Bug report for Tomcat Connectors [2011/08/21]
+---+ | Bugzilla Bug ID | | +-+ | | Status: UNC=Unconfirmed NEW=New ASS=Assigned| | | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) | | | +-+ | | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major | | | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial | | | | +-+ | | | | Date Posted | | | | | +--+ | | | | | Description | | | | | | | |34526|Opn|Nor|2005-04-19|Truncated content in decompressed requests from mo| |35959|Opn|Enh|2005-08-01|mod_jk not independant of UseCanonicalName| |39967|Inf|Nor|2006-07-05|mod_jk gives segmentation fault when apache is sta| |40208|Inf|Nor|2006-08-08|Request-Dump when ErrorDocument in httpd.conf is a| |42366|Inf|Nor|2007-05-09|Memory leak in newer mod_jk version when connectio| |43303|New|Enh|2007-09-04|Versioning under Windows not reported by many conn| |43968|New|Enh|2007-11-26|[patch] support ipv6 with mod_jk | |44290|New|Nor|2008-01-24|mod_jk/1.2.26: retry is not useful for an importan| |44349|New|Maj|2008-02-04|mod_jk/1.2.26 module does not read worker.status.s| |44379|New|Enh|2008-02-07|convert the output of strftime into UTF-8 | |44454|New|Nor|2008-02-19|busy count reported in mod_jk inflated, causes inc| |44571|New|Enh|2008-03-10|Limits busy per worker to a threshold | |45063|New|Nor|2008-05-22|JK-1.2.26 IIS ISAPI filter issue when running diff| |45313|New|Nor|2008-06-30|mod_jk 1.2.26 & apache 2.2.9 static compiled on so| |45395|New|Min|2008-07-14|MsgAjp dump method does not dump packet when being| |46337|New|Nor|2008-12-04|real worker name is wrong | |46406|New|Enh|2008-12-16|Supporting relative paths in isapi_redirect.proper| |46676|New|Enh|2009-02-09|Configurable test request for Watchdog thread | |46767|New|Enh|2009-02-25|mod_jk to send DECLINED in case no fail-over tomca| |47038|New|Enh|2009-04-15|USE_FLOCK_LK redefined compiler warning when using| |47327|New|Enh|2009-06-07|remote_user not logged in apache logfile | |47617|New|Enh|2009-07-31|include time spent doing ajp_get_endpoint() in err| |47678|New|Cri|2009-08-11|Unable to allocate shared memory when using isapi_| |47714|New|Cri|2009-08-20|Reponse mixed between users | |47750|New|Maj|2009-08-27|Loss of worker settings when changing via jkstatus| |47795|New|Maj|2009-09-07|service sticky_session not being set correctly wit| |47840|Inf|Min|2009-09-14|A broken worker name is written in the log file. | |48191|New|Maj|2009-11-13|Problem with mod_jk 1.2.28 - Can not render up the| |48460|New|Nor|2009-12-30|mod_proxy_ajp document has three misleading portio| |48490|New|Nor|2010-01-05|Changing a node to stopped in uriworkermap.propert| |48513|New|Enh|2010-01-09|IIS Quick setup instructions | |48564|New|Nor|2010-01-18|Unable to turn off retries for LB worker | |48830|New|Nor|2010-03-01|IIS shutdown blocked in endpoint service when serv| |48891|Opn|Enh|2010-03-11|Missing EOL-style settings in tomcat/jk/trunk | |49035|New|Maj|2010-04-01|data lost when post a multipart/form-data form| |49048|New|Nor|2010-04-05|ACL not applied to redirect URLs | |49063|New|Enh|2010-04-07|Please add JkStripSession status in jk-status work| |49135|New|Enh|2010-04-16|SPDY Connector for The Tomcat | |49413|Opn|Reg|2010-06-09|Apache Mod_jk 1.2.30 is shutting down communicatio| |49469|New|Enh|2010-06-19|Workers status page has negative number of connect| |49732|Opn|Nor|2010-08-10|reply_timeout can't wait forever. | |49822|New|Enh|2010-08-25|Add hash lb worker method | |49903|New|Enh|2010-09-09|Make workers file reloadable | |50186|New|Nor|2010-10-31|Wrong documentation of connection_pool_timeout / c| |50233|New|Cri|2010-11-08|support long URLs (more than 2048)| |50385|New|Trv|2010-11-30|There's a Spanish Inquisition error in the documen| |50511|Inf|Nor|2010-12-22|WARNING about Internal Dummy Connection of Apache | |50694|New|Nor|2011-01-31|ModJK NSAPI inserted headers case sensitivity issu| |51235|Inf|Maj|2011-05-20|Access Violation in httpd.exe originating in mod_j| |51253|New|Nor|2011-05-24|use_server_errors for status 401 does not forward | |51261|New|Nor|2011-05-25|JK cannt support ipv6 | |51326|
Bug report for Taglibs [2011/08/21]
+---+ | Bugzilla Bug ID | | +-+ | | Status: UNC=Unconfirmed NEW=New ASS=Assigned| | | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) | | | +-+ | | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major | | | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial | | | | +-+ | | | | Date Posted | | | | | +--+ | | | | | Description | | | | | | | |38193|Ass|Enh|2006-01-09|[RDC] BuiltIn Grammar support for Field | |38600|Ass|Enh|2006-02-10|[RDC] Enable RDCs to be used in X+V markup (X+RDC)| |42413|New|Enh|2007-05-14|[PATCH] Log Taglib enhancements | |46052|New|Nor|2008-10-21|SetLocaleSupport is slow to initialize when many l| |48333|New|Enh|2009-12-02|TLD generator | |50825|New|Nor|2011-02-24|Site still has links to Jakarta for mailing lists | |51234|New|Nor|2011-05-20|NumberFormatException in fmt:formatNumber tag | |51382|New|Maj|2011-06-15|Link to download pages are broken | +-+---+---+--+--+ | Total8 bugs | +---+ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Bug report for Tomcat 7 [2011/08/21]
+---+ | Bugzilla Bug ID | | +-+ | | Status: UNC=Unconfirmed NEW=New ASS=Assigned| | | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) | | | +-+ | | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major | | | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial | | | | +-+ | | | | Date Posted | | | | | +--+ | | | | | Description | | | | | | | |10021|New|Enh|2002-06-19|Include upgrade option in installer | |16579|New|Enh|2003-01-30|documentation page layout/style breaks wrapping to| |18500|New|Enh|2003-03-30|Host aliases to match by regular expression | |48358|Opn|Enh|2009-12-09|JSP-unloading reloaded| |48550|Inf|Enh|2010-01-14|Update examples and default server.xml to use UTF-| |48892|New|Enh|2010-03-11|Use URIEncoding from server.xml for decoding post | |49290|New|Enh|2010-05-14|Using a JarScanner with scanAllDirectories=true ca| |49395|New|Enh|2010-06-06|manager.findLeaks : display the date when the leak| |49589|New|Enh|2010-07-12|Tag handlers with constant attribute values are al| |49683|New|Enh|2010-08-01|Separate keep-alive and connection timeout with AP| |49785|New|Enh|2010-08-19|Enabling TLS for JNDIRealm| |49821|New|Enh|2010-08-25|Tomcat CLI| |50019|New|Enh|2010-09-28|Adding JNDI "lookup-name" support In XML and Resou| |50175|New|Enh|2010-10-28|Enhance memory leak detection by selectively apply| |50234|New|Enh|2010-11-08|JspC use servlet 3.0 features | |50504|New|Enh|2010-12-21|Allow setting query string character set trough re| |50570|New|Enh|2011-01-11|Allow explicit use of FIPS mode in APR lifecycle l| |50670|New|Enh|2011-01-27|Tribes | RpcChannel | Add option to specify extern| |50923|New|Enh|2011-03-13|Difficult to pick out valid values from config des| |51181|New|Enh|2011-05-10|Add support for Web Sockets | |51195|New|Enh|2011-05-13|"Find leaks" reports a false positive memory/class| |51334|New|Enh|2011-06-07|Web SSO support based on WS-Federation Passive Req| |51408|Opn|Enh|2011-06-21|String.getBytes() and new String(byte[]) use defau| |51423|Inf|Enh|2011-06-23|[Patch] to add a path and a version parameters to | |51463|New|Enh|2011-07-01|Tomcat.setBaseDir (package org.apache.catalina.st| |51496|New|Enh|2011-07-11|NSIS - Warn that duplicate service name will resul| |51497|New|Enh|2011-07-11|Use canonical IPv6 text representation in logs| |51500|New|Enh|2011-07-12|NSIS - Allow configuration of more service propert| |51526|New|Enh|2011-07-18|Process web application context config with embedd| |51580|Opn|Enh|2011-07-28|Severe error deploying WAR application (ExpandWar | |51587|New|Enh|2011-07-29|Implement status and uptime commands | |51682|Inf|Nor|2011-08-18|j_spring_security_check action is not available | |51698|New|Nor|2011-08-20|ajp CPing/Forward-Request packet forgery, is a des| +-+---+---+--+--+ | Total 33 bugs | +---+ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Bug report for Tomcat 6 [2011/08/21]
+---+ | Bugzilla Bug ID | | +-+ | | Status: UNC=Unconfirmed NEW=New ASS=Assigned| | | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) | | | +-+ | | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major | | | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial | | | | +-+ | | | | Date Posted | | | | | +--+ | | | | | Description | | | | | | | |41679|New|Enh|2007-02-22|SemaphoreValve should be able to filter on url pat| |41883|Ass|Enh|2007-03-18|use abstract wrapper instead of plain X509Certific| |43001|New|Enh|2007-07-30|JspC lacks setMappedFile and setDie for use in Ant| |43400|New|Enh|2007-09-14|enum support for tag libs | |43548|Opn|Enh|2007-10-04|xml schema for tomcat-users.xml | |43682|New|Enh|2007-10-23|JULI: web-inf/classes/logging.properties to suppor| |43742|New|Enh|2007-10-30|.tag compiles performed one at a time -- extremel| |43979|New|Enh|2007-11-27|Add abstraction for Java and Classfile output | |44199|New|Enh|2008-01-10|expose current backlog queue size | |44225|New|Enh|2008-01-14|SSL connector tries to load the private keystore f| |44264|New|Enh|2008-01-18|Clustering - Support for disabling multicasting an| |44284|New|Enh|2008-01-23|Support java.lang.Iterable in c:forEach tag | |44294|New|Enh|2008-01-25|Support for EL functions with varargs | |44312|New|Enh|2008-01-28|Warn when overwritting docBase of the default Host| |44645|New|Enh|2008-03-20|[Patch] JNDIRealm - Doesn't support JNDI "java.nam| |44787|New|Enh|2008-04-09|provide more error context on "java.lang.IllegalSt| |44818|New|Enh|2008-04-13|tomcat hangs with GET when content-length is defin| |45014|New|Enh|2008-05-15|Request and Response classes should have wrappers | |45282|New|Enh|2008-06-25|NioReceiver doesn't close cleanly, leaving sockets| |45283|Opn|Enh|2008-06-25|Provide a JSR196 implementation | |45428|New|Enh|2008-07-18|warn if the tomcat stop doesn't complete | |45832|New|Enh|2008-09-18|add DIGEST authentication support to Ant tasks| |45871|New|Enh|2008-09-23|Support for salted and digested patches in DataSou| |45878|New|Enh|2008-09-24|Generated jars do not contain proper manifests or | |45879|Opn|Enh|2008-09-24|Windows installer fails to install NOTICE and RELE| |45931|Opn|Enh|2008-10-01|trimSpaces incorrectly modifies output| |45995|New|Enh|2008-10-13|RFE - MIME type extension not case sensitive | |46173|New|Enh|2008-11-09|Small patch for manager app: Setting an optional c| |46263|New|Enh|2008-11-21|Tomcat reloading of context does not update contex| |46264|New|Enh|2008-11-21|Shutting down tomcat with large number of contexts| |46284|New|Enh|2008-11-24|Add flag to DeltaManager that blocks processing cl| |46350|New|Enh|2008-12-05|Maven repository should contain source bundles| |46497|New|Enh|2009-01-08|Install Tomcat Deployer/ANT on Windows Platform | |46655|New|Enh|2009-02-03|keystore's password handler | |46727|New|Enh|2009-02-17|DefaultServlet - serving multiple encodings | |46902|New|Enh|2009-03-24|LoginValve to bypass restrictions of j_security_ch| |47214|New|Enh|2009-05-17|Inner classes that are explicitly referenced - sho| |47230|New|Enh|2009-05-21|Include sample cert attributes for SSL connectors | |47242|New|Enh|2009-05-22|request for AJP command line client | |47281|New|Enh|2009-05-28|Efficiency of the JDBCStore | |47407|New|Enh|2009-06-23|HttpSessionListener doesn't operate in the session| |47467|New|Enh|2009-07-02|Deployment of the war file by URL when contextpath| |47785|Opn|Enh|2009-09-04|Cluster MBean not registered | |47834|New|Enh|2009-09-14|TldConfig throws Exception when exploring unpacked| |47919|New|Enh|2009-09-30|Log Tomcat & Java environment variables in additio| |48543|New|Enh|2010-01-14|[Patch] More flexibility in specifying -Dcatalina.| |48600|Opn|Enh|2010-01-22|Performance issue with tags | |48672|New|Enh|2010-02-03|Tomcat Virtual Host Manager (/host-manager) have b| |48674|New|Enh|2010-02-03|Tomcat Virtual Host Manager application doesn't pe| |48743|New|Enh|2010-02-15|Make the SLEEP variable in catalina.sh settable fr| |48899|New|Enh|2010-03-12|Guess URI charset should solve lot of problems| |48922|
Bug report for Tomcat 5 [2011/08/21]
+---+ | Bugzilla Bug ID | | +-+ | | Status: UNC=Unconfirmed NEW=New ASS=Assigned| | | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) | | | +-+ | | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major | | | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial | | | | +-+ | | | | Date Posted | | | | | +--+ | | | | | Description | | | | | | | |28039|Opn|Enh|2004-03-30|Cluster Support for SingleSignOn | |33262|Opn|Enh|2005-01-27|Service Manager autostart should check for adminis| |38216|Inf|Enh|2006-01-10|Extend Jmxproxy to allow call of MBean Operations | |40510|New|Enh|2006-09-14|installer does not create shortcuts for all users | |40728|New|Enh|2006-10-11|Catalina MBeans use non-serializable classes | |40766|New|Enh|2006-10-16|Using an unsecure jsessionid with mod_proxy_ajp ov| |40881|Opn|Enh|2006-11-02|Unable to receive message through TCP channel -> | |41007|Opn|Enh|2006-11-20|Can't define customized 503 error page| |41227|Opn|Enh|2006-12-21|When the jasper compiler fails to compile a JSP, i| |41697|Ver|Enh|2007-02-25|make visible in debug output if charset from brows| |43866|New|Enh|2007-11-14|add support for session attribute propagation with| |43925|Opn|Enh|2007-11-21|org.apache.jasper.runtime.BodyContentImpl causing | |44216|New|Enh|2008-01-11|Don't reuse session ID even if emptySessionPath=tr| |44904|New|Enh|2008-04-29|Provide warning message when DataSource's maxActiv| |45052|New|Enh|2008-05-21|Provide read only access for certain role in Manag| |45882|New|Enh|2008-09-24|Ensure all jars have full manifests and N & L file| |47203|New|Enh|2009-05-15|Make JMXAdaptorLifecycleListener Java 1.4 compatib| |50949|New|Enh|2011-03-20|Allow configuration of service name, AJP port, ser| |51042|New|Nor|2011-04-08|HttpSessionListener.sessionCreated() is called a s| |51550|Opn|Nor|2011-07-25|Empty response instead of error page for IllegalSt| +-+---+---+--+--+ | Total 20 bugs | +---+ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Bug report for Tomcat Modules [2011/08/21]
+---+ | Bugzilla Bug ID | | +-+ | | Status: UNC=Unconfirmed NEW=New ASS=Assigned| | | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) | | | +-+ | | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major | | | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial | | | | +-+ | | | | Date Posted | | | | | +--+ | | | | | Description | | | | | | | |48240|New|Nor|2009-11-19|Tomcat-Lite missing @Override markers | |48268|New|Nor|2009-11-23|Patch to fix generics in tomcat-lite | |48861|New|Nor|2010-03-04|Files without AL headers | |49685|New|Nor|2010-08-02|Unsafe synchronization in class ManagedBean | |49686|New|Nor|2010-08-02|Using an instance lock to protect static shared da| |49953|Opn|Nor|2010-09-17|Missing @Override annotations | |50565|New|Min|2011-01-10|Static variables should be accessed in a static wa| |50566|New|Nor|2011-01-10|Duplicate assignment to connection variable | |50571|Inf|Nor|2011-01-11|Tomcat 7 JDBC connection pool exception enhancemen| |50660|New|Min|2011-01-26|Improve validationQuery error handling| |50860|New|Nor|2011-03-03|In case of invalid or empty slqQuery connection ar| |50864|New|Nor|2011-03-03|Reconfigure pool on the fly using JMX | |51139|New|Nor|2011-05-01|Possible bug in code related to "validatorClassNam| |51198|New|Nor|2011-05-13|Trunk Version : Performance enhancement in Connect| |51237|New|Nor|2011-05-20|SlowQueryReport interceptor does not log anything | |51388|New|Enh|2011-06-16|SlowQueryReport should respect Statement.getQueryT| |51582|New|Nor|2011-07-29|NPE in SlowQueryReport| |51595|New|Nor|2011-08-01|org.apache.tomcat.jdbc.pool.jmx.ConnectionPool sho| +-+---+---+--+--+ | Total 18 bugs | +---+ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Bug report for Tomcat Native [2011/08/21]
+---+ | Bugzilla Bug ID | | +-+ | | Status: UNC=Unconfirmed NEW=New ASS=Assigned| | | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) | | | +-+ | | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major | | | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial | | | | +-+ | | | | Date Posted | | | | | +--+ | | | | | Description | | | | | | | |45392|New|Nor|2008-07-14|No OCSP support for client SSL verification | |46179|Opn|Maj|2008-11-10|apr ssl client authentication | |48655|Inf|Nor|2010-02-02|Active multipart downloads prevent tomcat shutdown| |49038|Inf|Nor|2010-04-02|Crash in tcnative | |51477|Opn|Enh|2011-07-05|Support all protocol combinations in SSLProtocol o| |51655|New|Nor|2011-08-12|Index page does not say what native does | +-+---+---+--+--+ | Total6 bugs | +---+ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
/ on end of context paths breaking existing apps
The change in [1] has broken existing behaviour in some applications. Consider the following situation: - An application is context path /application - The application has a servlet mapped to /* - An authentication valve intercepts requests to /application and returns (via a RequestDispatcher.forward()) a login page that POSTs back to the original path. An HTTP session is used to track the progress of the login process. - The application is accessed with Google Chrome with the URI http://server/application What happens is: - During the redirection to the login page, Tomcat returns a JSESSONID cookie for the path /application/ - The login page then submits a POST to /application - Chrome (15.0 dev channel) and Internet Explorer (8.0) do not send the JSESSIONID cookie with the POST request - (In this particular app, an amusing loop results due to some session timeout handling) What's going on under the hood: - Tomcat (Mapper.internalMapWrapper Rule #2) is considering that there is a mapping for /application (the /*) - Tomcat is then setting a cookie for a /application/ This seems wrong - we're considering a path as being part of a context, but establishing a session that will not include that path (for some browsers at least). This notably makes Cookie based session tracking inconsistent with URL rewriting. Firefox (5.0) seems to sort this out and send the /application/ cookie on the /application requests. [2] made this behaviour configurable, but still defaulted it to the new behaviour of appending slashes. Questions I have: 1) Is what's described above the desired behaviour (that a path mapped to a web application might not be included in the web application session) 2) Should this change in behaviour have been made the default in Tomcat 7? 3) ... or are Chrome/IE or Firefox broken? tim -- [1] https://svn.apache.org/viewvc?view=revision&revision=1100992 [2] http://svn.apache.org/viewvc?view=revision&revision=1101069 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: / on end of context paths breaking existing apps
On 21/08/2011 22:49, Tim Whittington wrote: > The change in [1] has broken existing behaviour in some applications. > > Consider the following situation: > - An application is context path /application > - The application has a servlet mapped to /* > - An authentication valve intercepts requests to /application and > returns (via a RequestDispatcher.forward()) a login page that POSTs > back to the original path. An HTTP session is used to track the > progress of the login process. > - The application is accessed with Google Chrome with the URI > http://server/application > > What happens is: > - During the redirection to the login page, Tomcat returns a JSESSONID > cookie for the path /application/ > - The login page then submits a POST to /application > - Chrome (15.0 dev channel) and Internet Explorer (8.0) do not send > the JSESSIONID cookie with the POST request > - (In this particular app, an amusing loop results due to some session > timeout handling) > > What's going on under the hood: > - Tomcat (Mapper.internalMapWrapper Rule #2) is considering that there > is a mapping for /application (the /*) > - Tomcat is then setting a cookie for a /application/ > > This seems wrong - we're considering a path as being part of a > context, but establishing a session that will not include that path > (for some browsers at least). > This notably makes Cookie based session tracking inconsistent with URL > rewriting. > > Firefox (5.0) seems to sort this out and send the /application/ cookie > on the /application requests. > > [2] made this behaviour configurable, but still defaulted it to the > new behaviour of appending slashes. > > Questions I have: > > 1) Is what's described above the desired behaviour (that a path mapped > to a web application might not be included in the web application > session) Yes. The / is added for security reasons. Requests for /foobar should not see cookies set for the context with path /foo. > 2) Should this change in behaviour have been made the default in Tomcat 7? I think so but I tend to give security related changes a higher priority than backwards compatibility. The community may disagree. > 3) ... or are Chrome/IE or Firefox broken? IE is arguable broken (add this to the list of stuff IE doesn't handle correctly for cookies). Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
