summaryrefslogtreecommitdiff
path: root/www/jakarta-tomcat/files
AgeCommit message (Collapse)AuthorFilesLines
2002-12-28Use the JAVA_HOME of the JDK upon which the jakarta-tomcat package dependsjlam1-2/+2
as the default JAVA_HOME. It can still be overridden by an environment variable.
2002-05-23Add a 'flush' option to the rc.d script. Bump version to jakarta-tomcat-3.2.4nb1abs1-2/+6
If you've used tomcat this probably comes under the category of bugfix :)
2002-05-17include crimson.jar and ant.jar in default CLASSPATHabs1-2/+2
2001-05-24Obey rc.conf if present (modelled on apache rc.d file), plus allow entriesabs1-22/+60
to be prepended to CLASSPATH by setting optional tomcat_classpath
2001-04-17+ move the distfile digest/checksum value from files/md5 to distinfoagc2-8/+0
+ move the patch digest/checksum values from files/patch-sum to distinfo
2001-04-13Fix thinko in a message. Purely aesthetic.jwise1-2/+7
2001-04-03RCS Id policewennmach1-3/+3
2001-04-02Add a `run' rc script command corresponding to the tomcat `run' startupjwise1-2/+2
directive -- run in the foreground for debugging purposes.
2001-03-29Ease out-of-the-box integration with mod_jk (pkgsrc/www/ap-jk):jwise1-2/+4
* include a workers.properties which works out of the box -- this file may be better off as part of the ap-jk package, even though it is somewhat tomcat-specific. I'll give this possibility more thought. * modify the apache config file fragment generator which runs on tomcat startup to generate an Include-able apache config file fragment which works out of the box to laod mod_jk.
2001-03-28Add mandatory tomcat jar files at end of CLASSPATH, not front, so that theyjwise1-2/+2
don't override user-provided jar files. Needed for cocoon, which must find xerces as the first SAX implementation in it's class path.
2001-03-28Update jakarta-tomcat to version 3.2.1.jwise3-8/+48
Changes in the package since version 3.1.1 (the last pkgsrc version): ===================================================================== * tomcat is now always installed under ${PREFIX}/tomcat. Making ${TOMCAT_HOME} configurable added much complexity for not real gain. It had been my intention to aim for a hier(7) like install for tomcat with this version, but at this point there are way to many hard-coded relative paths (relative to tomcat.home) in tomcat, and in addition, all of the (quite good, really) documentation assumes the standard install paths. Note that the previous default value of ${TOMCAT_HOME} was ${PREFIX}/jakarta/tomcat. * an rc.subr compatible (but not requiring) startup script is now installed as ${PREFIX}/etc/rc.d/tomcat. * if Sun's JSSE (Java Secure Socket Extensions) is in ${CLASSPATH} when the pkg is built, tomcat will be built with support for SSL in the standalone server mode. This soft dependency will be replaced by a hard dependency as soon as I get a chance to import a JSSE package (soon). * likewise, I will import an ap-jk package for the new apache connector (mod_jk) soon. ap-jserv continues to be usable for this purpose. Changes in tomcat itself since version 3.1.1: ============================================= New in tomcat-3.2.1: -------------------- Tomcat 3.2.1 is a maintenance and bug fix release, based on the Tomcat 3.2 (final) code base. The following changes are included: - Disallowed requesting JSP pages under the WEB-INF directory (/WEB-INF/dummy.jsp). Previously, only requests for static files were being disallowed. - The JDBCRealm request interceptor will now log the description of any JDBC exception that occurs, to aid in debugging. SECURITY VULNERABILITIES FIXED IN TOMCAT 3.2.1 (note that these fixes were also made to the tomcat-3.1 branch in tomcat 3.1.1) Protection of Resources in /WEB-INF and /META-INF Directories The servlet specification prohibits servlet containers from serving resources in the /WEB-INF and /META-INF directories of a web application archive directly to clients. In Tomcat 3.2, this means that URLs like: http://localhost:8080/examples/WEB-INF/web.xml will return an error message, rather than the contents of your deployment descriptor. However, there is a vulnerability in Tomcat 3.2 that exposes this information if the client requests a URL like this instead: http://localhost:8080/examples//WEB-INF/web.xml (note the double slash before "WEB-INF"). This vulnerability has been corrected in Tomcat 3.2.1. Show Source Vulnerability The example application delivered with Tomcat 3.2 included a mechanism to display the source code for the JSP page examples. This mechanism could be used to bypass the restrictions on displaying sensitive information in the WEB-INF and META-INF directories. This vulnerability has been removed. New in tomcat-3.2: ------------------ Tomcat 3.2 is mainly a performance tune-up release, although a few new features have been added. - Support for mod_jk, which is a replacement to the elderly mod_jserv, has had several bugs fixed and has received much more testing. It is now recommended that all users use mod_jk instead of mod_jserv. - Support JAXP-based XML parser independence. - New and often requested "how-to" documents covering the following topics: - Configuring workers.properties - IIS and Netscape configuration - Running tomcat inside an IIS or Netscape process - Running Tomcat as a Windows NT service - Configuring a JDBC realm - Configuring mod_jk - First round of policy-based security support intended for running untrusted code inside of Tomcat. Interested users should test this support and post feedback to the Tomcat users mailing list. - SSL support for standalone Tomcat. (Preliminary support first appeared in 3.1, but the support in 3.2 has received more testing and documentation support). - Thread reuse is now enabled by default. The thread pool support code was part of 3.1, but not enabled since it was new. - Support for plug-able session managers. Unfortunately, no how-to documents that support this functionality exist (yet). For the adventurous, be aware that the interface that allows administrators to plug session managers is the normal Interceptor interface. - An almost total rewrite of the HTTP request handling now results in improved performance when running Tomcat stand-alone. - Significantly reduced garbage collection. - The code underwent a refactoring effort resulting in improved readability. - And of course, hundreds of miscellaneous improvements and fixes.
2000-12-13Update jakarta-tomcat to 3.1.1. This is a security fix release, and thejwise2-7/+7
vulnerabilities file will be updated. Changes from jakarta-tomcat-3.1: =============================================================================== 6. SECURITY VULNERABILITIES FIXED IN TOMCAT 3.1.1 6.1 Administrative Application Enabled By Default The administrative application (at context path "/admin") was enabled by default in Tomcat 3.1, which allowed unauthenticated remote users to add and remove appliations from a running Tomcat 3.1 installation if it was left installed. To avoid such problems, the administrative application has been removed from the binary distribution of Tomcat 3.1.1. It can be installed if desired by: - Downloading the source distribution of Tomcat 3.1.1. - Modifying the "build.xml" file to remove the commenting around the logic that creates the adminstrative application. - Running the build.sh or build.bat script. 6.2 Case Sensitive Matches on Static Resources In Tomcat 3.1, matches against the filenames of static resources was done in a case insensitive manner on case insensitive platforms (such as Microsoft Windows). This can cause sensitive information to be exposed to remote users who experiment with differently cased request URIs. To avoid such problems, Tomcat 3.1.1 performs filename comparisons for static resources in a case sensitive manner, even on Windows. This means that your hyperlinks must specify the correct case, or a 404 error will be returned. Because this can cause significant conversion problems for existing applications deployed on Tomcat 3.1, a configuration option is provided to temporarily turn off case sensitive matching. Edit the file "conf/web.xml" and modify the value for the "caseSensitive" initialization parameter to the default file-serving servlet. WARNING: CHANGING THIS SETTING WILL RE-INTRODUCE THE SECURITY VULNERABILITY PRESENT IN TOMCAT 3.1 -- IT IS *STRONGLY* RECOMMENDED THAT YOU CORRECT YOUR URLS TO MATCH CORRECTLY INSTEAD OF USING THIS OPTION. Note: All later versions of Tomcat perform filename matches in a case sensitive manner. 6.3 Snoop Servlet Mappings in Example Application In the deployment descriptor for the example application delivered with Tomcat 3.1, a "snoop" servlet was mapped to URL patterns "/snoop" and "*.snp". Theses mappings (in particular the second one) could cause exposure of sensitive information on the internal organization of your web application (for example, when a non-existent page "foo.snp" is requested). To avoid these problems, the offending mappings have been commented out. 6.4 Show Source Vulnerability The example application delivered with Tomcat 3.1 included a mechanism to display the source code for the JSP page examples. This mechanism could be used to bypass the restrictions on displaying sensitive information in the WEB-INF and META-INF directories. This vulnerability has been removed. 6.5 Requesting Unknown JSP Pages In Tomcat 3.1, the error message in response to a request for an unknown JSP page would include the absolute disk file pathname of the corresponding file which could not be found, which exposes sensitive information about how your application is deployed. The error message has been adjusted to include only the context-relative path of the JSP page which could not be found. 6.6 Session ID Vulnerability The algorithm used to calculate session identifiers for new sessions was subject to attack by attempting to guess what the next session identifier will be, and therefore hijack the session. In addition, the generated identifier exposed sensitive information (the number of sessions that have been created since this web application was started. To avoid these problems, the session identifier generation algorithm has been replaced by the algorithm used in Tomcat 3.2, which is not subject to these attacks, and does not expose session count information. 6.7 Server Shutdown Vulnerability In Tomcat 3.1, it was possible to establish a remote network connection to the AJP12 connector and cause Tomcat to shut itself down. Now, this network connection must be created from the same server that Tomcat is running on. NOTE: While this is more secure than Tomcat 3.1 (and mirrors the protection provided by Tomcat 3.2), it is still vulnerable to attack by users who can create socket connections from the server. Suitable use of firewalls and "TCP Wrappers" applications are suggested around the APJ12 port.
2000-05-31Modify tomcat startup process slightly -- now we add tomcat specific jarjwise1-1/+2
files at the _end_ of the CLASSPATH instead of the start so that users can override selected functionality. For example, cocoon needs to override tomcat's own XML parsing with that from Xerces-J if you want PDF generation from XSL Formatting Objects to work.
2000-05-14Update jakarta-tomcat to version 3.1. While here, clean up the packagejwise2-6/+7
a fair deal. Changes from 3.0 (the last pkgsrc version) include: * Thread pooling and JVM load balancing * ISAPI and NSAPI integration * A Command line JSP to Servlet Code tool * Automatic generation of Apache configuration files * Automatic deployment of Web ARchive (WAR) files * Logging * Substantially improved documentation * Experimental servlet reloading * Experimental security implementation * Minimal Admin/Deployment Tool * Internal APIs were changed for flexibility and integration * The source code was cleaned and reorganized * Most non-essential code was moved out of tomcat.core * Greater platform / JVM level coverage * Many, many bugs were fixed. IMHO, this is _much_ closer to being a real, usable platform than 3.0 was (as was intender - 3.0 was more of a proof of concept), and is very close to being something to push into production -- I'm banking on a late 3.1.X or 3.2 for that.
2000-01-16Patch the sample Apache Server configuration file fragment that comes withjwise1-1/+2
Tomcat so that it works out of the box with our Apache Server config.
2000-01-13Use new USE_JAVA support. This runs fine with either jdk or kaffe, but ↵jwise1-1/+1
currently cannot build with kaffe, which I am looking into.
2000-01-12Initial import of jakarta-tomcat-3.0, the Apache Project Servlet/Javajwise2-0/+7
Server Pages engine. This currently runs as a standalone http server with Servlet/JSP support, and will be usable with Apache Server if/when we have a mod_jserv package. I will look into that next, unless someone is already.