tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Larry Isaacs <>
Subject Remaining Tomcat 3.3 Issues
Date Wed, 12 Sep 2001 15:31:19 GMT
Hi All,

I have made a pass through all Tomcat3 bugs.  Those listed below
are the only ones that remain open as of last night.  Listed for
RC1 and RC2 are issues I have accumulated as well as bugs that must
be resolved.

Each of these issues needs to be considered according to its
impact on the stability of Tomcat 3.3.  I think most of the bugs
are already fixed, but I need someone more familiar with the
code to make a more informed assessment about the appropriate

I am going ahead and posting this even though I haven't spent much
time trying to identify which of these I consider showstoppers
(mainly due to dancing late into the night with Bugzilla).
At this moment, by default I don't consider any of these
showstoppers.  I will try to review this and post my opinions later,
probably tomorrow. Others are welcome to offer their opinions in this

===== Tomcat 3.3 Release Issues =====

To Be Addressed for RC1:

1. HttpSessionFacade.setAttribute() isn't synchronized.  If a second request
called "setAttribute()" after this request's "removeAttribute()" and before
"realSession.setAttribute()", the second request's value would be overwritten
without an valueUnbound() being called.

2. Evaluate Tomcat 3.3's vulnerability to "Double Checked Locking". This
is referred to in Bug #177. See:
for details.  I think ServletHandler.init() is currently subject to this

3. The spec doesn't address whether a the form-login-page and form-error-page
should be excluded from the security-constraint, but it makes sense that
it should.  It might be best to postpone this.

4. Address user authentication via Ajp12 and Ajp13.  Ajp12 has a test for
isTomcatAuthentication() to see if req.setRemoteUser() should be called.
I think Ajp13 doesn't have this yet and probably should.  Also, if the
user is anonymous, i.e. user = "", should we call req.setRemoteUser()
with this value?  This prevents Tomcat's normal authentication from being

5. If a error handler is not found for an exception, check the root cause
as well if it is a ServletException.  This is mentioned in Bug 3233.  I think
it would be a good idea to apply this.  I don't think we are prohibited
by the spec.  We could add an option to be safe if there is concern.

6. StaticInterceptor is missing a localization enhancement added to
Tomcat 3.2.x.  Should this enhancement be ported to Tomcat 3.3?  Is
this still considered a regression, though it isn't part of the
Servlet 2.2/JSP 1.1 spec?

7. Evaluate whether anything should be done to deal with the use of
non-thread-safe DateFormat and related classes.

Must Resolve Bugs:

177   Race condition during servlet initialization BugRat Report#2
182   JSP error-page doesn't work with virtual hosts BugRat Report
274   request.getUserPrincipal() doesn't work when user is authent
437   req.getParameter(name) Ignores charset. always assumes ISO88  
461   Use setCharacterEncoding("UTF8") does not change the way get  
463   Ctx( /examples ): IOException in: R( /examples + + null) No  
1253  Frequent Connection reset by peer errors  
1482  Ignored session ids in encoded URLs  
1663  Tomcat -SSL problem  
1798  Tomcat 3.2.2b5 with Apache and ajp13 stops responding after  
3233  exception handling wrt errorpages seems to be incorrect  
3486 Session problem (with case insensitive context matching on windows)

To Be Addressed by RC2:

8. We need to remove or optionally disable the shutdown support in
Ajp13Interceptor.  This allows configuring a password protected
Ajp12Interceptor shutdown to be the only shutdown available.

9. Some files under src/native have embedded CR's, i.e. Unix files would have
CRLF and Windows files would have CRCRLF's.  These need to be fixed.

10. The jk_nt_service, and I assume jniconnect, redirect stdout and stderr to
files.  With the default server.xml with no path for tc_log, Tomcat's
startup output ends up in the "stderr" log. I would have expected it to
be in the "stdout" log.  Is there a reason the o.a.t.u.qlog.Logger uses
stderr as the default sink instead of stdout?

11. Make sure we are okay with mod_jk not supporting Apache's rewrite
in Tomcat 3.3's mod_jk.  I'm fine with not supporting it, but I want
to include some justification in the documentation to avoid some of
the "why don't you" questions.

12. To simplify upgrade development, I would like to see the classpath
for the "container", "common", and "apps" classloaders include the
directory so classes placed under them will be picked up.

13. Determine cause of pauses running Tomcat's internal test with
Tomcat + IIS.

Must Resolve Bugs:

82    Jasper not affected by mod_rewrite BugRat Report#49  (part of issue 11)
111   after httpd reload mod_jk fails to find a worker BugRat Repo  
276   JNI problem: fails in Tomcat/IIS/JNI set  
319   Nor Hig All UNCO  Tomcat does not launch with given
      Unix script files BugRat R  
405   response.sendRedirect() in MS Explorer 5.5 fails using both  
620   StopTomcat defaults to localhost  
2333  Nor Oth PC NEW  HTTP Reason will be destroyed in header
      using AJP12  
2550  Ajp13 Connection hanging on static content.  
2927  Nor Oth PC NEW  ArrayIndexOutOfBoundsException when
      accessing ajp13  

Open in 3.2.x But Fixed in 3.3

384   AJP13 returns no Status Message (Reason-Phrase RFC 2616) Bug  
2057  URL contains encoded special chars  


I will update the RELEASE-PLAN-3.3 tomorrow with the previous
schedule and these issues, updating as needed base on discussion
that occurs before then. These issues are the driving force for
when RC1 and RC2 can be built and posted.  The dates previously
voted on are still the targets, but may slip as needed to deal
with these issues.

I plan to go through (possibly with some help) all the Tomcat3 bugs.
Where I find bugs for earlier Tomcat's that have not been addressed
for Tomcat 3.3, I will do what I can to address them.  I will prepare
and post a list of all bugs and there status in Tomcat 3.3.  If
I don't have this list ready prior to RC2, I will still build and
post RC2, but will not start the 7 day voting deadline clock until
this list is posted.

If a showstopper appears from this scan (which I don't expect to happen)
I will post this issue and plan on another release candidate.


View raw message