The new stable release 4.1.0 is now available via http://jetty.mortbay.org

The 4.1.x series represents a refactoring of the Jetty architecture
to make it more suitable for the current servlet spec. As such
Jetty 4.1.0 provides improvements in performance and compliance.

Jetty 4.1 also support many new features such as AJP13 integration.
While the new features do continue to stabilize, the core of
Jetty 4.1.0 has been stable and reliable for many months now.

4.1.0 also contains a priority security fix for the CGI servlet
running on windows platforms. This remotely exploitable problem
effects all previous versions of Jetty that use the CGI servlet
on windows without a permissions file configured for the context.
The CGI servlet from 4.1.0 may be used in 4.0 releases.

Jetty-4.1.0 - 22 September 2002
+ Fixed CGI+windows security hole.
+ Fixed AJP13 handling of mod_jk loadbalancing.
+ Stop servlets in opposite order to start.
+ NCSARequest log buffered default
+ WEB-INF/classes before WEB-INF/lib
+ Sorted directory listings.
+ Handle unremovable tempdir.
+ Context Initparams to control session cookie domain, path and age.
+ ClientCertAuthenticator protected from null subjectDN
+ Added LimitedNCSARequestLog
+ Use javac -target 1.2 for normal classes

Jetty-4.1.0RC6 - 14 September 2002
+ Don't URL encode FileURLS.
+ Improved HashUserRealm doco
+ FormAuthenticator uses normal redirections now.
+ Encode URLs of Authentication redirections.
+ Added logon.jsp for no cookie form authentication.
+ Extended Session API to pass request for jvmRoute handling
+ Fixed problem with AJP 304 responses.
+ Improved look and feel of demo
+ Cleaned up old debug.
+ Added redirect to welcome file option.

Jetty-4.1.0RC5 - 8 September 2002
+ AJP13Listener caught up with HttpConnection changes.
+ Added commandPrefix init param to CGI
+ More cleanup in ThreadPool for idle death.
+ Improved errors for misconfigured realms.
+ Implemented security-role-ref for isUserInRole.

Jetty-4.1.0RC4 - 30 August 2002
+ Included IbmJsseListener in the contrib directory.
+ Updated jasper2 to 4.1.10 tag.
+ Reverted to 302 for all redirections as all clients do not understand 303
+ Created statsLock sync objects to avoid deadlock when stopping.

Jetty-4.1.0RC3 - 28 August 2002
+ Fixed security problem for suffix matching with trailing "/"
+ addWebApplications encodes paths to allow for spaces in file names.
+ Improved handling of PUT,DELETE & MOVE.
+ Improved handling of path encoding in Resources for bad JVMs
+ Added buffering to request log
+ Created and integrated the Jetty Launcher
+ Made Resource canonicalize it's base path for directories
+ Allow WebApplicationHandler to be used with other handlers.
+ Added defaults descriptor to addWebApplications.
+ Allow FORM auth pages to be within security constraint.

Jetty-4.1.0RC2 - 20 August 2002
+ Conveninace setClassLoaderJava2Compliant method.
+ Clear interrupted status in ThreadPool
+ Fixed HttpFields cache overflow
+ Improved ByteArrayPool to handle multiple sizes.
+ Added HttpListener.bufferReserve
+ Use system line separator for log files.
+ Updated to Jasper2 (4_1_9 tag)
+ Build ant, src and zip versions with the release

Jetty-4.1.0RC1 - 11 August 2002
+ Fixed forward query string handling
+ Fixed setCharacterEncoding to work with getReader
+ Fixed getContext to use canonical contextPathSpec
+ Improved the return codes for PUT
+ Made HttpServer serializable
+ Updated international URI doco
+ Updated jasper to CVS snapshot 200208011920
+ Fixed forward to jsp-file servlet
+ Fixed handling of relative sendRedirect after forward.

Jetty-4.1.0RC0 - 31 July 2002
+ Fixed getRealPath for packed war files.
+ Changed URI default charset back to ISO_8859_1
+ Restructured Password into Password and Credentials
+ Added DigestAuthenticator
+ Added link to a Jetty page in Korean.
+ Added ExpiryHandler which can set a default Expires header.

Jetty-4.1.B1 - 19 July 2002
+ Updated mini.http.jar target
+ CGI Servlet, pass all HTTP headers through.
+ CGI Servlet, catch and report program invocation failure status.
+ CGI Servlet, fixed suffix mapping problem.
+ CGI Servlet, set working directory for exec
+ Support HTTP/0.9 requests again
+ Reversed order of ServletContextListener.contextDestroyed calls
+ Moved dynamic servlet handling to Invoker servlet.
+ Moved webapp resource handling to Default servlet.
+ Sessions create attribute map lazily.
+ Added PUT,DELETE,MOVE support to webapps.
+ Added 2.4 Filter dispatching support.

Jetty-4.1.B0 - 13 July 2002
+ Added work around of JDK1.4 bug with NIO listener
+ Moved 3rd party jars to $JETTY_HOME/ext
+ Fixed ThreadPool bug when minThreads <= CPUs
+ close rather than disable stream after forward
+ Allow filter init to access servlet context methods.
+ Keep notFoundContext out of context mapping lists.
+ mod_jk FAQ
+ Fixed close problem with load balancer.
+ Stopped RD.includes closing response.
+ RD.forward changes getRequestURI.
+ NCSARequestLog can log to stderr

Jetty-4.1.D2 - 24 June 2002
+ Support trusted external authenticators.
+ Moved jmx classes from JettyExtra to here.
+ Set contextloader during webapplicationcontext.start
+ Added AJP13 listener for apache integration.
+ Fixed ChunkableOutputStream close propagation
+ Better recycling of HttpRequests.
+ Protect session.getAttributeNames from concurrent modifications.
+ Allow comma separated cookies and headers
+ Back out Don't chunk 30x empty responses.
+ Conditional header tested against welcome file not directory.
+ Improved ThreadedServer stopping on bad networks
+ Use ThreadLocals to avoid unwrapping in Dispatcher.

Jetty-4.1.D1 - 8 June 2002
+ Recycle servlet requests and responses
+ Added simple buffer pool.
+ Reworked output buffering to keep constant sized buffers.
+ Don't chunk 30x empty responses.
+ Fixed "" contextPaths in Dispatcher.
+ Removed race for the starting of session scavaging
+ Fixed /foo/../bar// bug in canonical path.
+ Merged ResourceBase and SecurityBase into HttpContext

Jetty-4.1.D0 - 5 June 2002
+ The 4.1 Series started looking for even more performance
within the 2.3 specification.
+ Removed the HttpMessage facade mechanism
+ BRAND NEW WebApplicationHandler & WebApplicationContext
+ Added TypeUtil to reduce Integer creation.
+ General clean up of the API for for MBean getters/setters.
+ Experimental CLIENT-CERT Authenticator
+ Restructured ResourceHandler into ResourceBase
+ Fixed web.dtd references.
+ Fixed handler/context start order.
+ Added OptimizeIt plug.



--
Greg Wilkins<gregw@...> Phone/fax: +44 7092063462
Mort Bay Consulting Australia and UK. http://www.mortbay.com