7. Changes in this release

7.1. Bug Fixes

Application Client

999465 - appclient.xml wrong naming version

The naming subsystem would fail to start because of an incorrect version number in the appclient.xml file, causing a dependency issue. This version has been corrected, and the appclient launches successfully.
1003104 - appclient hang when executing .jar file outside an .ear

An issue existed with the appclient code that prevented the direct execution of .jar files. Additional code has been added to the appclient to correct this issue, and jar files can now be executed directly.

Class Loading

959478 - Add sun.nio.cs & sun.nio.ext paths to sun.jdk module

Missing packages in the sun.jdk module resulted in a ServiceConfigurationError exception being thrown when attempting to load custom character sets when using sun.jdk. This release of JBoss EAP 6 has added the missing packages sun.nio.cs and sun.nio.cs.ext, and as a result, custom character sets can be used with the sun.jdk module.

CLI

977407 - jboss-cli.sh throws IllegalArgumentException when using tab complete

In some situations the jboss-cli tool was exiting when the tab completion feature was triggered by the user. This has been fixed and tab completion now works as expected.
990227 - jboss-cli.sh freeze when run unattended - e.g. from scripts

In previous versions of Red Hat JBoss Enterprise Application Platform, if the server was automated with a script that closed, or set to null, STDIN, the server would exit upon reaching a point where user input was required. In the most recent release of the product, however, this was not the case and the server would hang in that scenario. This release of the product includes an updated version of Aesh (Another Extendable Shell) that reinstates the original behavior. Servers started with an automated script exit as expected, and no longer hang when requiring user input.
977426 - jboss-cli.sh throws NullPointerException while not connected and in batch mode

Attempting to add a command to a batch with the jboss-cli tool when it was disconnected from the server would cause the jboss-cli to exit. This has been corrected. Attempting to add commands to a batch when disconnected from a server will now result in the following error message being displayed to the user:
Command is not supported or unavailable in the current context: Failed to load operation description: not connected

Clustering

974967 - jvmRoute in standalone.xml can create org.infinispan.marshall.NotSerializableException

When using mod_jk with a load balancer and the sticky session flag to create a farming architecture, distributed applications would fail to deploy because clustering was not enabled. This was because without clustering configuration the LOCAL_ADDRESS of the RegistryService was initialised to a default value which was not serializable. This non-serializable LOCAL_ADDRESS prevented successful deployment in this scenario. Now LOCAL_ADDRESS is initialised to a serializable value and deployment of distributable applications works as expected in this scenario.
918791 - Starting a server with multiple web apps, causes deployment failures

In some cases, web applications on a clustered server would fail to deploy if multiple applications were being deployed. Each application in this situation would attempt to lock the cache manager to create its cache, and the first application that obtained a lock would deploy successfully. However, depending on the time taken to deploy, any other deployments could timeout while waiting for access to the cache manager and fail to deploy. JBoss EAP 6 now includes a GlobalComponentRegistryService which handles this scenario and applications now deploy successfully in this situation.

Domain Management

983980 - EAP6 CLI command should not allow same runtime-name to be used at another deploy

Two deployments with the same runtime name would incorrectly be allowed to be deployed onto the same JBoss EAP 6 instance.

As a result, the instance may enter an inconsistent state in using the runtime name for the wrong deployment.

This issue has been fixed in this release of JBoss EAP 6, and a runtime name is now only allowed to be used once per JBoss EAP 6 instance. If an attempt is made to deploy an application with a runtime name already in use, the following error will be displayed:
There is already a deployment called ${name} with the same runtime name ${runtime-name} on server group ${server-group}
1021763 - Domain controller fails to restart due to an inconsistent rollback of a redeploy

The handler for the full-replace-deployment includes logic that deletes deployment content which has been added as part of an operation which is being rolled back. This logic was not checking whether the added content was the same as the existing content, so that if it was, the existing content would incorrectly be deleted.

As a result of this situation, if the same content is redeployed in a managed domain using the deploy --force CLI command, and if the redeploy failed for any reason (for example, because a depended-upon service such as a datasource is missing on a server), then the deployment would also fail and the content would be removed from all hosts as part of the rollback process. However, the existing configuration item for the deployment would remain, and if the host was restarted, an attempt to deploy non-existent content would be made, resulting in a failure to boot.

This issue has been fixed in this release of JBoss EAP 6. The rollback logic now recognizes that if the content was unchanged, it will not remove the content as part of the rollback process.

As a result, the rollback will leave the domain in a consistent state equivalent to what it was before the redeploy attempt was made, and the content will remain available on all hosts along with the configuration referencing the content.
960820 - Recursive expression resolution

Expressions contained in the output of other expressions were not being resolved. This meant that it was not possible to use expressions in configuration to refer to other expressions, such as one that referred to a vault expression. This occurred because the output of expression resolution was not checked for the existence of further expressions to resolve.

Expression resolution is now recursive. When an expression is resolved, a check is made for any further expressions to resolve in the output. This continues until no further expressions are found.

Expressions can now be used to refer to other expressions in configuration.
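
The resolution loop described above, as an added Java example (not JBoss EAP source code). It handles only ${name} and ${name:default}; the property names, the sample values and the substitution cap that stops self-referencing expressions are assumptions of this example.

```java
import java.util.HashMap;
import java.util.Map;

/** Added illustration of recursive expression resolution; not JBoss EAP source code. */
public class RecursiveExpressionDemo {

    // Assumption of this example: cap the number of substitutions so that a
    // self-referencing expression fails instead of looping forever.
    private static final int MAX_SUBSTITUTIONS = 64;

    /**
     * Substitutes the first innermost ${name} or ${name:default} occurrence.
     * Returns null when the input contains no complete expression.
     */
    static String substituteOnce(String input, Map<String, String> props) {
        int close = input.indexOf('}');
        while (close >= 0) {
            // The nearest "${" before this "}" delimits an innermost expression.
            int open = input.lastIndexOf("${", close);
            if (open >= 0) {
                String body = input.substring(open + 2, close);
                int colon = body.indexOf(':');
                String name = colon < 0 ? body : body.substring(0, colon);
                String value = props.get(name);
                if (value == null && colon >= 0) {
                    value = body.substring(colon + 1); // fall back to the default
                }
                if (value == null) {
                    throw new IllegalStateException("Unresolved expression: ${" + body + "}");
                }
                return input.substring(0, open) + value + input.substring(close + 1);
            }
            close = input.indexOf('}', close + 1);
        }
        return null;
    }

    /** Re-checks the output after every substitution until no expression is left. */
    static String resolve(String input, Map<String, String> props) {
        String current = input;
        for (int i = 0; i < MAX_SUBSTITUTIONS; i++) {
            String next = substituteOnce(current, props);
            if (next == null) {
                return current;
            }
            current = next;
        }
        throw new IllegalStateException("Possible expression cycle in: " + input);
    }

    public static void main(String[] args) {
        // Constructed sample properties; the names and values are hypothetical.
        Map<String, String> props = new HashMap<String, String>();
        props.put("datasource.password", "${secret.ref}");
        props.put("secret.ref", "constructed-sample-value");
        props.put("loop.a", "${loop.b}");
        props.put("loop.b", "${loop.a}");

        String configured = "${datasource.password}";
        // Output not re-checked: the expression produced by the first step stays unresolved.
        System.out.println("single pass: " + substituteOnce(configured, props));
        // Output re-checked until nothing is left to resolve.
        System.out.println("recursive:   " + resolve(configured, props));
        // Nested form: the inner expression is resolved first, then used as the default.
        System.out.println("default:     " + resolve("${missing:${secret.ref}}", props));
        // A self-referencing pair is rejected once the substitution cap is reached.
        try {
            resolve("${loop.a}", props);
        } catch (IllegalStateException e) {
            System.out.println("cycle:       " + e.getMessage());
        }
    }
}
```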

EJB

991444 - EJB2 CMP wrong cache access if optimistic-locking=true

When optimistic locking was configured for EJB2 Entity Beans, cached entity beans were never being found in the cache. This occurred because the cache lookup was being performed using the wrong identifier. The entity primary key was being used to locate the correct transaction cache instead of the transaction identifier. This has been corrected and cache access for EJB2 Entity Beans now works as expected when optimistic locking is enabled.
1005110 - ClassLoader memory leak with EJB Asynchronous invocations

In some situations, asynchronous EJB calls could result in the deployment’s classloader being "leaked".

This occurred because the execute method could lead to new thread creation. When this occurs the new thread assigns itself the context classloader of the parent thread, which would be the classloader of the deployment. To prevent this the Thread Context Classloader (TCCL) is set to null before the execute method is invoked, and then restored afterwards.

Asynchronous EJB calls can no longer result in deployment classloader leaks.
1019894 - EJB should not be remotely accessible until all of its dependencies have been started

In some situations EJBs could be remotely invoked before they were fully started, resulting in an unresponsive EJB client. This occurred because remote interfaces were bound before any dependencies of the EJB were fully resolved. Thus a bean could be invoked before it was fully able to respond. This has been fixed and an EJB’s remote interfaces are not available until all of its dependencies have been resolved.
1005093 - Security context associated with EJB asynchronous invocations can potentially be corrupted over time by the caller thread

An EJB that is called asynchronously from a servlet can potentially lose its security context if the servlet invocation completes first. This occurred when the security context of the servlet was cleared, because both the servlet and the EJB threads shared the same SecurityContext instance. Now the SecurityContext attributes are copied from the instance on the servlet thread to a new instance of the SecurityContext object on the EJB thread. As expected, updates to SecurityContext instances on one thread no longer affect instances on other threads.
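
The difference between sharing one context instance and copying its attributes, as an added Java example (not JBoss EAP source code). DemoSecurityContext, the principal and the role are hypothetical stand-ins, and a latch forces the ordering in which the caller finishes before the asynchronous task reads its context.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class AsyncSecurityContextDemo {

    /** Hypothetical stand-in for a container security context; not the JBoss class. */
    static final class DemoSecurityContext {
        private volatile String principal;
        private volatile Set<String> roles;

        DemoSecurityContext(String principal, Set<String> roles) {
            this.principal = principal;
            this.roles = Collections.unmodifiableSet(new HashSet<String>(roles));
        }

        /** New instance with copied attributes, so later changes do not cross threads. */
        DemoSecurityContext copy() {
            return new DemoSecurityContext(principal, roles);
        }

        /** What the caller thread does when its request completes. */
        void clear() {
            principal = null;
            roles = Collections.<String>emptySet();
        }

        String getPrincipal() {
            return principal;
        }

        boolean isCallerInRole(String role) {
            return roles.contains(role);
        }
    }

    /**
     * Runs an asynchronous task that reads its security context only after the
     * caller has finished and cleared its own context.
     */
    static String invokeAsync(DemoSecurityContext callerCtx, boolean copyForAsyncThread)
            throws Exception {
        DemoSecurityContext asyncCtx = copyForAsyncThread ? callerCtx.copy() : callerCtx;
        CountDownLatch callerFinished = new CountDownLatch(1);
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            Future<String> seenByTask = pool.submit(() -> {
                callerFinished.await(); // the caller completes first
                return "principal=" + asyncCtx.getPrincipal()
                        + ", admin=" + asyncCtx.isCallerInRole("admin");
            });
            callerCtx.clear();          // request ends, caller context is cleared
            callerFinished.countDown();
            return seenByTask.get();
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample identity.
        Set<String> roles = Collections.singleton("admin");
        // Shared instance: the task sees the context after the caller cleared it.
        System.out.println("shared instance: "
                + invokeAsync(new DemoSecurityContext("alice", roles), false));
        // Copied instance: the task keeps the identity it was invoked with.
        System.out.println("copied instance: "
                + invokeAsync(new DemoSecurityContext("alice", roles), true));
    }
}
```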

Hibernate

998841 - Permanent fix of HHH-8447 (HQL delete with multiple subqueries failing (incorrect alias used))

If a HQL delete query contained multiple subqueries, only the first subquery would use the correct root table alias. The generated SQL for the other subqueries would use an incorrect alias.

This issue was caused by improper processing of multiple subqueries when generating the SQL query.

This issue has been fixed in this release of JBoss EAP 6 so that HQL delete queries with multiple subqueries will now use the correct root table alias when generating SQL for all subqueries.
947946 - Incorrect "to_char" function in HSQL dialect

A bug in the HSQL dialect implementation of the to_char function resulted in incorrect conversions of objects to strings, and when used in a comparison would result in a java.lang.IllegalArgumentException exception.

In this release of JBoss EAP 6, the to_char function in the HSQL dialect has been fixed by properly converting objects to a string. As a result, comparisons made using to_char should no longer throw java.lang.IllegalArgumentException exceptions.
990587 - [HHH-7959] Hibernate/Infinispan 2nd Level Caches set to transaction-mode=NONE stop functioning after an explicit eviction

An Infinispan second-level cache configured with transaction-mode=NONE would be invalidated when programmatically forcing an eviction. This invalid state would result in performance degradation, and TRACE level log messages of Could not invalidate region: null.

This issue was caused by unhandled null values related to attempting to use a TransactionManager in a non-transactional configuration, resulting in NullPointerExceptions.

This issue has been fixed in this release of JBoss EAP 6 so that proper null checks now allow the eviction and valid state to occur. As a result, programmatically forcing an eviction on an Infinispan second-level cache configured with transaction-mode=NONE will no longer trigger an invalid state and associated performance degradation.
1018146 - [HHH-8605] ManyToManyTest.testManyToManyWithFormula fails on mssql2008R2, mssql2012, sybase157

On Sybase and Microsoft SQL Server, HQL queries which had tuples in subqueries would throw exceptions. Neither Sybase nor Microsoft SQL Server support tuples in subqueries, such as the following query:

delete from Table1 where (col1, col2) in (select col1, col2 from Table2)

This issue occurred because the Hibernate dialects for Sybase and Microsoft SQL Server did not configure the supportsTuplesInSubqueries property to false.

In this release of JBoss EAP 6, the Hibernate dialects for Sybase and Microsoft SQL Server have been updated to accurately reflect the lack of support for tuples in subqueries. As a result, warnings are now produced rather than throwing exceptions.
1003468 - HHH-8464 Using JPA2 specific quoting character (double quote) for JoinColumn results in DuplicateMappingException.

Using a JPA2-specific quoting character (") for a JoinColumn would result in a DuplicateMappingException. This issue was caused by the quoting character not being normalized internally.

This issue has been fixed in this release so that using " for a JoinColumn is now normalized properly, and will no longer result in a DuplicateMappingException.
991578 - HHH-8390 Foreign key reference generated before unique constraint exists

Creating a schema in which a foreign key was declared before it was defined as unique or as a primary key, would fail on Oracle and possibly other dialects.

This issue has been fixed in this release of JBoss EAP 6 by forcing unique key constraints to be created before foreign key constraints as part of the schema export process.

As a result, exported schemas should no longer fail on Oracle because of a foreign key being declared before a unique constraint exists.
977520 - HHH-8318 "delete" with "member of" query fails

A bug in the conversion of HQL delete queries that contained a member of clause would result in incorrect SQL being generated. As a result, the incorrect SQL delete query would fail. This issue was caused by the member of subquery using an incorrect alias.

This issue has been fixed in this release of JBoss EAP 6 by making member of subqueries use the correct alias when used as part of a HQL delete query. As a result, such queries now produce correct SQL.

HornetQ

1019378 - Message Redistribution could lead to loss of messages if paging and reading with batched Transactions

In rare circumstances, if messages were being acknowledged too fast with big chunks on a HornetQ server, a message redistribution could read a record before the transaction was instantiated on the page system. This situation would result in message loss.

This issue has been fixed in this release of JBoss EAP 6 by making sure the paging system will correctly instantiate a page transaction, and only writing the file after the page transaction is instantiated.

As a result of this fix, under the same circumstances there will be no lost messages.
988321 - WARN - Replication Large MessageID 164 is not available on backup server. Ignoring replication message

After a certain sequence of events, a large message deletion may be called twice, resulting in an erroneous warning message on a backup HornetQ server, similar to below:
11:33:23,825 WARN  [org.hornetq.core.server] (Old I/O client worker ([id: 0x2b37b4ea, /192.168.40.1:60844 => /192.168.40.1:5445])) HQ222090: Replication Large MessageID 164  is not available on backup server. Ignoring replication message

This issue was fixed by stopping the erroneous warning from appearing in the JBoss EAP 6 logs. As a result, on a backup HornetQ server there should no longer be erroneous warning messages related to large messages not being available.

Installer

977736 - Appclient starting script and configuration file shouldn't be installed without appclient option selected

When using the installer for JBoss EAP 6, if the AppClient+ check box on the Pack Installation screen was cleared, AppClient files would still be installed.

This issue with the installer has been fixed in this release of JBoss EAP 6 so that AppClient files will only be installed if the AppClient+ check box is selected.
1013973 - Installer: Cannot use Ctrl+c to quit installation (windows)

An issue with specifying a JLine dependency resulted in the Ctrl-C keyboard command not functioning in the console installer of JBoss EAP 6 on Microsoft Windows Server.

In this release of JBoss EAP 6, JLine has been updated so that when Ctrl-C is entered during a console installation on Microsoft Windows Server, the installer now quits as expected. Also note that the Insert key is read as the same character as Ctrl-C, and will also quit the console installer if pressed.
1013972 - Tab Extends for auto-completing home directory path is not working correctly

In the console installer for JBoss EAP 6, using the Tab key to autocomplete home directory paths would not work as expected. Instead of autocompleting the home directory paths, on Microsoft Windows Server nothing was shown, and on Linux /home was incorrectly inserted.

This issue has been fixed in this release of JBoss EAP 6, so that when entering ~ and pressing Tab, the home directory path is autocompleted as expected. On Microsoft Windows Server the path is C:\Users\USERNAME, and on Linux it is /home/USER.
963304 - Native components check box is invisible when installing EAP 6.0.0 through jar installer

On Unix-derived operating systems the installer did not properly check the system-release file if there was more than one *-release file present in the /etc/ directory. This resulted in the installer not recognizing the server operating system, and consequently did not show the Native Components check box on the Pack Installation screen. This issue has been fixed in this release of JBoss EAP 6, and the installer now properly checks the system-release file on Unix-derived operating systems. As a result, the Native Components check box on the Pack Installation screen is shown as expected.

JCA

952277 - disable xa-data-source causes that data-source loses its attribute enabled set to false and after reload it becomes enabled

When an XA data source was set to disabled, and the data source was already disabled, the data source was enabled on the next restart. The cause of this issue has now been resolved. In the same circumstances, the data source now remains disabled.
1007608 - Memory leak if hashCode of Transaction isn't stable

The JCA TransactionSynchronizer was found to leak memory if the Transaction hashCode was not stable. This memory leak could cause OutOfMemoryErrors after a period of time.

An update to the JCA component has corrected this potential leak and the associated OutOfMemoryErrors no longer occur.

JSF

991276 - WAR_BUNDLE_JSF_IMPL does not work inside an EAR

If a JSF implementation was packaged in a WAR, WAR_BUNDLE_JSF_IMPL could be used to allow it to work rather than the container’s implementation. This option was not working if it was instead packaged in an EAR. The cause of this issue was that only the (sub-)deployment was checked for the JSF marker, causing it not to be found when it was in a distinct top-level deployment (EAR). To resolve this issue, an additional check has been implemented to check the top-level deployment for the JSF marker.

Maven Repository

1011918 - Unable to get dependencies for jbossws-cxf-client -- Failure to find org.apache.ws.security:wss4j:jar:1.6.11-redhat-1

The build process was changed in this release of JBoss EAP to provide more conventional Maven POM files which are more consistent with community Maven POMs. The POM files in the EAP Maven repository now have dependencies on some community artifact versions.

Users should refer to the JBoss Enterprise Application Platform Developer Guide for information on how to configure the appropriate Maven BOM file. Configuring the appropriate Maven BOM file will ensure that the user build includes the correct transitive dependency version (the JBoss EAP version will be used for supported artifacts and the community version for unsupported artifacts).

Other

985204 - Socket not closed when web executor drops task

This release of JBoss EAP corrects a bug which caused web connector sockets to not be closed properly when tasks were dropped by the executor. The cause was traced to the QueueExecutor class not throwing a RejectedExecutionException when there was no handoffExecutor set (as QueuelessExecutor does). In these cases the task would be dropped, which was not the expected behavior. The QueueExecutor class has been updated to throw the required exception when a task cannot be added to the queue and, as a result, sockets are now closed correctly.
901210 - Cleanup deploy directories - AS7-6031

This release of JBoss EAP 6.2 includes a fix that ensures files and directories created in the JBOSS_HOME/tmp and JBOSS_HOME/tmp/vfs folders are removed before they can interfere with newly (re)started EAP instances.

In previous versions of JBoss EAP, older files may have been left behind after a server was shut down unexpectedly (as JBoss EAP removes files in JBOSS_HOME/tmp and JBOSS_HOME/tmp/vfs as part of the shutdown process).

The fix in this release provides a failsafe to mitigate that scenario. If a JBoss EAP 6.2 server does not shut down gracefully the server will not have an opportunity to clean up these temporary files. Upon restart however, the server now queries the above locations and, if files from a previous instance are present, it initiates a rename/remove process that allows the creation of fresh files for the new instance (the old directories are renamed so as to avoid interfering with newly created files). These processes happen in parallel.

Upon restarting JBoss EAP (either gracefully or otherwise) old temporary files are now removed (either at shutdown or restart), to ensure they do not take up unnecessary disk space.

NOTE: Users should avoid using the -Xrs JAVA_OPT as this limits signal processing and can result in the size of the tmp/vfs directories continuing to grow.

PicketLink

977761 - PLINK2-25 characterEncoding parameter not used in for Post Requests in ServiceProviderAuthenticator

A timing issue was found in PicketLink which resulted in parameters being read from post requests in the ServiceProviderAuthenticator using the default encoding instead of the desired encoding. The issue was caused when PicketLink read its parameters before the Tomcat valve had set the encoding. To resolve this issue, setting the encoding has been moved so that it is the very first step in the authenticate method.

Remoting

1025319 - Trouble with EJB invocation from a server with/without SSL

When creating an outbound remote connection, the service that creates the connection would apply the default settings after applying user-defined configuration settings. This resulted in the default settings incorrectly overriding any user-defined settings that had the same key.

As a result of this situation, SSL could not be disabled on remote EJB connections which originated from the server.

This issue has been fixed in this release of JBoss EAP 6. User-defined settings are now applied after the default settings, which ensures that user-defined settings take precedence.

As a result, SSL can now be disabled on outbound remote connections.
1025185 - Remoting subsystem: Concurrent modification exception during server shutdown

A service in the remoting subsystem would iterate over a collection in a non-thread-safe manner.

As a result of this issue, a ConcurrentModificationException exception would occasionally be thrown during server shutdown. Other than this exception, the shutdown would complete normally.
WARN  [org.jboss.msc.service.fail] (MSC service thread 1-55) MSC000004: Failure during stop of service jboss.remoting.endpoint.management.channel.management: java.util.ConcurrentModificationException
	at java.util.HashMap$HashIterator.nextEntry(HashMap.java:793) [rt.jar:1.6.0_45]
	at java.util.HashMap$KeyIterator.next(HashMap.java:828) [rt.jar:1.6.0_45]
	at java.util.AbstractCollection.addAll(AbstractCollection.java:305) [rt.jar:1.6.0_45]
	at java.util.HashSet.<init>(HashSet.java:100) [rt.jar:1.6.0_45]
	at org.jboss.as.remoting.AbstractChannelOpenListenerService.stop(AbstractChannelOpenListenerService.java:123)
...

This issue has been fixed in this release of JBoss EAP 6. Iteration over the collection is now done in a thread-safe manner, with the collection object’s monitor held by the iterating thread.

As a result, ConcurrentModificationException exceptions are no longer thrown.

RPMs

998319 - RPMs put important data in /var/tmp

RPMs put important data in /var/tmp, including /domain/data. /var/tmp is meant to contain temporary data which could be removed at any time. /domain/data should not be redirected to /var/tmp/ since it contains important data that should not be lost, including the transaction recovery journal and HornetQ large message store and journal.

This error has been fixed for this release of JBoss EAP 6. For new installations, /usr/share/jbossas/domain/data will be a directory instead of a link.

However, for existing installations, one of the following must be performed:
  • Re-install and migrate the config and data files (including the temp directories) to the new installation directories, or
  • Uninstall tmpwatch to disable clean up of /var/tmp/jbossas, or
  • Configure tmpwatch not to remove the files that jbossas puts in to /var/tmp/jbossas.

Scripts and Commands

998913 - standalone.bat still sets -XX:+TieredCompilation JVM option

An issue has been resolved in the standalone.bat batch file, used on Microsoft Windows Server. The batch file previously contained a JVM option which set tiered compilation: -XX:+TieredCompilation. This setting has been removed as it is known to cause performance problems in some circumstances.
916960 - Standalone.bat does not work if parentheses are on path to EAP.

In previous releases of JBoss EAP, the provided batch files (for example, standalone.bat and add-user.bat) failed to work as expected on Microsoft Windows Server if the path in which they were stored contained parentheses or spaces. The batch files have been improved by use of quotation characters to ensure that the full path is evaluated. As a result, the batch files now work as expected with paths including parentheses and spaces.

Security

920160 - Unauthorized access to a web application protected with a custom authorization module results in HTTP 200 (OK) instead of HTTP 403 (Forbidden)

In JBoss EAP 6.1.0, unauthorized access to a web application protected with a custom authorization module resulted in an HTTP response of 200 (OK) instead of HTTP 403 (Forbidden). This issue has been resolved and the correct response is now provided.

Server

1022223 - Deployment descriptor overlays do not override JSPs

Deployment descriptor overlays should allow an administrator to override a JSP in a deployment. However the overlay functionality did not work because JBoss Web does not use VFS for serving content, and so the JSP files were not visible. An additional test of the deployment method has been added and the overriding of deployment descriptors now works as expected.

Transaction Manager

1016120 - Transaction JDBC object store does not start on PostgreSQL Plus 9.2

The JBoss Transaction Manager did not have a properly configured driver class for PostgreSQL Plus 9.2. This resulted in a ClassNotFoundException exception when attempting to use a JDBC transaction object store on PostgreSQL Plus 9.2.

In this release of JBoss EAP 6, the JBoss Transaction Manager has been updated with a PostgreSQL Plus 9.2 driver class (jdbc.drivers.postgres_driver), and JDBC object stores can now be used with PostgreSQL Plus 9.2 servers.

Web

997009 - requiredSecret attribute on the AJP connector

When using a load-balancing Apache server in front of JBoss EAP 5.x, you can set the "requiredSecret" attribute of the AJP connector. With this attribute set, only requests from load-balancer workers that present the same secret keyword are accepted.

In JBoss EAP 6.0.x and 6.1.x it was not possible to configure this value. This issue has now been resolved, and you can set a system property to your required value for the "requiredSecret" attribute:
org.apache.coyote.ajp.DEFAULT_REQUIRED_SECRET=yoursecretvalue
996558 - Https connection hangs after adding https connector

When adding an HTTPS connector via the management CLI, any attempted connection would hang, despite each command completing successfully. The cause of the issue was that the connector was started as soon as it was created, yet its configuration was incomplete, preventing the connector from working as expected. A workaround in this instance was to wrap the configuration commands in a batch, end-batch sequence, so that all configuration statements were completed together. The root cause of this issue has been resolved and access to an HTTP connector is successful, whether the configuration statements are completed in sequence or as a management CLI batch.

Web Console

947913 - Admin Console: The Resource Adapter Properties becomes editable clicking in the configured Resource Adapters.

When viewing the properties of a resource adapter (RA) in the web management console, it was possible that the adapter’s properties became editable fields, allowing existing fields to be changed or deleted, and new fields added. These fields should have been presented as read-only fields, since there is no functionality for editing them in the web management console. If any such field was edited, the edited values would remain in their edited form, yet not be stored in the resource adapter’s configuration file. This issue has now been resolved and the properties of all resource adapters now remain presented as read-only fields.
900063 - Missing error message when creation of Custom Handler fails

In previous JBoss EAP 6 releases, when the creation of a custom logging handler in the web management console failed, no feedback was given to the user. As a result, the user might reasonably assume that the custom logging handler was created. To resolve this issue, an error message now appears in these circumstances, making it clear to the user that the creation failed.
1012539 - "Started?" field in messaging bridge settings in incorrect

The runtime information field Started? has been removed from the Profile → Messaging → Connections → Bridges screen in this release of JBoss EAP 6.

This was because the field was found to sometimes display incorrect information and, since it was not editable, provided no functionality to users.
996889 - Unable to change port offset for servers in domain

When changing the port offset for servers in a domain, the action failed with the resulting message: "Internal server error". The underlying cause was that the value of socket-binding-group on the server-config resource was undefined, so on the attempt to change the server configuration, no value was pre-selected in the Socket binding select box. Consequently, the first part of the composite operation failed. The root cause has now been resolved and the port offset for servers in a domain can now be set in the web management console.

Web Services

1026992 - Picketlink STS doesn't work with CXF update

The fix applied to JBoss EAP to address CVE-2013-2133 implies authorization checks by the container before running JAXWS handlers attached to EJB3 based WS endpoints. As a consequence, some PicketLink usage scenarios can be affected, as the PicketLink SAML2Handler is meant for establishing the security principal that will later be used.

Customers can disable the additional authorization checks and keep on using the existing PicketLink deployments either by setting the org.jboss.ws.cxf.disableHandlerAuthChecks system property to true or by specifying the org.jboss.ws.cxf.disableHandlerAuthChecks property in a jboss-webservices.xml descriptor as follows:
<?xml version="1.1" encoding="UTF-8"?>
<webservices xmlns="http://www.jboss.com/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  version="1.2" xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee">

  <property>
    <name>org.jboss.ws.cxf.disableHandlerAuthChecks</name>
    <value>true</value>
  </property>
</webservices>

The descriptor is to be placed in META-INF within the customer deployment for which the handler authorization checks are to be disabled.

Setting the system property, by contrast, affects every deployment on the server.

Note that enabling the org.jboss.ws.cxf.disableHandlerAuthChecks property renders a system vulnerable to CVE-2013-2133. If the application expects security restrictions declared on EJB methods to be applied and does not apply them independently of the JAX-WS handler, then the property should not be enabled. The property should only be used for backwards-compatibility purposes when needed to avoid application breakage.
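
One way to find deployments that carry this setting, as an added Java example (not part of JBoss EAP or PicketLink). It covers only the descriptor route described above, not the server-wide system property; the archive names, the size and nesting limits and the sample descriptors are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added audit example: flags archives whose descriptor disables the handler checks. */
public class HandlerAuthChecksAudit {

    static final String PROPERTY = "org.jboss.ws.cxf.disableHandlerAuthChecks";
    static final String DESCRIPTOR = "META-INF/jboss-webservices.xml";
    // Assumptions of this example: limits that keep the scanner itself bounded.
    private static final int MAX_ENTRY_BYTES = 16 * 1024 * 1024;
    private static final int MAX_DEPTH = 3;

    /** True when the descriptor sets the property to "true" (compared leniently). */
    static boolean descriptorDisablesChecks(byte[] xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // The descriptor needs no DTD; refusing DOCTYPE protects the scanner from XXE.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = factory.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
        NodeList properties = doc.getElementsByTagNameNS("*", "property");
        for (int i = 0; i < properties.getLength(); i++) {
            Element property = (Element) properties.item(i);
            if (PROPERTY.equals(childText(property, "name"))
                    && "true".equalsIgnoreCase(childText(property, "value"))) {
                return true;
            }
        }
        return false;
    }

    private static String childText(Element parent, String localName) {
        NodeList nodes = parent.getElementsByTagNameNS("*", localName);
        return nodes.getLength() == 0 ? null : nodes.item(0).getTextContent().trim();
    }

    /** Scans an archive, and .jar/.war archives nested in it, for the descriptor. */
    static boolean archiveDisablesChecks(InputStream archive, int depth) throws Exception {
        ZipInputStream zip = new ZipInputStream(archive);
        for (ZipEntry entry = zip.getNextEntry(); entry != null; entry = zip.getNextEntry()) {
            String name = entry.getName();
            if (DESCRIPTOR.equals(name)) {
                if (descriptorDisablesChecks(readEntry(zip))) {
                    return true;
                }
            } else if (depth < MAX_DEPTH && (name.endsWith(".jar") || name.endsWith(".war"))) {
                if (archiveDisablesChecks(new ByteArrayInputStream(readEntry(zip)), depth + 1)) {
                    return true;
                }
            }
        }
        return false;
    }

    private static byte[] readEntry(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buffer = new byte[8192];
        for (int n = in.read(buffer); n != -1; n = in.read(buffer)) {
            if (out.size() + n > MAX_ENTRY_BYTES) {
                throw new IOException("Archive entry too large to scan");
            }
            out.write(buffer, 0, n);
        }
        return out.toByteArray();
    }

    private static byte[] zipOf(String entryName, byte[] content) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        ZipOutputStream zip = new ZipOutputStream(bytes);
        zip.putNextEntry(new ZipEntry(entryName));
        zip.write(content);
        zip.closeEntry();
        zip.close();
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample descriptors modelled on the one shown above.
        String template = "<webservices xmlns=\"http://www.jboss.com/xml/ns/javaee\" version=\"1.2\">"
                + "<property><name>" + PROPERTY + "</name><value>%s</value></property></webservices>";
        byte[] disabling = String.format(template, "true").getBytes(StandardCharsets.UTF_8);
        byte[] harmless = String.format(template, "false").getBytes(StandardCharsets.UTF_8);

        byte[] ejbJar = zipOf(DESCRIPTOR, disabling);
        byte[] ear = zipOf("sample-ejb.jar", ejbJar); // descriptor nested one level down
        byte[] cleanJar = zipOf(DESCRIPTOR, harmless);

        System.out.println("ejb jar:   " + archiveDisablesChecks(new ByteArrayInputStream(ejbJar), 0));
        System.out.println("ear:       " + archiveDisablesChecks(new ByteArrayInputStream(ear), 0));
        System.out.println("clean jar: " + archiveDisablesChecks(new ByteArrayInputStream(cleanJar), 0));
    }
}
```
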
988318 - CLI - after undefine operation on wsdl-host attribute of webservices subsystem and reload war with webservice can not be deployed

A bug that caused application deployments to fail when the wsdl-host attribute was undefined has been corrected in this release of JBoss EAP 6.
999223 - wsconsume.sh fails with the default target version - 2.2

In previous versions of JBoss EAP, it was found that WSConsume failed to compile JAXWS 2.2 level sources when OpenJDK version 1.6 was used.

This has been resolved in this release.

Weld

956631 - CLONE - Cross-context forward/include call from another web app breaks HttpRequestContext cleanup

For forwarded requests, WeldListener would clean up a bound context request when the servlet that was processing it finished, even though it was being sent to another servlet.

As a result, when the other servlet would try to access the context, it would produce a NullPointerException.

This issue has been fixed in this release of JBoss EAP 6 by not cleaning up a bound context if the servlet is being redirected.

As a result, using getRequestDispatcher().include() to forward requests between servlets should no longer produce exceptions related to incorrect WeldListener clean-ups.
910185 - Weld's TypeSafeObserverResolver cache is unbounded

The Weld class TypeSafeObserverResolver used by TransactionalObserverNotifier does not have any configuration options for limiting or expiring entries. Usually the number of CDI qualifiers is small, but this may not be true if an application uses AnnotationLiteral-derived classes with arbitrary data in the annotation.

As a result, the TypeSafeObserverResolver cache could grow very large and cause an OutOfMemoryError if a large number of distinct qualifiers are used.

This issue has been fixed in this release of JBoss EAP 6 by implementing a configurable upper boundary for the resolved cache in TypeSafeObserverResolver.

Users can configure the org.jboss.weld.resolution.cacheSize property to limit the maximum number of resolved cache entries. The default value of the maximum boundary is 1048576 cache entries.

Web Services

969924 - Picketlink STS doesn't work with CXF update

The fix applied to JBoss EAP to address CVE-2013-2133 means that the container performs authorization checks before running JAXWS handlers attached to EJB3-based WS endpoints. As a consequence, some PicketLink usage scenarios can be affected, as the PicketLink SAML2Handler is meant for establishing the security principal that will be used later.

Customers can disable the additional authorization checks and keep on using the existing PicketLink deployments either by setting the org.jboss.ws.cxf.disableHandlerAuthChecks system property to true or by specifying the org.jboss.ws.cxf.disableHandlerAuthChecks property in a jboss-webservices.xml descriptor as follows:
  <?xml version="1.1" encoding="UTF-8"?>
  <webservices xmlns="http://www.jboss.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    version="1.2" xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee">

    <property>
      <name>org.jboss.ws.cxf.disableHandlerAuthChecks</name>
      <value>true</value>
    </property>

  </webservices>

The descriptor is to be placed in `META-INF` within the customer deployment for which the handler authorization checks are to be disabled. Setting the system property instead affects every deployment on the server. Note that enabling the `org.jboss.ws.cxf.disableHandlerAuthChecks` property renders a system vulnerable to CVE-2013-2133. If the application expects security restrictions declared on EJB methods to be applied and does not apply them independently of the JAX-WS handler, then the property should not be enabled. The property should only be used for backwards-compatibility purposes when needed to avoid application breakage.
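Because the descriptor setting described under bugs 1026992 and 969924 re-exposes a deployment to CVE-2013-2133, it is worth knowing which archives carry it. The following audit script is an added example, not part of the release notes or of JBoss EAP; the function names and the in-memory sample EAR (sts-ejb.jar) are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PROP = "org.jboss.ws.cxf.disableHandlerAuthChecks"
DESCRIPTOR = "jboss-webservices.xml"

def descriptor_disables_checks(xml_bytes):
    """True if a jboss-webservices.xml document sets PROP to true."""
    # Drop the XML declaration so the parser's XML-version support is irrelevant.
    body = re.sub(rb"^\s*<\?xml.*?\?>", b"", xml_bytes, count=1, flags=re.S)
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return PROP.encode() in xml_bytes  # unparseable: flag any mention for review
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] != "property":
            continue
        fields = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in elem}
        if fields.get("name") == PROP and fields.get("value", "").lower() == "true":
            return True
    return False

def scan_archive(data, label):
    """List descriptors in an archive (nested archives included) that set PROP to true."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    hits, zf = [], zipfile.ZipFile(io.BytesIO(data))
    for name in zf.namelist():
        if name.rsplit("/", 1)[-1] == DESCRIPTOR:
            if descriptor_disables_checks(zf.read(name)):
                hits.append(f"{label}!/{name}")
        elif name.lower().endswith((".jar", ".war", ".ear")):
            hits += scan_archive(zf.read(name), f"{label}!/{name}")
    return hits

def build_sample_ear(value):
    """Constructed sample: an EAR holding one EJB JAR whose descriptor sets PROP."""
    xml = ('<?xml version="1.1" encoding="UTF-8"?><webservices '
           'xmlns="http://www.jboss.com/xml/ns/javaee" version="1.2"><property>'
           f'<name>{PROP}</name><value>{value}</value></property></webservices>')
    jar, ear = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/" + DESCRIPTOR, xml)
    with zipfile.ZipFile(ear, "w") as z:
        z.writestr("sts-ejb.jar", jar.getvalue())
    return ear.getvalue()
```

To audit a real archive, pass its bytes and file name to scan_archive. The server-wide system property is not stored in deployment archives and has to be checked separately in the server's JVM options and configuration.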

mod_cluster

958991 - mod_cluster core when use ProxyPass / balancer://bal and CreateBalancers 1

A regression found in versions 6.1.0 and 6.1.1 of JBoss EAP caused setting CreateBalancers 1 in /conf.d/mod_cluster.conf without setting the stickysession=JSESSIONID|jsessionid configuration to result in a segmentation fault. This issue has been resolved in JBoss EAP 6.2. The stickysession element has now been added to the CreateBalancers configuration.
960243 - Regression in ProxyPass integration

A regression in an earlier version of mod_proxy_cluster.so (bug 960246) returned HTTP 503 errors when accessing a directory (for example, /app/clusterbench/requestinfo/). This issue has been corrected in this release of JBoss EAP and mod_proxy_cluster.so now works as expected when accessing directories.
963720 - mod_cluster: proxy DNS lookup failure with IPv6 on Solaris

In previous versions of EAP 6 it was found that attempting to use IPv6 addresses within a Solaris system would result in a DNS lookup failure.

The source of this issue was traced to the IPv6 zone-id string of IPv6 addresses.

Since this information is of no use to the HTTPD, the string is no longer used and mod_cluster now operates as expected on Solaris systems.