Subject: CVS commit: pkgsrc
To: None <>
From: Jim Wise <>
List: pkgsrc-changes
Date: 03/28/2001 05:46:10
Module Name:	pkgsrc
Committed By:	jwise
Date:		Wed Mar 28 02:46:09 UTC 2001

Modified Files:
	pkgsrc/www/jakarta-tomcat: Makefile
	pkgsrc/www/jakarta-tomcat/files: md5 patch-sum
	pkgsrc/www/jakarta-tomcat/patches: patch-aa
	pkgsrc/www/jakarta-tomcat/pkg: MESSAGE PLIST
Added Files:
	pkgsrc/www/jakarta-tomcat/pkg: DEINSTALL INSTALL
Removed Files:
	pkgsrc/www/jakarta-tomcat/patches: patch-ab patch-ac

Log Message:
Update jakarta-tomcat to version 3.2.1.

Changes in the package since version 3.1.1 (the last pkgsrc version):

  * tomcat is now always installed under ${PREFIX}/tomcat.  Making
    ${TOMCAT_HOME} configurable added much complexity for not real

    It had been my intention to aim for a hier(7) like install for
    tomcat with this version, but at this point there are way too many
    hard-coded relative paths (relative to tomcat.home) in tomcat,
    and in addition, all of the (quite good, really) documentation
    assumes the standard install paths.

    Note that the previous default value of ${TOMCAT_HOME} was

  * an rc.subr compatible (but not requiring) startup script is now installed
    as ${PREFIX}/etc/rc.d/tomcat.

  * if Sun's JSSE (Java Secure Socket Extensions) is in ${CLASSPATH} when
    the pkg is built, tomcat will be built with support for SSL in the
    standalone server mode.  This soft dependency will be replaced by a
    hard dependency as soon as I get a chance to import a JSSE package

  * likewise, I will import an ap-jk package for the new apache connector
    (mod_jk) soon.  ap-jserv continues to be usable for this purpose.

Changes in tomcat itself since version 3.1.1:

New in tomcat-3.2.1:
Tomcat 3.2.1 is a maintenance and bug fix release, based on the Tomcat 3.2
(final) code base.  The following changes are included:

- Disallowed requesting JSP pages under the WEB-INF directory
  (/WEB-INF/dummy.jsp).  Previously, only requests for static files
  were being disallowed.

- The JDBCRealm request interceptor will now log the description of any
  JDBC exception that occurs, to aid in debugging.

(note that these fixes were also made to the tomcat-3.1 branch in tomcat 3.1.1)

Protection of Resources in /WEB-INF and /META-INF Directories

The servlet specification prohibits servlet containers from serving resources
in the /WEB-INF and /META-INF directories of a web application archive directly
to clients.  In Tomcat 3.2, this means that URLs like:


will return an error message, rather than the contents of your deployment
descriptor.  However, there is a vulnerability in Tomcat 3.2 that exposes
this information if the client requests a URL like this instead:


(note the double slash before "WEB-INF").  This vulnerability has been
corrected in Tomcat 3.2.1.

Show Source Vulnerability

The example application delivered with Tomcat 3.2 included a mechanism to
display the source code for the JSP page examples.  This mechanism could
be used to bypass the restrictions on displaying sensitive information in
the WEB-INF and META-INF directories.  This vulnerability has been removed.

New in tomcat-3.2:
Tomcat 3.2 is mainly a performance tune-up release, although a few new
features have been added.

- Support for mod_jk, which is a replacement for the elderly mod_jserv, has
  had several bugs fixed and has received much more testing.  It is now
  recommended that all users use mod_jk instead of mod_jserv.

- Support JAXP-based XML parser independence.

- New and often requested "how-to" documents covering the following topics:
     - Configuring
     - IIS and Netscape configuration
     - Running tomcat inside an IIS or Netscape process
     - Running Tomcat as a Windows NT service
     - Configuring a JDBC realm
     - Configuring mod_jk

- First round of policy-based security support intended for running untrusted
  code inside of Tomcat.  Interested users should test this support and post
  feedback to the Tomcat users mailing list.

- SSL support for standalone Tomcat. (Preliminary support first appeared in
  3.1, but the support in 3.2 has received more testing and documentation.)

- Thread reuse is now enabled by default. The thread pool support code was part
  of 3.1, but not enabled since it was new.

- Support for plug-able session managers.  Unfortunately, no how-to documents
  that support this functionality exist (yet). For the adventurous, be aware
  that the interface that allows administrators to plug session managers is
  the normal Interceptor interface.

- An almost total rewrite of the HTTP request handling now results in improved
  performance when running Tomcat stand-alone.

- Significantly reduced garbage collection.

- The code underwent a refactoring effort resulting in improved readability.

- And of course, hundreds of miscellaneous improvements and fixes.

To generate a diff of this commit:
cvs rdiff -r1.14 -r1.15 pkgsrc/www/jakarta-tomcat/Makefile
cvs rdiff -r1.4 -r1.5 pkgsrc/www/jakarta-tomcat/files/md5
cvs rdiff -r1.5 -r1.6 pkgsrc/www/jakarta-tomcat/files/patch-sum
cvs rdiff -r0 -r1.1 pkgsrc/www/jakarta-tomcat/files/
cvs rdiff -r1.4 -r1.5 pkgsrc/www/jakarta-tomcat/patches/patch-aa
cvs rdiff -r1.5 -r0 pkgsrc/www/jakarta-tomcat/patches/patch-ab
cvs rdiff -r1.2 -r0 pkgsrc/www/jakarta-tomcat/patches/patch-ac
cvs rdiff -r0 -r1.1 pkgsrc/www/jakarta-tomcat/pkg/DEINSTALL \
cvs rdiff -r1.5 -r1.6 pkgsrc/www/jakarta-tomcat/pkg/MESSAGE
cvs rdiff -r1.6 -r1.7 pkgsrc/www/jakarta-tomcat/pkg/PLIST

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
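The /WEB-INF double-slash issue in the Tomcat 3.2.1 notes above comes down to a protected-path check that compared the raw request URI instead of a normalized one. The following is an added illustration, written for this page and not taken from the commit or from Tomcat's own code; it contrasts a naive literal prefix check with one that decodes and canonicalizes the context-relative path first. Function names and the sample URIs are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Directories the servlet specification says must never be served to clients.
PROTECTED = {"WEB-INF", "META-INF"}


def naive_is_blocked(request_uri: str) -> bool:
    """A literal prefix test of the kind a leading double slash slips past."""
    return request_uri.startswith("/WEB-INF/") or request_uri.startswith("/META-INF/")


def normalize_path(request_uri: str) -> str:
    """Canonicalize a context-relative request path before any access decision.

    Steps: drop the query string, percent-decode, collapse runs of slashes,
    then resolve '.' and '..' segments against the context root.
    """
    path = unquote(request_uri.split("?", 1)[0])
    # Collapse '//' explicitly: posixpath.normpath deliberately keeps exactly
    # two leading slashes (POSIX semantics), which would reintroduce the bug.
    path = re.sub(r"/+", "/", path)
    if not path.startswith("/"):
        path = "/" + path
    # With a leading '/', normpath cannot resolve '..' above the context root.
    return posixpath.normpath(path)


def is_protected(request_uri: str) -> bool:
    """True if any segment of the canonical path is WEB-INF or META-INF.

    Checking every segment (case-insensitively) is stricter than the spec's
    root-only rule, which is the safe direction for a deny decision.
    """
    segments = normalize_path(request_uri).strip("/").split("/")
    return any(seg.upper() in PROTECTED for seg in segments if seg)


def decide(request_uri: str) -> int:
    """HTTP status a hardened container should answer with for this URI."""
    return 403 if is_protected(request_uri) else 200


if __name__ == "__main__":
    # Constructed sample requests, including the double-slash shape from the notes.
    for uri in ("/WEB-INF/web.xml", "//WEB-INF/web.xml", "/index.jsp"):
        print(f"{uri:24} naive_blocked={naive_is_blocked(uri)!s:5} decide={decide(uri)}")
```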