ServletExec 4.2 (10/7/02)
-------------------------

Bug Fixes (ServletExec AS Specific):
- ServletExec AS fails to install with Apache 1.3.27 on Windows (bug #577)

ServletExec 4.2rc1 (9/25/02)
----------------------------

Bug Fixes (General):
- encodeRedirectUrl fails to encode relative URL that doesn't begin with '/' (bug #544)
- getRealPath() returns decoded real path (bug #560)
- An encoded URL is not processed the same as its decoded version (bug #561)

Bug Fixes (Web Application Specific):
- Auto-deployed WAR expansions remain, even after the .war is no longer auto-deployed (bug #523)
- Removing Web Apps named "temp" or "sessionSwap" cause Legacy data to be lost (bug #539)
- Web server allowed to serve alias mappings for Filters & Security (bug #545)
- URLs for web app static content are treated as case-insensitive (bug #548)
- Web Application Security hole when request contains HTTP escape characters (bug #553)

Bug Fixes (JSP Specific):
- A JSP configured as a servlet does not return the correct servlet name or init parameters. (bug #547)
- With IIS, the source to a JSP is served by appending %00 to the URL (bug #562)

Bug Fixes (SSL Specific):
- With Apache-SSL, retrieving client certificate info fails (bug #540)

Bug Fixes (ServletExec ISAPI Specific):
- With IIS6, ServletExec is not installed as a Web Service Extension (bug #551)
- With IIS, the source to a JSP is served by appending %00 to the URL (bug #562)

ServletExec 4.2b1 (8/23/02)
---------------------------

New Features:
- JavaMail support
- Web Services support
- Java Standard Tag Library (JSTL) support
- External Libraries support for web applications
- ServletExec AS now supports iWS on Linux

Other Changes:
- switched from Crimson parser to Xerces parser

Bug Fixes (General):
- Deleting of cookies fails with IE browser (bug #62)
- When using Eval license; Restrict IP information lost upon restart as is Admin Username (bug #255)
- When browser uses Spanish Locale, SE is unable to convert to charset correctly (bug #312)
- getParameterMap returns String (bug #336)
- Body of a Redirect response should be properly tagged HTML (bug #487)
- Using a data source in a context listener's contextInitialized method causes NameNotFoundException (bug #517)
- getServerPort returns wrong value when SE runs behind a load balancer (bug #518)
- In Legacy (non-webapp) context, getServletContext().getInitParameterNames() returns null (bug #531)

Bug Fixes (Session Tracking Specific):
- After a restart, sometimes getSession() will throw a NoSuchElementException (bug #301)
- Sometimes duplicate session IDs can be generated (bug #305)
- Session data is not being persistent when Persistence is enabled. (bug #460)

Bug Fixes (JSP Specific):
- In a TLD, validator-class is not processed properly (bug #302)
- Context class loader for JSPs in a webapp is not setup properly (bug #307)
- Suffix alias requests that use HTTP escape characters can sometimes cause SE to serve the page source (bug #459)
- request.getParameter always returns ISO Latin-1 formatted Strings in JSPs (bug #494)
- ServletExec does not pass well-formed XML to TLD Validators (bug #495)

Bug Fixes (Web Application Specific):
- getResources() throws ZipException: Filename too long (bug #309)
- Welcome files specified as url path portions cannot be found (bug #310)
- Some files unpacked from a .war file remain locked (bug #426)
- Request loop hole can be used to access files - Part 2 (bug #508)
- Sometimes static web app pages are served when NOT MODIFIED should be sent (bug #509)
- With IIS, connection is closed after NOT MODIFIED response for web app static page (bug #510)
- Changes made to the default NAC session extensions are lost across web app restarts (bug #254)
- A WAR file without a web.xml deploys without errors (bug #209)
- Neither listener classes nor filters are properly loading if using static initializer (bug #526)

Bug Fixes (SSL Specific):
- With IIS, an exception is thrown if a servlet accesses client certificate info (bug #86)
- With SE NSAPI on Solaris, client certificates cannot be retrieved (bug #524)
- Sometimes the cipher suite and key size cannot be retrieved (bug #525)
- With IIS, bad values are returned for a client cert's subject DN and serial number (bug #527)

Bug Fixes (ServletExec ISAPI Specific):
- With SE ISAPI, IIS will sometimes crash (bug #306)
- SE ISAPI fails to work with IIS6 (bug #314)
- With SE ISAPI, sometimes web app welcome files are not found (bug #516)

Bug Fixes (ServletExec NSAPI Specific):
- On Solaris, SE NSAPI hangs while processing request with iWS 6.0 (bug #225)
- With SE NSAPI on Solaris, client certificates cannot be retrieved (bug #524)

Bug Fixes (ServletExec AS Specific):
- Thread.currentThread().getContextClassLoader() returns null (bug #311)
- SE AS sometimes fails to install with Apache on Windows (bug #519)
- SE/AS Installer on Windows fails to update httpsd.conf with Covalent Fast Start Server 2.0 (bug #522)

ServletExec 4.1.1 (3/21/02)
---------------------------

Bug Fixes (General):
- Impossible to use a different XML parser without writing special code (bug #260)
- Using javax.servlet.ServletRequestWrapper causes ClassCastException (bug #265)
- IOException is logged if client disconnects (bug #291)
- A resource that is included by a resource that itself is included, fails to execute (bug #292)
- With prefix alias of /*, getServletPath and getPathInfo return wrong values (bug #293)
- prefix alias filters return wrong value for getServletPath & getPathInfo, if path info is present (bug #294)
- On SE admin pages, the link to www.newatlanta.com should open in a new browser window (bug #297)

Bug Fixes (ServletExec AS Specific):
- Adapter module for Apache crashes when retrieving client certificate (bug #211)
- SE AS -root option sometimes doesn't work for virtual servers (bug #257)
- ServletExec AS with IIS cannot access more than 10 instances (bug #268)
- With multiple instances, conn. pooling between native adaptor and various SE instances leaks memory (bug #269)
- Sockets between adapter module and ServletExec are remaining open (bug #273)
- ServletExec AS service fails to start on Windows XP (bug #300)

Bug Fixes (VM Support):
- ServletExec won't work with JRE 1.3.1 or higher on Windows (bug #256)
- SE won't work with JDK/JRE 1.4 when client hotspot VM is selected (bug #258)

Bug Fixes (Web Application Specific):
- WAR files are unpacked at every SE startup, even if they have not been changed (bug #262)
- ServletExec only recognizes .war files when the .war extension is all lower case (bug #263)
- getResource and getResourceAsStream causes JAR files in lib folder to be locked (bug #274)
- Web App welcome files cannot be served by HTTP Web Server (bug #287)
- getClass().getClassLoader().getResources() always returns an empty Enumeration (bug #295)

Bug Fixes (JSP Specific):
- include action sometimes won't work in a JSP page configured as a servlet (bug #259)
- A statically included JSP cannot be found when the file path is page-relative (bug #270)
- ServletExec loses cached timestamp info for JSPs if not shut down gracefully (bug #276)
- Only recently requested JSPs have their timestamps maintained across restarts (bug #277)
- JSP10Servlet allows arbitrary files to be read from within the webserver's root or a web app's root (bug #280)
- Invoking JSP10Servlet and requesting a JSP with a huge filename causes SE to crash (bug #281)
- Static include of zero-byte file causes java.lang.IllegalArgumentException (bug #282)
- nested custom tags with non-empty body fail unless a space is put after prefix:action (bug #284)
- Compiling JSP page with JDK 1.4 causes warning message (bug #290)

Bug Fixes (Session Tracking Specific):
- IllegalArgumentException when session is invalidated (bug #267)
- Sometimes under heavy load createSession will throw an exception (bug #272)
- calling session.setAttribute("key", null) causes NullPointerException (bug #278)

ServletExec 4.1 (9/17/01)
-------------------------

Bug Fixes (General):
- fixed Web Application security hole with URLs that contain '/../', '/./' and '//' (bug #231)
- Paths in web.xml which contain '//' or '/./' are not canonicalized properly (bug #232)
- implicit mappings (*.jsp, /servlet/*, /admin) in a web application can not be overridden (bug #233)
- some charset to character encoding mappings are missing (bug #234)
- Exception occurs when virtual server admin user views logs from admin pages (bug #236)
- Suffix aliases don't work with URLs that are URL rewritten and don't have query arguments (bug #241)
- Static resource not served when Request contains an invalid If-Modified-Since value (bug #246)
- When default locale is Japanese, admin pages and error messages are in English and Japanese (bug #247)
- On Japanese Windows, installer displays messages in English and Japanese (bug #244)
- On Monitor Threads admin page, start time is wrong (bug #250)

Bug Fixes (Web Application Security Specific):
- With FORM auth, isUserInRole() and getRemoteUser() don't work (bug #237)

Bug Fixes (ServletExec AS Specific):
- SE/AS for NES/iWS fails to process requests with a NULL value in the post arguments (bug #238)

Bug Fixes (JSP Specific):
- The JSP10Servlet pageCheckSeconds init argument is not processed properly (bug #235)
- The JSP10Servlet fails when a prefix alias is mapped to it (bug #239)
- StringIndexOutOfBoundsException when using JSP with inner class (bug #240)
- If action implements BodyTag then body appears in generated java file twice (bug #248)

ServletExec 4.0 (7/12/01)
-------------------------

Bug Fixes (General):
- a NullPointerException occurs when a swapped session fails to be loaded (bug #222)

Bug Fixes (Web Application Security Specific):
- security role references for a web app servlet don't work (bug #216)
- request.getAuthType() doesn't return the correct value (bug #218)
- security constraint URL patterns aren't checked in the proper order (bug #219)
- exact match URL patterns aren't checked properly (bug #220)
- a web resource collection with no HTTP methods specified must apply to all methods (bug #221)
- with FORM auth, an authenticated user is logged out if it accesses an unauthorized resource (bug #223)
- a transport guarantee security failure doesn't generate an error page (bug #224)

Bug Fixes (ServletExec AS Specific):
- with iWS on AIX the ServletExec_Adapter.so fails to load (bug #215)

ServletExec 4.0rc1 (6/28/01)
----------------------------

Bug Fixes (General):
- web application error handlers aren't examined in the order they appear in web.xml (bug #194)
- if an error occurs while binding data sources, ServletExec will fail to init (bug #196)
- if connection is broken while post arguments are being read, a NullPointerException occurs (bug #204)
- if a listener class isn't found ServletExec will fail to initialize (bug #212)
- sometimes classes in the web apps classes folder are not loaded (bug #213)

Bug Fixes (Web Application Security Specific):
- with FORM auth, if first login fails then next correct login results in resource not found (bug #214)

Bug Fixes (JSP Specific):
- some page directive attributes can appear twice in a JSP page with no error (bug #197)
- no error occurs when autoFlush is false and buffer is set to none (bug #198)
- no error occurs when a taglib directive appears after actions using the taglib's prefix (bug #199)
- no error occurs when the useBean class attribute isn't assignable to type (bug #200)
- a NullPointerException is thrown if getProperty or setProperty reference an undefined object (bug #201)
- only the first validator for a taglib receives the proper PageData (bug #202)

Bug Fixes (ServletExec NSAPI Specific):
- the HTTP Response Status line has an extra CR character (bug #203)
- on Solaris, tools.jar is not automatically added to the classpath (bug #207)

Bug Fixes (ServletExec AS Specific):
- with Apache, request.getScheme() and request.isSecure() sometimes returns "http" when it should return "https" (bug #116)
- on Windows, ServletExec AS will not install with Apache 1.3.20 (bug #195)
- with NES/iWS, the HTTP Response Status line has an extra CR character (bug #203)

ServletExec 4.0b1 (5/4/01)
--------------------------

New Features:
- support for Servlet API 2.3. This includes filtering and lifecycle events.
- support for JSP 1.2. This includes validation and the XML syntax.
- resource monitoring:
  - threads can be monitored from the ServletExec admin pages
  - sessions can be monitored from the ServletExec admin pages
  - requests can be monitored from the ServletExec admin pages
- support for Servlet API web application security
- JDBC 2.0 data sources can now be configured from the ServletExec admin pages
- addition of New Atlanta Extensions to web applications to allow more session tracking settings
- support for HTTP/1.1 persistent connections
- loaded servlets can now be viewed from the ServletExec admin pages
- installed optional packages can now be viewed from the ServletExec admin pages
- connection pooling between ServletExec adapter and java application (AS version only)
- web application static file caching (ISAPI and NSAPI versions only)
- ServletExec admin pages can now require SSL (ISAPI and AS versions only)

Other Changes:
- SSIServlet was deprecated
- JDK 1.2 or greater is now required

Bug Fixes (General):
- Localized static pages in web applications aren't served up properly (bug #70)
- ServletExec uses old version of XML parser (bug #82)
- Resources in lib\*.jar web application files can't be found (bug #88)
- No warning messages when web application is deployed with unsupported J2EE elements (bug #107)
- When an admin request fails to write changes to a config file, no error is returned to the client (bug #115)
- Configuration changes to web applications in WAR files are lost over a restart (bug #117)
- Web application sessions are lost over a restart (bug #130)
- It is possible for a hacker to calculate a valid session id (bug #131)
- Static pages in web application need Last-modified header in response (bug #134)
- Response.sendRedirect() doesn't convert relative URLs to absolute URLs (bug #137)
- HotSpot doesn't run with a JITC so JITC info should not be displayed on VM Settings admin page (bug #140)
- Sometimes two instances of a webapp servlet are created (bug #141)
- HttpSession.getLastAccessedTime() returns wrong value (bug #142)
- Disabling the ServletExec admin UI doesn't disable the Web Application admin UI (bug #150)
- Custom loaded classes can't be assigned security permissions in java.policy (bug #153)
- When access is denied to a context, ServletContext.getContext() should return null (bug #155)
- Modifying web application session timeout value doesn't take effect immediately (bug #156)
- Need to return Not Modified for static web app pages which haven't been modified (bug #157)
- The Max Sessions setting isn't being honored (bug #160)
- The web application class loader is too restrictive (bug #162)
- Web application servlet mappings admin page displays incorrect message (bug #168)
- Logger thread not stopped when web app is removed (bug #169)
- When a Servlet or Filter init parameter is removed, all remaining init parameters are removed too (bug #170)
- Request loop hole can be used to access files outside a web app (bug #172)
- URL rewriting doesn't work for URLs that end with '#' character (bug #174)
- Protected resources can be accessed using a url like /ex//WEB-INF/web.xml (bug #175)
- SE admin pages JavaScript causes problems with non-english locale browsers (bug #176)
- web apps with spaces in their name disappear after a ServletExec restart (bug #177)
- empty web-app tag in web.xml prevents access to web app's admin pages (bug #178)
- Passing a path relative URL to request.getRequestDispatcher() fails (bug #180)
- Request attribute javax.servlet.include.context_path is not being set (bug #181)
- The javax.servlet.include.xxx request attributes are set when getNamedDispatcher is used (bug #182)
- Response is not closed after forwarding to a resource (bug #183)
- Request's path elements don't reflect original request (bug #184)

Bug Fixes (JSP Specific):
- When a taglib directive is parsed, a TagLibraryInfo object needs to be created (bug #91)
- JSP include and forward tags inside a tag ext body write to wrong output stream (bug #92)
- Non-web app JSP pages sometimes have their source served up by the web server (bug #93)
- Empty elements in TLD cause null pointer exception (bug #166)
- Requests of the form /xxx%252ejsp can be used to serve up content of web app JSP pages (bug #179)
- Page directives with a TAB, CR or LF before the directive name aren't recognized (bug #185)
- ' and " in attribute values aren't decoded properly (bug #190)
- a "%\>" in a declaration or expression isn't properly decoded to a "%>" (bug #191)
- a quoted slash (ie. "\\" ) in an attribute value is not decoded properly (bug #192)
- MissingResourceException when using ResourceBundle.getBundle() from a JSP in a web app (bug #210)

Bug Fixes (ServletExec ISAPI Specific):
- With JDK 1.2 and greater need to support both client and server HotSpot VMs (bug #81)
- Response headers set by other ISAPI filters are not included in the response (bug #97)
- With JDK 1.2 or greater, ServletExec doesn't come up with correct default VM settings (bug #112)
- With JDK 1.3 on Windows, ServletExec should default to using the HotSpot Client VM (bug #133)
- Large post requests from IE to ServletExec ISAPI sometimes fail due to extra CRLF (bug #138)
- HotSpot internal error occurs when ServletExec in-process on Windows is shutdown (bug #144)
- Need to prompt user before uninstalling ServletExec ISAPI (bug #145)
- Non-web app error pages are sometimes not found with in-process versions of ServletExec (bug #148)
- Setting of System Output and System Error on VM Settings admin page fails (bug #154)

Bug Fixes (ServletExec NSAPI Specific):
- With JDK 1.2 and greater need to support both client and server HotSpot VMs (bug #81)
- With JDK 1.2 or greater, ServletExec doesn't come up with correct default VM settings (bug #112)
- With JDK 1.3 on Windows, ServletExec should default to using the HotSpot Client VM (bug #133)
- HotSpot internal error occurs when ServletExec in-process on Windows is shutdown (bug #144)
- Non-web app error pages are sometimes not found with in-process versions of ServletExec (bug #148)
- Setting of System Output and System Error on VM Settings admin page fails (bug #154)
- On Solaris, Cannot stop Netscape Enterprise (or iWS) when ServletExec NSAPI is installed (bug #159)

Bug Fixes (ServletExec AS Specific):
- The stop_iis.bat file is not installed by the ServletExec AS installer (bug #95)
- Response headers set by other ISAPI filters are not included in the response (bug #97)
- Response headers set by other Apache modules are not included in the response (bug #98)
- ServletExec AS on Windows fails to install with Apache 1.3.17 and 1.3.19 (bug #151)
- Response headers set by other NSAPI plugins are not included in the response with ServletExec AS (bug #152)
- ServletExec AS running with HotSpot Server VM will reject all requests (bug #163)
- Client disconnect during reading of post args isn't handled properly with ServletExec AS (bug #164)
- ServletExec AS installer completes even if Apache ServerRoot registry entry is wrong (bug #171)
- request.getHeaders() returns a valid but EMPTY enumeration, even when there ARE values (bug #173)