tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <>
Subject Re: Remaining Tomcat 3.3 Issues
Date Wed, 12 Sep 2001 17:21:21 GMT
As I expected (having spent enough time on encoded URLs), I can't reproduce
1483 against B2.  It always finds the correct session both in stand-alone
and Ajp13.
----- Original Message -----
From: "Larry Isaacs" <>
To: <>
Sent: Wednesday, September 12, 2001 8:31 AM
Subject: Remaining Tomcat 3.3 Issues

> Hi All,
> I have made a pass through all Tomcat3 bugs.  Those listed below
> are the only ones that remain open as of last night.  Listed for
> RC1 and RC2 are issues I have accumulated as well as bugs that must
> be resolved.
> Each of these issues needs to be considered according to its
> impact on the stability of Tomcat 3.3.  I think most of the bugs
> are already fixed, but I need someone more familiar with the
> code to make a more informed assessment about the appropriate
> resolution.
> I am going ahead and posting this even though I haven't spent much
> time trying to identify which of these I consider showstoppers
> (mainly due to dancing late into the night with Bugzilla).
> At this moment, by default I don't consider any of these
> showstoppers.  I will try to review this and post my opinions later,
> probably tomorrow. Others are welcome to offer their opinions in this
> regard.
> ===== Tomcat 3.3 Release Issues =====
> To Be Addressed for RC1:
> 1. HttpSessionFacade.setAttribute() isn't synchronized.  If a second
> called "setAttribute()" after this request's "removeAttribute()" and
> "realSession.setAttribute()", the second request's value would be
> without an valueUnbound() being called.
> 2. Evaluate Tomcat 3.3's vulnerability to "Double Checked Locking". This
> is referred to in Bug #177. See:
> for details.  I think ServletHandler.init() is currently subject to this
> vulnerability.
> 3. The spec doesn't address whether a the form-login-page and
> should be excluded from the security-constraint, but it makes sense that
> it should.  It might be best to postpone this.
> 4. Address user authentication via Ajp12 and Ajp13.  Ajp12 has a test for
> isTomcatAuthentication() to see if req.setRemoteUser() should be called.
> I think Ajp13 doesn't have this yet and probably should.  Also, if the
> user is anonymous, i.e. user = "", should we call req.setRemoteUser()
> with this value?  This prevents Tomcat's normal authentication from being
> triggered.
> 5. If a error handler is not found for an exception, check the root cause
> as well if it is a ServletException.  This is mentioned in Bug 3233.  I
> it would be a good idea to apply this.  I don't think we are prohibited
> by the spec.  We could add an option to be safe if there is concern.
> 6. StaticInterceptor is missing a localization enhancement added to
> Tomcat 3.2.x.  Should this enhancement be ported to Tomcat 3.3?  Is
> this still considered a regression, though it isn't part of the
> Servlet 2.2/JSP 1.1 spec?
> 7. Evaluate whether anything should be done to deal with the use of
> non-thread-safe DateFormat and related classes.
> Must Resolve Bugs:
> 177   Race condition during servlet initialization BugRat Report#2
> 182   JSP error-page doesn't work with virtual hosts BugRat Report
> 274   request.getUserPrincipal() doesn't work when user is authent
> 437   req.getParameter(name) Ignores charset. always assumes ISO88
> 461   Use setCharacterEncoding("UTF8") does not change the way get
> 463   Ctx( /examples ): IOException in: R( /examples + + null) No
> 1253  Frequent Connection reset by peer errors
> 1482  Ignored session ids in encoded URLs
> 1663  Tomcat -SSL problem
> 1798  Tomcat 3.2.2b5 with Apache and ajp13 stops responding after
> 3233  exception handling wrt errorpages seems to be incorrect
> 3486 Session problem (with case insensitive context matching on windows)
> To Be Addressed by RC2:
> 8. We need to remove or optionally disable the shutdown support in
> Ajp13Interceptor.  This allows configuring a password protected
> Ajp12Interceptor shutdown to be the only shutdown available.
> 9. Some files under src/native have embedded CR's, i.e. Unix files would
> CRLF and Windows files would have CRCRLF's.  These need to be fixed.
> 10. The jk_nt_service, and I assume jniconnect, redirect stdout and stderr
> files.  With the default server.xml with no path for tc_log, Tomcat's
> startup output ends up in the "stderr" log. I would have expected it to
> be in the "stdout" log.  Is there a reason the o.a.t.u.qlog.Logger uses
> stderr as the default sink instead of stdout?
> 11. Make sure we are okay with mod_jk not supporting Apache's rewrite
> in Tomcat 3.3's mod_jk.  I'm fine with not supporting it, but I want
> to include some justification in the documentation to avoid some of
> the "why don't you" questions.
> 12. To simplify upgrade development, I would like to see the classpath
> for the "container", "common", and "apps" classloaders include the
> directory so classes placed under them will be picked up.
> 13. Determine cause of pauses running Tomcat's internal test with
> Tomcat + IIS.
> Must Resolve Bugs:
> 82    Jasper not affected by mod_rewrite BugRat Report#49  (part of issue
> 111   after httpd reload mod_jk fails to find a worker BugRat Repo
> 276   JNI problem: fails in Tomcat/IIS/JNI set
> 319   Nor Hig All UNCO  Tomcat does not launch with
>       Unix script files BugRat R
> 405   response.sendRedirect() in MS Explorer 5.5 fails using both
> 620   StopTomcat defaults to localhost
> 2333  Nor Oth PC NEW  HTTP Reason will be destroyed in
>       using AJP12
> 2550  Ajp13 Connection hanging on static content.
> 2927  Nor Oth PC NEW  ArrayIndexOutOfBoundsException when
>       accessing ajp13
> Open in 3.2.x But Fixed in 3.3
> 384   AJP13 returns no Status Message (Reason-Phrase RFC 2616) Bug
> 2057  URL contains encoded special chars
> ========================
> I will update the RELEASE-PLAN-3.3 tomorrow with the previous
> schedule and these issues, updating as needed base on discussion
> that occurs before then. These issues are the driving force for
> when RC1 and RC2 can be built and posted.  The dates previously
> voted on are still the targets, but may slip as needed to deal
> with these issues.
> I plan to go through (possibly with some help) all the Tomcat3 bugs.
> Where I find bugs for earlier Tomcat's that have not been addressed
> for Tomcat 3.3, I will do what I can to address them.  I will prepare
> and post a list of all bugs and there status in Tomcat 3.3.  If
> I don't have this list ready prior to RC2, I will still build and
> post RC2, but will not start the 7 day voting deadline clock until
> this list is posted.
> If a showstopper appears from this scan (which I don't expect to happen)
> I will post this issue and plan on another release candidate.
> Cheers,
> Larry


This message is intended only for the use of the person(s) listed above 
as the intended recipient(s), and may contain information that is 
PRIVILEGED and CONFIDENTIAL.  If you are not an intended recipient, 
you may not read, copy, or distribute this message or any attachment.  
If you received this communication in error, please notify us immediately 
by e-mail and then delete all copies of this message and any attachments.

In addition you should be aware that ordinary (unencrypted) e-mail sent 
through the Internet is not secure. Do not send confidential or sensitive 
information, such as social security numbers, account numbers, personal 
identification numbers and passwords, to us via ordinary (unencrypted) 

View raw message