web.xml

[engineDir]/configuration/reference/web.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
  ========================================================================
   Configures the embedded Tomcat Webserver of Axon Ivy
  ========================================================================

  This file shows the default configuration of the embedded Tomcat Webserver.

  Copy contents of this reference file to 'configuration/web.xml' before adjusting
  them to your needs. Changing this file has no effect.

  See the Apache Tomcat documentation for more information about this configuration:
  http://tomcat.apache.org/tomcat-9.0-doc/config/

  After a change in the web.xml a restart of Axon Ivy is required
  to apply the new configuration.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
  version="4.0">

  <!-- ======================= Error pages ================================ -->
  <!--
      Custom error pages can be added with error-page elements.
      The referenced error-page must be placed in the folder 'webapps/ivy'.
      Use the /faces location prefix for xhtml pages.

      The pre-configured default error page is:
    -->
    <error-page>
      <location>/faces/ivy-error-page.xhtml</location>
    </error-page>
    <!--
      By adding an <exception-type> or an <error-code> tag to the <error-page>
      configuration it is also possible to configure a specific error page for
      certain kinds of exceptions or for HTTP status codes:

    <error-page>
      <exception-type>java.lang.Throwable</exception-type>
      <location>/faces/custom-exception-error-page.xhtml</location>
    </error-page>
    <error-page>
      <error-code>404</error-code>
      <location>/faces/custom-404-error-page.xhtml</location>
    </error-page>

    Implementation:
    Use the 'ErrorPageMBean' to retrieve information about the thrown exception and the environment:
    @doc.url.current@/public-api/ch/ivyteam/ivy/webserver/ErrorPageMBean.html

    NOTE(review): a custom error page should not render stack traces, exception
    messages or environment details to end users. Confirm what your page exposes
    before deploying it.
  -->

  <!-- ==================== Default Session Configuration ================= -->
  <session-config>
    <!--
    session-timeout: [default=30]

    Defines the amount of time in minutes after which an inactive user session will be closed.
    Closing sessions means that server side state (e.g. Html Dialog instance) is flushed.
    -->
    <session-timeout>30</session-timeout>

    <!--
    cookie-config/secure: [default=false]

    Enable the secure flag when accessing the Webserver over HTTPS (strongly recommended).
    When enabled the session cookie is only transmitted over HTTPS and not over HTTP.

    NOTE(review): the element below is commented out, so the default (false) applies.
    If any client-facing URL is still reachable over plain HTTP, the session id can
    then travel unencrypted. Enable the flag once every client-facing URL is HTTPS,
    including deployments where TLS is terminated at a reverse proxy; after that,
    sessions will no longer work over plain HTTP.
    The HttpOnly attribute is configured separately (<http-only> in cookie-config);
    confirm its effective value for your deployment.
    -->
    <!--
    <cookie-config>
      <secure>true</secure>
    </cookie-config>
    -->
  </session-config>

  <!-- ==================== Security Headers ============================== -->

  <!-- Some commonly recommended HTTP Security Headers are configured here  -->
  <!-- for all the web applications.                                        -->
  <!-- These Security Headers are added on the HTTP Responses               -->
  <!-- to the Client Browser.                                               -->
  <!-- But not all Security Headers are supported by all Web browsers.      -->
  <!-- See: https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html     -->
  <!--                                                                      -->
  <!-- |=========================|===============|                          -->
  <!-- | HEADER                  | VALUE         |                          -->
  <!-- |=========================|===============|                          -->
  <!-- | X-Frame-Options         | SAMEORIGIN    |                          -->
  <!-- | X-XSS-Protection        | 1; mode=block |                          -->
  <!-- | X-Content-Type-Options  | nosniff       |                          -->
  <!-- |=========================|===============|                          -->
  <!--
    NOTE(review):
    * Only antiClickJackingOption is set explicitly below. The X-XSS-Protection and
      X-Content-Type-Options values in the table presumably come from the filter's
      own defaults; confirm against the filter documentation linked above.
    * X-XSS-Protection is deprecated and ignored by current browsers, so it should
      not be counted as an XSS defence. This filter does not emit a
      Content-Security-Policy header; that has to be configured separately.
    * The filter also has HSTS parameters (hstsEnabled, hstsMaxAgeSeconds,
      hstsIncludeSubDomains). None is set here, and hstsMaxAgeSeconds defaults to 0
      in Tomcat 9 (TODO confirm for your version), so no effective
      Strict-Transport-Security policy is sent. Consider setting it once the site
      is served exclusively over HTTPS.
    * The mapping below covers every URL (/*) for the REQUEST dispatcher type only.
  -->

  <filter-mapping>
    <filter-name>httpSecurityHeaders</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
  <filter>
    <filter-name>httpSecurityHeaders</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
      <param-name>antiClickJackingOption</param-name>
      <param-value>SAMEORIGIN</param-value>
    </init-param>
  </filter>

  <!-- ==================== Reverse Proxy Headers ============================== -->
  <!--
    RemoteIpFilter is activated by default. This is needed for proper integration
    with a reverse proxy. The reverse proxy modifies headers which need to be
    interpreted by the Axon Ivy Engine to generate correct absolute URIs.
    You can rename those headers by reconfiguring the RemoteIpFilter. The
    commented-out block below is an example of such a reconfiguration (here: the
    name of the protocol header).
    See: https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/catalina/filters/RemoteIpFilter.html

    NOTE(review): forwarded headers such as x-forwarded-proto are ordinary request
    headers and can be set by any client. Per the linked Javadoc, RemoteIpFilter only
    honours them when the connecting address matches its internalProxies or
    trustedProxies patterns. Make sure the engine is reachable only through the
    reverse proxy, that the proxy overwrites these headers on incoming requests, and
    that the proxy patterns are no wider than your actual proxy addresses.
  -->
  <!--
  <filter>
    <filter-name>org.apache.catalina.filters.RemoteIpFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
    <init-param>
      <param-name>protocolHeader</param-name>
      <param-value>x-forwarded-proto</param-value>
    </init-param>
  </filter>
  -->
</web-app>