context.xml

[engineDir]/webapps/ivy/META-INF/context.xml

 1<?xml version="1.0" encoding="UTF-8"?>
 2<!--
 3 ========================================================================
 4  Configures Valves and Realms of the embedded Tomcat Webserver
 5 ========================================================================
 6
 7 Please keep the context.xml files of the designer and the engine in sync by hand,
 8 so that both use the same settings:
 9 this file is not deployed from the designer to the engine.
10
11 See apache tomcat documentation for more information about context configuration:
12 https://tomcat.apache.org/tomcat-9.0-doc/config/context.html
13
14-->
15<Context antiResourceLocking="false" privileged="true" >
16
17
18	<!-- ====================== Cookies ====================== -->
19	
20	<!-- 
21	  Helps prevent CSRF attacks by preventing the browser from sending cookies with cross-site requests.
22	  More information can be found here: https://www.owasp.org/index.php/SameSite
23	  Possible values are: 
24	  - 'strict': prevent cookie sharing in all cross-site browsing contexts. 
25	      Warning! This breaks process start and task mail links from third party sites and web mail clients.
26	  - 'lax': provides a reasonable balance between security and usability for websites
27	  - 'none': do not use same site cookie header
28	  By default the value 'lax' is used.
29	-->
30	<!-- <CookieProcessor sameSiteCookies="lax"/> -->
31	
32	<!-- ====================== Tomcat Valves ====================== -->
33	
34	<!--
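35	  Limits the access to the ivy application to clients connecting from localhost. The valve normally sees the address of the directly connecting peer, so requests relayed by a reverse proxy on the same host also match.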
36	-->
37	<!--
38	<Valve className="org.apache.catalina.valves.RemoteAddrValve"
39	       allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
40	-->
41	
42	<!--
43	  Creates an access log entry for each request against the ivy application.
44	-->
45	<!--
46	<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
47	       prefix="access_log." suffix=".txt"
48	       pattern="%h %l %u %t &quot;%r&quot; %s %b" />
49	-->
50    
51	<!-- ====================== Axon.ivy Valves ==================== -->
52	   
53	<!--
54	  SingleSignOnValve:
55	  
56	  Enables single sign on of the user given in a request header field.  
57	  The name of the request header field can be configured in the attribute 'userNameHeader'.
58	  
59	  !! Only use this Valve if Axon.ivy can be reached exclusively through the WebApplication Firewall. !!
60	  !! Otherwise any client that reaches Axon.ivy directly can set the header and sign in as any user. !!
61	
62	  This Valve is useful if Axon.ivy is protected by a WebApplication Firewall (WAF) with an integrated 
63	  Identity and Access Management (IAM). Those systems will authenticate and authorize users. 
64	  The identified user is then sent from the WAF to Axon.ivy using an HTTP request header. The WAF must remove or overwrite any such header supplied by the client.
65	
66	  WebBrowser ==> WAF ==> Axon.ivy
67	                   
68	                  ^          |
69	                  |          |
70	                  v          v	
71	
72	                 IAM ==> Active Directory
73	                 
74	  @engine.guide.url@/integration/web-application-firewall.html#single-sign-on
75	 -->
76	<!-- 
77	<Valve className="ch.ivyteam.ivy.webserver.security.SingleSignOnValve" userNameHeader="user"/>
78	 -->
79
80
81
82	<!-- ====================== Custom Valves ====================== -->
83	
84	<!-- 
85	You can configure any third party valve or even your own implementation of a valve. 
86	A full valve sample implementation can be found on GitHub: 
87	
88	https://github.com/ivy-samples/ivy-extension-demos/tree/master/ProcessingValve
89	
90	-->
91	 
92</Context>