tomcat8 (8.5.8-1) experimental; urgency=medium

  Migrating from Tomcat 8.0.x to 8.5.x

  Here is a summary of the known changes between 8.0.x and 8.5.x which may cause
  backwards compatibility problems when upgrading:

  * BIO connector removed

    The Java blocking IO implementation (BIO) for both HTTP and AJP has been
    removed. Users are recommended to switch to the Java non-blocking IO
    implementation (NIO).


  * Comet support removed

    Comet support has been removed without a direct replacement. Applications
    using Comet are recommended to migrate to WebSockets.


  * HTTP/2 support added

    HTTP/2 is supported for h2 (over TLS, negotiated via ALPN) and h2c (clear
    text, negotiated via HTTP/1.1 upgrade). HTTP/2 needs to be explicitly
    enabled for a connector. To enable it, insert:

        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />

    inside the connector for which you wish to enable HTTP/2. Note that to
    enable HTTP/2 for a secure NIO or NIO2 connector, those connectors must
    be using the OpenSSL engine for TLS.


  * TLS virtual hosting and multiple certificate support added

    Tomcat 8.5 supports multiple TLS virtual hosts for a single connector with
    each virtual host able to support multiple certificates. Virtual host
    definitions are nested inside the Connector element with the default
    specified using the defaultSSLHostConfigName attribute on the Connector
    if more than one virtual host is specified. Certificate definitions are
    nested inside the virtual host.

    The following example shows how to use this to configure a single APR/native
    connector for multiple TLS virtual hosts with each host having both an RSA
    and EC certificate.

        <Connector port="8443"
                   protocol="org.apache.coyote.http11.Http11AprProtocol"
                   maxThreads="150"
                   SSLEnabled="true"
                   defaultSSLHostConfigName="example.org">

          <SSLHostConfig hostName="example.org">
            <Certificate certificateKeyFile="conf/example.org-rsa-key.pem"
                         certificateFile="conf/example.org-rsa-cert.pem"
                         type="RSA" />
            <Certificate certificateKeyFile="conf/example.org-ec-key.pem"
                         certificateFile="conf/example.org-ec-cert.pem"
                         type="EC" />
          </SSLHostConfig>

          <SSLHostConfig hostName="example.com">
            <Certificate certificateKeyFile="conf/example.com-rsa-key.pem"
                         certificateFile="conf/example.com-rsa-cert.pem"
                         type="RSA" />
            <Certificate certificateKeyFile="conf/example.com-ec-key.pem"
                         certificateFile="conf/example.com-ec-cert.pem"
                         type="EC" />
          </SSLHostConfig>

        </Connector>


  * Internal APIs

    Whilst the Tomcat 8.5 internal API is broadly compatible with Tomcat 8.0
    there have been many changes at the detail level and they are not binary
    compatible. Developers of custom components that interact with Tomcat's
    internals should review the JavaDoc for the relevant API.

    Of particular note are:

    - Significant refactoring has taken place throughout the connectors
      to reduce duplicate code and to align behaviour across implementations.
    - The deprecated digest attribute has been removed from the Realm. This must
      now be configured via a CredentialHandler.
    - The AuthenticatorBase implementation has been changed to call
      doAuthenticate() rather than authenticate() on sub-classes.


  * JSR-77 implementation removed

    The JSR-77 (J2EE Management) implementation is incomplete and has been
    removed in 8.5.x. Specifically, the following methods that exposed to JMX
    have been removed:

    - StandardContext.getServlets()
    - StandardContext.isStateManageable()
    - StandardContext.getDeploymentDescriptor()
    - StandardWrapper.isStateManageable()


  * Clustering

    MessageDispatch15Interceptor had been used to add the Java 5 features
    to MessageDispatchInterceptor. MessageDispatch15Interceptor has been removed
    in Tomcat 8.5 by merging the Java 5 features to MessageDispatchInterceptor.


  * InstanceListener removed

    The support of InstanceListener has been removed in 8.5.x. Specifically,
    the following classes have been removed:

    - org.apache.catalina.InstanceListener
    - org.apache.catalina.InstanceEvent
    - org.apache.catalina.util.InstanceSupport


  * SessionManager

    The following session manager attributes have been completely removed
    in Tomcat 8.5:

    - distributable
    - maxInactiveInterval
    - sessionIdLength

    The replacements are as follows:

    - The distributable attribute has been deprecated in 8.0 and specified value
      is ignored. This should be configured via the Context. The value is
      inherited based on the presence or absence of the <distributable />
      element in /WEB-INF/web.xml.
    - The maxInactiveInterval attribute has been deprecated in 8.0. If the value
      is specified, a warning log is issued. This should be configured via the
      Context. The value is inherited based on the value of the <session-timeout>
      element in /WEB-INF/web.xml.
    - The sessionIdLength attribute of Manager has been replaced by the
      sessionIdLength attribute of SessionIdGenerator.


  * Cookies

    The default CookieProcessor is now the Rfc6265CookieProcessor.
    The CookieProcessor is configurable per Context and the LegacyCookieProcessor
    may be used to obtain the 8.0.x behaviour.


  * Web applications

    The Manager and HostManager web applications are configured by default with
    a RemoteAddrValve that limits access to those applications to connections
    from localhost.


  * Context configurations

    The clearReferencesStatic attribute has been removed in 8.5.x.

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 17 Nov 2016 23:54:35 +0100