web.xml

[engineDir]/webapps/ivy/WEB-INF/web.xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<!--
  ========================================================================
   Configures the embedded Tomcat Webserver of Axon.ivy
  ========================================================================

  Keep the web.xml files of the designer and the engine in sync
  so that both run with the same settings;
  this file is not deployed from the designer to the engine.

  See apache tomcat documentation for more information about this configuration:
  http://tomcat.apache.org/tomcat-9.0-doc/config/
  
  After a change in the web.xml a restart of Axon.ivy is required 
  to apply the new configuration.
  
-->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                      http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
  version="3.0"
  metadata-complete="false">

	<!-- ====================== Html Dialog Configuration =================== -->
	
	<!--
	THEME:
	https://developer.axonivy.com/doc/latest/DesignerGuideHtml/ivy.userinterface.html#ivy-htmldialogs-themes
	To set the primefaces theme (default is 'modena-ivy', was 'ivy' with 5.1)
	remove the comment markers from around the context-param below
	See available themes: http://primefaces.org/themes.html
		-->
	<!--
	<context-param>
		<param-name>primefaces.THEME</param-name>
		<param-value>#{ivyPrimefacesThemeResolver.getTheme('modena-ivy')}</param-value>
	</context-param>
	-->
	 
	<!--
	#{ivyThemeResolver.getThemes()} returns a list of all by default available themes. 
	If additional customer specific themes are installed they can be configured as comma separated list in the context-param below.
	#{ivyThemeResolver.getThemes()} will then additionally also return the configured customer specific themes.
	-->
	<!--
	<context-param>
		<param-name>primefaces.customer.themes</param-name>
		<param-value></param-value>
	</context-param>
	-->  


	<!-- ======================= Error pages ================================ -->
	<!-- 
	    Custom error pages can be added with error-page elements below.
	    The referenced error page must be placed in the folder 'webapps/ivy'.
	    
	    The pre-configured default error page is:
	    
		<error-page>
			<location>/ivy-error-page.xhtml</location>
		</error-page>
	    
	    By adding an <exception-type> or <error-code> tag to the <error-page> configuration
	    it is also possible to configure a specific error page for certain status codes
	    or kinds of exceptions:
	    
		<error-page>
			<exception-type>java.lang.Throwable</exception-type>
			<location>/custom-exception-error-page.xhtml</location>
		</error-page>
		<error-page>
			<error-code>404</error-code>
			<location>/custom-404-error-page.xhtml</location>
		</error-page>
	    
		Implementation:
		Use the 'ErrorPageMBean' to retrieve information about the thrown exception and the environment: 
		https://developer.axonivy.com/doc/latest/PublicAPI/ch/ivyteam/ivy/webserver/ErrorPageMBean.html 
		On production systems, do not render exception details or environment information
		to end users; show a generic message and keep the details in the server log.
	-->
	<!--
	<error-page>
		<error-code>404</error-code>
		<location>/custom-404-error-page.xhtml</location>
	</error-page>
	-->


	<!-- ==================== Default Session Configuration ================= -->
	<!-- Controls the lifetime of the HTTP session and the attributes of the   -->
	<!-- session cookie for the /ivy web application.                          -->
	<session-config>
		<!-- 
		session-timeout: [default=30]
		
		Defines the amount of time in minutes after which an inactive user session will be closed.
		Closing sessions means that server side state (e.g. Html Dialog instance) is flushed.
		
		A shorter timeout narrows the window in which an unattended or leaked
		session id can still be used; a longer one keeps idle users logged in.
		-->
		<session-timeout>30</session-timeout>
		
		<!--
		cookie-config/secure: [default=false]
		
		Enable the secure flag when accessing the Webserver over HTTPS (strongly recommended).
		When enabled the session cookie is only transmitted over HTTPS and not over HTTP.
		
		Notes for operators:
		- Enable it in particular when TLS is terminated on a reverse proxy in front of
		  the engine. Tomcat then receives plain HTTP and, without this setting, is
		  expected to issue the session cookie without the Secure attribute.
		  NOTE(review): confirm with the proxy/connector setup of your installation.
		- Once enabled, browsers no longer send the session cookie over plain HTTP,
		  so sessions (and logins) only work when users reach the application via HTTPS.
		  Redirect or block HTTP access before turning it on.
		
		cookie-config/http-only:
		
		Keeps the session cookie out of reach of page scripts. Tomcat contexts
		usually set this already (useHttpOnly); listing it here makes the intent explicit.
		-->
		<!-- 
		<cookie-config>
			<http-only>true</http-only>
			<secure>true</secure>
		</cookie-config>
		-->
	</session-config>


	<!-- ==================== Security Headers ============================== -->
	<!--                                                                      -->
	<!-- Some commonly recommended HTTP Security Headers are configured here  -->
	<!-- for the /ivy web application.                                        -->
	<!-- These Security Headers are added on the HTTP Responses               -->
	<!-- to the Client Browser.                                               -->
	<!-- But not all Security Headers are supported by all Web browsers.      -->
	<!-- See: https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html     -->
	<!--                                                                      -->
	<!-- |=========================|===============|                          -->
	<!-- | HEADER                  | VALUE         |                          -->
	<!-- |=========================|===============|                          -->
	<!-- | X-Frame-Options         | SAMEORIGIN    |                          -->
	<!-- | X-XSS-Protection        | 1; mode=block |                          -->
	<!-- | X-Content-Type-Options  | nosniff       |                          -->
	<!-- |=========================|===============|                          -->
	<!--                                                                      -->
	<!-- Not covered by this configuration:                                   -->
	<!-- - Content-Security-Policy: this filter does not emit it.             -->
	<!-- - Strict-Transport-Security (HSTS): no max age is configured here,   -->
	<!--   see the note on hstsMaxAgeSeconds inside the filter below.         -->
	<!-- These headers reduce exposure in the browser; they do not replace    -->
	<!-- output encoding and input validation in the application itself.      -->
	<!--                                                                      -->
	<!-- Applies the filter to every URL of the web application for requests  -->
	<!-- that come directly from the client (dispatcher REQUEST). The mapping -->
	<!-- refers by name to the filter defined right below it.                 -->
	<filter-mapping>
		<filter-name>httpSecurityHeaders</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
	</filter-mapping>
	<!-- Tomcat's HttpHeaderSecurityFilter; each init-param below switches on -->
	<!-- or configures one of the response headers listed in the table.       -->
	<filter>
		<filter-name>httpSecurityHeaders</filter-name>
		<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
		<async-supported>true</async-supported>
		<!--
		X-Frame-Options: SAMEORIGIN lets only pages of the same origin embed the
		application in a frame. Use DENY if the application is never framed at all.
		-->
		<init-param>
			<param-name>antiClickJackingOption</param-name>
			<param-value>SAMEORIGIN</param-value>
		</init-param>
		<!--
		X-XSS-Protection: legacy header. Current browsers no longer implement the
		XSS filter it controls, so treat it as a fallback for old clients only.
		-->
		<init-param>
			<param-name>xssProtectionEnabled</param-name>
			<param-value>true</param-value>
		</init-param>
		<!--
		X-Content-Type-Options: nosniff stops the browser from guessing a content
		type that differs from the declared Content-Type header.
		-->
		<init-param>
			<param-name>blockContentTypeSniffingEnabled</param-name>
			<param-value>true</param-value>
		</init-param>
		<!--
		HSTS: according to the Tomcat filter documentation linked above, hstsEnabled
		defaults to true but hstsMaxAgeSeconds defaults to 0, so on HTTPS requests the
		header is sent with max-age=0 and gives no protection.
		NOTE(review): verify against the Tomcat version shipped with your engine.
		
		For installations that are served over HTTPS only, remove the comment markers
		below. The value is an example (one year). Browsers remember it for that long
		and refuse plain HTTP for the host meanwhile, so enable it only when HTTPS is
		permanent for this host name.
		
		<init-param>
			<param-name>hstsMaxAgeSeconds</param-name>
			<param-value>31536000</param-value>
		</init-param>
		-->
	</filter>
</web-app>