Installation Instructions for Hot Fix "tomcat-4.1.18-hotfix1" on Unix

BEFORE DOWNLOADING:

The hot fix "tomcat-4.1.18-hotfix1" addresses the issue(s) in Version 4.1.18 of Tomcat as documented in SAS Note(s):

   SN-011132 Potential security/data integrity issues when using Tomcat 4.1.18

which may be reviewed at:

   http://support.sas.com/techsup/unotes/SN/011/011132.html

The hot fix package that is downloaded is in tar format. The name of the file is tomcat-4.1.18-hotfix1.tar and it contains the following file:

   * server/classes/org/apache/catalina/session/StandardSession.class

IMPORTANT NOTE(S):

1. You must have Tomcat 4.1.18 installed on your system before applying this hot fix.

AFTER DOWNLOADING:

The following instructions describe the steps for installing the files listed above. In this example, $CATALINA_HOME is the directory where Tomcat 4.1.18 is installed, for example:

   /usr/local/jakarta-tomcat-4.1.18-LE-jdk14

STEP 1: Assuming the tar file is downloaded to the user's HOME directory, follow these procedures to install the package.

   $> cd $CATALINA_HOME
   $> tar xf $HOME/tomcat-4.1.18-hotfix1.tar

STEP 2: Check to be sure the necessary class file exists:

   $> ls $CATALINA_HOME/server/classes/org/apache/catalina/session/StandardSession.class

STEP 3 (optional): To verify that the patch has been installed correctly, use the following procedure.

The following assumes the "examples" Web application is still available in the Tomcat 4.1.18 installation. If this is not the case, any Web application containing a JSP file that creates a session may be substituted. Just specify the appropriate docBase attribute in the first step and an appropriate URL in the fourth step.

   1. In a Tomcat 4.1.18 or 4.1.18-LE-jdk14 installation, under the $CATALINA_HOME/webapps directory, create the following file:

      This will serve the "examples" Web application under the context name "patchtest".

   2. Be sure that you have the environment variable JAVA_HOME set to the root directory of your JDK installation. For example, if your JDK is installed in /bin/java/j2sdk1.4.1_02, JAVA_HOME must be set to that directory.

   3. Start Tomcat from the CATALINA_HOME directory using the command:

         bin/startup.sh

   4. Access a JSP page in the "patchtest" context, for example:

         http://localhost:8080/patchtest/jsp/snp/snoop.jsp

      Note: The JSP file accessed must create a session. This excludes the Date example found in the "examples" web application.

   5. Stop Tomcat from the CATALINA_HOME directory using the command:

         bin/shutdown.sh

   6. Examine the "patchtest_log..txt" file in the $CATALINA_HOME/logs directory. Verify that the following text:

         Using modified version of StandardSession that disables session recycling.

      appears in this file. Its presence indicates the patch is successfully installed.

   7. Delete the patchtest.xml and patchtest_log..txt files.

This completes the installation of hot fix "tomcat-4.1.18-hotfix1" on Unix.
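
The checks in STEP 2 and item 6 of STEP 3 can be scripted, together with a listing of the archive before STEP 1 to confirm it holds only the file named above. The following is an added example, not part of the SAS instructions; the function names are hypothetical, and the patchtest_log*.txt glob is an assumption standing in for the part of the log file name that the instructions do not show.

```shell
#!/bin/sh
# Added example, not part of the SAS instructions. Function names are hypothetical.

EXPECTED_ENTRY="server/classes/org/apache/catalina/session/StandardSession.class"
MARKER="Using modified version of StandardSession that disables session recycling."

# Before STEP 1: succeed only if the archive holds exactly the one file the
# instructions list. Listing with "tar tf" first keeps an unexpected or
# path-escaping entry from being unpacked over the Tomcat installation.
check_archive() {
    entries=$(tar tf "$1" 2>/dev/null) || return 2
    # Drop a leading "./" and directory entries (trailing slash), keep file names.
    files=$(printf '%s\n' "$entries" |
        awk '{ sub(/^\.\//, "") } $0 != "" && $0 !~ /\/$/')
    [ "$files" = "$EXPECTED_ENTRY" ]
}

# STEP 2: the class file is in place under the Tomcat directory ($1).
check_class_installed() {
    [ -f "$1/$EXPECTED_ENTRY" ]
}

# STEP 3, item 6: some patchtest log under $1/logs carries the marker line.
# The glob is an assumption standing in for the part of the log file name
# that the instructions do not show.
check_log_marker() {
    for log in "$1"/logs/patchtest_log*.txt; do
        [ -f "$log" ] || continue
        if grep -F -q -- "$MARKER" "$log"; then
            return 0
        fi
    done
    return 1
}

# Run directly as: sh check_hotfix.sh archive <tar file> | installed <CATALINA_HOME>
case "${1:-}" in
    archive)   check_archive "$2" && echo "archive contents OK" ;;
    installed) check_class_installed "$2" && check_log_marker "$2" &&
               echo "hot fix class present and marker logged" ;;
esac
```

Run the "archive" check before extracting in STEP 1, and the "installed" check after item 5 of STEP 3 and before the log file is deleted in item 7.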