| <?xml version="1.0" encoding="ISO-8859-1"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| --> |
| |
| <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" |
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |
| xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" |
| version="3.1"> |
| |
| <description> |
| JSPWiki is an open source JSP-based WikiClone. It is licensed |
| under the Apache 2.0 license. |
| |
| For more information, please come to http://jspwiki.apache.org/ |
| </description> |
| <display-name>JSPWiki</display-name> |
| |
| <!-- Resource bundle default location --> |
| <context-param> |
| <param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name> |
| <param-value>templates.default</param-value> |
| </context-param> |
| |
| <!-- |
| WikiServletFilter defines a servlet filter which filters all requests. It was |
| introduced in JSPWiki 2.4. |
| |
| In 2.7/2.8, the WikiServlet filter also performs an important security function: |
| it sets authentication status based on container credentials. It should generally |
| execute first. Note that if you configure a filter *before* this one that returns |
| non-null values for getUserPrincipal() or getRemoteUser(), WikiSecurityFilter |
| will pick the credentials up, and set the user's WikiSession state to |
| "authenticated." WikiServletFlter will also set the WikiSession's' state |
| to "authenticated" if jspwiki.properties property "jspwiki.cookieAuthentication" |
| is set to true, and the user possesses the correct authentication cookie. |
| |
| Lastly, if jspwiki.properties property "jspwiki.cookieAssertions" is set to true, |
| WikiServletFilter will also set WikiSession state to "asserted" if the user |
| possesses the correct "assertion cookie." |
| --> |
| |
| <filter> |
| <filter-name>WikiServletFilter</filter-name> |
| <filter-class>org.apache.wiki.ui.WikiServletFilter</filter-class> |
| </filter> |
| <filter> |
| <filter-name>WikiJSPFilter</filter-name> |
| <filter-class>org.apache.wiki.ui.WikiJSPFilter</filter-class> |
| </filter> |
| |
| <filter-mapping> |
| <filter-name>WikiServletFilter</filter-name> |
| <url-pattern>/attach/*</url-pattern> |
| </filter-mapping> |
| <filter-mapping> |
| <filter-name>WikiServletFilter</filter-name> |
| <url-pattern>/atom/*</url-pattern> |
| </filter-mapping> |
| <filter-mapping> |
| <filter-name>WikiServletFilter</filter-name> |
| <url-pattern>/RPCU/</url-pattern> |
| </filter-mapping> |
| <filter-mapping> |
| <filter-name>WikiServletFilter</filter-name> |
| <url-pattern>/RPC2/</url-pattern> |
| </filter-mapping> |
| <filter-mapping> |
| <filter-name>WikiServletFilter</filter-name> |
| <url-pattern>/JSON-RPC</url-pattern> |
| </filter-mapping> |
| <filter-mapping> |
| <filter-name>WikiJSPFilter</filter-name> |
| <url-pattern>/wiki/*</url-pattern> |
| </filter-mapping> |
| <filter-mapping> |
| <filter-name>WikiJSPFilter</filter-name> |
| <url-pattern>*.jsp</url-pattern> |
| </filter-mapping> |
| |
| <!-- |
| HttpSessionListener used for managing WikiSession's. |
| --> |
| <listener> |
| <listener-class>org.apache.wiki.auth.SessionMonitor</listener-class> |
| </listener> |
| |
| <!-- servlet context listener to configure API's SPI --> |
| <listener> |
| <listener-class>org.apache.wiki.bootstrap.WikiSPIServletContextListener</listener-class> |
| </listener> |
| |
| <!-- |
| Now, let's define the XML-RPC interfaces. You probably don't have to |
| touch these. |
| |
| First, we'll define the standard XML-RPC interface. |
| --> |
| <servlet> |
| <servlet-name>XMLRPC</servlet-name> |
| <servlet-class>org.apache.wiki.xmlrpc.RPCServlet</servlet-class> |
| <init-param> |
| <param-name>handler</param-name> |
| <param-value>org.apache.wiki.xmlrpc.RPCHandler</param-value> |
| </init-param> |
| |
| <init-param> |
| <param-name>prefix</param-name> |
| <param-value>wiki</param-value> |
| </init-param> |
| </servlet> |
| |
| <!-- |
| OK, this then defines that our UTF-8 -capable server. |
| --> |
| |
| <servlet> |
| <servlet-name>XMLRPC-UTF8</servlet-name> |
| <servlet-class>org.apache.wiki.xmlrpc.RPCServlet</servlet-class> |
| <init-param> |
| <param-name>handler</param-name> |
| <param-value>org.apache.wiki.xmlrpc.RPCHandlerUTF8</param-value> |
| </init-param> |
| |
| <init-param> |
| <param-name>prefix</param-name> |
| <param-value>wiki</param-value> |
| </init-param> |
| </servlet> |
| |
| <!-- JSON AJAX API --> |
| <servlet> |
| <servlet-name>com.metaparadigm.jsonrpc.JSONRPCServlet</servlet-name> |
| <servlet-class>com.metaparadigm.jsonrpc.JSONRPCServlet</servlet-class> |
| </servlet> |
| |
| <!-- Atom Publishing Protocol --> |
| <servlet> |
| <servlet-name>ATOM</servlet-name> |
| <servlet-class>org.apache.wiki.rpc.atom.AtomAPIServlet</servlet-class> |
| </servlet> |
| |
| <!-- Maps short URLS to JSPs; also, detects webapp shutdown. --> |
| <servlet> |
| <servlet-name>WikiServlet</servlet-name> |
| <servlet-class>org.apache.wiki.WikiServlet</servlet-class> |
| <load-on-startup>1</load-on-startup> |
| </servlet> |
| |
| <!-- |
| Attachment exchange handler. |
| --> |
| |
| <servlet> |
| <servlet-name>AttachmentServlet</servlet-name> |
| <servlet-class>org.apache.wiki.attachment.AttachmentServlet</servlet-class> |
| </servlet> |
| |
| <servlet-mapping> |
| <servlet-name>AttachmentServlet</servlet-name> |
| <url-pattern>/attach/*</url-pattern> |
| </servlet-mapping> |
| |
| <servlet-mapping> |
| <servlet-name>WikiServlet</servlet-name> |
| <url-pattern>/wiki/*</url-pattern> |
| </servlet-mapping> |
| |
| <servlet-mapping> |
| <servlet-name>com.metaparadigm.jsonrpc.JSONRPCServlet</servlet-name> |
| <url-pattern>/JSON-RPC</url-pattern> |
| </servlet-mapping> |
| |
| <!-- This means that we don't have to use redirection |
| from index.html anymore. Yay! --> |
| <welcome-file-list> |
| <welcome-file>Wiki.jsp</welcome-file> |
| </welcome-file-list> |
| |
| <!-- Error pages --> |
| <error-page> |
| <error-code>403</error-code> |
| <location>/error/Forbidden.html</location> |
| </error-page> |
| |
| <!-- |
| CONTAINER-MANAGED AUTHENTICATION & AUTHORIZATION |
| |
| Here we define the users which are allowed to access JSPWiki. |
| These restrictions cause the web container to apply further |
| constraints to the default security policy in jspwiki.policy, |
| and should be suitable for a corporate intranet or public wiki. |
| |
| In particular, the restrictions below allow all users to |
| read documents, but only Authenticated users can comment |
| on or edit them (i.e., access the Edit.jsp page). |
| Users with the role Admin are the only persons who can |
| delete pages. |
| |
| To implement this policy, the container enforces two web |
| resource constraints: one for the Administrator resources, |
| and one for Authenticated users. Note that the "role-name" |
| values are significant and should match the role names |
| retrieved by your web container's security realm. The roles |
| of "Admin" and "Authenticated" are assigned by the web |
| container at login time. |
| |
| For example, if you are using Tomcat's built-in "memory realm", |
| you should edit the $CATALINA_HOME/conf/tomcat-users.xml file |
| and add the desired actual user accounts. Each user must possess |
| one or both of the Admin or Authenticated roles. For other realm |
| types, consult your web container's documentation. |
| |
| Alternatively, you could also replace all references to |
| "Authenticated" and "Admin" with role names that match those |
| returned by your container's security realm. We don't care |
| either way, as long as they match. |
| |
| Note that accessing protected resources will cause your |
| container to try to use SSL (default port for Tomcat is 8443) |
| to secure the web session. This, of course, assumes your |
| web container (or web server) is configured with SSL support. |
| If you do not wish to use SSL, remove the "user-data-constraint" |
| elements. |
| --> |
| |
| <security-constraint> |
| <web-resource-collection> |
| <web-resource-name>Administrative Area</web-resource-name> |
| <url-pattern>/Delete.jsp</url-pattern> |
| </web-resource-collection> |
| <auth-constraint> |
| <role-name>Admin</role-name> |
| </auth-constraint> |
| <user-data-constraint> |
| <transport-guarantee>NONE</transport-guarantee> |
| </user-data-constraint> |
| </security-constraint> |
| |
| <security-constraint> |
| <web-resource-collection> |
| <web-resource-name>Authenticated area</web-resource-name> |
| <url-pattern>/Edit.jsp</url-pattern> |
| <url-pattern>/Comment.jsp</url-pattern> |
| <url-pattern>/Login.jsp</url-pattern> |
| <url-pattern>/NewGroup.jsp</url-pattern> |
| <url-pattern>/Rename.jsp</url-pattern> |
| <url-pattern>/Upload.jsp</url-pattern> |
| <http-method>DELETE</http-method> |
| <http-method>GET</http-method> |
| <http-method>HEAD</http-method> |
| <http-method>POST</http-method> |
| <http-method>PUT</http-method> |
| </web-resource-collection> |
| |
| <web-resource-collection> |
| <web-resource-name>Read-only Area</web-resource-name> |
| <url-pattern>/attach</url-pattern> |
| <http-method>DELETE</http-method> |
| <http-method>POST</http-method> |
| <http-method>PUT</http-method> |
| </web-resource-collection> |
| |
| <auth-constraint> |
| <role-name>Admin</role-name> |
| <role-name>Authenticated</role-name> |
| </auth-constraint> |
| |
| <user-data-constraint> |
| <transport-guarantee>NONE</transport-guarantee> |
| </user-data-constraint> |
| </security-constraint> |
| |
| <login-config> |
| <auth-method>FORM</auth-method> |
| <form-login-config> |
| <form-login-page>/LoginForm.jsp</form-login-page> |
| <form-error-page>/LoginForm.jsp</form-error-page> |
| </form-login-config> |
| </login-config> |
| |
| <security-role> |
| <description> |
| This logical role includes all authenticated users |
| </description> |
| <role-name>Authenticated</role-name> |
| </security-role> |
| |
| <security-role> |
| <description> |
| This logical role includes all administrative users |
| </description> |
| <role-name>Admin</role-name> |
| </security-role> |
| |
| </web-app> |