From 36f81d2e7058b012f6718bc2f1e2786694a8a4a1 Mon Sep 17 00:00:00 2001
From: gregw
Date: Wed, 22 Nov 2006 15:39:06 +0000
Subject: [PATCH] Use SecureRandom for session ID generation
---
 VERSION.txt | 2489 ++++++++++++++++-
 .../main/java/org/mortbay/cometd/Bayeux.java | 21 +-
 .../main/java/org/mortbay/cometd/Channel.java | 4 +-
 .../jetty/servlet/HashSessionIdManager.java | 64 +-
 4 files changed, 2547 insertions(+), 31 deletions(-)
diff --git a/VERSION.txt b/VERSION.txt
index db4f50ad0..1908d2bbb 100644
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1,8 +1,24 @@ jetty-6.1-SNAPSHOT + fixed NIO endpoint flush. Avoid duplicate sends + + Upgraded session ID generation to use SecureRandom + + Merged refactored AJP -jetty-6.1.0pre1 - 20 Nov 2006 +jetty-6.0-SNAPSHOT + + ensure setContextPath() works when invoked from jetty-web.xml + + ensure sessions nulled out on request recycle; ensure session null after invalidate + + ensure "" returned for ServletContext.getContextPath() for root context + + Fixed tld parsing for maven plugin + + JETTY-129 ServletContextListeners called after servlets are initialized + + change examples/test-jndi-webapp so it can be regularly built + + added examples/test-jaas-webapp + + (re)make JAAS classes available to webapp classloader + + Reverted UnixCrypt to use coersions (that effected results) + + JETTY-171 Fixed filter mapping + + JETTY-172 use getName() instead of toString + + JETTY-173 restore servletpath after dispatch + +jetty-6.1.0pre2 - 20 Nov 2006 + Added extraClassPath to WebAppContext + Fixed resource cache flushing + Clean up jboss module licensing
@@ -76,19 +92,16 @@ jetty-6.1.0pre0 - 21 Oct 2006
  + Default soLinger is -1 (disabled)
  + AJP Connector
 
-jetty-6.0-SNAPSHOT
- + ensure setContextPath() works when invoked from jetty-web.xml
- + ensure sessions nulled out on request recycle; ensure session null after invalidate
- + ensure "" returned for ServletContext.getContextPath() for root context
- + Fixed tld parsing for maven plugin
- + JETTY-129 ServletContextListeners called after servlets are initialized
- + change examples/test-jndi-webapp so it can be regularly built
- + added examples/test-jaas-webapp
- + (re)make JAAS classes available to webapp classloader
- + Reverted UnixCrypt to use coersions (that effected results)
- + JETTY-171 Fixed filter mapping
- + JETTY-172 use getName() instead of toString
- + JETTY-173 restore servletpath after dispatch
+Jetty-5.1.11 - 8 October 2006
+ + fixed ByteBufferOutputStream capacity calculation
+ + Fixed AJP handling of certificate length (1494939)
+ + Fixed AJP chunk header (1507377)
+ + Fixed order of destruction event calls
+ + Fix to HttpOutputStream from M.Traverso
+ + Default servlet only uses setContentLength on wrapped responses
+
+Jetty-4.2.26 - 8 October 2006
+ + Backport of AJP fixes
 
 jetty-6.0.1 - 24 September 2006
  + fixed isUserInRole checking for JAASUserRealm
@@ -422,5 +435,2453 @@ Jetty-6.0.0ALPHA0 - Missing war support +Jetty-5.1.11RC0 - 5 April 2006 + + stop JDBCUserRealm forcing all credentials to be String + + force close with shutdownOutput for win32 + + NPE protection if desirable client certificates + + Added provider support to SslListener + + logging improvements for servlet and runtime exceptions + + Fixed AJP handling of ;jsessionid. + + improved contentType param handling + +Jetty-5.1.10 - 5 January 2006 + + Fixed path aliasing with // on windows. + + Fix for AJP13 with multiple headers + + Fix for AJP13 with encoded path + + Remove null dispatch attributes from getAttributeNames + + Put POST content default back to iso_8859_1. GET is UTF-8 still + +Jetty-4.2.25 - 4 Jan 2006 + + Fixed aliasing of // for win32 + +Jetty-5.1.9 - 7 December 2005 + + Fixed wantClientAuth(false) overriding netClientAuth(true) + +Jetty-6.0.0betaX - + + See http://jetty.mortbay.org/jetty6 for 6.0 releases + +Jetty-5.1.8 - 7 December 2005 + + Fixed space in URL issued created in 5.1.6 + +Jetty-5.1.7 - 7 December 2005 +Jetty-5.1.7rc0 - 6 December 2005 + + improved server stats + + char encoding for MultiPartRequest + + fixed merging of POST params in dispatch query string. + + protect from NPE in dispatcher getValues + + Updated to 2.6.2 xerces + + JSP file servlet mappings copy JspServlet init params. + + Prefix servlet context logs with org.mortbay.jetty.context + + better support for URI character encodings + + use commons logging jar instead of api jar. + +Jetty-5.1.6 - 18 November 2005 + + Fixed JSP visibility security issue. + + Improved jetty-web.xml access to org.mortbay classes. + +Jetty-5.1.5 - 10 November 2005 + + Improved shutdown hook + + Improved URL Decoding + + Improved mapping of JSP files. + +Jetty-5.1.5rc2 - 7 October 2005 + + Reverted dispatcher params to RI rather than spec behaviour. 
+ + ProxyHandler can handle chained proxies + + unsynchronized ContextLoader + + ReFixed merge of Dispatcher params + + public ServerMBean constructor + + UTF-8 encoding for URLs + + Response.setLocale will set locale even if getWriter called. + +Jetty-5.1.5rc1 - 23 August 2005 + + upgraded to commons logging 1.0.4 + + Release commons logging factories when stopping context. + + Fixed illegal state with chunks and 100 continue - Tony Seebregts + + Fixed PKCS12Import input string method + + Fixed merge of Dispatcher parameters + + Encoded full path in ResourceHandler directory listing + + handle extra params after charset in header + + Fixed 100-continues with chunking and early commit + +Jetty-5.1.5rc0 - 16 August 2005 + + Fixed component remove memory leak for stop/start cycles + + Facade over commons LogFactory so that discovery may be avoided. + + Applied ciphersuite patch from tonyj + + Authenticators use servlet sendError + + CGI sets SCRIPT_FILENAME + + HttpTunnel timeout + + NPE protection for double stop in ThreadedServer + + Expect continues only sent if input is read. + +Jetty-5.1.4 - 5 June 2005 + + Fixed FTP close issue. + + setup MX4J with JDK1.5 in start.config + + set classloader during webapp doStop + + NPE protection in ThreadedServer + + ModelMBean handles null signatures + + Change JAAS impl to be more flexible on finding roles + +Jetty-5.1.4rc0 - 19 April 2005 + + ServletHttpContext correctly calls super.doStop. + + HttpServer delegates component handling to Container. + + Allow ServletHandler in normal HttpContext again. + + Stop start.jar putting current directory on classpath. + + More protection from null classloaders. + + Turn off web.xml validation for JBoss. 
+ +Jetty-5.1.3 - 7 April 2005 + + Some minor code janitorial services + +Jetty-4.2.24 - 7 April 2005 + +Jetty-5.1.3rc4 - 31 March 2005 + + Moved servlet request wrapping to enterContextScope for geronimo security + + refixed / mapping for filters + + Allow XmlConfiguration to start with no object. + + updated to mx4j 3.0.1 + + rework InitialContextFactory to use static 'default' namespace + + make java:comp/env immutable for webapps as per J2EE spec + +Jetty-5.1.3rc3 - 20 March 2005 + + removed accidental enablement of DEBUG for JettyPlus jndi in log4j.properties + + fixed "No getter or setter found" mbean errors + +Jetty-5.1.3rc2 - 16 March 2005 + + Updated JSR154Filter for ERROR dispatch + + Fixed context to _context refactory error + +Jetty-5.1.3rc1 - 13 March 2005 + + Fixed typo in context-param handling. + + update to demo site look and feel. + + Fixed principal naming in FormAuthenticator + + JettyPlus updated to JOTM 2.0.5, XAPool 1.4.2 + +Jetty-4.2.24rc1 + + Fixed principal naming in FormAuthenticator + +Jetty-5.1.3rc0 - 8 March 2005 + + Flush filter chain caches on servlet/filter change + + Fixed rollover filename format bug + + Fixed JSR154 error dispatch with explicit pass of type. + + Allow system and server classes to be configured for context loader. + + IOException if EOF read during chunk. + + Fixed HTAccess crypt salt handling. + + Added simple xpath support to XmlParser + + Added TagLibConfiguration to search for listeners in TLDs. + + Added SslListener for 1.4 JSSE API. + + Fixed moderate load preventing ThreadPool shrinking. + + Added logCookie and logLatency support to NCSARequestLog + + Added new JAAS callback to allow extra login form fields in authentication + +Jetty-4.2.24rc0 - 8 March 2005 + + Back ported Jetty 5 ThreadedServer and ThreadPool + + Added logCookie and logLatency support to NCSARequestLog + +Jetty-5.1.2 - 18 January 2005 + + Added id and ref support to XmlConfiguration + + Cleaned up AbstractSessionManager synchronization. 
+ + Fixed potential concurrent login problem with JAAS + + Apply patch #1103953 + +Jetty-4.2.23 - 16 January 2005 + + Cleaned up AbstractSessionManager synchronization. + + Fixed potential concurrent login problem with JAAS + +Jetty-5.1.2pre0 - 22 December 2004 + + Fixed case of Cookie parameters + + Support Secure and HttpOnly in session cookies + + Modified useRequestedID handling to only use IDs from other contexts + + Added global invalidation to AbstractSessionManager + + UnavailableException handling from handle + + Fixed suffix filters + +Jetty-4.2.23RC0 - 17 December 2004 + + LineInput handles readers with small internal buffer + + Added LogStream to capture stderr and stdout to logging + + Support Secure and HttpOnly in session cookies + + Build unsealed jars + +Jetty-5.1.1 - 1 December 2004 + +Jetty-5.1.1RC1 + + Some minor findbugs code cleanups + + Made more WebApplicationHandle configuration methods public. + + Fixed ordering of filters with multiple interleaved mappings. + + Allow double // within URIs + + Applied patch for MD5 hashed credentials for MD5 + +Jetty-5.1.1RC0 - 17 November 2004 + + fix for adding recognized EventListeners + + fix commons logging imports to IbmJsseListener + + added new contributed shell start/stop script + + excluded ErrorPageHandler from standard build in extra/jdk1.2 build + +Jetty-5.1.0 - 14 November 2004 + +Jetty-5.1.RC1 - 24 October 2004 + + Allow JSSE listener to be just confidential or just integral. + + Fixed NPE for null contenttype + + improved clean targets + + when committed setHeader is a noop rather than IllegalStateException + + Partially flush writers on every write so content length can be detected. 
+ + Build unsealed jars + + default / mapping does not apply to Filters + + many minor cleanups suggested from figbug utility + + Allow multiple accepting threads + +Jetty-5.1.RC0 - 11 October 2004 + + Fixed many minor issues from J2EE 1.4 TCK testing + See sf.net bugs 1031520 - 1032205 + + Refactored, simplified and optimized HttpOutputStream + + LineInput handles readers with small internal buffer + + Added LogStream to capture stderr and stdout to logging + + Added filter chain cache + + Added JSR77 servlet statistic support + + Refactored webapp context configurations + + Added LifeCycle events and generic container. + + Upgraded to ant-1.6 for jasper + + Fixed HTAccessHandler + + JBoss 4.0.0 support + +Jetty-5.0.0 - 10 September 2004 + +Jetty-5.0.RC4 - 5 September 2004 + + Fixed configuration of URL alias checking + + JettyJBoss: Use realm-name from web.xml if present, otherwise use security-domain from jboss-web.xml + +Jetty-5.0.RC3 - 28 August 2004 + + DIGEST auth handles qop, stale and maxNonceAge. + + Less verbose warning for non validating xml parser. + + fixed jaas logout for jetty-jboss + + fixed deployment of ejb-link elements in web.xml with jboss + + Update to jasper 5.0.27 + + Added parameters for acceptQueueSize and lowResources level. + + Changed default URI encoding to UTF-8 + + Fixes to work with java 1.5 + + JettyPlus upgrade to XAPool 1.3.3. and HSQLDB 1.7.2 + + JettyPlus addition of pluggable DataSources + + Always say close for HTTP/1.0 non keep alive. + +Jetty-4.2.22 - 23 August + + fixed jaas logout for jetty-jboss integration + + fixed deployment of ejb-link elements in web.xml for jboss + + Added parameters for acceptQueueSize and lowResources level. + +Jetty-5.0.RC2 - 2 July 2004 + + Fixed DIGEST challenge delimiters + + HTAccess calls UnixCrypt correctly + + integrated jetty-jboss with jboss-3.2.4 + + Error dispatchers are always GET requests. 
+ + OPTIONS works for all URLs on default servlet + + add JMX support for JettyPlus + + add listing of java:comp/env for webapp with JMX + + make choice of override of JNDI ENC entries: config.xml or web.xml + + Default servlet may use only pathInfo for resource + + Fixed session leak in j2ee + + Fixed no-role security constraint combination. + + Fix to use runas roles during servlet init and destroy + + Fixed JAAS logout + + HttpContext sendError for authentication errors + +Jetty-4.2.21 - 2 July 2004 + + integrated jetty-jboss with jboss-3.2.4 + + add JMX support for JettyPlus + + add listing of java:comp/env for webapp with JMX + + make choice of override of JNDI ENC entries: config.xml or web.xml + + Fixed JAAS logout + +Jetty-5.0.RC1 - 24 May 2004 + + Changed to apache 2.0 license + + added extra/etc/start-plus.config to set up main.class for jettyplus + + maxFormContentLength may be unlimited with <0 value + + Fixed HTTP tunnel timeout setting. + + Improved handling of exception from servlet init. + + FORM auth redirects to context on a re-auth + + Handle multiple virutal hosts from JBoss 3.2.4RC2 + +Jetty-4.2.20 - 22 May 2004 + + maxFormContentLength may be unlimited with <0 value + + Fixed HTTP tunnel timeout setting. + + Improved handling of exception from servlet init. + + FORM auth redirects to context on a re-auth + +Jetty-5.0.0RC0 - 7 April 2004 + + Updated JettyPlus to JOTM 1.4.3 (carol-1.5.2, xapool-1.3.1) + + ServletContext attributes wrap HttpContext attributes. + + Factored out XML based config from WebApplicationContext + + Improved RequestLog performance + + Fixed j2se 1.3 problem with HttpFields + + Default servlet respectes servlet path + + Fixed setCharacterEncoding for parameters. 
+ + Fixed DOS problem + + Worked around bad jboss URL handler in XMLParser + + Forced close of connections over stop/start + + ProxiedFor field support added to NCSARequestLog + + Fixed Default servlet for non empty servlet paths + + Updated mx4j to V2 + + Updated jasper to 5.0.19 + + Changed dist naming convention to lowercase + +Jetty-4.2.20RC0 - 7 April 2004 + + Worked around bad jboss URL handler in XMLParser + + Forced close of connections over stop/start + + HttpFields protected headers + + ProxiedFor field support added to NCSARequestLog + + Fixed Default servlet for non empty servlet paths + + Changed dist naming convention to lowercase + +Jetty-4.2.19 - 19 Mar 2004 + + Fixed DOS attack problem + +Jetty-5.0.beta2 - 12 Feb 2004 + + Added skeleton JMX MBean for jetty plus + + Fixed HEAD with empty chunk bug. + + Fixed jetty.home/work handling + + Fixed setDate thread safety + + Fixed SessionManager init + + Improved low thread handling + + FileResource better handles non sun JVM + + Monitor closes socket before exit + + Updated to Japser 5.0.16 + + RequestDispatcher uses request encoding for query params + + Fixed busy loop in threadpool run + + Reorganized ServletHolder init + + Added log4j context repository to jettyplus + + NPE guard for no-listener junit deployment + + Added experimental NIO listeners again. + + fixed filter dispatch configuration. 
+ + fixed lazy authentication with FORMs + +Jetty-4.2.18 - 1 Mar 2004 + + Added log4j context repository to jettyplus + + NPE guard for no-listener junit deployment + + Improved log performance + + Fixed j2se 1.3 problem with HttpFields + + Suppress some more IOExceptions + + Default servlet respectes servlet path + +Jetty-4.2.17 - 1 Feb 2004 + + Fixed busy loop in threadpool run + + Reorganized ServletHolder init + +Jetty-4.2.16 - 30 Jan 2004 + + Fixed setDate multi-cpu race + + Improved low thread handling + + FileResource better handles non sun JVM + + Fixed HttpTunnel for JDK 1.2 + + Monitor closes socket before exit + + RequestDispatcher uses request encoding for query params + + Update jasper to 4.1.29 + +Jetty-5.0.beta1 - 24 December 2003 + + SecurityConstraints not reset by stop() on custom context + + Fixed UnixCrypt handling in HTAccessHandler + + Added patch for JBoss realm single sign on + + Reorganized FAQ + + Env variables for CGI + + Removed support for old JBoss clustering + +Jetty-4.2.15 - 24 December 2003 + + SecurityConstraints not reset by stop() on custom context + + Fixed UnixCrypt handling in HTAccessHandler + + Added patch for JBoss realm single sign on + + Environment variables for CGI + + Removed support for old JBoss clustering + +Jetty-5.0.beta0 - 22 November 2003 + + Removed support for HTTP trailers + + PathMap uses own Map.Entry impl for IBM JVMs + + Use ${jetty.home}/work or WEB-INF/work for temp directories if present + + Protect ThreadPool.run() from interrupted exceptions + + Added org.mortbay.http.ErrorHandler for error pages. + + Fixed init race in HttpFields cache + + Allow per listener handlers + + Added MsieSslHandler to handle browsers that don't grok persistent SSL (msie 5) + + Respect content length when decoding form content. 
+ + JBoss integration uses writer rather than stream for XML config handling + + Expire pages that contain set-cookie as per RFC2109 recommendation + + Updated jasper to 5.0.14beta + + Removed the CMR/CMP distributed session implementation + +Jetty-4.2.15rc0 - 22 November 2003 + + PathMap uses own Map.Entry impl for IBM JVMs + + Race in HttpFields cache + + Use ${jetty.home}/work or WEB-INF/work for temp directories if present + + Protect ThreadPool.run() from interrupted exceptions + + Added org.mortbay.http.ErrorHandler for error pages. + + JsseListener checks UserAgent for browsers that can't grok persistent SSL (msie5) + + Removed the CMR/CMP distributed session implementation + +Jetty-4.2.14 - 04 November 2003 + + respect content length when decoding form content. + + JBoss integration uses writer rather than stream for XML config handling + + Fixed NPE in SSO + + Expire pages that contain set-cookie as per RFC2109 recommendation + +Jetty-5.0.alpha3 - 19 October 2003 + + Reworked Dispatcher to better support cross context sessions. + + Use File.toURI().toURL() when jdk 1.2 alternative is available. + + Priority added to ThreadPool + + replaced win32 service with http://wrapper.tanukisoftware.org + + FileClassPath derived from walk of classloader hierarchy. + + Implemented security constraint combinations + + Set TransactionManager on JettyPlus datasources and pools + + Fixed null pointer if no sevices configured for JettyPlus + + Updated jasper and examples to 5.0.12 + + Lazy authentication if no auth constraint. + + Restore servlet handler after dispatch + + Allow customization of HttpConnections + + Failed requests excluded from duration stats + +Jetty-4.2.14RC1 - 19 October 2003 + + Reworked Dispatcher to better support cross context sessions. 
+ + Added UserRealm.logout and arrange for form auth + + Allow customization of HttpConnections + + Failed requests excluded from + +Jetty-4.2.14RC0 - 7 October 2003 + + Correctly setup context classloader in cross context dispatch. + + Put a semi busy loop into proxy tunnels for IE problems + + Fixed handling of error pages for IO and Servlet exceptions + + updated extra/j2ee to jboss 3.2.1+ + + Use File.toURI().toURL() when jdk 1.2 alternative is available. + + cookie timestamps are in GMT + + Priority on ThreadedServer + + replaced win32 service with http://wrapper.tanukisoftware.org + + Build fileclasspath from a walk of the classloaders + + Set TransactionManager on JettyPlus datasources and pools + + Fixed null pointer if no sevices configured for JettyPlus + + Fixed comments with embedded double dashes on jettyplus.xml file + +Jetty-5.0.alpha2 - 19 September 2003 + + Use commons logging. + + Use log4j if extra is present. + + Improved JMX start. + + Update jakarta examples + + Correctly setup context classloader in cross context dispatch. + + Turn off validation without non-xerces errors + + minor doco updates. + + moved mailing lists to sourceforge. + + Put a semi busy loop into proxy tunnels for IE problems + + MultipartRequest supports multi value headers. + + XML entity resolution uses URLs not Resources + + Implemented ServletRequestListeners as optional filter. + + Moved error page mechanism to be webapp only. + + Fixed error page handling of IO and Servlet exceptions. + +Jetty-5.0.alpha1 - 12 August 2003 + + Switched to mx4j + + Improve combinations of Security Constraints + + Implemented locale encoding mapping. + + Synced with 4.2.12 + + Updated to Jasper 5.0.7 + + Server javadoc from war + +Jetty-5.0.alpha0 - 16 Jul 2003 + + Compiled against 2.4 servlet spec. + + Implemented remote/local addr/port methods + + Updated authentication so that a normal Principal is used. 
+ + updated to jasper 5.0.3 + + Implemented setCharaterEncoding + + Implemented filter-mapping element + + Implemented Dispatcher forward attributes. + +Jetty-4.2.12 - 12 August 2003 + + Restore max inactive interval for session manager + + Removed protection of org.mortbay.http attributes + + Fixed parameter ordering for a forward request. + + Fixed up HTAccessHandler + + Improved error messages from ProxyHandler + + Added missing S to some OPTIONS strings + + Added open method to threaded server. + + FORMAuthenticator does 403 with empty error page. + + Fixed MIME types for chemicals + + Padding for IE in RootNotFoundHandler + +Jetty-4.2.11 - 12 July 2003 + + Fixed race in servlet initialization code. + + Cookie params all in lower case. + + Simplified AJP13 connection handling. + + Prevent AJP13 from reordering query. + + Support separate Monitor class for start + + Branched for Jetty 5 development. + +Jetty-4.2.10 - 7 July 2003 + + Updates to JettyPlus documentation + + Updates to Jetty tutorial for start.jar, jmx etc + +Jetty-4.2.10pre2 - 4 July 2003 + + Improvement to JettyPlus config of datasources and connection pools + + Addition of mail service for JettyPlus + + Move to Service-based architecture for JettyPlus features + + Re-implementation of JNDI + + Many improvements in JettyPlus java:comp handling + + Allow multiple security-role-ref elements per servlet. + + Handle Proxy-Connection better + + Cleaned up alias handling. + + Confidential redirection includes query + + handle multiple security role references + + Fixed cookie handling for old cookies and safari + + Restricted ports in ProxyHandler. + + URI always encodes % + + Session statistics + + XmlConfiguration can get/set fields. + +Jetty-4.2.10pre1 - 2 June 2003 + + Fixed JSP code visibility problem introduced in Jetty-4.2.10pre0 + + Added stop.jar + + Added SSO implementation for FORM authentication. + + WebApplicationContext does not reassign defaults descriptor value. 
+ + Fixed AJP13 protocol so that request/response header enums are correct. + + Fixed form auth success redirect after retry, introduced in 4.2.9rc1 + + Trace support is now optional (in AbstractHttpHandler). + + Deprecated forced chunking. + + Form authentication remembers URL over 403 + + ProxyHandler has improved test for request content + + Removed support of org.mortbay.http.User role. + + Fixed problem with shared session for inter context dispatching. + +Jetty-4.2.10pre0 - 5 May 2003 + + Moved Log4JLogSink into JettyPlus + + Added ability to override jetty startup class by using -Djetty.server on runline + + Incorporate JettyPlus jotm etc into build. + + Massive reorg of the CVS tree. + + Incorporate jetty extra and plus into build + + Integrate with JAAS + + Apply the append flag of RolloverFileOutputStream constructor. + + RolloverFileOutputStream manages Rollover thread. + + New look and feel for www site. + + Fixed table refs in JDBCUserRealm. + + Allow params in form auth URLs + + Updated to jasper jars from tomcat 4.1.24 + + Allow query params in error page URL. + + ProxyHandler checks black and white lists for Connect. + + Merge multivalued parameters in dispatcher. + + Fixed CRLF bug in MultiPartRequest + + Warn if max form content size is reached. + + getAuthType returns CLIENT_CERT instead of CLIENT-CERT. + + getAuthType maps the HttpServletRequest final strings. + + FORM Authentication is serializable for session distribution. + +Jetty-4.2.9 - 19 March 2003 + + Conditional headers check after /dir to /dir/ redirection. + +Jetty-4.2.9rc2 - 16 March 2003 + + Fixed build.xml for source release + + Made rfc2068 PUT/POST Continues support optional. + + Defaults descriptor has context classloader set. 
+ + Allow dispatch to j_security_check + + Added X-Forwarded-For header in ProxyHandler + + Updated included jmx jars + +Jetty-4.2.9rc1 - 6 March 2003 + + Work around URLClassloader not handling leading / + + Dump servlet can load resources for testing now. + + Added trust manager support to SunJsseListener. + + Added support for client certs to AJP13. + + Cleaned up includes + + Removed checking for single valued headers. + + Optional 2.4 behaviour for sessionDestroyed notification. + + Stop proxy url from doing user interaction. + + Turn request log buffering off by default. + + Reduced default context cache sizes (Total 1MB file 100KB). + + ProxyHandler has black and white host list. + + Added requestlog to HttpContext. + + Allow delegated creation of WebApplication derivations. + + Check Data contraints before Auth constraints + +Jetty-4.2.8_01 - 18 February 2003 + + Patched first release of 4.2.8 with correct version number + + Fixed CGI servlet to handle multiple headers. + + Added a SetResponseHeadersHandler, can set P3P headers etc. + + ProxyHandler can handle multiple cookies. + + Fixed AdminServlet to handle changed getServletPath better. + + Default servlet can have own resourceBase. + + Rolled back SocketChannelListener to 4.2.5 version + + Added option to resolve remote hostnames. Defaults to off. + + Added MBeans for Servlets and Filters + + Moved ProxyHandler to the src1.4 tree + +Jetty-4.2.7 - 4 February 2003 + + Upgraded to JSSE 1.0.3_01 to fix security problem. + + Fixed proxy tunnel for non persistent connections. + + Relative sendRedirect handles trailing / correctly. + + Changed PathMap to conform to / getServletPath handling. + +Jetty-4.2.6 - 24 January 2003 + + Improved synchronization on AbstractSessionManager. + + Allow AJP13 buffers to be resized. + + Fixed LineInput problem with expanded buffers. + + ClientCertAuthentication updates request. + + Fixed rel sendRedirects for root context. 
+ + Added HttpContext.setHosts to restrict context by real interface. + + Added MBeans for session managers + + Improved SocketChannelListener contributed. + + Added version to HttpServerMBean. + +Jetty-4.2.5 - 14 January 2003 + + Fixed pathParam bug for ;jsessionid + + Don't process conditional headers and ranges for includes + + Added Log4jSink in the contrib directory. + + Fixed requestedSessionId null bug. + +Jetty-4.2.4 - 4 January 2003 + + Fixed stop/start handling of servlet context + + Reuse empty LogSink slots. + + HTAccessHandler checks realm as well as htpassword. + + Clear context listeners after stop. + + Clear context attributes after stop. + + Use requestedSessionId as default session ID. + + Added MBeans for handlers + + Upgraded jasper to 4.1.18 + +Jetty-4.2.4rc0 - 12 December 2002 + + Simplified ThreadedServer + + Use ThreadLocals for ByteArrayPool to avoid synchronization. + + Use Version to reset HttpFields + + Cheap clear for HttpFields + + Fixed setBufferSize NPE. + + Cleaned up some unused listener throws. + + Handle chunked form data. + + Allow empty host header. + + Avoid optional 100 continues. + + Limit form content size. + + Handle = in param values. + + Added HttpContext.flushCache + + Configurable root context. + + RootNotFoundHandler to help when no context found. + + Update jasper to 4.1.16beta + + Fixed dir listing from jars. + + Dir listings in UTF8 + + Character encoding handling for GET requests. + + Removed container transfer encoding handling. + + Improved setBufferSize handling + + Code logs objects rather than strings. + + Better access to session manager. + + Fixed isSecure and getScheme for SSL over AJP13 + + Improved ProxyHandler to the point is works well for non SSL. + + Implemented RFC2817 CONNECT in ProxyHandler + + Added gzip content encoding support to Default and ResourceHandler + +Jetty-4.2.3 - 2 December 2002 + + Removed aggressive threadpool shrinkage to avoid deadlock on SMP machines. 
+ + Fixed some typos + + Added links to Jetty Powered page + + Clean up of ThreadedServer.stop() + + Updated bat scripts + + Added PKCS12Import class to import PKCS12 key directly + + removed old HttpContext.setDirAllowed() + + added main() to org.mortbay.http.Version + + Check form authentication config for leading / + + Cleaner servlet stop to avoid extra synchronization on handle + + org.mortbay.http.HttpContext.FileClassPathAttribute + +Jetty-4.2.2 - 20 November 2002 + + Fixed sendRedirect for non http URLS + + Fixed URI query recycling for persistent connections + + Fixed handling of empty headers + + Added EOFException to reduce log verbosity on closed connections. + + Avoided bad buffer status after closed connection. + +Jetty-4.2.1 - 18 November 2002 + + Fixed bad optimization in UrlEncoding + + Re-enabled UrlEncoding test harnesses + +Jetty-4.2.0 - 16 November 2002 + + Fixed AJP13 buffer size. + + Fixed remove listener bug. + + Fixed include of Invoker servlet. + + Restrict 304 responses to seconds time resolution. + + Use IE date formatting for speed. + + Removed jasper source and just include jars from 4.1.12 + + Worked around JVM1.3 bug for JSPs + + Lowercase jsessionid for URLs only. + + Made NCSARequestLog easier to extend. + + Added definitions for RFC2518 WebDav response codes. + + Removed remaining non portable getBytes() calls + + Added upload demo to dump servlet. + + Many more optimizations. + +Jetty-4.1.4 - 16 November + + Fixed ContextLoader parent delegation bug + + Fixed remove SocketListener bug. + + Fixed Invoker servlet for RD.include + + Use IE date formatting for last-modified efficiency + + Last modified handling uses second resolution. + + Made NCSARequestLog simpler to extend. + +Jetty-4.2.0rc1 - 2 November 2002 + + Support default mime mapping defined by * + + Recycling of HttpFields class. + + Renamed Filter application methods. + + Fixed firstWrite after commit. + + Fixed ContextLoader parent delegation bug. 
+ + Fixed problem setting the size of chunked buffers. + + Removed unused Servlet and Servlet-Engine headers. + + Fixed servletpath on invoker for named servlets. + + Fixed directory resource bug in JarFileResource. + + Improved handling of 2 byte encoded characters within forms. + +Jetty-4.2.0rc0 - 24 October 2002 + + Greg's birthday release! + + Added embedded iso8859 writer to HttpOutputStream. + + Removed duplicate classes from jar + + Fixed RolloverFileOutputStream without date. + + Fixed SessionManager initialization + + Added authenticator to admin.xml + + Fixed Session timeout NPE. + + Jetty-4.1.3 - 24 October 2002 + + Fixed RolloverFileOutputStream without date. + + Fixed SessionManager initialization + + Added authenticator to admin.xml + + Fixed Session timeout NPE. + +Jetty-4.0.6 - 24 October 2002 + + Clear interrupted status in ThreadPool + + Fixed forward query string handling + + fixed forward attribute handling for jsp-file servlets + + Fixed setCharacterEncoding to work with getReader + + Fixed handling of relative sendRedirect after forward. + + Fixed virtual hosts temp directories. + +Jetty-4.2.0beta0 - 13 October 2002 + + New ThreadPool implementation. + + New Buffering implementation. + + New AJP13 implementation. + + Removed Dispatcher dependancy on ServletHttpContext + + getNamedDispatcher(null) returns containers default servlet. + + unquote charset in content type + + Stop/Start filters in declaration order. + + Use "standard" names for default,jsp & invoker servlets. + + Fixed caching of directories to avoid shared buffers. + + Fixed bad log dir detection + + Fix Session invalidation bug + + Build without jmx + + 404 instead of 403 for WEB-INF requests + + FORM authentication sets 403 error page + + Allow %3B encoded ; in URLs + + Allow anonymous realm + + Update jasper to 4.1.12 tag + +Jetty-4.1.2 - 13 October 2002 + + Some AJP13 optimizations. + + getNamedDispatcher(null) returns containers default servlet. 
+ + unquote charset in content type
+ + Stop/Start filters in declaration order.
+ + Use "standard" names for default,jsp & invoker servlets.
+ + Fixed caching of directories to avoid shared buffers.
+ + Fixed bad log dir detection
+ + Fix Session invalidation bug
+ + Build without jmx
+ + 404 instead of 403 for WEB-INF requests
+ + FORM authentication sets 403 error page
+ + Allow %3B encoded ; in URLs
+ + Allow anonymous realm
+ + Update jasper to 4.1.12 tag
+
+Jetty-4.1.1 - 30 September 2002
+ + Fixed client scripting vulnerability with jasper2.
+ + Merged LimitedNCSARequestLog into NCSARequestLog
+ + Fixed space in resource name handling for jdk1.4
+ + Moved launcher/src to src/org/mortbay/start
+ + Fixed infinite recursion in JDBCUserRealm
+ + Avoid setting sotimeout for optimization.
+ + String comparison of If-Modified-Since headers.
+ + Touch files when expanding jars
+ + Deprecated maxReadTime.
+ + Cache directory listings.
+
+Jetty-4.1.0 - 22 September 2002
+ + Fixed CGI+windows security hole.
+ + Fixed AJP13 handling of mod_jk loadbalancing.
+ + Stop servlets in opposite order to start.
+ + NCSARequest log buffered default
+ + WEB-INF/classes before WEB-INF/lib
+ + Sorted directory listings.
+ + Handle unremovable tempdir.
+ + Context Initparams to control session cookie domain, path and age.
+ + ClientCertAuthenticator protected from null subjectDN
+ + Added LimitedNCSARequestLog
+ + Use javac -target 1.2 for normal classes
+
+Jetty-4.1.0RC6 - 14 September 2002
+ + Don't URL encode FileURLS.
+ + Improved HashUserRealm doco
+ + FormAuthenticator uses normal redirections now.
+ + Encode URLs of Authentication redirections.
+ + Added logon.jsp for no cookie form authentication.
+ + Extended Session API to pass request for jvmRoute handling
+ + Fixed problem with AJP 304 responses.
+ + Improved look and feel of demo
+ + Cleaned up old debug.
+ + Added redirect to welcome file option.
+
+Jetty-4.1.0RC5 - 8 September 2002
+ + AJP13Listener caught up with HttpConnection changes.
+ + Added commandPrefix init param to CGI
+ + More cleanup in ThreadPool for idle death.
+ + Improved errors for misconfigured realms.
+ + Implemented security-role-ref for isUserInRole.
+
+Jetty-4.1.0RC4 - 30 August 2002
+ + Included IbmJsseListener in the contrib directory.
+ + Updated jasper2 to 4.1.10 tag.
+ + Reverted to 302 for all redirections as all clients do not understand 303
+ + Created statsLock sync objects to avoid deadlock when stopping.
+
+Jetty-4.1.0RC3 - 28 August 2002
+ + Fixed security problem for suffix matching with trailing "/"
+ + addWebApplications encodes paths to allow for spaces in file names.
+ + Improved handling of PUT,DELETE & MOVE.
+ + Improved handling of path encoding in Resources for bad JVMs
+ + Added buffering to request log
+ + Created and integrated the Jetty Launcher
+ + Made Resource canonicalize it's base path for directories
+ + Allow WebApplicationHandler to be used with other handlers.
+ + Added defaults descriptor to addWebApplications.
+ + Allow FORM auth pages to be within security constraint.
+
+Jetty-4.1.0RC2 - 20 August 2002
+ + Conveninace setClassLoaderJava2Compliant method.
+ + Clear interrupted status in ThreadPool
+ + Fixed HttpFields cache overflow
+ + Improved ByteArrayPool to handle multiple sizes.
+ + Added HttpListener.bufferReserve
+ + Use system line separator for log files.
+ + Updated to Jasper2 (4_1_9 tag)
+ + Build ant, src and zip versions with the release
+
+Jetty-4.1.0RC1 - 11 August 2002
+ + Fixed forward query string handling
+ + Fixed setCharacterEncoding to work with getReader
+ + Fixed getContext to use canonical contextPathSpec
+ + Improved the return codes for PUT
+ + Made HttpServer serializable
+ + Updated international URI doco
+ + Updated jasper to CVS snapshot 200208011920
+ + Fixed forward to jsp-file servlet
+ + Fixed handling of relative sendRedirect after forward.
+
+Jetty-4.1.0RC0 - 31 July 2002
+ + Fixed getRealPath for packed war files.
+ + Changed URI default charset back to ISO_8859_1
+ + Restructured Password into Password and Credentials
+ + Added DigestAuthenticator
+ + Added link to a Jetty page in Korean.
+ + Added ExpiryHandler which can set a default Expires header.
+
+Jetty-4.0.5 - 31 July 2002
+ + Fixed getRealPath for packed war files.
+ + Reversed order of ServletContextListener.contextDestroyed calls
+ + Fixed getRequestURI for RD.forward to return new URI.
+
+Jetty-4.1.B1 - 19 July 2002
+ + Updated mini.http.jar target
+ + CGI Servlet, pass all HTTP headers through.
+ + CGI Servlet, catch and report program invocation failure status.
+ + CGI Servlet, fixed suffix mapping problem.
+ + CGI Servlet, set working directory for exec
+ + Support HTTP/0.9 requests again
+ + Reversed order of ServletContextListener.contextDestroyed calls
+ + Moved dynamic servlet handling to Invoker servlet.
+ + Moved webapp resource handling to Default servlet.
+ + Sessions create attribute map lazily.
+ + Added PUT,DELETE,MOVE support to webapps.
+ + Added 2.4 Filter dispatching support.
+
+Jetty-3.1.9 - 15 July 2002
+ + Allow doHead requests to be forwarded.
+ + Fixed race in ThreadPool for minThreads <= CPUs
+
+Jetty-4.1.B0 - 13 July 2002
+ + Added work around of JDK1.4 bug with NIO listener
+ + Moved 3rd party jars to $JETTY_HOME/ext
+ + Fixed ThreadPool bug when minThreads <= CPUs
+ + close rather than disable stream after forward
+ + Allow filter init to access servlet context methods.
+ + Keep notFoundContext out of context mapping lists.
+ + mod_jk FAQ
+ + Fixed close problem with load balancer.
+ + Stopped RD.includes closing response.
+ + RD.forward changes getRequestURI.
+ + NCSARequestLog can log to stderr
+
+Jetty-4.1.D2 - 24 June 2002
+ + Support trusted external authenticators.
+ + Moved jmx classes from JettyExtra to here.
+ + Set contextloader during webapplicationcontext.start
+ + Added AJP13 listener for apache integration.
+ + Fixed ChunkableOutputStream close propagation
+ + Better recycling of HttpRequests.
+ + Protect session.getAttributeNames from concurrent modifications.
+ + Allow comma separated cookies and headers
+ + Back out Don't chunk 30x empty responses.
+ + Conditional header tested against welcome file not directory.
+ + Improved ThreadedServer stopping on bad networks
+ + Use ThreadLocals to avoid unwrapping in Dispatcher.
+
+Jetty-4.0.4 - 23 June 2002
+ + Back out change: Don't chunk 30x empty responses.
+ + Conditional header tested against welcome file not directory.
+ + Improved ThreadedServer stopping on bad networks
+
+Jetty-4.0.3 - 20 June 2002
+ + WebapplicationContext.start sets context loader
+ + Fixed close propagation of on-chunked output streams
+ + Force security disassociation.
+ + Better recycling of HttpRequests.
+ + Protect session.getAttributeNames from concurrent modifications.
+ + Allow session manager to be initialized when set.
+ + Fixed japanese locale
+ + Allow comma separated cookies and headers
+
+Jetty-4.1.D1 - 8 June 2002
+ + Recycle servlet requests and responses
+ + Added simple buffer pool.
+ + Reworked output buffering to keep constant sized buffers.
+ + Don't chunk 30x empty responses.
+ + Fixed "" contextPaths in Dispatcher.
+ + Removed race for the starting of session scavaging
+ + Fixed /foo/../bar// bug in canonical path.
+ + Merged ResourceBase and SecurityBase into HttpContext
+
+Jetty-4.0.2 - 6 June 2002
+ + Fixed web.dtd references.
+ + Fixed handler/context start order.
+ + Added OptimizeIt plug
+ + Fixed /foo/../bar// bug in canonical path.
+ + Don't chunk 30x empty responses.
+ + Fixed "" contextPaths in Dispatcher.
+ + Removed race for the starting of session scavaging
+
+Jetty-3.1.8 - 6 June 2002
+ + Made SecurityConstraint.addRole() require authentication.
+ + Fixed singled threaded dynamic servlets + + Fixed no slash context redirection. + + Fixed /foo/../bar// bug in canonical path. + +Jetty-4.1.D0 - 5 June 2002 + + The 4.1 Series started looking for even more performance + within the 2.3 specification. + + Removed the HttpMessage facade mechanism + + BRAND NEW WebApplicationHandler & WebApplicationContext + + Added TypeUtil to reduce Integer creation. + + General clean up of the API for for MBean getters/setters. + + Experimental CLIENT-CERT Authenticator + + Restructured ResourceHandler into ResourceBase + + Fixed web.dtd references. + + Fixed handler/context start order. + + Added OptimizeIt plug. + +Jetty-4.0.1 - 22 May 2002 + + Fixed contextclassloader on ServletContextEvents. + + Support graceful stopping of context and server. + + Fixed "null" return from getRealPath + + OutputStreamLogSink config improvements + + Updated jasper to 16 May snapshot + +Jetty-4.0.1RC2 - 14 May 2002 + + Better error for jre1.3 with 1.4 classes + + Cleaned up RD query string regeneration. + + 3DES Keylength was being reported as 0. Now reports 168 bits. + + Implemented the run-as servlet tag. + + Added confidential and integral redirections to HttpListener + + Fixed ServletResponse.reset() to resetBuffer. + +Jetty-4.0.1RC1 - 29 April 2002 + + Improved flushing of chunked responses + + Better handling if no realm configured. + + Expand ByteBuffer full limit with capacity. + + Fixed double filtering of welcome files. + + Fixed FORM authentication auth of login page bug. 
+ + Fixed setTempDirectory creation bug + + Avoid flushes during RequestDispatcher.includes + +Jetty-4.0.1RC0 - 18 April 2002 + + Updated Jasper to CVS snapshot from Apr 18 18:50:59 BST 2002 + + Pass pathParams via welcome file forward for jsessionid + + Extended facade interfaces to HttpResponse.sendError + + Moved basic auth handling to HttpRequest + + AbstractSessionManager sets contextClassLoader for scavanging + + Set thread context classloader for webapp load-on-startup inits + + Added extract arg to addWebApplications + + Fixed delayed response bug: + Stopped HttpConnection consuming input from timedout connection. + + DTD allows static "Get" and "Set" methods to be invoked. + +Jetty-4.0.0 - 22 March 2002 + + Updated tutorial configure version + + Added IPAddressHandler for IP restrictions + + Updated contributors. + + Minor documentation updates. + + Jetty.sh cygwin support + +Jetty-4.0.RC3 - 20 March 2002 + + Fixed ZZZ offset format to +/-HHMM + + Updated history + + JDBCUserRealm instantiates JDBC driver + + ContextInitialized notified before load-on-startup servlets. + + Suppress WriterOutputStream warning. + + Changed html attribute order for mozilla quirk. + +Jetty-4.0.RC2 - 12 March 2002 + + Fixed security constraint problem with // + + Fixed version for String XmlConfigurations + + Fixed empty referrer in NCSA log. + + Dont try to extract directories + + Added experimental nio SocketChannelListener + + Added skeleton load balancer + + Fixed column name in JDBCUserRealm + + Remove last of the Class.forName calls. + + Removed redundant sessionID check. + + Security FAQ + + Disabled the Password EXEC mechanism by default + +Jetty-3.1.7 - 12 Mar 2002 + + Fixed security problem with constraints being bypassed with // + in URLs + +Jetty-4.0.RC1 - 06 March 2002 + + Added ContentEncodingHandler for compression. + + Fixed filter vs forward bug. 
+ + Improved efficiency of quality list handling + + Simplified filter API to chunkable streams + + XmlParser is validating by default. use o.m.x.XmlParser.NotValidating property to change. + + contextDestroyed event sent before destruction. + + Minor changes to make HttpServer work on J2ME CVM + + Warn if jdk 1.4 classes used on JVM <1.4 + + WebApplication will use ContextLoader even without WEB-INF directory. + + FileResource depends less on FilePermissions. + + Call response.flushBuffer after service to flush wrappers. + + Empty suffix for temp directory. + + Contributors list as an image to prevent SPAM! + + Fixed recursive DEBUG loop in Logging. + + Updated jetty.sh to always respect arguments. + +Jetty-3.1.6 - 28 Feb 2002 + + Implemented 2.3 clarifications to security constraint semantics + PLEASE REVIEW YOUR SECURITY CONSTRAINTS (see README). + + Empty suffix for temp directory. + + Fixed HttpFields remove bug + + Set Listeners default scheme + + LineInput can handle any sized marks + + HttpResponse.sendError makes a better attempt at finding an error page. + + Dispatcher.forward dispatches directly to ServletHolder to avoid + premature exception handling. + +Jetty-4.0.B2 - 25 Feb 2002 + + Minor Jasper updates + + Improve handling of unknown URL protocols. + + Improved default jetty.xml + + Adjust servlet facades for welcome redirection + + User / mapping rather than /* for servlet requests to static content + + Accept jetty-web.xml or web-jetty.xml in WEB-INF + + Added optional JDK 1.4 src tree + + o.m.u.Frame uses JDK1.4 stack frame handling + + Added LoggerLogSink to direct Jetty Logs to JDK1.4 Log. + + Start ServletHandler as part of the FilterHandler start. + + Simplified addWebApplication + + Added String constructor to XmlConfiguration. + + Added org.mortbay.http.JDBCUserRealm + + Init classloader for JspServlet + + Slightly more agressive eating unused input from non persistent connection. 
+ +Jetty-4.0.B1 - 13 Feb 2002 + + WriterOutputStream so JSPs can include static resources. + + Suppress error only for IOExceptions not derivitives. + + HttpConnection always eats unused bodies + + Merged HttpMessage and Message + + LineInput waits for LF after CF if seen CRLF before. + + Added setClassLoader and moved getFileClassPath to HttpContext + + Updated examples webapp from tomcat + + getRequestURI returns encoded path + + Servlet request destined for static content returns paths as default servlet + +Jetty-4.0.B0 - 4 Feb 2002 + + Implemented 2.3 security constraint semantics + PLEASE REVIEW YOUR SECURITY CONSTRAINTS (see README). + + Stop and remove NotFound context for HttpServer + + HttpContext destroy + + Release process builds JettyExtra + + Welcome files may be relative + + Fixed HttpFields remove bug + + Added Array element to XMLConfiguration + + Allow listener schemes to be set. + + Added index links to tutorial + + Renamed getHttpServers and added setAnonymous + + Updated crimson to 1.1.3 + + Added hack for compat tests in watchdog for old tomcat stuff + + Added AbstractSessionManager + + Support Random Session IDs in HashSessionManager. + + Common handling of TRACE + + Updated tutorial and FAQ + + Reduce object count and add hash width to StringMap + + Factor out RolloverFileOutputStream from OutputStreamLogSink + + Remove request logSink and replace with RequestLog using + RolloverFileOutputStream + + Handle special characters in resource file names better. + + Welcome file dispatch sets requestURI. + + Removed triggers from Code. + +Jetty-4.0.D4 - 14 Jan 2002 + + Prevent output after forward + + Handle ServletRequestWrappers for Generic Servlets + + Improved handling of UnavailableException + + Extract WAR files to standard temp directory + + URI uses UTF8 for % encodings. + + Added BlueRibbon campaign. + + RequestDispatcher uses cached resources for include + + Improved HttpResponsse.sendError error page matching. 
+ + Fixed noaccess auth demo. + + FORM auth caches UserPrincipal + + Added isAuthenticated to UserPrincipal + +Jetty-4.0.D3 - 31 Dec 2001 + + Fixed cached filter wrapping. + + Fixed getLocale again + + Patch jasper to 20011229101000 + + Removed limits on mark in LineInput. + + Corrected name to HTTP_REFERER in CGI Servlet. + + Fixed UrlEncoding for % + combination. + + Generalized temp file handling + + Fixed ContextLoader lib handling. + + DateCache handles misses better. + + HttpFields uses DateCache more. + + Moved admin port to 8081 to avoid JBuilder + + Made Frame members private and fixed test harness + + cookies with maxAge==0 expire on 1 jan 1970 + + setCookie always has equals + +Jetty-3.1.5 - 11 Dec 2001 + + setCookie always has equals for cookie value + + cookies with maxage==0 expired 1 jan 1970 + + Fixed formatting of redirectURLs for NS4.08 + + Fixed ChunableInputStream.resetStream bug. + + Ignore IO errors when trying to persist connections. + + Allow POSTs to static resources. + + stopJob/killStop in ThreadPool to improve stopping + ThreadedServer on some platforms. + + Branched at Jetty_3_1 + +Jetty-4.0.D2 - 2 Dec 2001 + + Removed most of the old doco, which needs to be + rewritten and added again. + + Restructured for demo and test hierarchies + + Fixed formatting of redirect URLs. + + Removed ForwardHandler. + + Removed Demo.java (until updated). + + Made the root context a webapplication. + + Moved demo docroot/servlets to demo directory + + added addWebApplications auto discovery + + Disabled last forwarding by setPath() + + Removed Request set methods (will be replaced) + + New event model to decouple from beans container. + + Better handling of charset in form encoding. + + Allow POSTs to static resources. + + Fixed ChunableInputStream.resetStream bug. + + Ignore IO errors when trying to persist connections. + + Allow POSTs to static resources. + + stopJob/killStop in ThreadPool to improve stopping + ThreadedServer on some platforms. 
+ +Jetty-4.0.D1 - 14 Nov 2001 + + Fixed ServletHandler with no servlets + + Fixed bug with request dispatcher parameters + + New ContextLoader implementation. + + New Dispatcher implementation + + Added Context and Session Event Handling + + Added FilterHolder + + Added FilterHandler + + Changed HandlerContext to HttpContext + + Simplified ServletHandler + + Removed destroy methods + + Simplified MultiMap + +Jetty-4.0.D0 - 06 Nov 2001 + + Branched from Jetty_3_1 == Jetty_3_1_4 + + 2.3 Servlet API + + 1.2 JSP API + + Jasper from tomcat4 + + Start SessionManager abstraction. + + Added examples webapp from tomcat4 + + Branched at Jetty_3_1 + +Jetty-3.1.4 - 06 Nov 2001 + + Added RequestLogFormat to allow extensible request logs. + + Support the ZZZ timezone offset format in DateCache + + HTAccessHandler made stricter on misconfiguration + + Generate session unbind events on a context.stop() + + Default PathMap separator changed to ":," + + PathMap now ignores paths after ; or ? characters. + + Remove old stuff from contrib that had been moved to extra + + getRealPath accepts \ URI separator on platforms using \ file separator. + +Jetty-3.1.3 - 26 Oct 2001 + + Fix security problem with trailing special characters. + Trailing %00 enabled JSP source to be viewed or other + servlets to be bypassed. + + Fixed several problems with external role authentication. + Role authentication in JBoss was not working correctly and + there were possible object leaks. The fix required an API + change to UserPrinciple and UserRealm. + + Allow a per context UserRealm instance. + + Upgraded JSSE to 1.0.2 + + Improved FORM auth handling of role failure. + + Improved Jasper debug output. + + Improved ThreadedServer timeout defaults + + Fixed binary files in CVS + + Fixed Virtual hosts to case insensitive. + + PathMap spec separator changed from ',' to ':'. May be set with + org.mortbay.http.PathMap.separators system property. + + Correct dispatch to error pages with javax attributes set. 
+
+Jetty-3.1.2 - 13 Oct 2001
+ + Fixed double entry on PathMap.getMatches
+ + Fixed servlet handling of non session url params.
+ + Fixed attr handling in XmlParser.toString
+ + Fixed request log date formatting
+ + Fixed NotFoundHandler handling of unknown methods
+ + Fixed FORM Authentication username.
+ + Fixed authentication role handling in FORM auth.
+ + FORM authentication passes query params.
+ + Added short delay to shutdown hook for JVM bug.
+ + Added ServletHandler.sessionCount()
+ + Added run target to ant
+ + Changed 304 responses for Opera browser.
+ + Changed JSESSIONID to jsessionid
+ + Log OK state after thread low warnings.
+ + Changed unsatisfiable range warnings to debug.
+ + Further improvements in handling of shutdown.
+
+Jetty-3.1.1 - 27 Sep 2001
+ + Fixed jar manifest format - patched 28 Sep 2001
+ + Removed JDK 1.3 dependancy
+ + Fixed ServletRequest.getLocale().
+ + Removed incorrect warning for WEB-INF/lib jar files.
+ + Handle requestdispatcher during init.
+ + Use lowercase tags in html package to be XHTML-like.
+ + Correctly ignore auth-constraint descriptions.
+ + Reduced verbosity of bad URL errors from IIS virus attacks
+
+Jetty-3.1.0 - 21 Sep 2001
+ + Added long overdue Tutorial documentation.
+ + Improved some other documentation.
+ + Fix ResourceHandler cache invalidate.
+ + Fix ServletResponse.setLocale()
+ + Fix reuse of Resource
+ + Fix Jetty.bat for spaces.
+ + Fix .. handling in URI
+ + Fix REFFERER in CGI
+ + Fix FORM authentication on exact patterns
+ + Fix flush on stop bug in logs.
+ + Fix param reading on CGI servlet
+ + New simplified jetty.bat
+ + Improved closing of listeners.
+ + Optimized List creation
+ + Removed win32 service.exe
+ + Added HandlerContext.registerHost
+
+Jetty-3.1.rc9 - 02 Sep 2001
+ + Added bin/orgPackage.sh script to change package names.
+ + Changed to org.mortbay domain names.
+ + Form auth login and error pages relative to context path.
+ + Fixed handling of rel form authentication URLs + + Added support for Nonblocking listener. + + Added lowResourcePersistTimeMs for more graceful degradation when + we run out of threads. + + Patched Jasper to 3.2.3. + + Added handlerContext.setClassPaths + + Fixed bug with non cookie sessions. + + Format cookies in HttpFields. + +Jetty-3.1.rc8 - 22 Aug 2001 + + Support WEB-INF/web-jetty.xml configuration extension for webapps + + Allow per context log files. + + Updated sponsors page + + Added HttpServer statistics + + Don't add notfound context. + + Many major and minor optimizations: + * ISO8859 conversion + * Buffer allocation + * URI pathAdd + * StringMap + * URI canonicalPath + * OutputStreamLogSink replaces WriterLogSink + + Separation of URL params in HttpHandler API. + + Fixed handling of default mime types + + Allow contextpaths without leading / + + Removed race from dynamic servlet initialization. + +Jetty-3.1.rc7 - 9 Aug 2001 + + Fix bug in sendRedirect for HTTP/1.1 + + Added doco for Linux port redirection. + + Don't persist connections if low on threads. + + Added shutdown hooks to Jetty.Server to trap Ctl-C + + Fixed bug with session ID generation. + + Added FORM authentication. + + Remove old context path specs + + Added UML diagrams to Jetty architecture documentation. + + Use Enumerations to reduce conversions for servlet API. + + Optimized HttpField handling to reduce object creatiyon. + + ServletRequest SSL attributes in line with 2.2 and 2.3 specs. + + Dump Servlet displays cert chains + + Fixed redirect handling by the CGI Servlet. + + Fixed request.getPort for redirections from 80 + + Added utility methods to ServletHandler for wrapping req/res pairs. + + Added method handling to HTAccessHandler. + + ServletResponse.sendRedirect puts URLs into absolute format. + +Jetty-3.1.rc6 - 10 Jul 2001 + + Avoid script vulnerability in error pages. 
+ + Close persistent HTTP/1.0 connections on missing Content-Length + + Use exec for jetty.sh run + + Improved SSL debugging information. + + KeyPairTool can now load cert chains. + + KeyPairTool is more robust to provider setup. + + Fixed bug in B64Code. Optimised B64Code. + + Added Client authentication to the JsseListener + + Fixed a problem with Netscape and the acrobat plugin. + + Improved debug output for IOExceptions. + + Updated to JSSE-1.0.2, giving full strength crypto. + + Win32 Service uses Jetty.Server instead of HttpServer. + + Added getResource to HandleContext. + + WebApps initialize resourceBase before start. + + Fixed XmlParser to handle xerces1.3 OK + + Added Get element to the XmlConfiguration class. + + Added Static calls to the XmlConfiguration class. + + Added debug and logging config example to demo.xml + + Moved mime types and encodings to property bundles. + + RequestDispatch.forward() uses normal HandlerContext.handle() + path if possible. + + Cleaned up destroy handling of listeners and contexts. + + Removed getConfiguration from LifeCycleThread to avoid JMX clash. + + Cleaned up Win32 Service server creation. + + Moved gimp image files to Jetty3Extra + +Jetty-3.1.rc5 - 1 May 2001 + + Added build target for mini.jetty.jar - see README. + + Major restructing of packages to separate servlet dependancies. + c.m.XML - moved XML dependant classes from c.m.Util + c.m.HTTP - No servlet or XML dependant classes: + c.m.Jetty.Servlet - moved from c.m.HTTP.Handler.Servlet + c.m.Servlet - received some servlet dependant classes from HTTP. + + Added UnixCrypt support to c.m.U.Password + + Added HTaccessHandler to authenitcate against apache .htaccess files. + + Added query param handling to ForwardHandler + + Added ServletHandler().setUsingCookies(). + + Optimized canonical path calculations. + + Warn and close connections if content-length is incorrectly set. + + Request log contains bytes actually returned. 
+ + Fixed handling of empty responses at header commit.
+ + Fixed ResourceHandler handling of ;JSESSIONID
+ + Fixed forwarding to null pathInfo requests.
+ + Fixed handling of multiple cookies.
+ + Fixed EOF handling in MultiPartRequest.
+ + Fixed sync of ThreadPool idleSet.
+ + Fixed jetty.bat classpath problems.
+
+Jetty-3.0.6 - 26 Apr 2001
+ + Fixed handling of empty responses at header commit.
+ + Fixed ResourceHandler handling of ;JSESSIONID
+ + Fixed forwarding to null pathInfo requests.
+ + Fixed EOF handlding in MultiPartRequest.
+ + Fixed sync of ThreadPool idleSet.
+ + Load-on-startup the JspServlet so that precompiled servlets work.
+
+Jetty-3.1.rc4 - 14 April 2001
+ + Include full versions of JAXP and Crimson
+ + Added idle thread getter to ThreadPool.
+ + Load-on-startup the JspServlet so that precompiled servlets work.
+ + Removed stray debug println from the Frame class.
+
+Jetty-3.0.5 - 14 Apr 2001
+ + Branched from 3.1 trunk to fix major errors
+ + Fixed LineInput bug EOF
+ + Improved flush ordering for forwarded requests.
+ + Turned off range handling by default until bugs resolved
+ + Don't chunk if content length is known.
+ + fixed getLocales handling of quality params
+ + Created better random session ID
+ + Resource handler strips URL params like JSESSION.
+ + Fixed session invalidation unbind notification to conform with spec
+ + Load-on-startup the JspServlet so that precompiled servlets work.
+
+Jetty-3.1.rc3 - 9 April 2001
+ + Implemented multi-part ranges so that acrobat is happy.
+ + Simplified multipart response class.
+ + Improved flush ordering for forwarded requests.
+ + Improved ThreadPool stop handling
+ + Frame handles more JIT stacks.
+ + Cleaned up handling of exceptions thrown by servlets.
+ + Handle zero length POSTs
+ + Start session scavenger if needed.
+ + Added ContentHandler Observer to XmlParser.
+ + Allow webapp XmlParser to be observed for ejb-ref tags etc.
+ + Created better random session ID
+
+Jetty-3.1.rc2 - 30 Mar 2001
+ + Lifecycle.start() may throw Exception
+ + Added MultiException to throw multiple nested exceptions.
+ + Improved logging of nested exceptions.
+ + Only one instance of default MIME map.
+ + Use reference JAXP1.1 for XML parsing.y
+ + Version 1.1 of configuration dtd supports New objects.
+ + Improved handling of Primitive classes in XmlConfig
+ + Renamed getConnection to getHttpConnection
+ + fixed getLocales handling of quality params
+ + fixed getParameter(name) handling for multiple values.
+ + added options to turn off ranges and chunking to support acrobat requests.
+
+Jetty-3.1.rc1 - 18 Mar 2001
+ + Moved JMX and SASL handling to Jetty3Extra release
+ + Fixed problem with ServletContext.getContext(uri)
+ + Added Jetty documentation pages from JettyWiki
+ + Cleaned up build.xml script
+ + Minimal handling of Servlet.log before initialization.
+ + Various SSL cleanups
+ + Resource handler strips URL params like JSESSION.
+
+Jetty-3.1.rc0 - 23 Feb 2001
+ + Added JMX management framework.
+ + Use Thread context classloader as default context loader parent.
+ + Fixed init order for unnamed servlets.
+ + Fixed session invalidation unbind notification to conform with spec
+ + Improved handling of primitives in utilities.
+ + Socket made available via HttpConnection.
+ + Improved InetAddrPort and ThreadedServer to reduce DNS lookups.
+ + Dynamic servlets may be restricted to Context classloader.
+ + Reoganized packages to allowed sealed Jars
+ + Changed getter and setter methods that did not conform to beans API.
+
+Jetty-3.0.4 - 23 Feb 2001
+ + Fixed LineInput bug with split CRLF.
+
+Jetty-3.0.3 - 3 Feb 2001
+ + Fixed pipelined request buffer bug.
+ + Handle empty form content without exception.
+ + Allow Log to be disabled before initialization.
+ + Included new Jetty Logo + + Implemented web.xml servlet mapping to a JSP + + Fixed handling of directories without trailing / + +Jetty-3.0.2 - 13 Jan 2001 + + Replaced ResourceHandler FIFO cache with LRU cache. + + Greatly improved buffering in ChunkableOutputStream + + Padded error bodies for IE bug. + + Improved HTML.Block efficiency + + Improved jetty.bat + + Improved jetty.sh + + Handle unknown status reasons in HttpResponse + + Ignore included response updates rather than IllegalStateException + + Removed classloading stats which were causing circular class loading problems. + + Allow '+' in path portion of a URL. + + Try ISO8859_1 encoding if can't find ISO-8859-1 + + Restructured demo site pages. + + Context specific security permissions. + + Added etc/jetty.policy as example policy file. + +Jetty-3.0.1 - 20 Dec 2000 + + Fixed value unbind notification for session invalidation. + + Removed double null check possibility from ServletHolder + +Jetty-3.0.0 - 17 Dec 2000 + + Improved jetty.sh logging + + Improved dtd resolution in XML parser. + + Fixed taglib parsing + + Fixed rel path handling in default configurations. + + Optional extract war files. + + Fixed WriterLogSink init bug + + Use inner class to avoid double null check sync problems + + Fixed rollover bug in WriterLogSink + +Jetty-3.0.0.rc8 - 13 Dec 2000 + + Optional alias checking added to FileResource. Turned on by default + on all platforms without the "/" file separator. + + Mapped *.jsp,*.jsP,*.jSp,*.jSP,*.Jsp,*.JsP,*.JSp,*.JSP + + Tidied handling of ".", ".." and "//" in resource paths + + Protected META-INF as well as WEB-INF in web applications. + + Jetty.Server catches init exceptions per server + + getSecurityHandler creates handler at position 0. + + SysV unix init script + + Improved exit admin handling + + Change PathMap handling of /* to give precedence over suffix mapping. + + Forward to welcome pages rather than redirect. + + Removed special characters from source. 
+ + Default log options changed if in debug mode. + + Removed some unused variables. + + Added ForwardHandler + + Removed security constraint on demo admin server. + + Patched jasper to tomcat 3.2.1 + +Jetty-3.0.0.rc7 - 02 Dec 2000 + + Fixed security problem with lowercase WEB-INF uris on windows. + + Extended security constraints (see README and WebApp Demo). + + Set thread context classloader during handler start/stop calls. + + Don't set MIME-Version in response. + + Allow dynamic servlets to be served from / + + Handle multiple inits of same servlet class. + + Auto add a NotFoundHandler if needed. + + Added NotFoundServlet + + Added range handling to ResourceHandler. + + CGI servlet handles not found better. + + WEB-INF protected by NotFoundServlet rather than security constraint. + + PUT, MOVE disabled in WebApplication unless defaults file is passed. + + Conditionals apply to puts, dels and moves in ResourceHandler. + + URIs accept all characters < 0xff. + + Set the AcceptRanges header. + + Depreciated RollOverLogSink and moved functionality to an + improved WriterLogSink. + + Changed log options to less verbose defaults. + + ThreadedServer.forceStop() now makes a connection to itself to handle non-premptive close. + + Double null lock checks use ThreadPool.__nullLockChecks. + + Split Debug servlet out of Admin Servlet. + + Added Com.mortbay.HTTP.Handler.Servlet.Context.LogSink attribute + to Servlet Context. If set, it is used in preference to the system log. + +Jetty-3.0.0.rc6 - 20 Nov 2000 + + RequestDispatcher.forward() only resets buffer, not headers. + + Added ServletWriter that can be disabled. + + Resource gets systemresources from it's own classloader. + + don't include classes in release. + + Allow load-on-startup with no content. + + Fixed RollOverFileLogSink bug with extra log files. + + Improved Log defaults + + Don't start HttpServer log sink on add. + + Admin servlet uses unique links for IE. 
+ + Added Win32 service support + + Reduced risk of double null check sync problem. + + Don't set connection:close for normal HTTP/1.0 responses. + + RequestDispatcher new queries params replace old. + + Servlet init order may be negative. + + Corrected a few of the many spelling mistakes. + + Javadoc improvements. + + Webapps serve dynamics servlets by default. + + Warn for missing WEB-INF or web.xml + + Sessions try version 1 cookies in set-cookie2 header. + + Session cookies are given context path + + Put extra server and servlet info in header. + + Version details in header can be suppressed with System property + java.com.mortbay.HTTP.Version.paranoid + + Prevent reloading dynamic servlets at different paths. + + Implemented resource aliases in HandlerContext - used by Servlet Context + + Map tablib configuration to resource aliases. + + Implemented customizable error pages. + + Simple stats in ContextLoader. + + Allow HttpMessage state to be manipulated. + + Allow multiple set cookies. + +Jetty-3.0.0.rc5 - 12 Nov 2000 + + Default writer encoding set by mime type if not explicitly set. + + Relax webapp rules, accept no web.xml or no WEB-INF + + Pass flush through ServletOut + + Avoid jprobe race warnings in DateCache + + Allow null cookie values + + Servlet exceptions cause 503 unavailable rather than 500 server error + + RequestDispatcher can dispatch static resources. + + Merged DynamicHandler into ServletHandler. + + Added debug form to Admin servlet. + + Implemented servlet load ordering. + + Moved JSP classpath hack to ServletHolder + + Removed Makefile build system. + + Many javadoc cleanups. + +Jetty-2.4.9 - 12 Nov 2000 + + HttpListener ignore InterruptedIOExceptions + + HttpListener default max idle time = 20s + + HtmlFilter handles non default encodings + + Writing HttpRequests encodes path + + HttpRequest.write uses ISO8859_1 encoding. 
+ +Jetty-3.0.0.rc4 - 6 Nov 2000 + + Provide default JettyIndex.properties + + Fixed mis-synchronization in ThreadPool.stop() + + Fixed mime type mapping bug introduced in RC3 + + Ignore more IOExceptions (still visible with debug). + +Jetty-3.0.0.rc3 - 5 Nov 2000 + + Changed ThreadPool.stop for IBM 1.3 JVM + + Added bin/jetty.sh run script. + + upgraded build.xml to ant v1.2 + + Set MaxReadTimeMs in all examples + + Further clean up of the connection close actions + + Moved unused classes from com.mortbay.Util to com.mortbay.Tools in + new distribution package. + + Handle mime suffixes containing dots. + + Added gz tgz tar.gz .z mime mappings. + + Fixed default mimemap initialization bug + + Optimized persistent connections by recycling objects + + Added HandlerContext.setHttpServerAccess for trusted contexts. + + Set the thread context class loader in HandlerContext.handle + + Prevent servlet setAttribute calls to protected context attributes. + + Removed redundant context attributes. + + Implemented mime mapping in webapplications. + + Strip ./ from relative resources. + + Added context class path dynamic servlet demo + +Jetty-3.0.0.rc2 - 29 Oct 2000 + + Replaced ISO-8859-1 literals with StringUtil static + + Pass file based classpath to JspServlet (see README). + + Prevented multiple init of ServletHolder + + ErlEncoding treats params without values as empty rather than null. + + Accept public DTD for XmlConfiguration (old style still supported). + + Cleaned up non persistent connection close. + + Accept HTTP/1. as HTTP/1.0 (for netscape bug). + + Fixed thread name problem in ThreadPool + +Jetty-3.0.0.rc1 - 22 Oct 2000 + + Added simple admin servlet. + + Added CGI to demo + + Added HashUserRealm and cleaned up security constraints + + Added Multipart request and response classes from Jetty2 + + Moved and simplified ServletLoader to ContextLoader. + + Initialize JSP with classloader. + + All attributes in javax. java. and com.mortbay. name spaces to be set. 
+ + Partial handling of 0.9 requests. + + removed Thread.destroy() calls. + + Cleaned up exception handling. + +Jetty-2.4.8 23 Oct 2000 + + Fixed bug with 304 replies with bodies. + + Improved win32 make files. + + Fixed closing socket problem + +Jetty-3.0.B05 - 18 Oct 2000 + + Improved null returns to get almost clean watchdog test. + + Cleaned up response committing and flushing + + Handler RFC2109 cookies (like any browser handles them!) + + Added default webapp servlet mapping /servlet/name/* + + Improved path spec interpretation by looking at 2.3 spec + + Implemented security-role-ref for servlets + + Protected servletConfig from downcast security problems + + Made test harnesses work with ant. + + improved ant documentation. + + Removed most deprecation warnings + + Fixed JarFileResource to handle jar files without directories. + + Implemented war file support + + Java2 style classloading + + Improved default log format for clarity. + + Separated context attributes and initParams. + +Jetty-3.0.B04 - 12 Oct 2000 + + Restricted context mapping to simple model for servlets. + + Fixed problem with session ID in paths + + Added modified version of JasperB3.2 for JSP + + Moved FileBase to docroot + + Merged and renamed third party jars. + + Do not try multiple servlets for a request. + + Implemented Context.getContext(uri) + + Added webdefault.xml for web applications. + + Redirect to index files, so index.jsp works. + + Filthy hack to teach jasper JspServer Jetty classpath + +Jetty-3.0.B03 - 9th Oct 2000 + + Expanded import package.*; lines + + Expanded leading tabs to spaces + + Improved Context to Handler contract. + + Parse but not handler startup ordering in web applications. + + Send request log via a LogSink + + Added append mode in RolloverFileLogSink + + Made LogSink a Lifecycle interface + + Improved handler toString + + Redirect context only paths. + + Pass object to LogSink + + Implemented request dispatching. 
+ + Redo dynamic servlets handling + + Improved Log rollover. + + Simplified path translation and real path calculation. + + Catch stop and destroy exceptions in HttpServer.stop() + + Handle ignorable spaces in XmlConfiguration + + Handle ignorable spaces in WebApplication + + Warn about explicit sets of WebApplication + + Remove 411 checks as IE breaks this rule after redirect. + + Removed last remnants JDK 1.1 support + + Added release script + +Jetty-2.4.7 - 6th Oct 2000 + + Allow Objects to be passed to LogSink + + Set content length on errors for keep alive. + + Added encode methods to URI + + Improved win32 build + + fixes to SSL doco + + Support key and keystore passwords + + Various improvements to ServletDispatch, PropertyTree and + associated classes. + +Jetty-3.0.B02 - 24st Aug 2000 + + Fixed LineInput bug with SSL giving CR pause LF. + + Fixed HTTP/1.0 input close bug + + Fixed bug in TestRFC2616 + + Improved ThreadedServer stop and destroy + + Use resources in WebApplication + + Added CGI servlet + +Jetty-3.0.B01 - 21st Aug 2000 + + SSL implemented with JsseListener + + Partial implementation of webapp securitycontraints + + Implemented more webapp configuration + + Switched to the aelfred XML parser from microstar, which is + only partially validating, but small and lightweight + +Jetty-2.4.6 - 16th Aug 2000 + + Turn Linger off before closing sockets, to allow restart. + + JsseListener & SunJsseListener added and documented + + com.mortbay.Util.KeyPairTool added to handle openSSL SSL keys. + + Minor changes to compile with jikes. + + Added passive mode methods to FTP + +Jetty-3.0.A99 - 10 Aug 2000 + + Implemented jetty.xml configuration + + Added Xmlconfiguration utility + + ServletLoader simplied and uses ResourcePath + + Replaced FileHandler with ResourceHandler + + Use SAX XML parsing instead of DOM for space saving. + + Removed FileBase. Now use ResourceBase instead + + Added Resource abstraction + + Make it compile cleanly with jikes. 
+ + Re-added commented out imports for JDK-1.1 compile + +Jetty-3.0.A98 - 20 July 2000 + + Implemented Jetty demos and Site as Web Application. + + Implemented WebApplicationContext + + Switched to JDK1.2 only + + ServletRequest.getServerPort() returns 80 rather than 0 + + Fixed constructor to RolloverFileLogSink + + Improved synchronization on LogSink + + Allow HttpRequest.toString() handles bad requests. + +Jetty-3.0.A97 - 13 July 2000 + + Tempory request log implementation + + Less verbose debug + + Better tuned SocketListener parameters + + Started RequestDispatcher implementation. + + Added WML mappings + + Fixed makefiles for BSD ls + + Fixed persistent commits with no content (eg redirect+keep-alive). + + Implemented servlet isSecure(). + + Implemented servlet getLocale(s). + + Formatted version in server info string. + + Protect setContentLength from a late set in default servlet + HEAD handling. + + Added error handling to LifeCycleThread + + implemented removeAttribute on requests + +Jetty-2.4.5 - 9th July 2000 + + Don't mark a session invalid until after values unbound. + + Formatted version in server info. + + Added HtmlExpireFilter and removed response cache + revention from HtmlFilter. + + Fixed transaction handling in JDBC wrappers + +Jetty-3.0.A96 - 27 June 2000 + + Fixed bug with HTTP/1.1 Head reqests to servlets. + + Supressed un-needed chunking EOF indicators. + +Jetty-3.0.A95 - 24 June 2000 + + Fixed getServletPath for default "/" + + Handle spaces in file names in FileHandler. + +Jetty-3.0.A94 - 19 June 2000 + + Implemented Sessions. + + PathMap exact matches can terminate with ; or # for + URL sessions and targets. + + Added HandlerContext to allow grouping of handlers into + units with the same file, resource and class configurations. + + Cleaned up commit() and added complete() to HttpResponse + + Updated license to clarify that commercial usage IS OK! + +Jetty-3.0.A93 - 14 June 2000 + + Major rethink! 
Moved to 2.2 servlet API + + Lots of changes and probably unstable + +Jetty-3.0.A92 - 7 June 2000 + + Added HTML classes to jar + + Fixed redirection bug in FileHandler + +Jetty-2.4.4 - 3rd June 2000 + + Many debug call optimizations + + Added RolloverFileLogSink + + Improved LogSink configuration + + Support System.property expansions in PropertyTrees. + + Added uk.org.gosnell.Servlets.CgiServlet to contrib + + HttpRequest.setRequestPath does not null pathInfo. + + BasicAuthHandler uses getResourcePath so it can be used + behind request dispatching + + Added HTML.Composite.replace + + FileHandler implements IfModifiedSince on index files. + + Added build-win32.mak + +Jetty-3.0.A91 - 3 June 2000 + + Improved LogSink mechanism + + Implemented realPath and getResource methods for servlets. + + Abstracted ServletHandler + + Simplified HttpServer configuration methods and arguments + + Simplified class loading + + Added HTML classes from Jetty2 + +Jetty-3.0.A9 - 7 May 2000 + + Improvided finally handling of output end game. + + Fixed double chunking bug in SocketListener. + + File handler checks modified headers on directory indexes. + + ServletLoader tries unix then platform separator for zip separator. + +Jetty-3.0.A8 4th May 2000 + + Servlet2_1 class loading re-acrchitected. See README. + + Moved Sevlet2_1 handler to com.mortbay.Servlet2_1 + + addCookie takes an int maxAge rather than a expires date. + + Added LogSink extensible log architecture. + + Code.ignore only outputs when debug is verbose. + + Added Tenlet class for reverse telnet. + +Jetty-2.4.3 - 4th May 2000 STABLE + + Pass Cookies with 0 max age to browser. + + Allow CRLF in UrlEncoded + +Jetty-2.4.2 - 23rd April 2000 + + Added LogSink and FileLogSink classes to allow extensible + Log handling. + + Handle nested RequestDispatcher includes. + + Modified GNUJSP to prevent close in nested requests. + + Added GNUJSP to JettyServer.prp file. 
+ +Jetty-3.0.A7 - 15 Apr 2000 + + Include java 1.2 source hierarchy + + removed excess ';' from source + + fixed flush problem with chunked output for IE5 + + Added InetGateway to help debug IE5 problems + + added removeValue method to MultiMap + +Jetty-2.4.1 - 9th April 2000 + + Removed debug println from ServletHolder. + + Set encoding before exception in FileHandler. + + Fixed bug in HtmlFilter for tags split between writes. + +Jetty-3.0.A6 - 9 Apr 2000 + + Integrated skeleton 2.1 Servlet container + + Improved portability of Frame and Debug. + + Dates forced to use US locale + + Removed Converter utilities and InetGateway. + + added bin/useJava2Collections to convert to JDK1.2 + +Jetty-2.4.0 - 24th March 2000 + + Upgraded to gnujsp 1.0.0 + + Added per servlet resourceBase configuration. + + Absolute URIs are returned by getRequestURI (if sent by browser). + + Improved parsing of stack trace in debug mode. + + Implemented full handling of cookie max age. + + Moved SetUID native code to contrib hierarchy + + Form parameters only decoded for POSTs + + RequestDispatcher handles URI parameters + + Fixed bug with RequestDispatcher.include() + + Fixed caste problem in UrlEncoded + + Fixed null pointer in ThreadedServer with stopAll + + Added VirtualHostHandler for virtual host handling + + Added doc directory with a small start + +Jetty-2.3.5 - 25th January 2000 + + Fixed nasty bug with HTTP/1.1 redirects. + + ProxyHandler sends content for POSTs etc. + + Force locale of date formats to US. + + Fixed expires bug in Cookies + + Added configuration option to turn off Keep-Alive in HTTP/1.0 + + Allow configured servlets to be auto reloaded. + + Allow properties to be configured for dynamic servlets. + + Added contrib/com/kiwiconsulting/jetty JSSE SSL adaptor to release. + +Jetty-2.3.4 - 18th January 2000 + + include from linux rather than genunix for native builds + + Fixed IllegalStateException handling in DefaultExceptionHandler + + MethodTag.invoke() is now public. 
+ + Improved HtmlFilter.activate header modifications. + + Cookie map keyed on domain as well as name and path. + + DictionaryConverter handles null values. + + URI decodes applies URL decoding to the path. + + Servlet properties allow objects to be stored. + + Fixed interaction with resourcePaths and proxy demo. + +Jetty-3.0.A5 - 19 Oct 1999 + + Use ISO8859_1 instead of UTF8 for headers etc. + + Use char array in UrlEncoded.decode + + Do our own URL string encoding with 8859-1 + + Replaced LF wait in LineInput with state boolean. + +Jetty-2.3.3 - 19th October 1999 STABLE + + Replaced UTF8 encoding with ISO-8859-1 for headers. + + Use UrlEncoded for form parameters. + + Do our own URL encoding with ISO-8859-1 + + HTTP.HTML.EmbedUrl uses contents encoding. + +Jetty-2.3.2 - 17th October 1999 + + Fixed getReader bug with HttpRequest. + + Updated UrlEncoded with Jetty3 version. + +Jetty-3.0.A4 - 16 Oct 1999 + + Request attributes + + Basic Authentication Handler. + + Added LF wait after CR to LineInput. + + UTF8 in UrlDecoded.decodeString. + +Jetty-2.3.1 - 14th October 1999 + + Force UTF8 for FTP commands + + Force UTF8 for HTML + + Changed demo servlets to use writers in preference to outputstreams + + NullHandler/Server default name.name.PROPERTIES to load + prefix/name.name.properties + + Use UTF8 in HTTP headers + + Added Oracle DB adapter + + Added assert with no message to Code + + ThreadedServer calls setSoTimeout(_maxThreadIdleMs) on + accepted sockets. Idle reads will timeout. + + Prevented thread churn on idle server. + + HTTP/1.0 Keep-Alive (about time!). + + Fixed GNUJSP 1.0 resource bug. + +Jetty-3.0.A3 - 14 Oct 1999 + + Added LifeCycle interface to Utils implemented by + ThreadPool, ThreadedServer, HttpListener & HttpHandler + + StartAll, stopAll and destroyAll methods added to HttpServer. + + MaxReadTimeMs added to ThreadedServer. + + Added service method to HttpConnection for specialization. 
+ +Jetty-3.0.A2 - 13 Oct 1999 + + UTF8 handling on raw output stream. + + Reduced flushing on writing response. + + Fixed LineInput problem with repeated CRs + + Cleaned up Util TestHarness. + + Prevent entity content for responses 100-199,203,304 + + Added cookie support and demo. + + HTTP/1.0 Keep-alive (about time!) + + Virtual Hosts. + + NotFound Handler + + OPTION * Handling. + + TRACE handling. + + HEAD handling. + +Jetty-3.0.A1 - 12 Oct 1999 + + LineInput uses own buffering and uses character encodings. + + Added MultiMap for common handling of multiple valued parameters. + + Added parameters to HttpRequest + + Quick port of FileHandler + + Setup demo pages. + + Added PathMap implementing mapping as defined in the 2.2 API + specification (ie. /exact, /prefix/*, *.extention & default ). + + Added HttpHandler interface with start/stop/destroy lifecycle + + Updated HttpListener is start/stop/destroy lifecycle. + + Implemented simple extension architecture in HttpServer. + +Jetty-3.0.A0 - 9 Oct 1999 + + Started fresh repository in CVS + + Moved com.mortbay.Base classes to com.mortbay.Util + + Cleanup of UrlEncoded, using 1.2 Collections. + + Cleanup of URI, using 1.2 Collections. + + Extended URI to handle absolute URLs + + Cleanup of LineInput, using 1.2 Collections. + + Moved HttpInput/OutputStream to ChunkableInput/OutputStream. + + Cleaned up chunking code to use LineInput and reduce buffering. + + Added support for transfer and content encoding filters. + + Added support for servlet 2.2 outbut buffer control. + + Generalized notification of outputStream events. + + Split HttpHeader into HttpFields and HttpMessage. + + HttpMessage supports chunked trailers. + + HttpMessage supports message states. + + Added generalized HTTP Connection. + + Cleanup of HttpRequest and decoupled from Servlet API + + Cleanup and abstraction of ThreadPool. + + ThreadedServer based on ThreadPool. 
+ + Cleanup of HttpResponse and decoupled from Servlet API + + Created RFC2616 test harness. + + gzip and deflate request transfer encodings + + TE field coding and trailer handler + + HttpExceptions now produce error pages with specific detail + of the exception. + +Jetty-2.3.0 - 5th October 1999 + + Added SetUID class with native Unix call to set the + effective User ID. + + FTP closes files after put/get. + + FTP uses InetAddress of command socket for data socket. + +Jetty-2.3.0A - 22 Sep 1999 + + Added GNUJSP 1.0 for the JSP 1.0 API. + + Use javax.servlet classes from JWSDK1.0 + + Added "Powered by Jetty" button. + + ServerContext available to HtmlFilters via context param + + Made session IDs less predictable and removed race. + + Added BuildJetty.java file. + + Expanded tabs to spaces in source. + +Jetty-2.2.8 - 15 Sep 1999 + + Fixed bug in Element.attribute with empty string values. + + Made translation of getRequestURI() optional. + + Removed recursion from TranslationHandler + + Added disableLog() to turn off logging. + + Allow default table attributes to be overriden. + + Improved quoting in HTML element values + +Jetty-2.2.7 - 9 Sep 1999 + + Reverted semantics of getRequestURI() to return untranslated URI. + + Added GzipFilter for content encoding. + + Added default row, head and cell elements to Table. + + FileHandler passes POST request through if the file does not exist. + +Jetty-2.2.6 - 5 Sep 1999 + + New implementation of ThreadPool, avoids a thread leak problem. + + Fixed Cookie max age order of magnitude bug. + + Cookies always available from getCookies. + + Cookies parameter renamed to CookiesAsParameters + + HttpRequest.getSession() always returns a session as per + the latest API spec. + + Added destroy() method on all HttpHandlers. + + ServletHandler.destroy destroys all servlets. + + FileHandler does not server files ending in '/' + + Ignore duplicate single valued headers, rather than + reply with bad request, as IE4 breaks the rules. 
+ + Allow the handling of getPathTranslated to + be configured in ServletHandler. + + Removed JRUN options from ServletHandler configuration. + + Added ServletRunnerHandler to the contrib directories. + + Updated HTML package to better support CSS: + - cssClass, cssID and style methods added to element. + - SPAN added to Block + - media added to Style + - class StyleLink added. + +Jetty-2.2.5 - 19 Aug 1999 + + Fixed bug with closing connections in ThreadedServer + + Made start and stop non final in ThreadedServer + + Better default handling of ServletExceptions + + Always close connection after a bad request. + + Set Expires header in HtmlFilter. + + Don't override the cookie as parameter option. + + Limited growth in MultiPartResponse boundary. + + Improved error messages from Jetty.Server. + + Close loaded class files so Win32 can overwrite + them before GC (what a silly file system!). + +Jetty-2.2.4 - 2 Aug 1999 + + ThreadedServer can use subclasses of Thread. + + Better help on Jetty.Server + + HttpRequests may be passed to HttpFilter constructors. + + HtmlFilter blanks IfModifiedSince headers on construction + + Fixed bugs in HtmlFilter parser and added TestHarness. + + Improved cfg RCS script. + +Jetty-2.2.3 - 27 July 1999 + + Fixed parser bug in HtmlFilter + + Made setInitialize public in ServletHolder + + Improved performance of com.mortbay.HTML.Heading + + Added stop call to HttpServer, used by Exit Servlet. + + Simplified JDBC connection handling so that it works + with Java1.2 - albeit less efficiently. + + FileHandler defaults to allowing directory access. + + JDBC tests modified to use cloudscape as DB. + +Jetty-2.2.2 - 22 July 1999 + + Fixed bug in HtmlFilter that prevented single char buffers + from being written. + + Implemented getResourceAsStream in FileJarServletLoader + + Fixed bug with CLASSPATH in FileJarServletLoader after attempt + to load from a jar. + + Fixed bug in com.mortbay.Util.IO with thread routines. 
+ + Moved more test harnesses out of classes. + + File handler passes through not allowed options for + non existant files. + + NotFoundHandler can repond with SC_METHOD_NOT_ALLOWED. + + Improved com.mortbay.Base.Log handling of different JVMs + + Minor fixes to README + +Jetty-2.2.1 - 18 July 1999 + + Comma separate header fields. + + Protect against duplicate single valued headers. + + Less verbose debug in PropertyTree + + Ignore IOException in ThreadedServer.run() when closing. + + Limit maximum line length in HttpInputStream. + + Response with SC_BAD_REQUEST rather than close in more + circumstances + + Handle continuation lines in HttpHeader. + + HtmlFilter resets last-modified and content-length headers. + + Implemented com.mortbay.Util.IO as a ThreadPool + + Decoupled ExceptionHandler configuration from Handler stacks. + Old config style will produce warning and Default behavior. + See new config file format for changes. + + Added TerseExceptionHandler + + Added optional resourceBase property to HttpConfiguration. This + is used as a URL prefix in the getResource API and was suggested + by the JSERV and Tomcat implementors. + +Jetty-2.2.0 - 1 July 1999 + + Improved feature description page. + + Added Protekt SSL HttpListener + + Moved GNUJSP and Protekt listener to a contrib hierarchy. + + ThreadedServer.stop() closes socket before interrupting threads. + + Exit servlet improved (a little). + + Fixed some of the javadoc formatting. + +Jetty-2.2.Beta4 - 29 June 1999 + + FileHandler flushes files from cache in DELETE method. + + ThreadedServer.stop() now waits until all threads are stopped. + + Options "allowDir" added to FileHandler. + + Added getGlobalProperty to Jetty.Server and used this to + configure default page type. + + Updated README.txt + + Restructured com.mortbay.Jetty.Server for better clarity and + documentation. + + Added comments to configuration files. + + Made ServerSocket and accept call generic in ThreadedServer for + SSL listeners. 
+ + Altered meaning of * in PropertyTree to assist in abbreviated + configuration files. + + Added JettyMinimalDemo.prp as an example of an abbreviated + configuration. + + Expanded Mime.prp file + + Added property handling to ServletHandler to read JRUN + servlet configuration files. + +Jetty-2.2.Beta3 - 22 June 1999 + + Re-implemented ThreadedServer to improve and balance performance. + + Added file cache to FileHandler + + Implemented efficient version of + ServletContext.getResourceAsStream() that does not open a + new socket connection (as does getResource()). + + LookAndFeelServlet uses getResourceAsStream to get the file + to wrap. This allows it to benefit from any caching done and + to wrap arbitrary content (not just files). + + Restructure demo so that LookAndFeel content comes from simple + handler stack. + + Fixed file and socket leaks in Include and Embed tags. + + Ran dos2unix on all text files + + Applied contributed patch of spelling and typo corrections + + Added alternate constructors to HTML.Include for InputStream. + + Server.shutdown() clears configuration so that server may + be restarted in same virtual machine. + + Improved Block.write. + + Fixed bug in HttpResponse flush. + +Jetty-2.2.Beta2 - 12 June 1999 + + Added all write methods to HttpOutputStream$SwitchOutputStream + + Added com.mortbay.Jetty.Server.shutdown() for gentler shutdown + of server. Called from Exit servlet + + HttpRequest.getParameterNames() no longer alters the order + returned by getQueryString(). + + Handle path info of a dynamic loaded servlets and + correctly set the servlet path. + + Standardized date format in persistent cookies. + +Jetty-2.2.Beta1 - 7 June 1999 + + Defined abstract ServletLoader, derivations of which can be + specified in HttpConfiguration properties. + + Implemented all HttpServer attribute methods by mapping to the + HttpConfiguration properties. Dynamic reconfiguration is NOT + supported by these methods (but we are thinking about it). 
+ + Close files after use to avoid "file leak" under heavy load. + + Fixed missing copyright messages from some contributions + + Fixed incorrect version numbers in a few places. + + Improved ThreadPool synchronization and added minThreads. + + Allow configuration of MinListenerThreads, MaxListenerThreads, + MaxListenerThreadIdleMs + + HtmlFilter optimized for being called by a buffered writer. + + Don't warn about IOExceptions unless Debug is on. + + Limit the job queue only grow to the max number of threads. + + Included GNUJSP 0.9.9 + + Optional use of DateCache in log file format + + Fixed cache in FileJarServletLoader + + Destroy requests and responses to help garbage collector. + + Restructure ThreadedServer to reduce object creation. + +Jetty-2.2.Beta0 - 31 May 1999 + + Servlet loader handles jar files with different files separator. + + ThreadedServer gently shuts down. + + Handle malformed % characters in URLs. + + Included and improved version of ThreadPool for significant + performance improvement under high load. + + HttpRequest.getCookies returns empty array rather than null for no + cookies. + + Added HttpResponse.requestHandled() method to avoid bug with + servlet doHead method. + + Added Page.rewind() method to allow a page to be written multiple + times + + Added "Initialize" attribute to servlet configuration to allow + servlet to be initialized when loaded. + + LogHandler changed to support only a single outfile and optional + append. + + Included contributed com.mortbay.Jetty.StressTester class + + Token effort to keep test files out of the jar + + Removed support for STF + +Jetty-2.2.Alpha1 - 7 May 1999 + + ServletHolder can auto reload servlets + + Dynamic servlets can have autoReload configured + + Wait for requests to complete before reloading. + + Call destroy on old servlets when reloading. 
+ + Made capitalization of config file more consistent(ish) + + Fixed bug in SessionDump + +Jetty-2.2.Alpha0 - 6 May 1999 + + Improved PropertyTree implementation + + Old Jetty.Server class renamed to Jetty.Server21 + + New Server class using PropertyTree for configuration + + HttpHandlers given setProperties method to configure via Properties. + + HttpListener class can be configured + + Mime suffix mapping can be configured. + + Removed historic API from sessions + + Improved SessionDump servlet + + Fixed date overflow in Cookies + + HttpResponse.sendError avoids IllegalStateException + + Added ServletLoader implementation if ClassLoader. + + Dynamic loading of servlets. + + Added reload method to ServletHolder, but no way to call it yet. + + Changed options for FileServer + + Implemented ServletServer + + Removed SimpleServletServer + +Jetty-2.1.7 - 22 April 1999 + + Fixed showstopper bug with getReader and getWriter in + requests and responses. + + HttpFilter uses package interface to get HttpOutputStream + +Jetty-2.1.6 - 21 April 1999 + + Reduced initial size of most hashtables to reduce + default memory overheads. + + Throw IllegalStateException as required from gets of + input/output/reader/writer in requests/responses. + + New simpler version of PropertyTree + + Updated PropertyTreeEditor + + Return EOF from HttpInputStream that has a content length. + + Added additional date formats for HttpHeader.getDateHeader + +Jetty-2.1.5 - 15 April 1999 + + Session URL encoding fixed for relative URLs. + + Reduced session memory overhead of sessions + + Form parameters protected against multiple decodes when redirected. + + Added setType methods to com.mortbay.FTP.Ftp + + Fixed bugs with invalid sessions + + Page factory requires response for session encoding + + Moved SessionHandler to front of stacks + + HtmlFilter now expands to the URL encoded session if + required. + + Instrumented most of the demo to support URL session encoding. 
+ + Implemented HttpRequest.getReader() + + Servlet log has been diverted to com.mortbay.Base.Log.event() + Thus debug does not need to be turned on to see servlet logs. + + Fixed alignment bug in TableForm + + Removed RFCs from package + + Fixed bug in ServletDispatch for null pathInfo + +Jetty-2.1.4 - 26 March 1999 + + Fixed problem compiling PathMap under some JDKs. + + Reduced HTML dependence in HTTP package to allow minimal configuration + + Tightened license agreement so that binary distributions are required + to include the license file. + + HttpRequest attributes implemented. + + Session max idle time implemented. + + pathInfo returns null for zero length pathInfo (as per spec). + Sorry if this breaks your servlets - it is a pain! + + fixed bug in getRealPath + + getPathTranslated now call getRealPath with pathInfo (as per spec). + +Jetty-2.1.3 - 19 March 1999 + + Added support for suffixes to PathMap + + Included GNUJSP implementation of Java Server Pages + + Use Java2 javadoc + +Jetty-2.1.2 - 9 March 1999 + + JSDK 2.1.1 + + API documentation for JSDK 2.1.1 + + Cascading style sheet HTML element added. + + Fixed trailing / bug in FileHandler (again!). + + Converted most servlets to HttpServlets using do Methods. + +Jetty-2.1.1 - 5 March 1999 + + Reduced number of calls to getRemoteHost for optimization + + Faster version of HttpInputStream.readLine(). + + com.mortbay.Base.DateCache class added and used to speed date handling. + + Handle '.' in configured paths (temp fix until PropertyTrees) + + Fast char buffer handling in HttpInputStream + + Faster version of HttpHeader.read() + + Faster version of HttpRequest + + Size all StringBuffers + +Jetty-2.1.0 - 22 February 1999 + + Session URL Encoding + + PropertyTrees (see new Demo page) + + ServletDispatch (see new Demo page) + + image/jpg -> image/jpeg + + Deprecated com.mortbay.Util.STF + + getServlet methods return null. 
+ +Jetty-2.1.B1 - 13 February 1999 + + Fixed bug with if-modified-since in FileHandler + + Added video/quicktime to default MIME types. + + Fixed bug with MultipartRequest. + + Updated DefaultExceptionHandler. + + Updated InetAddrPort. + + Updated URI. + + Implemented Handler translations and getRealPath. + + Improved handling of File.separator in FileHandler. + + Implemented RequestDispatcher (NOT Tested!). + + Implemented getResource and getResourceAsStream (NOT Tested!). + + Replace package com.mortbay.Util.Gateway with + class com.mortbay.Util.InetGateway + +Jetty-2.1.B0 - 30 January 1999 + + Uses JSDK2.1 API, but not all methods implemented. + + Added support for PUT, MOVE, DELETE in FileHandler + + FileHandler now sets content length. + + Added plug gateway classes com.mortbay.Util.Gateway + + Fixed command line bug with SimpleServletConfig + + Minor changes to support MS J++ and its non standard + language extensions - MMMmmm should have left it unchanged! + +Jetty-2.0.5 - 15 December 1998 + + Temp fix to getCharacterEncoding + + added getHeaderNoParams + +Jetty-2.0.4 - 10 December 1998 + + Use real release of JSDK2.0 (rather than beta). + + Portability issues solved for Apple's + + Improved error code returns + + Removed MORTBAY_HOME support from Makefiles + + Improved default Makefile behaviour + + Implement getCharacterEncoding + +Jetty-2.0.3 - 13 November 1998 + + Limit threads in ThreadedServer and low priority listener option + greatly improve performance under worse case loads. + + Fix bug with index files for Jetty.Server. Previously servers + configured with com.mortbay.Jetty.Server would not handle + index.html files. Need to make this configurable in the prp file. + + Fixed errors in README file: com.mortbay.Jetty.Server was called + com.mortbay.HTTP.Server + +Jetty-2.0.2 - 1 November 1998 + + Use JETTY_HOME rather than MORTBAY_HOME for build environment + + Add thread pool to threaded server for significant + performance improvement. 
+ + Buffer files during configuration + + Buffer HTTP Response headers. + +Jetty-2.0.1 - 27 October 1998 + + Released under an Open Source license. + +Jetty-2.0.0 - 25 October 1998 + + Removed exceptional case from FileHandler redirect. + + Removed Chat demo (too many netscape dependencies). + + Fixed Code.formatObject handling of null objects. + + Added multipart/form-data demo. + +Jetty-2.0.Beta3 - 29 Sep 1998 + + Send 301 for directories without trailing / in FileHandler + + Ignore exception from HttpListener + + Properly implemented multiple listening addresses + + Added com.mortbay.Jetty.Server (see README.Jetty) + + Demo converted to an instance of com.mortbay.Jetty.Server + + Fixed Log Handler again. + + Added com.mortbay.HTTP.MultiPartRequest to handle file uploads + +Jetty-2.0Beta2 - July 1998 + + Fixed Log Handler for HTTP/1.1 + + Slight improvement in READMEEs + +Jetty-2.0Beta1 - June 1998 + + Improved performance of Code.debug() calls, significantly + in the case of non matching debug patterns. + + Fixed bug with calls to service during initialization of servlet + + Provided addSection on com.mortbay.HTML.Page + + Provided reset on com.mortbay.HTML.Composite. + + Proxy demo in different server instance + + Handle full URLs in HTTP requests (to some extent) + + Improved performance with special asciiToLowerCase + + Warn if MSIE used for multi part MIME. 
+ +Jetty-2.0Alpha2 - May 1998 + + JDK1.2 javax.servlet API + + Added date format to Log + + Added timezone to Log + + Handle params in getIntHeader and getDateHeader + + Removed HttpRequest.getByteContent + + Use javax.servlet.http.HttpUtils.parsePostData + + Use javax.servlet.http.Cookie + + Use javax.servlet.http.HttpSession + + Handle Single Threaded servlets with servlet pool + +Jetty-1.3.5 May 1998 + + Fixed socket inet bug in FTP + + Debug triggers added to com.mortbay.Base.Code + + Added date format to Log + + Correct handling of multiple parameters + +Jetty-2.0Alpha1 Wed 8 April 1998 + + Fixed forward bug with no port number + + Removed HttpRequestHeader class + + Debug triggers added to com.mortbay.Base.Code + + Handle HTTP/1.1 Host: header + + Correct formatting of Date HTTP headers + + HttpTests test harness + + Add HTTP/1.1 Date: header + + Handle file requests with If-Modified-Since: or If-Unmodified-Since: + + Handle HEAD properly + + Send Connection: close + + Requires Host: header for 1.1 requests + + Sends chunked data for 1.1 responses of unknown length. + + handle extra spaces in HTTP headers + + Really fixed handling of multiple parameters + + accept chunked data + + Send 100 Continue for HTTP/1.1 requests (concerned about push???) + + persistent connections + +Jetty-1.3.4 - Sun 15 Mar 1998 + + Fixed handling of multiple parameters in query and form content. + "?A=1%2C2&A=C%2CD" now returns two values ("1,2" & "C,D") rather + than 4. + + ServletHandler now takes an optional file base directory + name which is used to set the translated path for pathInfo in + servlet requests. + + Dump servlet enhanced to exercise these changes. + +Jetty-1.3.3 + + Fixed TableForm.addButtonArea bug. 
+ + TableForm.extendRow() uses existing cell + + Closed exception window in HttpListener.java + +Jetty-1.3.2 + + Fixed proxy bug with no port number + + Added per Table cell composite factories + +Jetty-1.3.1 + + Minor fixes in SmtpMail + + ForwardHandler only forwards as http/1.0 (from Tobias.Miller) + + Improved parsing of stack traces + + Better handling of InvocationTargetException in debug + + Minor release adjustments for Tracker + +Jetty-1.3.0 + + Added DbAdaptor to JDBC wrappers + + Beta release of Tracker + +Jetty-1.2.0 + + Reintroduced STF + + Fixed install bug for nested classes + + Better Debug configuration + + DebugServlet + + Alternate look and feel for Jetty + +Jetty-1.1.1 + + Improved documentation + +Jetty-1.1 + + Improved connection caching in java.mortbay.JDBC + + Moved HttpCode to com.mortbay.Util + +Jetty-1.0.1 + + Bug fixes + +Jetty-1.0 + + First release in com.mortbay package structure + + Included Util, JDBC, HTML, HTTP, Jetty + + + + + diff --git a/extras/cometd/src/main/java/org/mortbay/cometd/Bayeux.java b/extras/cometd/src/main/java/org/mortbay/cometd/Bayeux.java index bbc31c744..86c128deb 100644 --- a/extras/cometd/src/main/java/org/mortbay/cometd/Bayeux.java +++ b/extras/cometd/src/main/java/org/mortbay/cometd/Bayeux.java @@ -15,6 +15,7 @@ package org.mortbay.cometd; import java.io.IOException; +import java.security.SecureRandom; import java.util.ArrayList; import java.util.HashMap; import java.util.Iterator; @@ -54,7 +55,7 @@ public class Bayeux HashMap _clients=new HashMap(); ServletContext _context; DateCache _dateCache=new DateCache(); - Random _random=new Random(System.currentTimeMillis()); + Random _random; HashMap _handlers=new HashMap(); HashMap _transports=new HashMap(); HashMap _filters=new java.util.HashMap(); 
@@ -80,6 +81,16 @@ public class Bayeux Bayeux(ServletContext context) { _context=context; + try + { + _random=SecureRandom.getInstance("SHA1PRNG"); + } + catch (Exception e) + { + context.log("Could not get secure random for ID generation",e); + _random=new Random(); + } + _random.setSeed(_random.nextLong()^hashCode()^(context.hashCode()<<32)^Runtime.getRuntime().freeMemory()); } /* ------------------------------------------------------------ */ @@ -248,9 +259,9 @@ void advise(Client client, Transport transport, Object advice) throws IOExceptio } /* ------------------------------------------------------------ */ - long getRandom() + long getRandom(long variation) { - long l=_random.nextLong(); + long l=_random.nextLong()^variation; return l<0?-l:l; } @@ -465,9 +476,9 @@ public void handle(Client client, Transport transport, Map message) // select a random channel ID if none specifified if (channel_id==null) { - channel_id=Long.toString(getRandom(),36); + channel_id=Long.toString(getRandom(message.hashCode()^client.hashCode()),36); while (getChannel(channel_id)!=null) - channel_id=Long.toString(getRandom(),36); + channel_id=Long.toString(getRandom(message.hashCode()^client.hashCode()),36); } // get the channel (or create if permitted) diff --git a/extras/cometd/src/main/java/org/mortbay/cometd/Channel.java b/extras/cometd/src/main/java/org/mortbay/cometd/Channel.java index 865c078e2..cdd19b9ae 100644 --- a/extras/cometd/src/main/java/org/mortbay/cometd/Channel.java +++ b/extras/cometd/src/main/java/org/mortbay/cometd/Channel.java @@ -132,8 +132,8 @@ public void publish(Object data, Client from) */ public String getToken(Client client, boolean subscribe, boolean send, boolean oneTime) { - String token=Long.toString(_bayeux.getRandom(),36); - // TODO register somewher + String token=Long.toString(_bayeux.getRandom(client.hashCode()),36); + // TODO register somewhere ? return token; } 
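Review bot: In the added constructor block, the fallback `_random=new Random();` quietly downgrades channel IDs and tokens to a non-cryptographic generator when "SHA1PRNG" is unavailable. `new SecureRandom()` selects the platform default and declares no checked exception, so `_random=new SecureRandom();` is a safer fallback. The catch could also be narrowed from `Exception` to `NoSuchAlgorithmException` (which needs its import) so unrelated failures are not masked. In the seed expression, `context.hashCode()<<32` is an int shift whose distance Java masks to five bits, so it shifts by zero; `((long)context.hashCode())<<32` is presumably what was meant. The same java.util.Random fallback appears in HashSessionIdManager.doStart().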
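Review bot: `return l<0?-l:l;` in getRandom(long) still returns a negative value when `l` is Long.MIN_VALUE, because the negation overflows, so the base-36 ID can come out with a leading `-`. `return l&Long.MAX_VALUE;` clears the sign bit without that case. XORing in `variation` (object hash codes) adds no unpredictability beyond what `_random` already supplies, and a one-line comment saying so would stop readers from relying on it. The same sign fold, `if (r<0) r=-r;`, is in HashSessionIdManager.newSessionId().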
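Review bot: getToken() returns the new token without recording it, and in the lines shown the `subscribe`, `send` and `oneTime` arguments are unused, so a stronger random source alone does not make the token checkable later. The reworded TODO would be more useful if it named what is missing, for example `// TODO store token with (client, subscribe, send, oneTime) so it can be validated and expired`.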
diff --git a/modules/jetty/src/main/java/org/mortbay/jetty/servlet/HashSessionIdManager.java b/modules/jetty/src/main/java/org/mortbay/jetty/servlet/HashSessionIdManager.java index 5a56fdcda..c47b0bcdd 100644 --- a/modules/jetty/src/main/java/org/mortbay/jetty/servlet/HashSessionIdManager.java +++ b/modules/jetty/src/main/java/org/mortbay/jetty/servlet/HashSessionIdManager.java @@ -14,6 +14,8 @@ package org.mortbay.jetty.servlet; +import java.security.NoSuchAlgorithmException; +import java.security.SecureRandom; import java.util.Random; import javax.servlet.http.HttpServletRequest; @@ -22,6 +24,7 @@ import org.mortbay.component.AbstractLifeCycle; import org.mortbay.jetty.SessionIdManager; import org.mortbay.jetty.servlet.AbstractSessionManager.Session; +import org.mortbay.log.Log; import org.mortbay.util.MultiMap; /* ------------------------------------------------------------ */ @@ -30,10 +33,13 @@ */ public class HashSessionIdManager extends AbstractLifeCycle implements SessionIdManager { - private final static String __NEW_SESSION_ID="org.mortbay.jetty.newSessionId"; + private final static String __NEW_SESSION_ID="org.mortbay.jetty.newSessionId"; + protected final static String SESSION_ID_RANDOM_ALGORITHM = "SHA1PRNG"; + protected final static String SESSION_ID_RANDOM_ALGORITHM_ALT = "IBMSecureRandom"; MultiMap _sessions; protected Random _random; + private boolean _weakRandom; private String _workerName; /* ------------------------------------------------------------ */ @@ -45,6 +51,7 @@ public HashSessionIdManager() public HashSessionIdManager(Random random) { _random=random; + } /* ------------------------------------------------------------ */ 
@@ -75,8 +82,27 @@ public void setWorkerName(String workerName) protected void doStart() { if (_random==null) - _random=new Random(); - _random.nextLong(); + { + try + { + _random=SecureRandom.getInstance(SESSION_ID_RANDOM_ALGORITHM); + } + catch (NoSuchAlgorithmException e) + { + try + { + _random=SecureRandom.getInstance(SESSION_ID_RANDOM_ALGORITHM_ALT); + _weakRandom=false; + } + catch (NoSuchAlgorithmException e_alt) + { + Log.warn("Could not generate SecureRandom for session-id randomness",e); + _random=new Random(); + _weakRandom=true; + } + } + } + _random.setSeed(_random.nextLong()^System.currentTimeMillis()^hashCode()^Runtime.getRuntime().freeMemory()); _sessions=new MultiMap(); } @@ -145,11 +171,11 @@ public void invalidateAll(String id) /* ------------------------------------------------------------ */ /* * new Session ID. If the request has a requestedSessionID which is unique, - * that is used. The session ID is created as a unique random long, - * represented as in a base between 30 and 36, selected by timestamp. If the - * request has a jvmRoute attribute, that is appended as a worker tag, else - * any worker tag set on the manager is appended. @param request @param - * created @return Session ID. + * that is used. The session ID is created as a unique random long XORed with + * connection specific information, base 36. + * @param request + * @param created + * @return Session ID. */ public String newSessionId(HttpServletRequest request, long created) { 
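Review bot: The `_random.setSeed(...)` line in doStart() sits outside the `if (_random==null)` block, so it also reseeds a generator supplied through `HashSessionIdManager(Random)`. For a SecureRandom that only supplements the seed, but for a plain java.util.Random it replaces the caller's seed with one built from clock, hash-code and free-memory values. Moving the call inside the `if`, next to where the instance is created, leaves an injected generator untouched. The warning in the inner catch logs `e` from the first lookup rather than `e_alt`, and naming both algorithm constants in the message would make the weak fallback easier to spot in logs.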
@@ -169,10 +195,15 @@ public String newSessionId(HttpServletRequest request, long created) String id=null; while (id==null||id.length()==0||idInUse(id)) { - long r=_random.nextLong(); + long r=_weakRandom + ?(hashCode()^Runtime.getRuntime().freeMemory()^_random.nextInt()^(((long)request.hashCode())<<32)) + :_random.nextLong(); + r^=created; + if (request!=null && request.getRemoteAddr()!=null) + r^=request.getRemoteAddr().hashCode(); if (r<0) r=-r; - id=Long.toString(r,30+(int)(created%7)); + id=Long.toString(r,36); } request.setAttribute(__NEW_SESSION_ID,id); @@ -180,4 +211,17 @@ public String newSessionId(HttpServletRequest request, long created) } } + /* ------------------------------------------------------------ */ + public Random getRandom() + { + return _random; + } + + /* ------------------------------------------------------------ */ + public void setRandom(Random random) + { + _random=random; + _weakRandom=false; + } + } \ No newline at end of file
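Review bot: In the `_weakRandom` branch, `request.hashCode()` is dereferenced before the `request!=null` test two lines below, and `request.setAttribute(...)` after the loop is unconditional, so the null check is either unnecessary or incomplete. That branch draws only `_random.nextInt()` from the generator and mixes it with values an observer can largely estimate (hash codes, free memory, `created`, the remote address), so IDs issued in weak mode should be documented as predictable, for instance with `// weak mode: IDs are NOT unguessable` on the branch. newSessionId() begins outside this hunk, so whether `request` can be null on entry is not visible here.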
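Review bot: `setRandom(Random)` clears `_weakRandom` unconditionally, so passing a plain java.util.Random makes newSessionId() take the `_random.nextLong()` path as if the generator were strong. `_weakRandom=!(random instanceof SecureRandom);` would keep the flag truthful, and the `HashSessionIdManager(Random)` constructor appears to have the same gap. `getRandom()` publicly hands out the live generator that session IDs are drawn from; a comment stating who is expected to call it, or narrower visibility, would make that exposure deliberate.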