web.xml

[engineDir]/configuration/reference/web.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
  ========================================================================
   Configures the embedded Tomcat Webserver of Axon.ivy
  ========================================================================

  This file shows the default configuration of the embedded Tomcat Webserver.

  Copy contents of this reference file to 'configuration/web.xml' before adjusting
  them to your needs. Changing this file has no effect.

  See apache tomcat documentation for more information about this configuration:
  http://tomcat.apache.org/tomcat-9.0-doc/config/

  After a change in the web.xml a restart of Axon.ivy is required
  to apply the new configuration.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
  version="4.0">

  <!-- ======================= Error pages ================================ -->
  <!--
      Custom error pages can be added with error-page elements.
      The referenced error page must be placed in the folder 'webapps/ivy'.
      Use the /faces location prefix for xhtml pages.

      An error-page element that has neither <error-code> nor <exception-type>
      is the default page for every error without a more specific entry.

      The pre-configured default error page is:
    -->
    <error-page>
      <location>/faces/ivy-error-page.xhtml</location>
    </error-page>
    <!--
      By adding an <error-code> or an <exception-type> element to an
      <error-page> entry it is also possible to configure a specific error
      page for a status code or for a kind of exception:

    <error-page>
      <exception-type>java.lang.Throwable</exception-type>
      <location>/faces/custom-exception-error-page.xhtml</location>
    </error-page>
    <error-page>
      <error-code>404</error-code>
      <location>/faces/custom-404-error-page.xhtml</location>
    </error-page>

    Implementation:
    Use the 'ErrorPageMBean' to retrieve information about the thrown exception and the environment:
    https://developer.axonivy.com/doc/latest/public-api/ch/ivyteam/ivy/webserver/ErrorPageMBean.html

    Security note:
    An error page is returned to whichever client triggered the error.
    Exception messages, stack traces and environment details rendered on a
    custom page disclose internals of the installation, so keep the page
    generic on production systems and leave the details to the server log.
  -->

  <!-- ==================== Default Session Configuration ================= -->
  <session-config>
    <!--
    session-timeout: [default=30]

    Defines the amount of time in minutes after which an inactive user session will be closed.
    Closing sessions means that server side state (e.g. Html Dialog instance) is flushed.
    A shorter timeout also shortens the time during which an abandoned or
    stolen session id remains usable.
    -->
    <session-timeout>30</session-timeout>

    <!--
    cookie-config/secure: [default=false]

    Enable the secure flag when accessing the Webserver over HTTPS (strongly recommended).
    When enabled the session cookie is only transmitted over HTTPS and not over HTTP.

    Without the flag the browser also sends the session cookie on plain HTTP
    requests to the same host, where it can be read on the network.
    Set the flag explicitly when TLS is terminated by a reverse proxy in front
    of the Webserver: the embedded Tomcat then receives plain HTTP and
    presumably cannot tell by itself that the client connection is encrypted
    (verify against your proxy and connector setup).
    Do not enable it on an installation that is reached over HTTP only; the
    browser would no longer return the cookie and every request would start
    a new session.
    -->
    <!--
    <cookie-config>
      <secure>true</secure>
    </cookie-config>
    -->
  </session-config>

  <!-- ==================== Security Headers ============================== -->

  <!-- Some commonly recommended HTTP Security Headers are configured here  -->
  <!-- for all the web applications.                                        -->
  <!-- These Security Headers are added on the HTTP Responses               -->
  <!-- to the Client Browser.                                               -->
  <!-- But not all Security Headers are supported by all Web browsers.      -->
  <!-- See: https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html     -->
  <!--                                                                      -->
  <!-- |=========================|===============|                          -->
  <!-- | HEADER                  | VALUE         |                          -->
  <!-- |=========================|===============|                          -->
  <!-- | X-Frame-Options         | SAMEORIGIN    |                          -->
  <!-- | X-XSS-Protection        | 1; mode=block |                          -->
  <!-- | X-Content-Type-Options  | nosniff       |                          -->
  <!-- |=========================|===============|                          -->
  <!--
    Only X-Frame-Options is set explicitly below (antiClickJackingOption).
    The other two headers of the table are not configured in this file; they
    rely on the defaults of the filter as described in the Tomcat 9
    documentation linked above, so re-check the table after a Tomcat upgrade.

    Not covered by this configuration:
    - Strict-Transport-Security: the filter only sends it when the init-param
      'hstsEnabled' is set to true. Consider it for installations that are
      served over HTTPS only.
    - Content-Security-Policy: not set by this filter.
    - X-XSS-Protection is ignored by current browsers and gives no protection
      there; it does not replace output encoding or a Content-Security-Policy.
  -->

  <!-- Applies the filter to every URL, for requests that come directly from
       the client (dispatcher REQUEST). -->
  <filter-mapping>
    <filter-name>httpSecurityHeaders</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
  <!-- Tomcat filter that adds the security headers to the response. -->
  <filter>
    <filter-name>httpSecurityHeaders</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <!-- SAMEORIGIN lets pages be framed by pages of the same origin only. -->
    <init-param>
      <param-name>antiClickJackingOption</param-name>
      <param-value>SAMEORIGIN</param-value>
    </init-param>
  </filter>
</web-app>