Update documentation to reflect removal of APR connector

Author: markt-asf

BUILDING.txt

@@ -326,29 +326,29 @@ directory:
 
     output/build/logs
 
-By default the testsuite is run three times to test 3 different
-implementations of Tomcat connectors: NIO, NIO2 and APR. (If you are not
-familiar with Tomcat connectors, see config/http.html in documentation for
-details).
+By default the testsuite is run twice to test the 2 different implementations
+of Tomcat connectors: NIO and NIO2. (If you are not familiar with Tomcat
+connectors, see config/http.html in documentation for details).
 
-The 3 runs are enabled and disabled individually by the following
+The 2 runs are enabled and disabled individually by the following
 properties, which all are "true" by default:
 
     execute.test.nio=true
     execute.test.nio2=true
-    execute.test.apr=true
 
-The APR connector can be tested only if Tomcat-Native library binaries are
-found by the testsuite. The "test.apr.loc" property specifies the directory
-where the library binaries are located.
+The SSL tests will be run twice. Once with the JSSE implementation and once
+with the OpenSSL implementation. The OpenSSL implementation can only can be
+tested if Tomcat-Native library binaries are found by the testsuite. The
+"test.apr.loc" property specifies the directory where the library binaries are
+located.
 
 By default the "test.apr.loc" property specifies the following location:
 
     output/build/bin/native/
 
-If you are on Windows and want to test the APR connector you can put the
-tcnative-1.dll file into ${tomcat.source}/bin/native/ and it will be copied
-into the above directory when the build runs.
+If you are on Windows and want to test the OpenSSL TLS implementation you can
+put the tcnative-1.dll file into ${tomcat.source}/bin/native/ and it will be
+copied into the above directory when the build runs.
 
 The unit tests include tests of the clustering functionality which require
 multicast to be enabled. There is a simple application provided in the Tomcat

RUNNING.txt

@@ -373,10 +373,9 @@ If you do use them, do not forget to read their documentation.
 Apache Tomcat Native library
 -----------------------------
 
-It is a library that allows to use the "Apr" variant of HTTP and AJP
-protocol connectors in Apache Tomcat. It is built around OpenSSL and Apache
-Portable Runtime (APR) libraries. Those are the same libraries as used by
-Apache HTTPD Server project.
+It is a library that allows to use the OpenSSL variant of the TLS implementation
+for the HTTP connector in Apache Tomcat. It is built around OpenSSL and Apache
+Portable Runtime (APR) libraries.
 
 This feature was especially important in the old days when Java performance
 was poor. It is less important nowadays, but it is still used and respected
@@ -390,13 +389,10 @@ For further reading:
 
       https://tomcat.apache.org/tomcat-@VERSION_MAJOR_MINOR@-doc/apr.html
 
-    * Documentation for the HTTP and AJP protocol connectors in the Tomcat
-      Configuration Reference
+    * Documentation for the HTTP connector in the Tomcat Configuration Reference
 
       https://tomcat.apache.org/tomcat-@VERSION_MAJOR_MINOR@-doc/config/http.html
 
-      https://tomcat.apache.org/tomcat-@VERSION_MAJOR_MINOR@-doc/config/ajp.html
-
  - Apache Tomcat Native project home
 
       https://tomcat.apache.org/native-doc/

TOMCAT-NEXT.txt

@@ -33,3 +33,7 @@ Deferred until 10.1.x:
     the JRE with project Panama.
 
  2. Review code forked from Commons projects and consider removing unused code.
+
+ 3. Implement OCSP checks for client certs with NIO/NIO2.
+    Useful reference:
+    https://stackoverflow.com/questions/5161504/ocsp-revocation-on-client-certificate

build.properties.default

@@ -44,8 +44,6 @@ execute.validate=false
 execute.download=true
 execute.test.nio=true
 execute.test.nio2=true
-# Still requires APR/native library to be present
-execute.test.apr=true
 # Stop testing if a failure occurs
 test.haltonfailure=false
 # Activate AccessLog during testing

conf/server.xml

@@ -78,8 +78,7 @@
     <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
          This connector uses the NIO implementation. The default
          SSLImplementation will depend on the presence of the APR/native
-         library and the useOpenSSL attribute of the
-         AprLifecycleListener.
+         library and the useOpenSSL attribute of the AprLifecycleListener.
          Either JSSE or OpenSSL style configuration may be used regardless of
          the SSLImplementation selected. JSSE style configuration is used below.
     -->

res/tomcat.nsi

@@ -146,7 +146,7 @@ Var ServiceInstallLog
   LangString DESC_SecTomcat ${LANG_ENGLISH} "Install the Tomcat Servlet container as a Windows service."
   LangString DESC_SecTomcatCore ${LANG_ENGLISH} "Install the Tomcat Servlet container core and create the Windows service."
   LangString DESC_SecTomcatService ${LANG_ENGLISH} "Automatically start the Tomcat service when the computer is started."
-  LangString DESC_SecTomcatNative ${LANG_ENGLISH} "Install APR based Tomcat native .dll for better performance and scalability in production environments."
+  LangString DESC_SecTomcatNative ${LANG_ENGLISH} "Install APR based Tomcat native .dll to enable the OpenSSL based TLS implementation for HTTP connectors."
   LangString DESC_SecMenu ${LANG_ENGLISH} "Create a Start Menu program group for Tomcat."
   LangString DESC_SecDocs ${LANG_ENGLISH} "Install the Tomcat documentation bundle. This includes documentation on the servlet container and its configuration options, on the Jasper JSP page compiler, as well as on the native webserver connectors."
   LangString DESC_SecManager ${LANG_ENGLISH} "Install the Tomcat Manager administrative web application."

test/org/apache/coyote/http2/TestHttp2Limits.java

@@ -291,9 +291,9 @@ private void doTestHeaderLimits(int headerCount, int headerSize, int maxHeaderPa
             String limitMessage = sm.getString("http2Parser.headerLimitSize", "\\d++", "3");
             limitMessage = limitMessage.replace("[", "\\[").replace("]", "\\]");
             // Connection reset. Connection ID will vary so use a pattern
-            // On some platform / Connector combinations (e.g. Windows / APR),
-            // the TCP connection close will be processed before the client gets
-            // a chance to read the connection close frame which will trigger an
+            // On some platform / Connector combinations the TCP connection close
+            // will be processed before the client gets a chance to read the
+            // connection close frame which will trigger an
             // IOException when we try to read the frame.
             // Note: Some platforms will allow the read if if the write fails
             //       above.

webapps/docs/apr.xml

@@ -37,12 +37,7 @@
 
   <p>
       Tomcat can use the <a href="https://apr.apache.org/">Apache Portable Runtime</a> to
-      provide superior scalability, performance, and better integration with native server
-      technologies. The Apache Portable Runtime is a highly portable library that is at
-      the heart of Apache HTTP Server 2.x. APR has many uses, including access to advanced IO
-      functionality (such as sendfile, epoll and OpenSSL), OS level functionality (random number
-      generation, system status, etc), and native process handling (shared memory, NT
-      pipes and Unix sockets).
+      provide an OpenSSL based TLS implementation for the HTTP connectors.
   </p>
 
   <p>
@@ -111,65 +106,15 @@
 
   <p>
     Once the libraries are properly installed and available to Java (if loading fails, the library path
-    will be displayed), the Tomcat connectors will automatically use APR. Configuration of the connectors
-    is similar to the regular connectors, but have a few extra attributes which are used to configure
-    APR components. Note that the defaults should be well tuned for most use cases, and additional
-    tweaking shouldn't be required.
+    will be displayed), the Tomcat connectors will automatically use APR.
   </p>
 
-  <p>
-    When APR is enabled, the following features are also enabled in Tomcat:
-  </p>
-  <ul>
-    <li>Secure session ID generation by default on all platforms (platforms other than Linux required
-        random number generation using a configured entropy)</li>
-    <li>OS level statistics on memory usage and CPU usage by the Tomcat process are displayed by
-        the status servlet</li>
-  </ul>
-
   </section>
 
   <section name="APR Lifecycle Listener Configuration">
     <p>See <a href="config/listeners.html#APR_Lifecycle_Listener_-_org.apache.catalina.core.AprLifecycleListener">the
     listener configuration</a>.</p>
   </section>
 
-  <section name="APR Connectors Configuration">
-
-    <p><strong>Note: The APR/Native AJP and HTTP Connectors are deprecated and
-    will be removed in Tomcat 10.1.x onwards.</strong></p>
-
-    <subsection name="HTTP/HTTPS">
-
-      <p>For HTTP configuration, see the <a href="config/http.html">HTTP</a>
-      connector configuration documentation.</p>
-
-      <p>For HTTPS configuration, see the
-      <a href="config/http.html#SSL_Support">HTTPS</a> connector configuration
-      documentation.</p>
-
-      <p>An example SSL Connector declaration is:</p>
-      <source><![CDATA[    <Connector port="443"
-               protocol="org.apache.coyote.http11.Http11AprProtocol"
-               SSLEnabled="true" scheme="https" secure="true"
-               socket.directBuffer="true" socket.directSslBuffer="true">
-        <SSLHostConfig protocols="TLSv1.3">
-            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
-                         type="RSA" />
-        </SSLHostConfig>
-    </Connector>]]></source>
-
-
-    </subsection>
-
-    <subsection name="AJP">
-
-      <p>For AJP configuration, see the <a href="config/ajp.html">AJP</a>
-      connector configuration documentation.</p>
-
-    </subsection>
-
-  </section>
-
 </body>
 </document>

webapps/docs/config/ajp.xml

@@ -36,9 +36,6 @@
 
 <section name="Introduction">
 
-  <p><strong>Note: The APR/Native AJP Connector is deprecated and will be
-  removed in Tomcat 10.1.x onwards.</strong></p>
-
   <p>The <strong>AJP Connector</strong> element represents a
   <strong>Connector</strong> component that communicates with a web
   connector via the <code>AJP</code> protocol.  This is used for cases
@@ -202,8 +199,6 @@
         - non blocking Java NIO connector.<br/>
         <code>org.apache.coyote.ajp.AjpNio2Protocol</code>
         - non blocking Java NIO2 connector.<br/>
-        <code>org.apache.coyote.ajp.AjpAprProtocol</code>
-        - the APR/native connector (deprecated - will be removed in 10.1.x).<br/>
         Custom implementations may also be used.<br/>
         Take a look at our <a href="#Connector_Comparison">Connector
         Comparison</a> chart.
@@ -288,9 +283,8 @@
 
   <p>To use AJP, you must specify the protocol attribute (see above).</p>
 
-  <p>The standard AJP connectors (NIO, NIO2 and APR/native) all support the
-  following attributes in addition to the common Connector attributes listed
-  above.</p>
+  <p>The standard AJP connectors (NIO and NIO2) both support the following
+  attributes in addition to the common Connector attributes listed above.</p>
 
   <attributes>
 
@@ -325,11 +319,7 @@
       default, the connector will listen on the loopback address. Unless the JVM
       is configured otherwise using system properties, the Java based connectors
       (NIO, NIO2) will listen on both IPv4 and IPv6 addresses when configured
-      with either <code>0.0.0.0</code> or <code>::</code>. The APR/native
-      connector will only listen on IPv4 addresses if configured with
-      <code>0.0.0.0</code> and will listen on IPv6 addresses (and optionally
-      IPv4 addresses depending on the setting of <strong>ipv6v6only</strong>) if
-      configured with <code>::</code>.</p>
+      with either <code>0.0.0.0</code> or <code>::</code>.</p>
     </attribute>
 
     <attribute name="allowedRequestAttributesPattern" required="false">
@@ -371,10 +361,7 @@
       <p>When client certificate information is presented in a form other than
       instances of <code>java.security.cert.X509Certificate</code> it needs to
       be converted before it can be used and this property controls which JSSE
-      provider is used to perform the conversion. For example it is used with
-      the AJP connectors, the <a href="http.html">HTTP APR connector</a> and
-      with the <a href="valve.html#SSL_Authenticator_Valve">
-      org.apache.catalina.valves.SSLValve</a>.If not specified, the default
+      provider is used to perform the conversion. If not specified, the default
       provider will be used.</p>
     </attribute>
 
@@ -771,34 +758,6 @@
     </attributes>
   </subsection>
 
-  <subsection name="APR/native specific configuration">
-
-    <p><strong>Note: The APR/Native AJP Connector is deprecated and will be
-    removed in Tomcat 10.1.x onwards.</strong></p>
-
-    <p>The APR/native implementation supports the following attributes in
-    addition to the common Connector and AJP attributes listed above.</p>
-
-    <attributes>
-      <attribute name="ipv6v6only" required="false">
-        <p>If listening on an IPv6 address on a dual stack system, should the
-        connector only listen on the IPv6 address? If not specified the default
-        is <code>false</code> and the connector will listen on the IPv6 address
-        and the equivalent IPv4 address if present.</p>
-      </attribute>
-
-      <attribute name="pollTime" required="false">
-        <p>Duration of a poll call in microseconds. Lowering this value will
-        slightly decrease latency of connections being kept alive in some cases
-        , but will use more CPU as more poll calls are being made. The default
-        value is 2000 (2ms).
-        </p>
-    </attribute>
-
-    </attributes>
-
-  </subsection>
-
 </section>
 
 
@@ -836,61 +795,51 @@
         <th />
         <th style="text-align: center;">Java Nio Connector<br />NIO</th>
         <th style="text-align: center;">Java Nio2 Connector<br />NIO2</th>
-        <th style="text-align: center;">APR/native Connector<br />APR<br />(deprecated)</th>
       </tr>
       <tr>
         <th>Classname</th>
         <td><code class="noHighlight">AjpNioProtocol</code></td>
         <td><code class="noHighlight">AjpNio2Protocol</code></td>
-        <td><code class="noHighlight">AjpAprProtocol</code></td>
       </tr>
       <tr>
         <th>Tomcat Version</th>
         <td>7.x onwards</td>
         <td>8.x onwards</td>
-        <td>5.5.x onwards</td>
       </tr>
       <tr>
         <th>Support Polling</th>
         <td>YES</td>
         <td>YES</td>
-        <td>YES</td>
       </tr>
       <tr>
         <th>Polling Size</th>
         <td><code class="noHighlight">maxConnections</code></td>
         <td><code class="noHighlight">maxConnections</code></td>
-        <td><code class="noHighlight">maxConnections</code></td>
       </tr>
       <tr>
         <th>Read Request Headers</th>
         <td>Blocking</td>
         <td>Blocking</td>
-        <td>Blocking</td>
       </tr>
       <tr>
         <th>Read Request Body</th>
         <td>Blocking</td>
         <td>Blocking</td>
-        <td>Blocking</td>
       </tr>
       <tr>
         <th>Write Response Headers and Body</th>
         <td>Blocking</td>
         <td>Blocking</td>
-        <td>Blocking</td>
       </tr>
       <tr>
         <th>Wait for next Request</th>
         <td>Non Blocking</td>
         <td>Non Blocking</td>
-        <td>Non Blocking</td>
       </tr>
       <tr>
         <th>Max Connections</th>
         <td><code class="noHighlight">maxConnections</code></td>
         <td><code class="noHighlight">maxConnections</code></td>
-        <td><code class="noHighlight">maxConnections</code></td>
       </tr>
     </table>