升级Tomcat版本 apache-tomcat-7.0.77
diff --git a/tomcat-uid/conf/catalina.policy b/tomcat-uid/conf/catalina.policy
index b6369ae..67aa45a 100644
--- a/tomcat-uid/conf/catalina.policy
+++ b/tomcat-uid/conf/catalina.policy
@@ -14,15 +14,15 @@
// limitations under the License.
// ============================================================================
-// catalina.policy - Security Policy Permissions for Tomcat 6
+// catalina.policy - Security Policy Permissions for Tomcat 7
//
// This file contains a default set of security policies to be enforced (by the
// JVM) when Catalina is executed with the "-security" option. In addition
// to the permissions granted here, the following additional permissions are
-// granted to the codebase specific to each web application:
+// granted to each web application:
//
-// * Read access to its document root directory
-// * Read, write and delete access to its working directory
+// * Read access to the web application's document root directory
+// * Read, write and delete access to the web application's working directory
// ============================================================================
@@ -65,7 +65,7 @@
// grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..}
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.io.FilePermission
- "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
+ "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
permission java.io.FilePermission
"${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
@@ -82,6 +82,7 @@
permission java.util.PropertyPermission "java.util.logging.config.class", "read";
permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+ permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read";
permission java.util.PropertyPermission "catalina.base", "read";
// Note: To enable per context logging configuration, permit read access to
@@ -120,7 +121,7 @@
// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// and JndiPermission for all files and directories in its document root.
-grant {
+grant {
// Required for JNDI lookup of named JDBC DataSource's and
// javamail named MimePart DataSource used to send mail
permission java.util.PropertyPermission "java.home", "read";
@@ -157,15 +158,38 @@
// Allow read of JAXP compliant XML parser debug
permission java.util.PropertyPermission "jaxp.debug", "read";
+ // All JSPs need to be able to read this package
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";
+
// Precompiled JSPs need access to these packages.
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
- permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
-
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.org.apache.jasper.runtime.*";
+
// Precompiled JSPs need access to these system properties.
permission java.util.PropertyPermission
"org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
- permission java.util.PropertyPermission "org.apache.el.parser.COERCE_TO_ZERO", "read";
+ permission java.util.PropertyPermission
+ "org.apache.el.parser.COERCE_TO_ZERO", "read";
+
+ // The cookie code needs these.
+ permission java.util.PropertyPermission
+ "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read";
+ permission java.util.PropertyPermission
+ "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read";
+ permission java.util.PropertyPermission
+ "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read";
+
+ // Applications using Comet need to be able to access this package
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.comet";
+
+ // Applications using the legacy WebSocket implementation need to be able to access this package
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.websocket";
+
+ // Applications using the JSR-356 WebSocket implementation need to be able to access these packages
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket.server";
};
@@ -177,13 +201,17 @@
// - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME
grant codeBase "file:${catalina.base}/webapps/manager/-" {
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
};
grant codeBase "file:${catalina.home}/webapps/manager/-" {
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
};
// You can assign additional permissions to particular web applications by
diff --git a/tomcat-uid/conf/catalina.properties b/tomcat-uid/conf/catalina.properties
index 0d9afc7..67c986a 100644
--- a/tomcat-uid/conf/catalina.properties
+++ b/tomcat-uid/conf/catalina.properties
@@ -20,7 +20,7 @@
# corresponding RuntimePermission ("accessClassInPackage."+package) has
# been granted.
package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.jasper.,\
-org.apache.naming.resources.,org.apache.tomcat.,sun.beans.
+org.apache.naming.resources.,org.apache.tomcat.
#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
@@ -36,48 +36,102 @@
#
#
-# List of comma-separated paths defining the contents of the "common"
+# List of comma-separated paths defining the contents of the "common"
# classloader. Prefixes should be used to define what is the repository type.
# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
-# If left as blank,the JVM system loader will be used as Catalina's "common"
+# If left as blank,the JVM system loader will be used as Catalina's "common"
# loader.
# Examples:
# "foo": Add this folder as a class repository
-# "foo/*.jar": Add all the JARs of the specified folder as class
+# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar
#
-# List of comma-separated paths defining the contents of the "server"
+# List of comma-separated paths defining the contents of the "server"
# classloader. Prefixes should be used to define what is the repository type.
# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
-# If left as blank, the "common" loader will be used as Catalina's "server"
+# If left as blank, the "common" loader will be used as Catalina's "server"
# loader.
# Examples:
# "foo": Add this folder as a class repository
-# "foo/*.jar": Add all the JARs of the specified folder as class
+# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
server.loader=
#
-# List of comma-separated paths defining the contents of the "shared"
+# List of comma-separated paths defining the contents of the "shared"
# classloader. Prefixes should be used to define what is the repository type.
# Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
# the "common" loader will be used as Catalina's "shared" loader.
# Examples:
# "foo": Add this folder as a class repository
-# "foo/*.jar": Add all the JARs of the specified folder as class
+# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
-# "foo/bar.jar": Add bar.jar as a class repository
+# "foo/bar.jar": Add bar.jar as a class repository
# Please note that for single jars, e.g. bar.jar, you need the URL form
# starting with file:.
shared.loader=
+# List of JAR files that should not be scanned using the JarScanner
+# functionality. This is typically used to scan JARs for configuration
+# information. JARs that do not contain such information may be excluded from
+# the scan to speed up the scanning process. This is the default list. JARs on
+# this list are excluded from all scans. Scan specific lists (to exclude JARs
+# from individual scans) follow this. The list must be a comma separated list of
+# JAR file names.
+# The JARs listed below include:
+# - Tomcat Bootstrap JARs
+# - Tomcat API JARs
+# - Catalina JARs
+# - Jasper JARs
+# - Tomcat JARs
+# - Common non-Tomcat JARs
+# - Test JARs (JUnit, Cobertura and dependencies)
+tomcat.util.scan.DefaultJarScanner.jarsToSkip=\
+bootstrap.jar,commons-daemon.jar,tomcat-juli.jar,\
+annotations-api.jar,el-api.jar,jsp-api.jar,servlet-api.jar,websocket-api.jar,\
+catalina.jar,catalina-ant.jar,catalina-ha.jar,catalina-tribes.jar,\
+jasper.jar,jasper-el.jar,ecj-*.jar,\
+tomcat-api.jar,tomcat-util.jar,tomcat-coyote.jar,tomcat-dbcp.jar,\
+tomcat-jni.jar,tomcat-spdy.jar,\
+tomcat-i18n-en.jar,tomcat-i18n-es.jar,tomcat-i18n-fr.jar,tomcat-i18n-ja.jar,\
+tomcat-juli-adapters.jar,catalina-jmx-remote.jar,catalina-ws.jar,\
+tomcat-jdbc.jar,\
+tools.jar,\
+commons-beanutils*.jar,commons-codec*.jar,commons-collections*.jar,\
+commons-dbcp*.jar,commons-digester*.jar,commons-fileupload*.jar,\
+commons-httpclient*.jar,commons-io*.jar,commons-lang*.jar,commons-logging*.jar,\
+commons-math*.jar,commons-pool*.jar,\
+jstl.jar,taglibs-standard-spec-*.jar,\
+geronimo-spec-jaxrpc*.jar,wsdl4j*.jar,\
+ant.jar,ant-junit*.jar,aspectj*.jar,jmx.jar,h2*.jar,hibernate*.jar,httpclient*.jar,\
+jmx-tools.jar,jta*.jar,log4j.jar,log4j-1*.jar,mail*.jar,slf4j*.jar,\
+xercesImpl.jar,xmlParserAPIs.jar,xml-apis.jar,\
+junit.jar,junit-*.jar,hamcrest*.jar,org.hamcrest*.jar,ant-launcher.jar,\
+cobertura-*.jar,asm-*.jar,dom4j-*.jar,icu4j-*.jar,jaxen-*.jar,jdom-*.jar,\
+jetty-*.jar,oro-*.jar,servlet-api-*.jar,tagsoup-*.jar,xmlParserAPIs-*.jar,\
+xom-*.jar
+
+# Additional JARs (over and above the default JARs listed above) to skip when
+# scanning for Servlet 3.0 pluggability features. These features include web
+# fragments, annotations, SCIs and classes that match @HandlesTypes. The list
+# must be a comma separated list of JAR file names.
+org.apache.catalina.startup.ContextConfig.jarsToSkip=
+
+# Additional JARs (over and above the default JARs listed above) to skip when
+# scanning for TLDs. The list must be a comma separated list of JAR file names.
+org.apache.catalina.startup.TldConfig.jarsToSkip=tomcat7-websocket.jar
+
#
# String cache configuration.
tomcat.util.buf.StringCache.byte.enabled=true
#tomcat.util.buf.StringCache.char.enabled=true
#tomcat.util.buf.StringCache.trainThreshold=500000
#tomcat.util.buf.StringCache.cacheSize=5000
+
+# Allow for changes to HTTP request validation
+# WARNING: Using this option will expose the server to CVE-2016-6816
+#tomcat.util.http.parser.HttpParser.requestTargetAllow=|
diff --git a/tomcat-uid/conf/context.xml b/tomcat-uid/conf/context.xml
index 7489ff2..5e3574d 100644
--- a/tomcat-uid/conf/context.xml
+++ b/tomcat-uid/conf/context.xml
@@ -20,7 +20,7 @@
<!-- Default set of monitored resources -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>
-
+
<!-- Uncomment this to disable session persistence across Tomcat restarts -->
<!--
<Manager pathname="" />
@@ -31,21 +31,21 @@
<!--
<Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
-->
-
- <Resource name="jdbc/uidman"
- auth="Container"
- description="DB Connection"
- type="javax.sql.DataSource"
- driverClassName="oracle.jdbc.driver.OracleDriver"
- url="jdbc:oracle:thin:@localhost:1521:dev"
- username="idc_u_uniauth"
- password="kingstar"
- maxIdle="20"
- maxWait="4000"
- maxActive="50"
- removeAbandoned="true"
- removeAbandonedTimeout="180"
- logAbandoned="true"
- factory="org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory" />
+
+ <Resource name="jdbc/uidman"
+ auth="Container"
+ description="DB Connection"
+ type="javax.sql.DataSource"
+ driverClassName="oracle.jdbc.driver.OracleDriver"
+ url="jdbc:oracle:thin:@localhost:1521:dev"
+ username="idc_u_uniauth"
+ password="kingstar"
+ maxIdle="20"
+ maxWait="4000"
+ maxActive="50"
+ removeAbandoned="true"
+ removeAbandonedTimeout="180"
+ logAbandoned="true"
+ factory="org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory" />
</Context>
diff --git a/tomcat-uid/conf/logging.properties b/tomcat-uid/conf/logging.properties
index 4558185..90d7ea7 100644
--- a/tomcat-uid/conf/logging.properties
+++ b/tomcat-uid/conf/logging.properties
@@ -56,9 +56,9 @@
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler
-# For example, to log debug messages in ContextConfig and HostConfig
-# classes and to log only warnings and errors in other
-# org.apache.catalina.** classes, uncomment these lines:
-#org.apache.catalina.startup.ContextConfig.level = FINE
-#org.apache.catalina.startup.HostConfig.level = FINE
-#org.apache.catalina.level = WARNING
+# For example, set the org.apache.catalina.util.LifecycleBase logger to log
+# each component that extends LifecycleBase changing state:
+#org.apache.catalina.util.LifecycleBase.level = FINE
+
+# To see debug messages in TldLocationsCache, uncomment the following line:
+#org.apache.jasper.compiler.TldLocationsCache.level = FINE
diff --git a/tomcat-uid/conf/server.xml b/tomcat-uid/conf/server.xml
index a9e75b6..817e621 100644
--- a/tomcat-uid/conf/server.xml
+++ b/tomcat-uid/conf/server.xml
@@ -20,16 +20,18 @@
Documentation at /docs/config/server.html
-->
<Server port="8015" shutdown="SHUTDOWN">
-
+ <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
+ <!-- Security listener. Documentation at /docs/config/listeners.html
+ <Listener className="org.apache.catalina.security.SecurityListener" />
+ -->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
<Listener className="org.apache.catalina.core.JasperListener" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
- <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
- <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+ <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
@@ -46,19 +48,21 @@
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
- a single "Container" Note: A "Service" is not itself a "Container",
+ a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
-
+
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
+ <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
+ maxThreads="150" minSpareThreads="4"/>
-->
- <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
+ <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="5000" minSpareThreads="400"/>
-
-
+
+
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
@@ -66,24 +70,24 @@
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
- <Connector executor="tomcatThreadPool"
- port="8018" protocol="HTTP/1.1"
- connectionTimeout="20000"
- redirectPort="8443" URIEncoding="UTF-8" />
+ <Connector port="8018" protocol="HTTP/1.1"
+ connectionTimeout="20000"
+ redirectPort="8443" executor="tomcatThreadPool" URIEncoding="UTF-8" />
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
- port="8080" protocol="HTTP/1.1"
- connectionTimeout="20000"
+ port="8080" protocol="HTTP/1.1"
+ connectionTimeout="20000"
redirectPort="8443" />
- -->
+ -->
<!-- Define a SSL HTTP/1.1 Connector on port 8443
- This connector uses the JSSE configuration, when using APR, the
- connector should be using the OpenSSL style configuration
- described in the APR documentation -->
+ This connector uses the BIO implementation that requires the JSSE
+ style configuration. When using the APR/native implementation, the
+ OpenSSL style configuration is required as described in the APR/native
+ documentation -->
<!--
- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
- maxThreads="150" scheme="https" secure="true"
+ <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
+ maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
@@ -98,8 +102,8 @@
Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
- <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
- -->
+ <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
+ -->
<Engine name="Catalina" defaultHost="localhost">
<!--For clustering, please take a look at documentation at:
@@ -107,28 +111,21 @@
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
- -->
-
- <!-- The request dumper valve dumps useful debugging information about
- the request and response data received and sent by Tomcat.
- Documentation at: /docs/config/valve.html -->
- <!--
- <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
-->
- <!-- This Realm uses the UserDatabase configured in the global JNDI
- resources under the key "UserDatabase". Any edits
- that are performed against this UserDatabase are immediately
- available for use by the Realm. -->
- <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
- resourceName="UserDatabase"/>
+ <!-- Use the LockOutRealm to prevent attempts to guess user passwords
+ via a brute-force attack -->
+ <Realm className="org.apache.catalina.realm.LockOutRealm">
+ <!-- This Realm uses the UserDatabase configured in the global JNDI
+ resources under the key "UserDatabase". Any edits
+ that are performed against this UserDatabase are immediately
+ available for use by the Realm. -->
+ <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+ resourceName="UserDatabase"/>
+ </Realm>
- <!-- Define the default virtual host
- Note: XML Schema validation will not work with Xerces 2.2.
- -->
<Host name="localhost" appBase="webapps"
- unpackWARs="true" autoDeploy="false"
- xmlValidation="false" xmlNamespaceAware="false">
+ unpackWARs="true" autoDeploy="true">
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
@@ -137,11 +134,11 @@
-->
<!-- Access log processes all example.
- Documentation at: /docs/config/valve.html -->
- <!--
- <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
- prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
- -->
+ Documentation at: /docs/config/valve.html
+ Note: The pattern used is equivalent to using pattern="common" -->
+ <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+ prefix="localhost_access_log." suffix=".txt"
+ pattern="%h %l %u %t "%r" %s %b" />
</Host>
</Engine>
diff --git a/tomcat-uid/conf/tomcat-users.xml b/tomcat-uid/conf/tomcat-users.xml
index 34e268d..410d18f 100644
--- a/tomcat-uid/conf/tomcat-users.xml
+++ b/tomcat-uid/conf/tomcat-users.xml
@@ -19,18 +19,23 @@
<!--
NOTE: By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application. If you wish to use this app,
- you must define such a user - the username and password are arbitrary.
+ you must define such a user - the username and password are arbitrary. It is
+ strongly recommended that you do NOT use one of the users in the commented out
+ section below since they are intended for use with the examples web
+ application.
-->
<!--
- NOTE: The sample user and role entries below are wrapped in a comment
- and thus are ignored when reading this file. Do not forget to remove
- <!.. ..> that surrounds them.
+ NOTE: The sample user and role entries below are intended for use with the
+ examples web application. They are wrapped in a comment and thus are ignored
+ when reading this file. If you wish to configure these users for use with the
+ examples web application, do not forget to remove the <!.. ..> that surrounds
+ them. You will also need to set the passwords to something appropriate.
-->
<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
- <user username="tomcat" password="tomcat" roles="tomcat"/>
- <user username="both" password="tomcat" roles="tomcat,role1"/>
- <user username="role1" password="tomcat" roles="role1"/>
+ <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
+ <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
+ <user username="role1" password="<must-be-changed>" roles="role1"/>
-->
</tomcat-users>
diff --git a/tomcat-uid/conf/web.xml b/tomcat-uid/conf/web.xml
index 4b2cb5a..d4f6524 100644
--- a/tomcat-uid/conf/web.xml
+++ b/tomcat-uid/conf/web.xml
@@ -16,9 +16,10 @@
limitations under the License.
-->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
- version="2.5">
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
+ http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+ version="3.0">
<!-- ======================== Introduction ============================== -->
<!-- This document defines default values for *all* web applications -->
@@ -41,7 +42,8 @@
<!-- parameters (default values are in square brackets): -->
<!-- -->
<!-- debug Debugging detail level for messages logged -->
- <!-- by this servlet. [0] -->
+ <!-- by this servlet. Useful values are 0, 1, and -->
+ <!-- 11 where higher values mean more detail. [0] -->
<!-- -->
<!-- fileEncoding Encoding to be used to read static resources -->
<!-- [platform default] -->
@@ -62,7 +64,7 @@
<!-- commands like PUT and DELETE are -->
<!-- rejected? [true] -->
<!-- -->
- <!-- readmeFile File name to display with the directory -->
+ <!-- readmeFile File to display together with the directory -->
<!-- contents. [null] -->
<!-- -->
<!-- sendfileSize If the connector used supports sendfile, this -->
@@ -93,6 +95,10 @@
<!-- path that points to a location below either -->
<!-- $CATALINA_BASE/conf (checked first) or -->
<!-- $CATALINA_HOME/conf (checked second).[null] -->
+ <!-- -->
+ <!-- showServerInfo Should server information be presented in the -->
+ <!-- response sent to clients when directory -->
+ <!-- listings is enabled? [true] -->
<servlet>
<servlet-name>default</servlet-name>
@@ -109,37 +115,6 @@
</servlet>
- <!-- This servlet has been deprecated due to security concerns. Servlets -->
- <!-- should be explicitly mapped in web.xml -->
- <!-- -->
- <!-- The "invoker" servlet, which executes anonymous servlet classes -->
- <!-- that have not been defined in a web.xml file. Traditionally, this -->
- <!-- servlet is mapped to the URL pattern "/servlet/*", but you can map -->
- <!-- it to other patterns as well. The extra path info portion of such a -->
- <!-- request must be the fully qualified class name of a Java class that -->
- <!-- implements Servlet (or extends HttpServlet), or the servlet name -->
- <!-- of an existing servlet definition. This servlet supports the -->
- <!-- following initialization parameters (default values are in square -->
- <!-- brackets): -->
- <!-- -->
- <!-- debug Debugging detail level for messages logged -->
- <!-- by this servlet. [0] -->
-
-<!--
- <servlet>
- <servlet-name>invoker</servlet-name>
- <servlet-class>
- org.apache.catalina.servlets.InvokerServlet
- </servlet-class>
- <init-param>
- <param-name>debug</param-name>
- <param-value>0</param-value>
- </init-param>
- <load-on-startup>2</load-on-startup>
- </servlet>
--->
-
-
<!-- The JSP page compiler and execution servlet, which is the mechanism -->
<!-- used by Tomcat to support JSP pages. Traditionally, this servlet -->
<!-- is mapped to the URL pattern "*.jsp". This servlet supports the -->
@@ -163,9 +138,9 @@
<!-- pages. See the jasper documentation for more -->
<!-- information. -->
<!-- -->
- <!-- compilerSourceVM Compiler source VM. [1.5] -->
+ <!-- compilerSourceVM Compiler source VM. [1.6] -->
<!-- -->
- <!-- compilerTargetVM Compiler target VM. [1.5] -->
+ <!-- compilerTargetVM Compiler target VM. [1.6] -->
<!-- -->
<!-- development Is Jasper used in development mode? If true, -->
<!-- the frequency at which JSPs are checked for -->
@@ -188,6 +163,8 @@
<!-- engineOptionsClass Allows specifying the Options class used to -->
<!-- configure Jasper. If not present, the default -->
<!-- EmbeddedServletOptions will be used. -->
+ <!-- This option is ignored when running under a -->
+ <!-- SecurityManager. -->
<!-- -->
<!-- errorOnUseBeanInvalidClassAttribute -->
<!-- Should Jasper issue an error when the value of -->
@@ -217,6 +194,18 @@
<!-- print statement per input line, to ease -->
<!-- debugging? [true] -->
<!-- -->
+ <!-- maxLoadedJsps The maximum number of JSPs that will be loaded -->
+ <!-- for a web application. If more than this -->
+ <!-- number of JSPs are loaded, the least recently -->
+ <!-- used JSPs will be unloaded so that the number -->
+ <!-- of JSPs loaded at any one time does not exceed -->
+ <!-- this limit. A value of zero or less indicates -->
+ <!-- no limit. [-1] -->
+ <!-- -->
+ <!-- jspIdleTimeout The amount of time in seconds a JSP can be -->
+ <!-- idle before it is unloaded. A value of zero -->
+ <!-- or less indicates never unload. [-1] -->
+ <!-- -->
<!-- modificationTestInterval -->
<!-- Causes a JSP (and its dependent files) to not -->
<!-- be checked for modification during the -->
@@ -237,6 +226,8 @@
<!-- scratchdir What scratch directory should we use when -->
<!-- compiling JSP pages? [default work directory -->
<!-- for the current web application] -->
+ <!-- This option is ignored when running under a -->
+ <!-- SecurityManager. -->
<!-- -->
<!-- suppressSmap Should the generation of SMAP info for JSR45 -->
<!-- debugging be suppressed? [false] -->
@@ -245,11 +236,12 @@
<!-- actions or directives be trimmed? [false] -->
<!-- -->
<!-- xpoweredBy Determines whether X-Powered-By response -->
- <!-- header is added by generated servlet [false] -->
+ <!-- header is added by generated servlet. [false] -->
<!-- -->
- <!-- If you wish to use Jikes to compile JSP pages: -->
- <!-- Please see the "Using Jikes" section of the Jasper-HowTo -->
- <!-- page in the Tomcat documentation. -->
+ <!-- quoteAttributeEL When EL is used in an attribute value on a -->
+ <!-- JSP page should the rules for quoting of -->
+ <!-- attributes described in JSP.1.6 be applied to -->
+ <!-- the expression? [true] -->
<servlet>
<servlet-name>jsp</servlet-name>
@@ -335,14 +327,21 @@
<!-- -->
<!-- cgiPathPrefix The CGI search path will start at -->
<!-- webAppRootDir + File.separator + this prefix. -->
- <!-- [WEB-INF/cgi] -->
- <!-- -->
- <!-- debug Debugging detail level for messages logged -->
- <!-- by this servlet. [0] -->
+ <!-- If not set, then webAppRootDir is used. -->
+ <!-- Recommended value: WEB-INF/cgi -->
<!-- -->
<!-- executable Name of the executable used to run the -->
<!-- script. [perl] -->
<!-- -->
+ <!-- envHttpHeaders A regular expression used to select the HTTP -->
+ <!-- headers passed to the CGI process as -->
+ <!-- environment variables. Note that headers are -->
+ <!-- converted to upper case before matching and -->
+ <!-- that the entire header name must match the -->
+ <!-- pattern. -->
+ <!-- [ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST| -->
+ <!-- IF-[-0-9A-Z]*|REFERER|USER-AGENT] -->
+ <!-- -->
<!-- parameterEncoding Name of parameter encoding to be used with -->
<!-- CGI servlet. -->
<!-- [System.getProperty("file.encoding","UTF-8")] -->
@@ -359,14 +358,10 @@
<servlet-name>cgi</servlet-name>
<servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
<init-param>
- <param-name>debug</param-name>
- <param-value>0</param-value>
- </init-param>
- <init-param>
<param-name>cgiPathPrefix</param-name>
<param-value>WEB-INF/cgi</param-value>
</init-param>
- <load-on-startup>5</load-on-startup>
+ <load-on-startup>5</load-on-startup>
</servlet>
-->
@@ -385,22 +380,10 @@
<url-pattern>/</url-pattern>
</servlet-mapping>
- <!-- The mapping for the deprecated invoker servlet -->
-<!--
- <servlet-mapping>
- <servlet-name>invoker</servlet-name>
- <url-pattern>/servlet/*</url-pattern>
- </servlet-mapping>
--->
-
- <!-- The mapping for the JSP servlet -->
+ <!-- The mappings for the JSP servlet -->
<servlet-mapping>
<servlet-name>jsp</servlet-name>
<url-pattern>*.jsp</url-pattern>
- </servlet-mapping>
-
- <servlet-mapping>
- <servlet-name>jsp</servlet-name>
<url-pattern>*.jspx</url-pattern>
</servlet-mapping>
@@ -424,6 +407,45 @@
<!-- ================== Built In Filter Definitions ===================== -->
+ <!-- A filter that sets various security related HTTP Response headers. -->
+ <!-- This filter supports the following initialization parameters -->
+ <!-- (default values are in square brackets): -->
+ <!-- -->
+ <!-- hstsEnabled Should the HTTP Strict Transport Security -->
+ <!-- (HSTS) header be added to the response? See -->
+ <!-- RFC 6797 for more information on HSTS. [true] -->
+ <!-- -->
+ <!-- hstsMaxAgeSeconds The max age value that should be used in the -->
+ <!-- HSTS header. Negative values will be treated -->
+ <!-- as zero. [0] -->
+ <!-- -->
+ <!-- hstsIncludeSubDomains -->
+ <!-- Should the includeSubDomains parameter be -->
+ <!-- included in the HSTS header. -->
+ <!-- -->
+ <!-- antiClickJackingEnabled -->
+ <!-- Should the anti click-jacking header -->
+ <!-- X-Frame-Options be added to every response? -->
+ <!-- [true] -->
+ <!-- -->
+ <!-- antiClickJackingOption -->
+ <!-- What value should be used for the header. Must -->
+ <!-- be one of DENY, SAMEORIGIN, ALLOW-FROM -->
+ <!-- (case-insensitive). [DENY] -->
+ <!-- -->
+ <!-- antiClickJackingUri IF ALLOW-FROM is used, what URI should be -->
+ <!-- allowed? [] -->
+ <!-- -->
+ <!-- blockContentTypeSniffingEnabled -->
+ <!-- Should the header that blocks content type -->
+ <!-- sniffing be added to every response? [true] -->
+<!--
+ <filter>
+ <filter-name>httpHeaderSecurity</filter-name>
+ <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+ <async-supported>true</async-supported>
+ </filter>
+-->
<!-- A filter that sets character encoding that is used to decode -->
<!-- parameters in a POST request -->
@@ -435,10 +457,10 @@
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
+ <async-supported>true</async-supported>
</filter>
-->
-
<!-- A filter that triggers request parameters parsing and rejects the -->
<!-- request if some parameters were skipped because of parsing errors or -->
<!-- request size limitations. -->
@@ -448,6 +470,7 @@
<filter-class>
org.apache.catalina.filters.FailedRequestFilter
</filter-class>
+ <async-supported>true</async-supported>
</filter>
-->
@@ -512,6 +535,15 @@
<!-- ==================== Built In Filter Mappings ====================== -->
+ <!-- The mapping for the HTTP header security Filter -->
+<!--
+ <filter-mapping>
+ <filter-name>httpHeaderSecurity</filter-name>
+ <url-pattern>/*</url-pattern>
+ <dispatcher>REQUEST</dispatcher>
+ </filter-mapping>
+-->
+
<!-- The mapping for the Set Character Encoding Filter -->
<!--
<filter-mapping>
@@ -4622,15 +4654,17 @@
<!-- ==================== Default Welcome File List ===================== -->
<!-- When a request URI refers to a directory, the default servlet looks -->
- <!-- for a "welcome file" within that directory and, if present, -->
- <!-- to the corresponding resource URI for display. If no welcome file -->
- <!-- is present, the default servlet either serves a directory listing, -->
- <!-- or returns a 404 status, depending on how it is configured. -->
+ <!-- for a "welcome file" within that directory and, if present, to the -->
+ <!-- corresponding resource URI for display. -->
+ <!-- If no welcome files are present, the default servlet either serves a -->
+ <!-- directory listing (see default servlet configuration on how to -->
+ <!-- customize) or returns a 404 status, depending on the value of the -->
+ <!-- listings setting. -->
<!-- -->
<!-- If you define welcome files in your own application's web.xml -->
<!-- deployment descriptor, that list *replaces* the list configured -->
- <!-- here, so be sure that you include any of the default values that -->
- <!-- you wish to include. -->
+ <!-- here, so be sure to include any of the default values that you wish -->
+ <!-- to use within your application. -->
<welcome-file-list>
<welcome-file>index.html</welcome-file>