Catalina

- 51294: Add support for unpacking WARs located outside of the Host's appBase into the appBase. (markt)
- 55656: Configure the Digester to use the server class loader when parsing server.xml rather than the class loader that loaded StandardServer. Patch provided by Roberto Benedetti. (markt)
- 55664: Correctly handle JSR 356 WebSocket Encoder, Decoder and MessageHandler implementations that use a generic type such as Encoder.Text<List<String>>. Includes a test case by Niki Dokovski. (markt)
- Correctly handle WebSocket Encoders, Decoders and MessageHandlers that use arrays of generic types. (markt)
- 55681: Ensure that the WebSocket session is made available to MessageHandler method calls. (markt)
- Updated servlet spec version and documentation section-number reported when JAR files are rejected for containing a trigger class (e.g. javax.servlet.Servlet). (schultz)
- Modify the WebSocket handshake process so that the user properties Map exposed by the ServerEndpointConfig during the call to Configurator.modifyHandshake() is unique to the connection rather than shared by all connections associated with the Endpoint. This allows for easier configuration of per connection properties from within modifyHandshake(). (markt)
- 55684: Log a warning but continue if the memory leak detection code is unable to access all threads to check for possible memory leaks when a web application is stopped. (markt)
- Define the web-fragment.xml in tomcat7-websocket.jar as a Servlet 3.0 web fragment rather than as a Servlet 3.1 web fragment. (markt)
- 55715: Add a per web application executor to the WebSocket implementation and use it for calling SendHandler.onResult() when there is a chance that the current thread also initiated the write. (markt)
- Prevent file descriptor leaks and ensure that files are closed when configuring the web application. (violetagg)
- Fixed the name of the provider-configuration file located in tomcat7-websocket.jar!/META-INF/services that exposes information for javax.websocket.server.ServerEndpointConfig$Configurator implementation. (violetagg)
- 55760: Remove the unnecessary setting of the javax.security.auth.useSubjectCredsOnly system property in the SpnegoAuthenticator. In addition to being unnecessary, it causes problems with using SPNEGO with IBM JDKs. Patch provided by Arunav Sanyal. (markt)
- 55772: Ensure that the request and response are recycled after an error during asynchronous processing. Includes a test case based on code contributed by Todd West. (markt)
- 55778: Add an option to the JNDI Realm to control the QOP used for the connection to the LDAP server after authentication when using SPNEGO with delegated credentials. This value is used to set the javax.security.sasl.qop environment property for the LDAP connection. (markt)
- 55798: Log an error if the MemoryUserDatabase is unable to find the specified user database file. (markt)
- 55799: Correctly enforce the restriction in JSR356 that no more than one data message may be sent to a remote WebSocket endpoint at a time. (markt)
- When Catalina parses TLD files, always use a namespace aware parser to be consistent with how Jasper parses TLD files. The tldNamespaceAware attribute of the Context is now ignored. (markt)
- Deprecate the tldNamespaceAware Context attribute as TLDs are always parsed with a namespace aware parser. (markt)
- Correct a logic error that meant that unpackWARs was ignored and the WAR was always expanded if a WAR failed to deploy. (markt)
- Add support for defining copyXML on a per Context basis. (markt)
- Define the expected behaviour of the automatic deployment and align the implementation to that definition. (markt)
- When running under a security manager, change the default value of the Host's deployXML attribute to false. (markt)
- If a Host is configured with a value of false for deployXML, a web application has an embedded descriptor at META-INF/context.xml and no explicit descriptor has been defined for this application, do not allow the application to start. The reason for this is that the embedded descriptor may contain configuration necessary for secure operation such as a RemoteAddrValve. (markt)
- Prevent an NPE in the WebSocket ServerContainer when processing an HTTP session end event. (markt)
- 55801: Add the ability to set a custom SSLContext to use for client wss connections. Patch provided by Maciej Lypik. (markt)
- 55804: If the GSSCredential for the cached Principal expires when using SPNEGO authentication, force a re-authentication. (markt)
- 55811: If the main web.xml contains an empty absolute-ordering element and validation of web.xml is not enabled, skip parsing any web-fragment.xml files as the result is never used. (markt)
- 55839: Extend support for digest prefixes {MD5}, {SHA} and {SSHA} to all Realms rather than just the JNDIRealm. (markt)
- 55842: Ensure that if a larger than default response buffer is configured that the full buffer is used when a Servlet outputs via a Writer. (markt)
- 55851: Further fixes to enable SPNEGO authentication to work with IBM JDKs. Based on a patch by Arunav Sanyal. (markt)
- Fix CVE-2013-4590: Add an option to the Context to control the blocking of XML external entities when parsing XML configuration files and enable this blocking by default when a security manager is used. The block is implemented via a custom resolver to enable the logging of any blocked entities. (markt)

Coyote

- Implement a number of small refactorings to the APR/native handler for upgraded HTTP connections. (markt)
- Fix an issue with upgraded HTTP connections over HTTPS (e.g. secure WebSocket) when using the APR/native connector that resulted in the unexpected closure of the connection. (markt)
- Ensure that the application class loader is used when calling the ReadListener and WriteListener methods when using non-blocking IO. A side effect of not doing this was that JNDI was not available when processing WebSocket events. (markt)
- Make the time that the internal executor (if used) waits for request processing threads to terminate before continuing with the connector stop process configurable. (markt)
- 55749: Improve the error message when SSLEngine is disabled in the AprLifecycleListener and SSL is configured for an APR/native connector. (markt)
- If a request that includes an Expect: 100-continue header receives anything other than a 2xx response, close the connection. This protects against misbehaving clients that may not send the request body in that case and send the next request instead. (markt)
- Improve the parsing of trailing headers in HTTP requests. (markt)

Jasper

- 55735: Fix a regression caused by the fix to 55198. When processing JSP documents, attributes in XML elements that are template content should have their text xml-escaped, but output of EL expressions in them should not be escaped. (markt)
- 55807: The JSP compiler used a last modified time of -1 for TLDs in JARs expanded into WEB-INF/classes (IDEs often do this expansion) when creating the dependency list for JSPs that used that TLD. This meant JSPs using that TLD were recompiled on every access. (markt)

Cluster

- Add a log message that initialization of AbstractReplicatedMap has been completed. (kfujino)
- The logger of AbstractReplicatedMap should be non-static in order to enable logging of each application. A side effect of this change is that MapMessage#getKey() and getValue() throw a RuntimeException instead of returning null and logging an error. (kfujino)
- Simplify the code of DeltaManager#startInternal(). Reduce unnecessary nesting for acquisition of the cluster instance. (kfujino)
- Remove the unnecessary attributes stateTransferCreateSendTime and receiverQueue from the cluster manager template. These attributes should not be defined as a template. (kfujino)
- Fix the MBean attribute definition of stateTransfered. The method name is not isStateTransfered() but getStateTransfered(). (kfujino)
- Correct the stop failure log of the cluster. The failure cause is not only the Valve. (kfujino)
- Remove unnecessary sleep when sending session blocks during the session sync phase. (kfujino)
- Expose stateTimestampDrop of org.apache.catalina.ha.session.DeltaManager via JMX. (kfujino)
- When the ping times out, make sure that the memberDisappeared method is not called for members that have already been removed. (kfujino)
- Add a log message for session relocation when a member disappears. (kfujino)
- If a ping message fails, prevent wrong timeout detection of normal members that have not failed. (kfujino)

Web applications

- Add some documentation on the SSL configuration options for WebSocket clients. (markt)
- Add to the cluster documentation a description of notifyLifecycleListenerOnFailure and heartbeatBackgroundEnabled. (kfujino)
- Update the documentation with information for WebSocket 1.0 specification and javadoc. (violetagg)
- 55703: Clarify the role of the singleton attribute for JNDI resource factories. (markt)
- 55746: Add documentation on the allRolesMode to the CombinedRealm and LockOutRealm. Patch by Cédric Couralet. (markt)
- Expand the information on web applications that ship as part of Tomcat in the security how-to section of the documentation web application. (markt)
- Expand the description of the WebSocket buffers in the documentation web application to clarify their purpose. (markt)
- Correct the documentation for Cluster manager. (kfujino)
- Add information on how to configure integrated Windows authentication when Tomcat is running on a non-Windows host. (markt)

Extras

- Update commons-logging to version 1.1.3. (rjung)

Other

- 52323: Add support for the Cobertura code coverage tool when running the unit tests. Based on a patch by mhasko. (markt/kkolinko)
- Update sample Eclipse IDE project. Explicitly use a Java 6 SE JDK. Exclude JSR356 WebSocket classes from build path, as they cannot be compiled with Java 6. (kkolinko)
- Update the Eclipse compiler to 4.3.1. (kkolinko/markt)