Subject: CVS commit: pkgsrc/www/apache-tomcat7
From: Ryo ONODERA
Date: 2015-12-21 18:03:26
Message id: 20151221170326.8C671FBA3@cvs.NetBSD.org

Log Message:
Update to 7.0.67

Changelog:
Tomcat 7.0.67 (violetagg)

    Catalina

        add	56917: As per RFC7231 (HTTP/1.1), allow HTTP/1.1 and later redirects to use relative URIs. This is controlled by a new attribute useRelativeRedirects on the Context and defaults to true. (markt)
        fix	58660: Correct a regression in 7.0.66 caused by the change that moved the redirection for context roots from the Mapper to the Default Servlet. (markt)
        fix	Fixed potential NPE in HostConfig while deploying an application. Issue reported by coverity scan. (violetagg)
        fix	58655: Fix an IllegalStateException when calling HttpServletResponse.sendRedirect() with the RemoteIpFilter. This was caused by trying to correctly generate the absolute URI for the redirect. With the fix for 56917, redirects may now be relative making the sendRedirect() implementation for the RemoteIpFilter much simpler. This also addresses issues where the redirect may not have behaved as expected when redirecting from http to https or from https to http. (markt)

    WebSocket

        fix	58658: Correct a regression in 7.0.66 that prevented Tomcat from starting on Java 6 unless the WebSocket JARs (that require Java 7) were removed. (markt)

    Web Applications

        add	Add a description of the default value of heartbeatSleeptime attribute and optionCheck attribute in the cluster channel docs. (kfujino)

    Tribes

        fix	Fix potential NPE in AbstractReplicatedMap.breakdown(). (kfujino)

Tomcat 7.0.66 (violetagg)	not released

    General

        update	58596: Clarify the description in RUNNING.txt of how environment variables are used. (markt)

    Catalina

        fix	34319: Only load those keys in StoreBase.processExpire from JDBCStore, that are old enough, to be expired. Based on a patch by Tom Anderson. (fschumacher)
        fix	56777: Allow file based configuration resources (user database, certificate revocation lists, keystores and trust stores) to be configured using URLs as well as files. Back-port provided by Huxing Zhang. (markt/violetagg)
        add	57741: Enable the CGI servlet to use the standard error page mechanism. Note that if the CGI servlet's debug init parameter is set to 10 or higher then the standard error page mechanism will be bypassed and a debug response generated by the CGI servlet will be returned instead. (markt)
        add	58486: Protect against two further possible memory leaks associated with XML parsing. (markt)
        code	58497: Make AbstractHttp11Processor easy to extend. (markt)
        fix	58508: Escape role names when generating associated MBeans in case the role name contains characters not permitted in an MBean name. (markt)
        fix	58522: Fixed concurrency issue when iterating web application's resources. (violetagg)
        fix	58534: Removed repeated conditional tests in o.a.tomcat.websocket.pojo.PojoMethodMapping and o.a.tomcat.util.net.AprEndpoint. Patch provided by Anthony Whitford. (violetagg)
        fix	58535: Use Collections.reverseOrder when a reverse ordering is needed. (violetagg)
        fix	58537: Some of the inner classes in o.a.catalina.valves.ExtendedAccessLogValve are made static. Patch provided by Anthony Whitford. (violetagg)
        fix	58540: Removed unused code from o.a.catalina.connector.Request. Patch provided by Anthony Whitford. (violetagg)
        fix	58541, 58544: It is more efficient to call Integer.toString(int) instead of Integer.valueOf(int).toString() when only a string representation of a primitive is needed. Based on a patch provided by Anthony Whitford. (violetagg)
        fix	58541, 58547: It is more efficient to call valueOf(...) instead of Number constructor. Based on a patch provided by Anthony Whitford. (violetagg)
        fix	58545: In some use cases it is more efficient to use Map.entrySet() instead of Map.keySet(). Based on a patch provided by Anthony Whitford. (violetagg)
        add	Add a new RestCsrfPreventionFilter that provides basic CSRF protection for REST APIs. (violetagg)
        fix	58581: If a custom error page fails, fall back to the standard error page rather than throwing an NPE. Based on a patch by Huxing Zhang. (markt)
        fix	58582: Combined realm should perform background processing on its sub-realms. Based upon a patch provided by Aidan. (kkolinko)
        fix	Handle the unlikely case where different versions of a web application are deployed with different session settings. (markt)
        add	Add a new Context option, enabled by default, that enables an additional check that a client provided session ID is in use in at least one other web application before allowing it to be used as the ID for a new session in the current web application. (markt)
        add	Add support for DIGEST authentication to the JNDIRealm. Based on a patch by Alexis Hassler. (markt)
        fix	58603: Ensure that HttpServletRequest.getRequestURL() returns the correct value when using the RemoteIpFilter. (markt)
        fix	Ensure that in an embedded Tomcat the logging configuration is not lost during garbage collection. (violetagg)
        add	Move the functionality that provides redirects for context roots and directories where a trailing / is added from the Mapper to the DefaultServlet. This enables such requests to be processed by any configured Valves and Filters before the redirect is made. This behaviour is configurable via the mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled attributes of the Context which may be used to restore the previous behaviour. (markt)
        fix	58635: Enable break points to be set within agent code when running Tomcat with a Java agent. Based on a patch by Huxing Zhang. (markt)

    Jasper

        fix	57136#c25: Implement a setting that controls what quoting rule is used when parsing EL expressions in attributes on a JSP page (chapter JSP.1.6 of specification). The setting name is quoteAttributeEL and it is configured as initialisation parameter of JSP Servlet (per web application configuration is possible) and as a command line option for JspC. The default value was changed to true, which restores behaviour implemented in Tomcat 7.0.64. It means that attribute quoting is applied on top of EL quoting. This provides better compatibility with older versions of Tomcat and other implementations. (kkolinko)

    Cluster

        fix	Optimize the session lock range in DeltaManager.requestCompleted. (kfujino)
        fix	Enable an explicit configuration of local member in the static cluster membership. (kfujino)
        fix	Fix potential integer overflow in DeltaSession. Reported by coverity scan. (fschumacher)

    Tribes

        code	Distinguish the handling of the shutdown payload and member verification clearly. When handling shutdown payload, verification completion message is not required. (kfujino)
        fix	When starting the StaticMembershipInterceptor, StaticMembershipInterceptor checks the required Interceptors. If the required Interceptor does not exist, it issues warning logs. (kfujino)
        fix	Ensure that the static member is registered to the add suspect list even if the static member that is registered to the remove suspect list has disappeared. (kfujino)
        fix	Correct the warning log of when the member that is not registered in the membership is detected. (kfujino)
        fix	When using a static cluster, add the members that have been cached in the membership service to the map members list in order to ensure that the map member is a static member. (kfujino)

    WebSocket

        fix	Use instance manager for server endpoint instances. (remm)
        add	55006: The WebSocket client now honors the java.net.ProxySelector configuration (using the HTTP type) when establishing WebSocket connections to servers. Based on a patch by Niki Dokovski. (markt)
        fix	58624: Correct a thread safety issue that meant that blocking message writes could block indefinitely if the WebSocket connection was closed while a message write was in progress. (markt)

    Web applications

        add	Make it clear in the documentation for the CGI servlet that the debug page is not considered secure and should not be used in production. (markt)
        fix	The domain attribute of StaticMember is not required but optional. (kfujino)
        fix	58631: Correct the continuation character use in the Windows Service How-To page of the documentation web application. (markt)

    jdbc-pool

        fix	58489: Correct QueryStatsComparator to hold up the general contract for Comparator. (fschumacher)
        fix	When creating a QueryStats object, ensure that maxQueries is checked. If maxQueries is a value less than or equal to 0, QueryStats are never created. (kfujino)
        fix	Fix potential integer overflow in ConnectionPool and PooledConnection. Reported by coverity scan. (fschumacher)

Tomcat 7.0.65 (violetagg)	released 2015-10-19

    Catalina

        add	57681: Add a web application class loader implementation that supports the parallel loading of web application classes. Use of this feature requires a Java 7 or later JRE. Based on a patch by Huxing Zhang. (markt)
        fix	58187: Correct a regression in the fix for 57765 that meant that deployment of web applications deployed via the Manager application was delayed until the next execution of the automatic deployment background process. (markt)
        fix	58284: Correctly implement session serialization so non-serializable attributes are skipped with a warning. Patch provided by Andrew Shore. (markt)
        fix	58313: Fix concurrent access of encoders map when clearing encoders prior to switch to async. (markt)
        fix	58320: Fix concurrent access of request attributes which is possible during asynchronous processing. (markt)
        code	In preparation for implementing enhancement 57681, replace the use of the StandardClassLoader with URLClassLoader. This removes the server class loader from JMX. (markt)
        fix	58352: Always trigger a thread dump if Tomcat fails to stop gracefully from catalina.sh even if using -force. Patch provided by Alexandre Garnier. (markt)
        fix	58416: Correctly detect when a forced stop fails to stop Tomcat because the Tomcat process is waiting on some system call or is uninterruptible. (markt)
        fix	58436: Fix some rare data races in JULI's ClassLoaderLogManager during shutdown. (markt)

    Coyote

        fix	Correct some edge cases in RequestUtil.normalize(). (markt)
        fix	58275: The IBM JREs accept cipher suite names starting with TLS_ or SSL_ but when listing the supported cipher suites only the SSL_ version is reported. This can break Tomcat's check that at least one requested cipher suite is supported. Tomcat now includes a work-around so either form of the cipher suite name can be used when running on an IBM JRE. (markt)
        fix	58357: For reasons not currently understood when the APR/native connector is used with OpenSSL reads can return an error code when there is no apparent error. This was worked around for HTTP upgrade connections by treating this as EAGAIN. The same fix has now been applied to the standard HTTP connector. (markt)
        fix	57799: Remove useless sendfile check for NIO SSL. (remm)

    Jasper

        fix	57136: Correct a regression in the previous fix for this issue. \${ should only be an escape for ${ within an EL expression. Within a JSP page \$ should be an escape for $. The EL specification applies when parsing the expression delimited by ${ and }. Parsing of the delimiting ${ and } is the responsibility of the JSP specification. (markt)
        fix	58296: Fix a memory leak in the JSP unloading feature that meant that using a value other than -1 for maxLoadedJsps triggered a memory leak once the limit was reached. (markt)
        fix	58340: Improve error reporting for tag files packaged in JARs. (markt)
        fix	58444: Ensure that JSPs work with any custom base class that meets the requirements defined in the JSP specification without requiring that base class to implement Tomcat specific code. (markt)

    Cluster

        fix	Fix a default clusterListeners in SimpleTcpCluster. The optimal default value is different for each session manager. ClusterSessionListener is never used in BackupManager. (kfujino)
        fix	Correct log messages in case of using BackupManager. (kfujino)

    WebSocket

        fix	58342: Fix a copy and paste error that meant MessageHandler removal could fail for binary and pong MessageHandlers. Patch provided by DJ. (markt)
        fix	58414: Correctly handle sending zero length messages when using per message deflate. (markt)

    Web applications

        fix	Correct documentation for cluster-howto. (kfujino)

    Extras

        fix	Ensure JULI adapters do not include the LogFactoryImpl class. Patch provided by Benjamin Gandon. (markt)

    Tribes

        add	Add support for configurations of ChannelListener and MembershipListener in server.xml. (kfujino)
        fix	Correct log messages in case of using ReplicatedMap. (kfujino)

    jdbc-pool

        fix	Make sure the pool has been properly configured when attributes that are related to the pool size are changed via JMX. (kfujino)

Files:
Revision  Action  file
1.26      modify  pkgsrc/www/apache-tomcat7/Makefile
1.21      modify  pkgsrc/www/apache-tomcat7/distinfo