geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Bohn <joe.b...@earthlink.net>
Subject Re: Tomcat webdav issue and Geronimo 2.1
Date Tue, 11 Dec 2007 22:53:28 GMT


Kevan Miller wrote:
> 
> On Dec 7, 2007, at 2:44 PM, Joe Bohn wrote:
> 
>>
>> I was just looking into updating Tomcat for the Geronimo 2.1 release 
>> with an eye toward getting a fix integrated for the Webdav servlet 
>> security issue.
>>
>> There are 3 possible approaches:
>>
>> 1) Apply the Webdav patch to the 6.0.13 image with the annotation 
>> changes and one other minor change (basically our current 
>> 6.0.13_G543818 build plus the WebDav fix).  Check this into our 
>> private repository in trunk.
>>
>> 2) Checkout 6.0.14, apply the Webdav patch and annotation changes. 
>> Check this into our private repository in trunk.
>>
>> 3) Checkout tomcat trunk (6.0.x) which already includes the Webdav 
>> patch but not the annotation changes.  Apply the annotation changes 
>> for our private build and check it into our repository in trunk.
>>
>> I personally think #2 is probably best although it might expose some 
>> other issues in tomcat.  We could always fall back to #1 if necessary. 
>> There was an attempt made at a tomcat 6.0.15 a few weeks back but it 
>> failed due to some context and tck issues ... hence my reservations 
>> with 6.0.x since it probably has those same issues.
> 
> OK. Good, I think, to upgrade to 6.0.14. So, I like your plan # 2.

I just checked in this upgrade in 
http://svn.apache.org/viewvc?rev=603398&view=rev

I hope it works (some quick testing looks promising).

After digging into this now for tomcat 6.0.14 I can safely say that we 
really need to come up with a better way.  IMO we need to get Tomcat to 
integrate these annotation changes soon or revert back to using the 
native Tomcat mechanisms to support annotations.  At the moment Tomcat 
still has the annotation changes sitting in their sandbox and the code 
in their new trunk is drifting.

Here are steps that I followed to create the patch to save the manual 
changes that were necessary so that we can recreate the tomcat image.  I 
checked these directions in as 
repository/org/apache/tomcat/6.0.14-G602188.README.TXT


Private Build of Tomcat for Geronimo.										
How to build Tomcat 6_0_14 with modifications for Geronimo:

Checkout tomcat 6.0.14
   svn co 
https://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_14 
tomcat_6_0_14

Apply the custom patch for Geronimo Annotation changes, Webdav fix, and 
build fix.
   cd tomcat_6_0_14
   patch -p0 -u < tomcat_6_0_14-G602188.patch   (checked in as a peer to 
this file)
   -  Respond "y" to the 3 prompts "Reversed (or previously applied) 
patch detected!  Assume -R? [n]"
   svn delete java/org/apache/jasper/runtime/AnnotationHelper.java --force
   svn delete java/org/apache/AnnotationProcessor.java --force
   svn delete 
java/org/apache/catalina/util/DefaultAnnotationProcessor.java --force

Build tomcat
   cd tomcat_6_0_14
   Per tomcat build instructions install ant-1.6.5 or later and set 
ANT_HOME as well as add ant/bin to PATH
   You must run as the super user for the first build that downloads 
more ant & eclipse artifacts
   ant download   - to setup build for tomcat
   Exit super user
   ant - to build tomcat artifacts

Copy to appropriate jars and rename into geronimo/repository
   cd tomcat_6_0_14
   cp /build/lib/catalina.jar 
<geronimo-root>/repository/org/apache/tomcat/catalina/6.0.14-G602188/catalina-6.0.14-G602188.jar
   cp /build/lib/jasper.jar 
<geronimo-root>/repository/org/apache/tomcat/jasper/6.0.14-G602188/jasper-6.0.14-G602188.jar







How the patch was created:

Checkout tomcat 6.0.14
   svn co 
https://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_14 
tomcat_6_0_14


Apply annotation changes from old tomcat trunk
   cd tomcat_6_0_14
   svn merge -r 542188:542189 
https://svn.apache.org/repos/asf/tomcat/sandbox/gdev6x/ .
   manually correct merge conflicts

Apply the Webdav security fix from the new tomcat trunk
   svn merge -r 587081:587082 
https://svn.apache.org/repos/asf/tomcat/trunk/ .
   manually correct merge conflicts

Fix the tomcat build properties before attempting "ant download"
   - Before you can build tomcat you need to make some manual changes to 
build.properties.default
   - replace jdt.jar=${jdt.lib}/org.eclipse.jdt.core_3.2.3.v_686_R32x.jar
     with jdt.jar=${jdt.lib}/org.eclipse.jdt.core_3.3.1.v_780_R33x.jar
   and
   - replace 
jdt.loc=http://sunsite.informatik.rwth-aachen.de/eclipse/downloads/drops/R-3.2.2-200702121330/eclipse-JDT-3.2.2.zip
     with 
jdt.loc=http://www.eclipse.org/downloads/download.php?file=/eclipse/downloads/drops/R-3.3.1-200709211145/eclipse-JDT-3.3.1.zip

The merge earlier keeps a history on added parts.  As a result, the 
added parts will not appear on patch created from this image.  To correct
this we must revert the addition changes and manually add the parts 
back.  Perform the following commands:
   svn revert java/org/apache/InstanceManager.java
   svn add    java/org/apache/InstanceManager.java
   svn revert java/org/apache/jasper/runtime/InstanceManagerFactory.java
   snv add    java/org/apache/jasper/runtime/InstanceManagerFactory.java
   svn revert java/org/apache/catalina/deploy/InjectionTarget.java
   snv add    java/org/apache/catalina/deploy/InjectionTarget.java

Create the patch:
   svn diff > TOMCAT_6_0_14-G602188.patch

Mime
View raw message