This update is now obsolete.

Please see the WebObjects Current Patch List , TIL article 70037, for information on the most current updates for WebObjects. This obsolete update is provided here as a convenience to our customers who have not yet upgraded to the most current update.

This update introduces password protection on the event logging setup (WOEventSetup) page and the statistics (WOStats) page. For both pages the default configuration has been changed so that the pages are not available. Enabling access to either page requires setting a password. (Refer to the release notes below for specific behavior for each page.) Application instances read the passwords from the user defaults at startup. The passwords may be stored in the defaults database using the 'defaults' command, or provided to the instances on the command line using Monitor. (Refer to the documentation of the Foundation NSUserDefaults class for more about the user defaults system.) In either case the password is stored as plain text, either in the defaults database or in the site config. Additionally, the password is delivered across the network as plain text when being submitted to the application. For a secure deployment environment proper care must be taken to restrict access to the application server machine and the network to which it is connected.

If the 'defaults' command is used to store the password(s) in the defaults database, it must be executed as the same user that executes the application instances. If Monitor and wotaskd are used to start instances, then by default the instances will run with the same user identity as wotaskd. If this user is not normally allowed to log in or does not have a home directory, additional steps may be necessary prior to using the defaults command. (In particular, on the Windows platform it may be necessary to configure wotaskd to log on using an account other than the System account.)

An empty string can be specified as the password by using double quotes either with the defaults command or on the command line in Monitor, as follows:

defaults write MyApplicationDomain WOStatisticsPassword ""

or

-WOStatisticsPassword ""

The above example sets the password for the WOStats page to the empty string. See the individual release note below for the corresponding setting for the WOEventSetup page.

This update includes modified WebObjects Adaptor binaries. The update installer places the modified adaptor binaries in the WebObjects installation but does not copy them to the appropriate web server directory. To use the new adaptors, you must install them in the correct location for the web server being used. Refer to the WebObjects documentation for more detailed instructions.

The update also includes all modified Adaptor source files. The following files were changed: appcfg.c, appcfg.h, loadaverage.c, loadbalancing.c, random.c, roundrobin.c, and xyzzy.c.

Installing WebObjects 4.5 Update 2 on Mac OS X Server 1.2

1. Download WO45MOSXSUpdate2.pkg.tar, the update installer for Mac OS X Server.
The update is available at: http://asu.info.apple.com/swupdates.nsf/artnum/n11822
and
ftp.info.apple.com//Apple_Support_Area/Apple_Software_Updates/MultiCountry/Enterprise/webobjects/patches/4.5/WO45MOSXSUpdate2.pkg.tar

2. Untar the update package. Your web browser or FTP client may perform this step for you.

3. Log in as root on your Mac OS X Server system. If you're not sure how to log in as root, see your system administrator.

4. Double-click on WO45MOSXSUpdate2.pkg.

5. Click the Install button in the Installer package window. An Install Package panel will open.

6. Make sure that there are no WebObjects or EOF applications running.

7. Click 'Install' in the Install Package panel and, when prompted for confirmation, click OK to proceed. The Installer window displays information about the progress of the installation, which may take several minutes.

8. When the installation completes, the system must be rebooted. Log out and use the reboot button on the login panel.

9. If desired, manually install the updated .class and .jar files needed to resolve "Resource loading broken in deployment for (Direct To) Java Client applications (Apple reference #2503498)" by copying them to your web server's document root as described in detail in the release note below.

1. Download WO45WinUpdate2.exe, the self-extracting update installer for Windows NT and 2000.
The update is available at: http://asu.info.apple.com/swupdates.nsf/artnum/n11829
and
ftp.info.apple.com//Apple_Support_Area/Apple_Software_Updates/MultiCountry/Enterprise/webobjects/patches/4.5/WO45WinUpdate2.exe

2. Log in as a user with Administrator privileges.

3. Make sure that there are no WebObjects or EOF applications running.

4. Double-click on the update installer, WO45WinUpdate2.exe, to start the installation process.

5. A screen will appear with some information about this update. After you have read it, click "Next" to continue.

6. The license agreement for this update will appear. To agree to the license and continue the installation, click "Yes".

7. The update will now be installed on your system and you will be asked if you want to reboot. Select "Yes, I want to restart my computer now" to reboot your Windows system. The WinZip self-extractor will automatically quit and remove the temporary installation in about 20 seconds.

8. If desired, manually install the updated .class and .jar files needed to resolve "Resource loading broken in deployment for (Direct To) Java Client applications (Apple reference #2503498)" by copying them to your web server's document root as described in detail in the release note below.

1. Download WO45SolarisUpdate2.TAR.Z, the update installer for Solaris, or WO45HPUXUpdate2.TAR.Z, the update installer for HP-UX. Also download the update installation script, patcher.sh available at: ftp://ftp.info.apple.com/Apple_Support_Area/Apple_Software_Updates/MultiCountry/Enterprise/scripts/patcher.sh
Solaris update available at: http://asu.info.apple.com/swupdates.nsf/artnum/n11830
and
ftp.info.apple.com//Apple_Support_Area/Apple_Software_Updates/MultiCountry/Enterprise/webobjects/patches/4.5/WO45SolarisUpdate2.TAR.Z

HP-UX update available at: http://asu.info.apple.com/swupdates.nsf/artnum/n11831
and
ftp.info.apple.com//Apple_Support_Area/Apple_Software_Updates/MultiCountry/Enterprise/webobjects/patches/4.5/WO45HPUXUpdate2.TAR.Z

2. Log in as root. If you're not sure how to log in as root, see your system administrator.

3. Make sure that there are no WebObjects or EOF applications running.

4. Change to the directory containing the update and the update installation script, "patcher.sh".

5. At a shell prompt, type:

patcher.sh -install WO45SolarisUpdate2.TAR.Z

or

patcher.sh -install WO45HPUXUpdate2.TAR.Z

For more information on using the "patcher.sh" program, type the following at the command prompt:
patcher.sh -help

6. Reboot your Unix system.

7. If desired, manually install the updated .class and .jar files needed to resolve "Resource loading broken in deployment for (Direct To) Java Client applications (Apple reference #2503498)" by copying them to your web server's document root as described in detail in the release note below.

Load average + logging causes crash

Apple reference #2436050

ISSUE:

The WebObjects adaptor can crash if logging is set above the WO_INFO level.

RESOLUTION:

The problem has been corrected.

Adding days hangs at 1/1/2002

Apple reference #2437169

ISSUE:

The NSCalendarDate method -dateByAddingYears:months:days:hours:minutes:seconds: could get stuck in an infinite loop for some values of the calculated resulting date.

RESOLUTION:

NSCalendarDate now correctly calculates the resulting date.

Monitor hyperlinks use target="new" instead of target="_blank"

Apple reference #2438434

ISSUE:

Monitor hyperlinks would all open in the same browser window.

RESOLUTION:

You now get a brand new window every time you click on an instances hyperlink in the DetailView of Monitor.

Leak: +[NSTask launchedTaskWithLaunchPath:arguments:]

Apple reference #2438767

ISSUE:

The task object returned by +[NSTask launchedTaskWithLaunchPath:arguments:] is never autoreleased.

RESOLUTION:

The NSTask object is now autoreleased.

Turn off refuseNewSessions when an instance comes back

Apple reference #2440558

ISSUE:

If the refuseNewSessions flag gets set in the WebObjects adaptor it never gets reset, even after the application instance restarts.

RESOLUTION:

The random and roundrobin schedulers have been modified to ignore the refuse new sessions flag. If an instance which is refusing new sessions
receives a request that would generate a new session, the request will be redirected. Some browsers occasionally report redirection related errors when this occurs, but only during a request which does not include a specific instance number. Additionally, the loadaverage scheduler does not work properly when instance scheduling is enabled in Monitor. These issues remain under investigation.

[WOApp terminate], and [WOApp terminateAfterTimeInterval] are broken

Apple reference #2451483

ISSUE:

Applications continue running after either [WOApp terminate] or [WOApp terminateAfterTimeInterval] are called, even though [WOApp isTerminating] returns YES.

RESOLUTION:

Applications now exit properly. Please note that currently a scheduled application shutdown is incorrectly counted as an application death by Monitor. As of the release of WebObjects 4.5 Update 2, this issue remains open as Apple reference #2488890.

wotaskd dies on Windows 2000 when laptop network adaptor has no traffic

Apple reference #2453853

ISSUE:

On Windows 2000 wotaskd encounters an error during multicast initialization if the network cable is not connected. This error results in wotaskd exiting.

RESOLUTION:

wotaskd for the Windows platform has been modified to merely log the error and continue running when the multicast initialization fails in this particular case. The logged error is "setsockopt() IP_ADD_MEMBERSHIP failed, Error: WSAEADDRNOTAVAIL". If multicast support is required then wotaskd must be restarted once the network cable is connected.

Fetch strips trailing spaces

Apple reference #2456497

ISSUE:

The OracleEOAdaptor released in WebObjects 4.5 stripped trailing spaces from VARCHAR2 data.

RESOLUTION:

OracleEOAdaptor now only strips whitespace from CHAR data. (This is consistent with the behavior of the Oracle adaptor released in WebObjects 4.0.1 Update 3, Apple ref #2436771.)

Leftover .wos files after 4.0.1 -> 4.5 upgrade on Mac OS X Server

Apple reference #2462263

ISSUE:

Some scripted classes in WebObjects 4.0.1 were changed to compiled classes in WebObjects 4.5, but upgrading a 4.0.1 installation to 4.5 did not remove the .wos files if the user did not follow the recommended installation instructions and uninstall WebObjects 4.0.1 before installing WebObjects 4.5. The presence of the old .wos files can cause exceptions related to API differences. Exceptions have been observed in WOInfoCenter and Monitor.

RESOLUTION:

This update includes a script which will move the unneeded .wos files to a "401wosfiles" subdirectory of their original location on Mac OS X Server.

wotaskd doesn't notice running instances after restart

Apple reference #2465109

ISSUE:

On Windows, wotaskd would not see running instances if it stopped and restarted. If the apps were set to autorecover they would be launched again, but still wouldn't be noticed by wotaskd. This would continue until the machine ran out of resources.

RESOLUTION:

wotaskd can now restart on Windows and receive lifebeats from running instances.

Monitor/wotaskd slow when hosts in siteconfig don't exist in DNS

Apple reference #2466108

ISSUE:

Adding a hostname to Monitor which cannot be resolved to an IP address caused unwanted delays.

RESOLUTION:

Monitor now will not add a hostname for which it cannot resolve an IP address. However, an invalid hostname already in the site configuration before installing this update will continue to cause delays. To completely eliminate this problem, site administators should remove invalid hosts from their configuration before upgrading or reset their configuration files.

urlVersion and wasRemoved not set correctly in WOInstance initializer

Apple reference #2467042

ISSUE:

The urlVersion and wasRemoved entries in the WOInstance initialization list were not set correctly, though this did not cause any problems in the running adaptor.

RESOLUTION:

urlVersion and wasRemoved are now set correctly.

A request with a large, malformed http header can crash a WOApp

Apple reference #2470254

ISSUE:

Under some circumstances a http request with a sufficiently large header could crash a WebObjects application.

RESOLUTION:

The WebObjects request parser has been modified to properly process large http request headers.

Very similar session ID strings generated

Apple reference #2470258

ISSUE:

Session IDs are essentially randomly generated strings. On a system with a poor random number generator, the resulting session id strings could be very similar.

RESOLUTION:

The session ID generator has been modified to produce better session id strings on all platforms.

forgetSnapshotsForGlobalIDs raises NSRangeException

Apple reference #2472460

ISSUE:

The EODatabase method forgetSnapshotsForGlobalIDs raises an NSRangeException.

RESOLUTION:

The forgetSnapshotsForGlobalIDs method has been corrected.

WOHTMLUtilities will crash if input string contains null bytes

Apple reference #2475236

ISSUE:

The WOHTMLUtilities method appendHTMLAttributeValue:withEncoding: can crash if the value string contains null characters.

RESOLUTION:

Null characters are now processed correctly.

Event logging needs password protection

Apple reference #2477049

ISSUE:

The event logging feature (WOEventSetup page) introduced in WebObjects 4.5 should provide support for password protection.

RESOLUTION:

Event logging has been modified to support password protection. The password policy is as follows:

If no password is set, no access is allowed. This is to provide maximum protection for the default configuration on a deployment machine.

If the password is set to an empty string, full access is allowed and the user is not prompted for a password. Setting the password to an empty string provides access equivalent to the WebObjects 4.5 released version.

If the password is set to any other string, that string must be provided to access or modify the event logging setup page.

Passwords may be set in two ways: by calling +[EOEventCenter setPassword:] in the application, or by setting "EOEventLoggingPassword" in the user defaults.

Cannot deploy D2W apps on Windows or Mac OS X Server

Apple reference #2478821

ISSUE:

Some files required for deployment of Direct to Web apps were omitted from the deployment installation on Mac OS X Server and Windows platforms. (These files are present in the developer installation.)

RESOLUTION:

The required files are included in this update.

Monitor doesn't actually remove instances when deleting hosts or applications

Apple reference #2480058

ISSUE:

When deleting a host or application in Monitor, if an instance was set to autorecover, it would be killed but would restart and not appear in Monitor.

RESOLUTION:

The instances are now halted correctly when an application or host is deleted in Monitor.

WOStats should be disabled by default

Apple reference #2480687

ISSUE:

The WOStats page is enabled in all WebObjects applications by default.

RESOLUTION:

Access to the WOStats page is now disabled by default, and optionally protected by a password. The password policy is as follows:

If no password is set, no access is allowed. This is to provide maximum protection for the default configuration on a deployment machine.

If the password is set to an empty string, full access is allowed and the user is not prompted for a password. Setting the password to an empty string provides access equivalent to the WebObjects 4.5 released version.

If the password is set to any other string, that string must be provided to access the WOStats page. A standard login screen is presented which prompts for both user and password, but the username is ignored.

Passwords may be set in two ways: by calling -[WOStatisticsStore setPassword:] in the application, or by setting the key "WOStatisticsPassword" in the user defaults.

xyzzy should be disabled by default in the adaptors

Apple reference #2480691

ISSUE:

The 'xyzzy' page is accessible in the default configuration.

RESOLUTION:

The adaptors have been modified so that the xyzzy page is not accessible in the default configuration. Specifically, if no username is configured then the page is not available. If the username is set to "public" then the page will be available with no password required. Setting the username to "disabled" will still disable the page.

See the section "Disabling or Protecting Administrator Access" in the article "What's New in the WebObjects Framework" in WOInfoCenter for instructions on changing these settings in each of the adaptors.

Monitor: deleting death history feature doesn't work

Apple reference #2481012

ISSUE:

Death and Exception histories would come back after clearing them in Monitor.

RESOLUTION:

The histories are now permanently removed.

classForObjectWithGlobalID: should tolerate a nil model group

Apple reference #2487221

ISSUE:

The EOEntity method classForObjectWithGlobalID: can crash if an entity's model does not have a model group and it is unable to find a class for the entity.

RESOLUTION:

classForObjectWithGlobalID: has been modified to handle this situation.

"Stop All" instances from Monitor doesn't stop all instances

Apple reference #2489092

ISSUE:

"Stop All" instances in Monitor left some instances running on busy Windows machines.

RESOLUTION:

"Stop All" now results in all instances being killed.

Resource loading broken in deployment for (Direct To) Java Client applications

Apple reference #2503498

ISSUE:

When icon files or string table files are fetched by a direct to java client application running using a web server, a relative URL is used and the fetch fails. (The resources are fetched properly when using direct connect.)

RESOLUTION:

The java client has been modified to construct a full URL when fetching the resources. This fix affects two files in the WODocument root. They are:

$NEXT_ROOT/Library/WebObjects/WODocumentRoot/WebObjects/Java/eojavaclient.jar

$NEXT_ROOT/Library/WebObjects/WODocumentRoot/WebObjects/Java/com/apple/client/eoapplication/_EORemoteRequestUtilities.class

This update places upgraded versions of these files in the WebObjects installation. To enable this fix for deployment these files must be manually replaced in the web server document root in the following locations:

{web server doc root}/WebObjects/Java/eojavaclient.jar

{web server doc root}/WebObjects/Java/com/apple/client/eoapplication/_EORemoteRequestUtilities.class

Corrected in WebObjects 4.5 Update 1

[[NSHost currentHost] name] on Windows 2000 returns an uppercase name

Apple reference #2446389

ISSUE:

Windows 2000 will report an uppercase hostname unless you specify a lowercase one in the System control panel. This can cause Monitor to fail to start applications with an "Invalid host name" error.

RESOLUTION:

Monitor and wotaskd are now case insensitive for hostnames. With the version of Monitor that shipped with the 4.5 release it was possible to add the same host more than once using different capitalizations of the name. This would create multiple entries in the configuration file for the host. The patched version of Monitor will only display one name for the host even though there may be more than one entry in the configuration file. In this case deleting a host will only delete one entry from the configuration, so it will be necessary to delete the host multiple times to remove all references.

wotaskd periodically exits its listen thread

Apple reference #2446401

ISSUE:

On Windows 2000, recvfrom() sometimes returns with error status. This could cause wotaskd to enter an unusable state.

RESOLUTION:

The observed errors returned from recvfrom() are transient conditions, so wotaskd on the Windows platform has been modified to retry the recvfrom(). If many consecutive tries return errors, wotaskd will exit and restart. Any errors encountered will be logged, and a log is written if wotaskd exits. Additionally, wotaskd has been modified to wait 10 seconds before starting any application instances, to allow time to collect lifebeats from running processes.

Deferred faulting raises if destination entity class is in a java package

Apple reference #2448175

ISSUE:

Deferred faulting raises an exception if the destination entity class is in a java package, because EOAccess incorrectly looks up a class by name.

RESOLUTION:

EOAccess has been changed to properly look up the class.

Interface Builder fails to save on every second try

Apple reference #2452069

ISSUE:

Saving a .nib file on a Windows 2000 volume fails the second time the file is saved. The .nib wrapper contains no files. This happens because when InterfaceBuilder saves a .nib, it first writes the .nib to a temporary location named <myNib>.nib.~+~, where <myNib> is the name of your .nib file.

RESOLUTION:

This problem is the result of unexpected behavior from the Windows 2000 filesystem. Interface Builder has been modified to use <myNib>.~+~ as the temporary name rather than <myNib>.nib.~+~ on Windows platforms to work around this problem.

NSInvalidArgumentException while removing configured Monitor apps

Apple reference #2464806

ISSUE:

In Monitor, if you delete an application when there is more than one instance of that application is running, an exception is raised. Half of the running instances are removed, but the application is not deleted.

RESOLUTION:

Monitor now properly deletes all running instances when removing an applicaion.