                  Apache Tomcat Version 4.0 Beta 3
                  =================================
                            Release Notes
                            =============

$Id: RELEASE-NOTES-4.0-B3.txt,v 1.2 2001/04/03 00:38:46 craigmcc Exp $


============
INTRODUCTION:
============


This document describes the changes that have been made in the current
beta release of Apache Tomcat, relative to the previous release.

Bug reports should be entered at the interim bug reporting system for
Jakarta projects at:

        http://nagoya.apache.org/bugzilla/

Please use project codes "Catalina" and "Jasper" for servlet-related and
JSP-related bug reports, respectively.


------------------------
Important Security Notes:
------------------------

This release includes fixes for security vulnerabilities that have been
reported against Tomcat 4.0 beta 2:

* Fixes to a similar vulnerability that was included in Tomcat 4.0-b2
  is also included here.

* "Tomcat 4.0-b2 for winnt/2000 show ".jsp" source vulnerability"
  (BugTraq reference CSA-200110), which would cause JSP source to be
  displayed on a URL like:
    http://localhost:8080/examples/jsp/snp/snoop%252ejsp
  on all platforms, not just Windows.  The same vulnerability was
  fixed in the new server-side include facility.

Any user who has downloaded Tomcat 4.0 beta 2 is encouraged to upgrade to
beta 3 to fix these security vulnerabilities.


============
NEW FEATURES:
============


---------------------
Catalina New Features:
---------------------


-------------------
Jasper New Features:
-------------------


--------------------
Webapps New Features:
--------------------


==========================
BUG FIXES AND IMPROVEMENTS:
==========================


------------------
Catalina Bug Fixes:
------------------


Bootstrap:  Make sure bootstrap.jar has only the minimum classes it needs to
run, and do not duplicate classes in catalina.jar.

DirContextURLConnection:  Implement getPermission so that a FilePermission is
used to enforce security rather than the default AllPermission.

HttpConnector/StandardServer:  Ensure that the server socket ignores and logs
SocketPermission AccessControlExceptions.

StandardHost:  Ignore the "directory exists" exception when context startup
tries to expand a WAR file that is already expanded.

Extension:  Do not throw NullPointerException if a JAR file with no manifest
file is added to the set of repositories for a StandardClassLoader.


----------------
Jasper Bug Fixes:
----------------


-----------------
Webapps Bug Fixes:
-----------------


Manager:  Correct message format for the "list" command's response.


============================
KNOWN ISSUES IN THIS RELEASE:
============================


------------------------------------------
Redeploying From a Web Application Archive:
------------------------------------------

If you attempt to undeploy, then redeploy, an application from the same
web application archive file URL (where the URL refers to an actual WAR
file, not to a directory), the redeploy will fail with error "zip file is
closed".  There appears to be a problem in the JDK's JarURLConnection class
where JAR files are cached, even after they are closed, so that a request
for a connection to the same URL returns the previous JarFile object instead
of a new one.  As a workaround, you should do one of the following:
* Change the URL of the web application archive each time you redeploy.
* Deploy from an unpacked directory (on the same server) instead of from
  a WAR file (this is often more convenient in a development environment
  anyway).


--------------------------
Tomcat 4.0 and XML Parsers:
--------------------------

Previous versions of Tomcat 4.0 exposed the XML parser used by Jasper (the
JAXP/1.1 reference implementation) to web applications.  This is no longer
the case, because Jasper loads its parser with a new class loader instead.
Keep the following points in mind when considering how to use XML parsers
in Tomcat 4.0 and your web applications:

* If you wish to make the JAXP/1.1 RI XML parser available to all web
  applications, simply move the "jaxp.jar" and "crimson.jar" files from
  the "$TOMCAT_HOME/jasper" directory to the "$TOMCAT_HOME/lib" directory.

* If you wish to make another XML parser that is JAXP/1.1-compatible
  available to all web applications, install that parser into the
  "$TOMCAT_HOME/lib" directory and remove "jaxp.jar" and "crimson.jar"
  from the "$TOMCAT_HOME/jasper" directory.  It has been reported that
  Xerces 1.3.1 can be used in this fashion, but 2.x alpha releases
  can not be.

* If you wish to use an XML parser (such as Xerces) in the WEB-INF/lib
  directory of your web application, this should now be possible, because
  of the modified JAXP 1.1 parser mentioned below.

WARNING:  Tomcat 4.0 now ships with a modified version of the JAXP/1.1
(Final) "jaxp.jar" and "crimson.jar" files in the "jasper" subdirectory.
The "sealed" attribute has been removed from the manifest file for these
two JARs, to avoid "package sealing violation" errors that were caused by
them in a JDK 1.3 environment.  You MUST NOT replace these files with a
different (or later) release of JAXP, unless that later release has had
the sealed attribute removed, or you will encounter "package sealing violation"
errors when trying to use a different XML parser in a web application.
