web.xml
[engineDir]/webapps/ivy/WEB-INF/web.xml
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!--
3 ========================================================================
4 Configures the embedded Tomcat Webserver of Axon.ivy
5 ========================================================================
6
7 Please keep the web.xml file on the designer and engine synchronous
8 to have the same settings on designer and engine,
9 because this file is not deployed from the designer to the engine.
10
11 See apache tomcat documentation for more information about this configuration:
12 http://tomcat.apache.org/tomcat-9.0-doc/config/
13
14 After a change in the web.xml a restart of Axon.ivy is required
15 to apply the new configuration.
16
17-->
18<web-app xmlns="http://java.sun.com/xml/ns/javaee"
19 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
20 xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
21 http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
22 version="3.0"
23 metadata-complete="false">
24
25 <!-- ====================== Html Dialog Configuration =================== -->
26
27 <!--
28 THEME:
29 @designer.guide.url@/user-interface/user-dialogs/html-dialog-themes.html
30 To set the primefaces theme (default is 'modena-ivy', was 'ivy' with 5.1)
31 remove the comment markers from around the context-param below
32 See available themes: http://primefaces.org/themes.html
33 -->
34 <!--
35 <context-param>
36 <param-name>primefaces.THEME</param-name>
37 <param-value>#{ivyPrimefacesThemeResolver.getTheme('modena-ivy')}</param-value>
38 </context-param>
39 -->
40
41 <!--
42 #{ivyThemeResolver.getThemes()} returns a list of all by default available themes.
43 If additional customer specific themes are installed they can be configured as comma separated list in the context-param below.
44 #{ivyThemeResolver.getThemes()} will then additionally also return the configured customer specific themes.
45 -->
46 <!--
47 <context-param>
48 <param-name>primefaces.customer.themes</param-name>
49 <param-value></param-value>
50 </context-param>
51 -->
52
53
54 <!-- ======================= Error pages ================================ -->
55 <!--
56 Custom error pages can be added with error-page elements.
57 The referenced error-page must be placed in the folder 'webapps/ivy'.
58 Use /faces location-prefix for xhtml pages.
59
60 The pre-configured default error page is:
61
62 <error-page>
63 <location>/faces/ivy-error-page.xhtml</location>
64 </error-page>
65
66 By adding the <exception-type> tag to the <error-page> configuration
67 it is also possible to configure a specific error page for status codes
68 or kind of exceptions:
69
70 <error-page>
71 <exception-type>java.lang.Throwable</exception-type>
72 <location>/faces/custom-exception-error-page.xhtml</location>
73 </error-page>
74 <error-page>
75 <error-code>404</error-code>
76 <location>/faces/custom-404-error-page.xhtml</location>
77 </error-page>
78
79 Implementation:
80 Use the 'ErrorPageMBean' to retrieve information about the thrown exception and the environment:
81 @doc.url.current@/public-api/ch/ivyteam/ivy/webserver/ErrorPageMBean.html
82 -->
83
84
85 <!-- ==================== Default Session Configuration ================= -->
86 <session-config>
87 <!--
88 session-timeout: [default=30]
89
90 Defines the amount of time in minutes after which an inactive user session will be closed.
91 Closing sessions means that server side state (e.g. Html Dialog instance) is flushed.
92 -->
93 <session-timeout>30</session-timeout>
94
95 <!--
96 cookie-config/secure: [default=false]
97
98 Enable the secure flag when accessing the Webserver over HTTPS (strongly recommended).
99 When enabled the session cookie is only transmitted over HTTPS and not over HTTP.
100 -->
101 <!--
102 <cookie-config>
103 <secure>true</secure>
104 </cookie-config>
105 -->
106 </session-config>
107
108
109 <!-- ==================== Security Headers ============================== -->
110 <!-- -->
111 <!-- Some commonly recommended HTTP Security Headers are configured here -->
112 <!-- for the /ivy web application. -->
113 <!-- These Security Headers are added on the HTTP Responses -->
114 <!-- to the Client Browser. -->
115 <!-- But not all Security Headers are supported by all Web browsers. -->
116 <!-- See: https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html -->
117 <!-- -->
118 <!-- |=========================|===============| -->
119 <!-- | HEADER | VALUE | -->
120 <!-- |=========================|===============| -->
121 <!-- | X-Frame-Options | SAMEORIGIN | -->
122 <!-- | X-XSS-Protection | 1; mode=block | -->
123 <!-- | X-Content-Type-Options | nosniff | -->
124 <!-- |=========================|===============| -->
125 <!-- -->
126 <filter-mapping>
127 <filter-name>httpSecurityHeaders</filter-name>
128 <url-pattern>/*</url-pattern>
129 <dispatcher>REQUEST</dispatcher>
130 </filter-mapping>
131 <filter>
132 <filter-name>httpSecurityHeaders</filter-name>
133 <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
134 <async-supported>true</async-supported>
135 <init-param>
136 <param-name>antiClickJackingOption</param-name>
137 <param-value>SAMEORIGIN</param-value>
138 </init-param>
139 <init-param>
140 <param-name>xssProtectionEnabled</param-name>
141 <param-value>true</param-value>
142 </init-param>
143 <init-param>
144 <param-name>blockContentTypeSniffingEnabled</param-name>
145 <param-value>true</param-value>
146 </init-param>
147 </filter>
148</web-app>