ -23,9 +23,14 @@ This subproject contains the source code for Tomcat 6.0, a container that implements the Servlet 2.5 and JSP 2.1 specifications from the Java -Community Process . In order to build a binary -distribution version of the container from a source distribution, -do the following: +Community Process . + +Note: If you just need to run Apache Tomcat, it is not necessary to build +it. You may simply download a binary distribution. It is cross-platform. +Read RUNNING.txt for the instruction on how to run it. + +In order to build a binary distribution version of Apache Tomcat from a +source distribution, do the following: (0) Download and Install a Java Development Kit 
@@ -68,17 +73,16 @@ (2.1) Checkout or obtain the source code for Tomcat 6.0 -* Tomcat SVN repository URL: - http://svn.apache.org/repos/asf/tomcat/tc6.0.x/ +* Tomcat 6.0 SVN repository URL: + http://svn.apache.org/repos/asf/tomcat/tc6.0.x/trunk/ * Download a source package from: http://tomcat.apache.org/download-60.cgi -* Checkout the source using SVN, selecting the desired version or - branch (current development source is at - http://svn.apache.org/repos/asf/tomcat/tc6.0.x/trunk/), or - unpack the source package. The location where the source has been - placed will be referred as ${tomcat.source}. +* Checkout the source using SVN, selecting a tag for released version or + trunk for the current development code, or unpack a source package. The + location where the source has been placed will be referred as + ${tomcat.source}. (2.2) Building @@ -88,14 +92,19 @@ ant download ant +* WARNING: Running "ant download" command will download libraries required + to build Tomcat to the /usr/share/java directory. On a typical Linux or + MacOX system an ordinary user will not have access to write to this + directory, and, even if you do, it may not be appropriate for you to + write there. + + On Windows this usually corresponds to the "C:\usr\share\java" + directory, unless Cygwin is used. Read below to learn how to customize + the directory used to download the binaries. + * NOTE: Users accessing the Internet through a proxy must use a properties file to indicate to Ant the proxy configuration. Read below. -* WARNING: Running this command will download binaries to the /usr/share/java - directory. Make sure this is appropriate to do on your computer. On Windows, - this usually corresponds to the "C:\usr\share\java" directory, unless Cygwin - is used. Read below to customize the directory used to download the binaries. - * The build can be controlled by creating a ${tomcat.source}/build.properties file, and adding the following content to it: 
@@ -108,7 +117,7 @@ # ----- Default Base Path for Dependent Packages ----- # Replace this path with the directory path where dependencies binaries # should be downloaded - base.path=/usr/share/java + base.path=/home/me/some-place-to-download-to (3) Updating sources @@ -138,5 +147,3 @@ cd ${tomcat.source} ant -f dist.xml release - - diff -Nru tomcat6-6.0.33/build.properties.default tomcat6-6.0.35/build.properties.default --- tomcat6-6.0.33/build.properties.default 2011-08-15 14:11:04.000000000 +0000 +++ tomcat6-6.0.35/build.properties.default 2011-11-28 10:12:53.000000000 +0000 @@ -21,16 +21,16 @@ # modules that Tomcat depends on. Copy this file to "build.properties" # in the top-level source directory, and customize it as needed. # -# $Id: build.properties.default 1157853 2011-08-15 14:11:04Z jfclere $ +# $Id: build.properties.default 1207052 2011-11-28 10:12:53Z jfclere $ # ----------------------------------------------------------------------------- # ----- Version Control Flags ----- version.major=6 version.minor=0 -version.build=33 +version.build=35 version.patch=0 version.suffix=-dev -version=6.0.33 +version=6.0.35 # ----- Default Base Path for Dependent Packages ----- # Please note this path must be absolute, not relative, 
@@ -108,17 +108,17 @@ # - noTldJars in o.a.j.compiler.TldLocationsCache # - res/maven/jasper.pom # - eclipse.classpath -jdt.version=3.3.1 -jdt.release=R-3.3.1-200709211145 +jdt.version=3.7 +jdt.release=R-3.7-201106131736 jdt.home=${base.path}/ecj-${jdt.version} jdt.jar=${jdt.home}/ecj-${jdt.version}.jar # The download will be moved to the archive area eventually. We are taking care of that in advance. # Note older JARs were called ecj.jar. Newer JARs are called ecj-${jdt.version}.jar -jdt.loc.1=http://archive.eclipse.org/eclipse/downloads/drops/${jdt.release}/ecj.jar -jdt.loc.2=http://download.eclipse.org/eclipse/downloads/drops/${jdt.release}/ecj.jar +jdt.loc.1=http://archive.eclipse.org/eclipse/downloads/drops/${jdt.release}/ecj-${jdt.version}.jar +jdt.loc.2=http://download.eclipse.org/eclipse/downloads/drops/${jdt.release}/ecj-${jdt.version}.jar # ----- Tomcat native library ----- -tomcat-native.version=1.1.20 +tomcat-native.version=1.1.22 tomcat-native.home=${base.path}/tomcat-native-${tomcat-native.version} tomcat-native.tar.gz=${tomcat-native.home}/tomcat-native.tar.gz tomcat-native.loc.1=${base-tomcat.loc.1}/tomcat-connectors/native/${tomcat-native.version}/source/tomcat-native-${tomcat-native.version}-src.tar.gz diff -Nru tomcat6-6.0.33/build.xml tomcat6-6.0.35/build.xml --- tomcat6-6.0.33/build.xml 2011-08-04 10:09:45.000000000 +0000 +++ tomcat6-6.0.35/build.xml 2011-10-14 16:07:51.000000000 +0000 @@ -417,6 +417,9 @@ excludes="build.xml project.xml" includes="*.xml"> + + + + + + + + + + + + + + + + + + diff -Nru tomcat6-6.0.33/conf/web.xml tomcat6-6.0.35/conf/web.xml --- tomcat6-6.0.33/conf/web.xml 2011-04-18 14:04:17.000000000 +0000 +++ tomcat6-6.0.35/conf/web.xml 2011-11-10 22:24:17.000000000 +0000 @@ -421,6 +421,19 @@ + + + + + + @@ -481,6 +494,14 @@ + + + -
+
+ + + + Fix regression in decoding of parameters that contain spaces. + Patch by Willem Fibbe. (kkolinko) + + + +
+
+ + + + 51550: Display an error page rather than an empty response + for an IllegalStateException caused by too many active sessions. (markt) + + + 51640: Improve the memory leak prevention for leaks + triggered by java.sql.DriverManager. (markt/kkolinko) + + + 51688: JreMemoryLeakPreventionListener now protects against + AWT thread creation. (schultz) + + + 51758: The digester (used for processing XML files) used the + logger name org.apache.commons.digester.Digester rather + than the expected org.apache.tomcat.util.digester.Digester. + The digester has been changed to use the expected logger name. + (kkolinko) + + + 51862: Added a classesToInitialize attribute to + JreMemoryLeakPreventionListener to allow pre-loading of configurable + classes to avoid some classloader leaks. (slaurent) + + + 51872: Ensure that the access log always uses the correct + value for the remote IP address associated with the request and that + requests with multiple errors do not result in multiple entries in + the access log. (markt) + + + Allow to overwrite the check for distributability + of session attributes by session implementations. (rjung) + + + Provide the log format "OneLineFormatter" for JULI that provides the same + information as the default plus thread name but on a single line. + (markt/rjung) + + + Ensure the the memory leak protection for the HttpClient keep-alive + always operates even if the thread has already stopped. (markt) + + + 51940: Do not limit saving of request bodies during FORM + authentication to POST requests since any HTTP method may include a + request body. Based on a patch by Nicholas Sushkin. (kkolinko) + + + 52091: Address performance issues related to lock contention + in StandardWrapper. Based on patch provided by Taiki Sugawara. + (kkolinko) + + + In GenericPrincipal, SerializablePrincipal: Do not sort lists of roles + that have only one element. 
(kkolinko) + + + Make configuration issue for CsrfPreventionFilter result in the + failure of the filter rather than just a warning message. (kkolinko) + + + Ensure changes to the configuration of RemoteAddrValve and + RemoteHostValve via JMX are thread-safe. (kkolinko) + + + Make configuration issue for RemoteAddrValve and + RemoteHostValve result in the failure of the valve rather than + just a warning message. (kkolinko) + + + In RequestFilterValve (RemoteAddrValve, + RemoteHostValve): refactor value matching logic into + separate method and expose this new method isAllowed + through JMX. (kkolinko) + + + Improve performance of parameter processing for GET and POST requests. + Also add an option to limit the maximum number of parameters processed + per request. This defaults to 10000. Excessive parameters are ignored. + Note that FailedRequestFilter can be used to reject the + request if some parameters were ignored. (markt/kkolinko) + + + New filter FailedRequestFilter that will reject a request + if there were errors during HTTP parameter parsing. (kkolinko) + + + + + + + 50394: Return -1 from read operation instead of throwing an + exception when encountering an EOF with the HTTP APR connector. + (kkolinko) + + + 51698: Fix CVE-2011-3190. Prevent AJP message injection. + (markt) + + + Detect incomplete AJP messages and reject the associated request if one + is found. (markt) + + + 51794: Fix race condition in NioEndpoint selector. Patch + provided by dlord. (fhanik) + + + 51905: Fix infinite loop in AprEndpoint shutdown if + acceptor unlock fails. Reduce timeout before forcefully closing + the socket from 30s to 10s. (kkolinko) + + + 52121: Fix possible output corruption when compression is + enabled for a connector and the response is flushed. Test + case provided by David Marcks. (kkolinko) + + + Replace unneeded call that iterated events queue in NioEndpoint.Poller. + (kkolinko) + + + Improve MimeHeaders.toString(). 
(kkolinko) + + + Allow the BIO HTTP connector to be used with SSL when running under Java + 7. (markt) + + + Improve multi-byte character handling in all connectors. (rjung) + + + + + + + 51220: Correct copy/paste error in original commit for this + issue. (markt) + + + 52091: Address performance issues related to log creation + in TagHandlerPool. Patch provided by Taiki Sugawara. (markt) + + + + + + + 51736: Make rpcTimeout configurable in BackupManager. + (kfujino) + + + New cluster manager attribute sessionAttributeFilter + allows to filter which session attributes are replicated using a + regular expression applied to the attribute name. (rjung) + + + Avoid an unnecessary session ID change notice. + Notice of changed session ID by JvmRouteBinderValve is unnecessary to + BackupManager. In BackupManager, change of session ID is replicated by + the call of a setId() method. (kfujino) + + + Fix unneeded duplicate resetDeltaRequest() call in + DeltaSession.setId(String). (kkolinko) + + + When Context manager does not exist, no context manager message is + replied in order to avoid timeout (default 60 sec) of + GET_ALL_SESSIONS sync phase. (kfujino) + + + + + + + Correct the documentation for the connectionLinger attribute of the HTTP + connector. (markt) + + + Show build date and version in the header on every documentation + page. (kkolinko) + + + 52049: Improve setup instructions for running as a Windows + service: correct information on how a JRE is identified and selected. + (markt) + + + 52172: Clarify Tomcat build instructions. Patch provided + by bmargulies. (kkolinko) + + + + + + + Update the native component of the APR/native connectors to 1.1.22. + (markt) + + + Update the recommended version of the native component of the APR/native + connectors to 1.1.22. (kkolinko) + + + Update the Eclipse compiler (used for JSPs) to 3.7. (markt) + + + Correct two typos in the Windows installer. 
(kkolinko) + + + 52059: In Windows uninstaller: Do not forget to remove + Tomcat keys from 32-bit registry on deinstallation. (kkolinko) + + + +
+
@@ -154,7 +385,7 @@ 51400: Avoid jvm bottleneck on String/byte[] conversion triggered by a JVM bug. Based on patches by Dave Engberg and Konstantin - Preißer. (markt) + Preißer. (markt) 51403: Avoid NPE in JULI FileHandler if formatter is @@ -191,8 +422,8 @@ Unregister DataSource MBeans when web application stops. (kfujino) - Add additional configuration options to the DIGEST authenticator. - (markt) + CVE-2011-1184: Add additional configuration options to the DIGEST + authenticator. (markt) @@ -445,7 +676,8 @@ Improve HTTP specification compliance in support of - Accept-Language header. (kkolinko) + Accept-Language header. This protects from known exploit + of the Oracle JVM bug that triggers a DoS, CVE-2010-4476. (kkolinko) @@ -1645,7 +1877,7 @@ operation. Patch provided by sebb. (markt) - 48417: Update French translations. Patch provided by Andr� + 48417: Update French translations. Patch provided by André Warnier. (markt/kkolinko) @@ -1946,7 +2178,7 @@ 47918: Correct mbean descriptors for the host deployer. Patch - provided by Uwe G�nther. (markt) + provided by Uwe Günther. (markt) 47930: Fix thread safety issues on session swap-in in the @@ -1977,7 +2209,7 @@ 48257: Correct error in Spanish translations. Patch provided - by Guillermo Guti�rrez. (markt) + by Guillermo Gutiérrez. (markt) 48306, 48307: Correct French translations. Patches @@ -1989,7 +2221,7 @@ 48413: Correct some French translations. Patch provided by - Andr� Warnier. (markt) + André Warnier. (markt) Deprecate the caseSensitive option on the @@ -3038,7 +3270,7 @@ 46047: Include the path to the JAR when recording dependencies that are located inside a JAR file. Patch provided by - C�dric Mailleux. (markt) + Cédric Mailleux. (markt) 46381: Composite expressions used for attribute values must @@ -3419,7 +3651,7 @@ 44988: Use Java5 syntax for debug options. Patch provided - by Cedrik Lime. (markt) + by Cédrik Lime. (markt) 45101: Format header dates obtained from 
@@ -4322,7 +4554,7 @@ Fix various paths in the manager webapps (remm) - Session viewer and editor for the HTML manager. Submitted by C�drik Lime. (remm) + Session viewer and editor for the HTML manager. Submitted by Cédrik Lime. (remm) Session handling tools for the manager. Submitted by Rainer Jung. (remm) @@ -4454,7 +4686,7 @@ Cleanup hello webapp from the docs and fix a XSS issue in the JSP. (remm) - Examples webapp cleanup. Submitted by Takayuki Kaneko and Markus Sch�nhaber. (remm) + Examples webapp cleanup. Submitted by Takayuki Kaneko and Markus Schönhaber. (remm) 41289: Create configBase, since it is no longer created elsewhere. @@ -4599,7 +4831,7 @@ Use 2.5 xsd in Tomcat webapps. (markt) - Compression filter improvements, submitted by Eric Hedstr�m. (markt) + Compression filter improvements, submitted by Eric Hedström. (markt) @@ -4749,7 +4981,7 @@ 39572: Improvements to CompressionFilter example provided by - Eric Hedstr�m. (markt) + Eric Hedström. (markt) diff -Nru tomcat6-6.0.33/webapps/docs/config/ajp.xml tomcat6-6.0.35/webapps/docs/config/ajp.xml --- tomcat6-6.0.33/webapps/docs/config/ajp.xml 2011-06-03 08:17:02.000000000 +0000 +++ tomcat6-6.0.35/webapps/docs/config/ajp.xml 2011-11-10 22:24:17.000000000 +0000 @@ -93,6 +93,14 @@ By default, DNS lookups are enabled.

+ +

The maximum number of parameters (GET plus POST) which will be + automatically parsed by the container. A value of less than 0 means no + limit. If not specified, a default of 10000 is used. Note that + FailedRequestFilter filter can be + used to reject requests that hit the limit.

+
+

The maximum size in bytes of the POST which will be handled by the container FORM URL parameter parsing. The feature can be disabled by diff -Nru tomcat6-6.0.33/webapps/docs/config/cluster-manager.xml tomcat6-6.0.35/webapps/docs/config/cluster-manager.xml --- tomcat6-6.0.33/webapps/docs/config/cluster-manager.xml 2011-08-01 19:10:01.000000000 +0000 +++ tomcat6-6.0.35/webapps/docs/config/cluster-manager.xml 2011-09-24 16:39:29.000000000 +0000 @@ -123,6 +123,15 @@ from another node when a node is starting up. Default value is 60 seconds. + + A regular expression used to filter, which session attributes will + be replicated. An attribute will only be replicated, if its name + matches this pattern. If the pattern is not set (default), all + attributes are eligible for replication. As an example, the value + ^(userName|sessionHistory)$ will only replicate the two + session attributes named userName and + sessionHistory. + @@ -141,6 +150,11 @@ sessions where the current node is the primary node for the session are considered active sessions. + + Timeout for RPC message used for broadcast and transfer state from + another map. + Default value is 15000 milliseconds. +

diff -Nru tomcat6-6.0.33/webapps/docs/config/context.xml tomcat6-6.0.35/webapps/docs/config/context.xml --- tomcat6-6.0.33/webapps/docs/config/context.xml 2011-08-02 09:38:38.000000000 +0000 +++ tomcat6-6.0.35/webapps/docs/config/context.xml 2011-10-18 12:52:22.000000000 +0000 @@ -50,7 +50,7 @@ unpacked contents, as described in the Servlet Specification (version 2.2 or later). For more information about web application archives, you can download the - Servlet + Servlet Specification, and review the Tomcat Application Developer's Guide.

diff -Nru tomcat6-6.0.33/webapps/docs/config/filter.xml tomcat6-6.0.35/webapps/docs/config/filter.xml --- tomcat6-6.0.33/webapps/docs/config/filter.xml 2010-11-03 17:17:59.000000000 +0000 +++ tomcat6-6.0.35/webapps/docs/config/filter.xml 2011-11-10 22:24:17.000000000 +0000 @@ -112,6 +112,46 @@
+
+ + + +

This filter triggers parameters parsing in a request and rejects the + request if some parameters were skipped during parameter parsing because + of parsing errors or request size limitations (such as + maxParameterCount attribute in a + Connector). + This filter can be used to ensure that none parameter values submitted by + client are lost.

+ +

Note that parameter parsing may consume the body of an HTTP request, so + caution is needed if the servlet protected by this filter uses + request.getInputStream() or request.getReader() + calls. In general the risk of breaking a web application by adding this + filter is not so high, because parameter parsing does check content type + of the request before consuming the request body.

+ +

The request is rejected with HTTP status code 400 (Bad Request).

+ +
+ + + +

The filter class name for the Failed Request Filter is + org.apache.catalina.filters.FailedRequestFilter + .

+ +
+ + + +

The Failed Request Filter does not support any initialization parameters.

+ +
+ +
+ + diff -Nru tomcat6-6.0.33/webapps/docs/config/http.xml tomcat6-6.0.35/webapps/docs/config/http.xml --- tomcat6-6.0.33/webapps/docs/config/http.xml 2011-06-14 11:21:53.000000000 +0000 +++ tomcat6-6.0.35/webapps/docs/config/http.xml 2011-11-10 22:24:17.000000000 +0000 @@ -100,6 +100,14 @@ By default, DNS lookups are enabled.

+ +

The maximum number of parameters (GET plus POST) which will be + automatically parsed by the container. A value of less than 0 means no + limit. If not specified, a default of 10000 is used. Note that + FailedRequestFilter filter can be + used to reject requests that hit the limit.

+
+

The maximum size in bytes of the POST which will be handled by the container FORM URL parameter parsing. The limit can be disabled by @@ -291,9 +299,11 @@ -

The number of milliseconds during which the sockets used by this - Connector will linger when they are closed. - The default value is -1 (socket linger is disabled).

+

The number of seconds during which the sockets used by this + Connector will linger when they are closed. Setting this + attribute to -1 will disable connection linger. The default + value for the BIO and AJP connectors is 100. The default value for the NIO + connection is 25.

diff -Nru tomcat6-6.0.33/webapps/docs/config/listeners.xml tomcat6-6.0.35/webapps/docs/config/listeners.xml --- tomcat6-6.0.33/webapps/docs/config/listeners.xml 2011-02-02 14:48:39.000000000 +0000 +++ tomcat6-6.0.35/webapps/docs/config/listeners.xml 2011-11-11 16:52:54.000000000 +0000 @@ -65,14 +65,23 @@ - + + +
+ +

No element may be nested inside a Listener.

+ +
+ + +

Unlike most Catalina components, there are several standard Listener implementations available. As a result, the className attribute MUST be used to select the implementation you wish to use.

-

APR Lifecycle Listener (org.apache.catalina.core.AprLifecycleListener)

+

The APR Lifecycle Listener checks for the presence of the APR/native library and loads the library if it is present. For more @@ -87,11 +96,12 @@ -

Name of the SSLEngine to use. off: Do not use SSL, on: Use SSL but no - specific ENGINE. The default value is on. This initializes the +

Name of the SSLEngine to use. off: do not use SSL, + on: use SSL but no specific ENGINE.

+

The default value is on. This initializes the native SSL engine, which must be enabled in the APR/native connector by the use of the SSLEnabled attribute.

-

See the Official OpenSSL website +

See the Official OpenSSL website for more details on supported SSL hardware engines and manufacturers.

@@ -104,7 +114,9 @@ -

Jasper Listener (org.apache.catalina.core.JasperListener)

+
+ +

The Jasper Listener initializes the Jasper 2 JSP engine before any web applications that may use it are loaded. For more @@ -117,8 +129,9 @@

No additional attributes are supported by the Jasper Listener .

-

Server Lifecycle Listener - (org.apache.catalina.mbeans.ServerLifecycleListener)

+
+ +

The Server Lifecycle Listener initializes the MBeanServer for the MBeans that may be used to manage Tomcat via JMX. @@ -130,8 +143,9 @@

No additional attributes are supported by the Server Lifecycle Listener.

-

Global Resources Lifecycle Listener - (org.apache.catalina.mbeans.GlobalResourcesLifecycleListener)

+
+ +

The Global Resources Lifecycle Listener initializes the Global JNDI resources defined in server.xml as part of the No additional attributes are supported by the Global Resources Lifecycle Listener.

-

JMX Remote Lifecycle Listener - (org.apache.catalina.mbeans.JmxRemoteLifecycleListener)

+
+ +

This listener requires catalina-jmx-remote.jar to be placed in $CATALINA_HOME/lib. This jar may be found in the extras @@ -221,8 +236,9 @@ -

JRE Memory Leak Prevention Listener - (org.apache.catalina.core.JreMemoryLeakPreventionListener)

+
+ +

The JRE Memory Leak Prevention Listener provides work-arounds for known places where the Java Runtime environment uses @@ -250,6 +266,31 @@ is true.

+ +

Enables protection so that calls to + java.awt.Toolkit.getDefaultToolkit() triggered by a web + application do not result in a memory leak. + Defaults to false because an AWT thread is launched.

+
+ + +

List of comma-separated fully qualified class names to load and initialize + during the startup of this Listener. This allows to pre-load classes that are + known to provoke classloader leaks if they are loaded during a request + processing. Non-JRE classes may be referenced, like + oracle.jdbc.driver.OracleTimeoutThreadPerVM. + The default value is empty, but specific JRE classes are loaded by other leak + protection features managed by other attributes of this Listener.

+
+ + +

The first use of java.sql.DriverManager will trigger the + loading of JDBC Driver in the the current class loader. The web + application level memory leak protection can take care of this in most + cases but triggering the loading here has fewer side-effects. The + default is true.

+
+

Enables protection so that calls to sun.misc.GC.requestLatency(long) triggered by a web @@ -327,12 +368,6 @@

-
- -

No element may be nested inside a Listener.

- -
- diff -Nru tomcat6-6.0.33/webapps/docs/config/manager.xml tomcat6-6.0.35/webapps/docs/config/manager.xml --- tomcat6-6.0.33/webapps/docs/config/manager.xml 2011-01-25 12:40:38.000000000 +0000 +++ tomcat6-6.0.35/webapps/docs/config/manager.xml 2011-10-18 11:57:58.000000000 +0000 @@ -43,7 +43,9 @@

A Manager element MAY be nested inside a Context component. If it is not included, a default Manager configuration will be created automatically, which - is sufficient for most requirements.

+ is sufficient for most requirements, — see + Standard Manager Implementation below for the details + of this configuration.

@@ -85,7 +87,7 @@

Tomcat provides two standard implementations of Manager - for use - the default one stores active sessions, while the optional one + for use — the default one stores active sessions, while the optional one stores active sessions that have been swapped out (in addition to saving sessions across a restart of Tomcat) in a storage location that is selected via the use of an appropriate Store nested element.

@@ -135,8 +137,9 @@

Absolute or relative (to the work directory for this Context) pathname of the file in which session state will be preserved across application restarts, if possible. The default is - "SESSIONS.ser". See Restart - Persistence for more information. Restart persistence may be + "SESSIONS.ser".
See + Persistence Across Restarts + for more information. This persistence may be disabled by setting this attribute to an empty string.

@@ -458,9 +461,9 @@
- + -

Whenever Catalina is shut down normally and restarted, or when an +

Whenever Apache Tomcat is shut down normally and restarted, or when an application reload is triggered, the standard Manager implementation will attempt to serialize all currently active sessions to a disk file located via the pathname attribute. All such saved @@ -475,6 +478,17 @@ + + +

As documented above, every web application by default has + standard manager implementation configured, and it performs session + persistence across restarts. To disable this persistence feature, create + a Context configuration file for your web + application and add the following element there:

+ + <Manager pathname="" /> +
+
diff -Nru tomcat6-6.0.33/webapps/docs/config/valve.xml tomcat6-6.0.35/webapps/docs/config/valve.xml --- tomcat6-6.0.33/webapps/docs/config/valve.xml 2011-08-16 10:11:43.000000000 +0000 +++ tomcat6-6.0.35/webapps/docs/config/valve.xml 2011-11-22 18:17:22.000000000 +0000 @@ -208,7 +208,9 @@

There is also support to write information from the cookie, incoming header, the Session or something else in the ServletRequest. - It is modeled after the apache syntax: + It is modeled after the + Apache HTTP Server log configuration + syntax:

-

The shorthand pattern name common (which is also the diff -Nru tomcat6-6.0.33/webapps/docs/index.xml tomcat6-6.0.35/webapps/docs/index.xml --- tomcat6-6.0.33/webapps/docs/index.xml 2011-02-17 23:08:43.000000000 +0000 +++ tomcat6-6.0.35/webapps/docs/index.xml 2011-10-18 12:52:22.000000000 +0000 @@ -60,8 +60,8 @@ Apache Tomcat on a variety of platforms.

  • First web application - An introduction to the concepts of a web application as defined - in the Servlet - 2.4 Specification. Covers basic organization of your web application + in the Servlet + 2.5 Specification. Covers basic organization of your web application source tree, the structure of a web application archive, and an introduction to the web application deployment descriptor (/WEB-INF/web.xml).
  • @@ -69,7 +69,7 @@ Operating the Apache Tomcat Deployer to deploy, precompile, and validate web applications.
  • Manager - - Operating the Manager web app to deploy, undeploy, and + Operating the Manager web app to deploy, undeploy, and redeploy applications while Apache Tomcat is running.
  • Realms and Access Control - Description of how to configure Realms (databases of users, diff -Nru tomcat6-6.0.33/webapps/docs/introduction.xml tomcat6-6.0.35/webapps/docs/introduction.xml --- tomcat6-6.0.33/webapps/docs/introduction.xml 2010-03-03 13:14:01.000000000 +0000 +++ tomcat6-6.0.35/webapps/docs/introduction.xml 2011-10-18 12:52:22.000000000 +0000 @@ -46,10 +46,10 @@
    -

    In the course of reading these documents, you'll run across a number of +

    In the course of reading these documents, you will run across a number of terms; some specific to Tomcat, and others defined by the -Servlet or -JSP specifications.

    +Servlet and +JSP specifications.

    • Context - In a nutshell, a Context is a diff -Nru tomcat6-6.0.33/webapps/docs/jasper-howto.xml tomcat6-6.0.35/webapps/docs/jasper-howto.xml --- tomcat6-6.0.33/webapps/docs/jasper-howto.xml 2010-09-22 14:33:25.000000000 +0000 +++ tomcat6-6.0.35/webapps/docs/jasper-howto.xml 2011-10-18 12:52:22.000000000 +0000 @@ -37,7 +37,7 @@

      Tomcat 6.0 uses the Jasper 2 JSP Engine to implement -the JavaServer Pages 2.0 +the JavaServer Pages 2.1 specification.

      Jasper 2 has been redesigned to significantly improve performance over diff -Nru tomcat6-6.0.33/webapps/docs/jndi-datasource-examples-howto.xml tomcat6-6.0.35/webapps/docs/jndi-datasource-examples-howto.xml --- tomcat6-6.0.33/webapps/docs/jndi-datasource-examples-howto.xml 2011-08-02 09:22:35.000000000 +0000 +++ tomcat6-6.0.35/webapps/docs/jndi-datasource-examples-howto.xml 2011-10-19 12:26:46.000000000 +0000 @@ -66,81 +66,129 @@

      -
      +
      -

      DBCP provides support for JDBC 2.0. On systems using a 1.4 JVM DBCP -will support JDBC 3.0. Please let us know if you have used DBCP and its -JDBC 3.0 features with a 1.4 JVM. +

      java.sql.DriverManager supports the +service +provider mechanism. This feature is that all the available JDBC drivers +that announce themselves by providing a META-INF/services/java.sql.Driver +file are automatically discovered, loaded and registered, +relieving you from the need to load the database driver explicitly before +you create a JDBC connection. +However, the implementation is fundamentally broken in all Java versions for +a servlet container environment. The problem is that +java.sql.DriverManager will scan for the drivers only once.

      + +

      The JRE Memory Leak Prevention Listener +that is included with Apache Tomcat solves this by triggering the drivers scan +during Tomcat startup. This is enabled by default. It means that only +libraries visible to the listener such as the ones in +$CATALINA_BASE/lib will be scanned for database drivers. +If you are considering disabling this feature, note that +the scan would be triggered by the first web application that is +using JDBC, leading to failures when this web application is reloaded +and for other web applications that rely on this feature. +

      + +

      Thus, the web applications that have database drivers in their +WEB-INF/lib directory cannot rely on the service provider +mechanism and should register the drivers explicitly.

      + +

      The list of drivers in java.sql.DriverManager is also +a known source of memory leaks. Any Drivers registered +by a web application must be deregistered when the web application stops. +Tomcat will attempt to automatically discover and deregister any +JDBC drivers loaded by the web application class loader when the web +application stops. +However, it is expected that applications do this for themselves via +a ServletContextListener.

      -

      See the -DBCP documentation for a complete list of configuration parameters. +

      + +
      + +

      The default database connection pool implementation in Apache Tomcat +relies on the libraries from the +Apache Commons project. +The following libraries are used:

      - -

      DBCP uses the Commons Database Connection Pool. It relies on -number of Commons components:

      • Commons DBCP
      • Commons Pool
      + +

      These libraries are located in a single JAR at $CATALINA_HOME/lib/tomcat-dbcp.jar. However, only the classes needed for connection pooling have been included, and the packages have been renamed to avoid interfering with applications.

      +

      DBCP 1.3 provides support for JDBC 3.0.

      + + + +

      See the +DBCP documentation for a complete list of configuration parameters. +

      +
      - +

      A database connection pool creates and manages a pool of connections to a database. Recycling and reusing already existing connections -to a dB is more efficient than opening a new connection. +to a database is more efficient than opening a new connection.

      There is one problem with connection pooling. A web application has to explicitly close ResultSet's, Statement's, and Connection's. Failure of a web application to close these resources can result in -them never being available again for reuse, a db connection pool "leak". -This can eventually result in your web application db connections failing +them never being available again for reuse, a database connection pool "leak". +This can eventually result in your web application database connections failing if there are no more available connections.

      -There is a solution to this problem. Commons DBCP can be -configured to track and recover these abandoned dB connections. Not +There is a solution to this problem. The Apache Commons DBCP can be +configured to track and recover these abandoned database connections. Not only can it recover them, but also generate a stack trace for the code which opened these resources and never closed them.

      -To configure a DBCP DataSource so that abandoned dB connections are +To configure a DBCP DataSource so that abandoned database connections are removed and recycled add the following attribute to the Resource configuration for your DBCP DataSource: - - removeAbandoned="true" - -When available db connections run low DBCP will recover and recycle -any abandoned dB connections it finds. The default is false. +

      + +removeAbandoned="true" + +

      +When available database connections run low DBCP will recover and recycle +any abandoned database connections it finds. The default is false.

      Use the removeAbandonedTimeout attribute to set the number -of seconds a dB connection has been idle before it is considered abandoned. - - removeAbandonedTimeout="60" - +of seconds a database connection has been idle before it is considered abandoned. +

      + +removeAbandonedTimeout="60" + +

      The default timeout for removing abandoned connections is 300 seconds.

      The logAbandoned attribute can be set to true if you want DBCP to log a stack trace of the code which abandoned the -dB connection resources. - - logAbandoned="true" - +database connection resources. +

      +logAbandoned="true" +

      The default is false.
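Review bot: The new DriverManager paragraphs end with "it is expected that applications do this for themselves via a ServletContextListener", but the hunk gives neither an example nor a cross-reference, so the one action the reader is asked to take is left unspecified. Suggest adding a short sample (a contextDestroyed() that calls DriverManager.deregisterDriver() for the drivers loaded by the web application class loader) or a link to where this is documented. The same paragraphs say "If you are considering disabling this feature" without saying how the listener's driver scan is disabled. Wording nit in the first added paragraph: "This feature is that all the available JDBC drivers ..." would read better as "With this feature, all available JDBC drivers that ... are automatically discovered".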

      @@ -149,13 +197,14 @@

      0. Introduction

      -

      Versions of MySQL and JDBC drivers that have been reported to work: +

      Versions of MySQL and JDBC +drivers that have been reported to work: +

      • MySQL 3.23.47, MySQL 3.23.47 using InnoDB,, MySQL 3.23.58, MySQL 4.0.1alpha
      • Connector/J 3.0.11-stable (the official JDBC Driver)
      • mm.mysql 2.0.14 (an old 3rd party JDBC Driver)
      -

      Before you proceed, don't forget to copy the JDBC Driver's jar into $CATALINA_HOME/lib.
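Review bot: The list under the re-wrapped introduction still carries a doubled comma in the context line "MySQL 3.23.47 using InnoDB,, MySQL 3.23.58"; fix it in this hunk while the paragraph is being touched.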

      @@ -167,6 +216,7 @@

      Create a new test user, a new database and a single test table. Your MySQL user must have a password assigned. The driver will fail if you try to connect with an empty password. +

      mysql> GRANT ALL PRIVILEGES ON *.* TO javauser@localhost -> IDENTIFIED BY 'javadude' WITH GRANT OPTION; @@ -181,9 +231,9 @@ Note: the above user should be removed once testing is complete! -

      Next insert some test data into the testdata table. +

      mysql> insert into testdata values(null, 'hello', 12345); Query OK, 1 row affected (0.00 sec) @@ -198,39 +248,37 @@ mysql> -

      2. Context configuration

      Configure the JNDI DataSource in Tomcat by adding a declaration for your resource to your Context.

      -

      For example: - +

      For example:

      <Context> - <!-- maxActive: Maximum number of dB connections in pool. Make sure you + <!-- maxActive: Maximum number of database connections in pool. Make sure you configure your mysqld max_connections large enough to handle all of your db connections. Set to -1 for no limit. --> - <!-- maxIdle: Maximum number of idle dB connections to retain in pool. + <!-- maxIdle: Maximum number of idle database connections to retain in pool. Set to -1 for no limit. See also the DBCP documentation on this and the minEvictableIdleTimeMillis configuration parameter. --> - <!-- maxWait: Maximum time to wait for a dB connection to become available + <!-- maxWait: Maximum time to wait for a database connection to become available in ms, in this example 10 seconds. An Exception is thrown if this timeout is exceeded. Set to -1 to wait indefinitely. --> - <!-- username and password: MySQL dB username and password for dB connections --> + <!-- username and password: MySQL username and password for database connections --> <!-- driverClassName: Class name for the old mm.mysql JDBC driver is org.gjt.mm.mysql.Driver - we recommend using Connector/J though. Class name for the official MySQL Connector/J driver is com.mysql.jdbc.Driver. --> - <!-- url: The JDBC connection url for connecting to your MySQL dB. + <!-- url: The JDBC connection url for connecting to your MySQL database. --> <Resource name="jdbc/TestDB" auth="Container" type="javax.sql.DataSource" @@ -240,11 +288,10 @@ </Context> -

      3. web.xml configuration

      -

      Now create a WEB-INF/web.xml for this test application. +

      Now create a WEB-INF/web.xml for this test application.

      <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" @@ -260,7 +307,6 @@ </resource-ref> </web-app> -

      4. Test code

      Now create a simple test.jsp page for use later. @@ -290,7 +336,12 @@

      -

      That JSP page makes use of JSTL's SQL and Core taglibs. You can get it from Sun's Java Web Services Developer Pack or Jakarta Taglib Standard 1.1 project - just make sure you get a 1.1.x release. Once you have JSTL, copy jstl.jar and standard.jar to your web app's WEB-INF/lib directory. +

      That JSP page makes use of JSTL's +SQL and Core taglibs. You can get it from +Apache Tomcat Taglibs - Standard Tag Library +project — just make sure you get a 1.1.x release. Once you have JSTL, +copy jstl.jar and standard.jar to your web app's +WEB-INF/lib directory.

      @@ -330,6 +381,7 @@ user scott.

      Use of the OCI driver should simply involve a changing thin to oci in the URL string. +

      <Resource name="jdbc/myoracle" auth="Container" type="javax.sql.DataSource" driverClassName="oracle.jdbc.OracleDriver" @@ -337,7 +389,6 @@ username="scott" password="tiger" maxActive="20" maxIdle="10" maxWait="-1"/> -

      2. web.xml configuration

      You should ensure that you respect the element ordering defined by the DTD when you @@ -533,13 +584,13 @@

      Here are some common problems encountered with a web application which uses a database and tips for how to solve them.

      - +

      Tomcat runs within a JVM. The JVM periodically performs garbage collection (GC) to remove java objects which are no longer being used. When the JVM performs GC execution of code within Tomcat freezes. If the maximum time -configured for establishment of a dB connection is less than the amount -of time garbage collection took you can get a db conneciton failure. +configured for establishment of a database connection is less than the amount +of time garbage collection took you can get a database connection failure.

      To collect data on how long garbage collection is taking add the @@ -565,6 +616,7 @@ it doesn't close the connection. And Tomcat uses multiple threads to handle concurrent requests. Here is an example of the sequence of events which could cause this error in Tomcat: +

         Request 1 running in Thread 1 gets a db connection.
       
      @@ -584,8 +636,10 @@
         Request 2 Thread 2 tries to use the db connection but fails
         because Request 1 closed it.
       
      -Here is an example of properly written code to use a db connection +

      +Here is an example of properly written code to use a database connection obtained from a connection pool: +

         Connection conn = null;
         Statement stmt = null;  // Or PreparedStatement if needed
      @@ -620,7 +674,6 @@
           }
         }
       
      -
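Review bot: In the MySQL setup block touched by the @@ -167,6 +216,7 @@ hunk, the sample statement "GRANT ALL PRIVILEGES ON *.* TO javauser@localhost ... WITH GRANT OPTION" gives a throwaway test account global privileges plus the right to pass them on, and the only safeguard is the note that the user "should be removed once testing is complete". Since the patch is already editing this block, suggest limiting the grant to the test database and dropping WITH GRANT OPTION, so that a copied example leaves less behind if the cleanup step is forgotten.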

      diff -Nru tomcat6-6.0.33/webapps/docs/jndi-resources-howto.xml tomcat6-6.0.35/webapps/docs/jndi-resources-howto.xml --- tomcat6-6.0.33/webapps/docs/jndi-resources-howto.xml 2011-01-03 15:18:16.000000000 +0000 +++ tomcat6-6.0.35/webapps/docs/jndi-resources-howto.xml 2011-10-18 12:52:22.000000000 +0000 @@ -282,7 +282,7 @@

      WARNING - Be sure you respect the element ordering that is required by the DTD for web application deployment descriptors! See the - Servlet + Servlet Specification for details.

      3. Code Your Application's Use Of This Resource

      @@ -444,7 +444,7 @@

      WARNING - Be sure you respect the element ordering that is required by the DTD for web application deployment descriptors! See the - Servlet + Servlet Specification for details.

      2. Code Your Application's Use Of This Resource

      @@ -604,7 +604,7 @@

      WARNING - Be sure you respect the element ordering that is required by the DTD for web application deployment descriptors! See the - Servlet + Servlet Specification for details.

      3. Code Your Application's Use Of This Resource

      @@ -906,7 +906,7 @@

      WARNING - Be sure you respect the element ordering that is required by the DTD for web application deployment descriptors! See the - Servlet + Servlet Specification for details.

      3. Code Your Application's Use Of This Resource

      diff -Nru tomcat6-6.0.33/webapps/docs/logging.xml tomcat6-6.0.35/webapps/docs/logging.xml --- tomcat6-6.0.33/webapps/docs/logging.xml 2011-08-03 23:29:41.000000000 +0000 +++ tomcat6-6.0.35/webapps/docs/logging.xml 2011-10-26 14:38:55.000000000 +0000 @@ -490,11 +490,11 @@
    • If you want to configure Tomcat to use log4j globally:

        -
      • Put log4j.jar into $CATALINA_HOME/lib.
      • +
      • Put log4j.jar and + tomcat-juli-adapters.jar from "extras" into + $CATALINA_HOME/lib.
      • Replace $CATALINA_HOME/bin/tomcat-juli.jar with tomcat-juli.jar from "extras".
      • -
      • Put tomcat-juli-adapters.jar from "extras" into - $CATALINA_HOME/lib
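Review bot: The merged list item "Put log4j.jar and tomcat-juli-adapters.jar from "extras" into $CATALINA_HOME/lib" now reads as if log4j.jar also ships in "extras"; the removed lines tied only tomcat-juli-adapters.jar to "extras". Suggest either keeping two items or punctuating it as "Put log4j.jar, and tomcat-juli-adapters.jar from "extras", into ...". The $CATALINA_BASE item in the following hunk has the same ambiguity and, unlike this one, is missing its trailing period.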
    • @@ -505,11 +505,11 @@
    • Create $CATALINA_BASE/bin and $CATALINA_BASE/lib directories if they do not exist.
    • -
    • Put log4j.jar into $CATALINA_BASE/lib
    • +
    • Put log4j.jar and + tomcat-juli-adapters.jar from "extras" into + $CATALINA_BASE/lib
    • Put tomcat-juli.jar from "extras" as $CATALINA_BASE/bin/tomcat-juli.jar
    • -
    • Put tomcat-juli-adapters.jar from "extras" into - $CATALINA_BASE/lib
    • If you are running with a security manager, you would need to edit the diff -Nru tomcat6-6.0.33/webapps/docs/manager-howto.xml tomcat6-6.0.35/webapps/docs/manager-howto.xml --- tomcat6-6.0.33/webapps/docs/manager-howto.xml 2011-08-02 09:22:35.000000000 +0000 +++ tomcat6-6.0.35/webapps/docs/manager-howto.xml 2011-10-02 19:53:25.000000000 +0000 @@ -80,7 +80,7 @@

      If you have Tomcat configured to support multiple virtual hosts (websites) you would need to configure a Manager for each.

      -

      There are three ways to use the Manager web application.

      +

      There are three ways to use the Manager web application.

      • As an application with a user interface you use in your browser. Here is an example URL where you can replace localhost with diff -Nru tomcat6-6.0.33/webapps/docs/realm-howto.xml tomcat6-6.0.35/webapps/docs/realm-howto.xml --- tomcat6-6.0.33/webapps/docs/realm-howto.xml 2011-05-04 11:18:09.000000000 +0000 +++ tomcat6-6.0.35/webapps/docs/realm-howto.xml 2011-10-18 12:52:22.000000000 +0000 @@ -47,7 +47,7 @@ safely skip this document.

        For fundamental background information about container managed security, -see the Servlet +see the Servlet Specification (Version 2.4), Section 12.

        For information about utilizing the Single Sign On feature of @@ -905,7 +905,7 @@ document (by default, this document is loaded from $CATALINA_BASE/conf/tomcat-users.xml). The users, their passwords and their roles may all be editing dynamically, typically via JMX. Changes may -be saved and will be reflected in the XMl file.

        +be saved and will be reflected in the XML file.

        Realm Element Attributes
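Review bot: The context line directly above the corrected one still reads "may all be editing dynamically". This hunk is already a typo fix in the same paragraph (XMl to XML), so change "editing" to "edited" here as well.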

        diff -Nru tomcat6-6.0.33/webapps/docs/setup.xml tomcat6-6.0.35/webapps/docs/setup.xml --- tomcat6-6.0.33/webapps/docs/setup.xml 2011-06-15 13:16:06.000000000 +0000 +++ tomcat6-6.0.35/webapps/docs/setup.xml 2011-10-20 17:38:17.000000000 +0000 @@ -55,24 +55,27 @@

        • Installation as a service: Tomcat will be - installed as a Windows - NT/2k/XP service no matter what setting is selected. Using the - checkbox on the component page sets the service as "auto" + installed as a Windows service no matter what setting is selected. + Using the checkbox on the component page sets the service as "auto" startup, so that Tomcat is automatically started when Windows starts. For optimal security, the service should be run as a separate user, with reduced permissions (see the Windows Services administration tool and its documentation).
        • -
        • Java location: The installer will use the registry - or the JAVA_HOME environment variable to determine the base path - of a J2SE 5 JRE. -
        • +
        • Java location: The installer will provide a default + JRE to use to run the service. The installer uses the registry to + determine the base path of a Java 5 or later JRE, including the JRE + installed as part of the full JDK. When running on a 64-bit + operating system, the installer will first look for a 64-bit JRE and + only look for a 32-bit JRE if a 64-bit JRE is not found. It is not + mandatory to use the default JRE detected by the installer. Any + installed Java 5 or later JRE (32-bit or 64-bit) may be used.
        • Tray icon: When Tomcat is run as a service, there will not be any tray icon present when Tomcat is running. Note that when choosing to run Tomcat at the end of installation, the tray icon will be used even if Tomcat was installed as a service.
        • Refer to the Windows Service HOW-TO - for information on how to manage Tomcat as Windows NT service. + for information on how to manage Tomcat as a Windows service.
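Review bot: The rewritten "Java location" item silently drops JAVA_HOME: the removed text said the installer uses "the registry or the JAVA_HOME environment variable", while the new text names only the registry. If the installer no longer consults JAVA_HOME, state that explicitly, because administrators who pin the JRE through that variable would otherwise end up running the service on a different one without noticing; if it still does, keep the mention. The item also says any installed JRE "may be used" without saying where in the installer the default is overridden.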

        diff -Nru tomcat6-6.0.33/webapps/docs/tomcat-docs.xsl tomcat6-6.0.35/webapps/docs/tomcat-docs.xsl --- tomcat6-6.0.33/webapps/docs/tomcat-docs.xsl 2011-01-03 14:07:14.000000000 +0000 +++ tomcat6-6.0.35/webapps/docs/tomcat-docs.xsl 2011-10-14 16:07:51.000000000 +0000 @@ -17,7 +17,7 @@ --> - + @@ -36,6 +36,9 @@ + + + @@ -61,7 +64,7 @@ select="document('project.xml')/project"/> - <xsl:value-of select="project/title"/> - <xsl:value-of select="properties/title"/> + <xsl:value-of select="project/title"/> (<xsl:value-of select="$version"/>) - <xsl:value-of select="properties/title"/> @@ -107,6 +110,7 @@

        + Version , APACHE LOGO @@ -155,7 +159,7 @@ PAGE FOOTER
        - Copyright © 1999-2011, Apache Software Foundation + Copyright © 1999-, Apache Software Foundation