Google Git
Sign in
apache / jspwiki / 997c37740b8c2d63138236c94009f1d952a99827 / . / jspwiki-main / src / test / resources / WEB-INF / web.xml
blob: d7acc31d170019a76fa9b58a9745e99b06efe95f [file] [log] [blame]
<?xml version="1.0" encoding="ISO-8859-1"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<!-- This file differs from the production web.xml distributed in
src/main/webapp/WEB-INF in that both the JDBC JNDI references
and container-managed authentication are enabled.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
<description>
JSPWiki is an open source JSP-based WikiClone. It is licensed
under the Apache 2.0 license.
For more information, please come to http://jspwiki.apache.org/
</description>
<display-name>JSPWiki</display-name>
<!-- Resource bundle default location -->
<context-param>
<param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
<param-value>templates.default</param-value>
</context-param>
<!--
WikiServletFilter defines a servlet filter which filters all requests. It was
introduced in JSPWiki 2.4.
In 2.7/2.8, the WikiServlet filter also performs an important security function:
it sets authentication status based on container credentials. It should generally
execute first. Note that if you configure a filter *before* this one that returns
non-null values for getUserPrincipal() or getRemoteUser(), WikiSecurityFilter
will pick the credentials up, and set the user's WikiSession state to
"authenticated." WikiServletFlter will also set the WikiSession's' state
to "authenticated" if jspwiki.properties property "jspwiki.cookieAuthentication"
is set to true, and the user possesses the correct authentication cookie.
Lastly, if jspwiki.properties property "jspwiki.cookieAssertions" is set to true,
WikiServletFilter will also set WikiSession state to "asserted" if the user
possesses the correct "assertion cookie."
-->
<filter>
<filter-name>WikiServletFilter</filter-name>
<filter-class>org.apache.wiki.ui.WikiServletFilter</filter-class>
</filter>
<filter>
<filter-name>WikiJSPFilter</filter-name>
<filter-class>org.apache.wiki.ui.WikiJSPFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>WikiServletFilter</filter-name>
<url-pattern>/attach/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>WikiServletFilter</filter-name>
<url-pattern>/atom/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>WikiServletFilter</filter-name>
<url-pattern>/RPCU/</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>WikiServletFilter</filter-name>
<url-pattern>/RPC2/</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>WikiJSPFilter</filter-name>
<url-pattern>/wiki/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>WikiJSPFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
<!--
HttpSessionListener used for managing WikiSession's.
-->
<listener>
<listener-class>org.apache.wiki.auth.SessionMonitor</listener-class>
</listener>
<!-- servlet context listener to configure API's SPI -->
<listener>
<listener-class>org.apache.wiki.bootstrap.WikiSPIServletContextListener</listener-class>
</listener>
<!--
Now, let's define the XML-RPC interfaces. You probably don't have to
touch these.
First, we'll define the standard XML-RPC interface.
-->
<servlet>
<servlet-name>XMLRPC</servlet-name>
<servlet-class>org.apache.wiki.xmlrpc.RPCServlet</servlet-class>
<init-param>
<param-name>handler</param-name>
<param-value>org.apache.wiki.xmlrpc.RPCHandler</param-value>
</init-param>
<init-param>
<param-name>prefix</param-name>
<param-value>wiki</param-value>
</init-param>
</servlet>
<!--
OK, this then defines that our UTF-8 -capable server.
-->
<servlet>
<servlet-name>XMLRPC-UTF8</servlet-name>
<servlet-class>org.apache.wiki.xmlrpc.RPCServlet</servlet-class>
<init-param>
<param-name>handler</param-name>
<param-value>org.apache.wiki.xmlrpc.RPCHandlerUTF8</param-value>
</init-param>
<init-param>
<param-name>prefix</param-name>
<param-value>wiki</param-value>
</init-param>
</servlet>
<!-- WikiAjaxDispatcherServlet -->
<servlet>
<servlet-name>WikiAjaxDispatcherServlet</servlet-name>
<servlet-class>org.apache.wiki.ajax.WikiAjaxDispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<!-- Atom Publishing Protocol -->
<servlet>
<servlet-name>ATOM</servlet-name>
<servlet-class>org.apache.wiki.rpc.atom.AtomAPIServlet</servlet-class>
</servlet>
<!-- Maps short URLS to JSPs; also, detects webapp shutdown. -->
<servlet>
<servlet-name>WikiServlet</servlet-name>
<servlet-class>org.apache.wiki.WikiServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<!--
Attachment exchange handler.
-->
<servlet>
<servlet-name>AttachmentServlet</servlet-name>
<servlet-class>org.apache.wiki.attachment.AttachmentServlet</servlet-class>
</servlet>
<!-- PLACEHOLDER FOR PRE-COMPILED JSP SERVLETS -->
<!--
And finally, let us tell the servlet container which
URLs should correspond to which XML RPC servlet.
-->
<!-- By default, this is disabled. If you want to enabled it,
just uncomment the whole section. -->
<!-- REMOVE ME TO ENABLE XML-RPC
<servlet-mapping>
<servlet-name>XMLRPC</servlet-name>
<url-pattern>/RPC2/</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>XMLRPC-UTF8</servlet-name>
<url-pattern>/RPCU/</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>ATOM</servlet-name>
<url-pattern>/atom/*</url-pattern>
</servlet-mapping>
AND REMOVE ME TOO -->
<servlet-mapping>
<servlet-name>AttachmentServlet</servlet-name>
<url-pattern>/attach/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>WikiServlet</servlet-name>
<url-pattern>/wiki/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>WikiAjaxDispatcherServlet</servlet-name>
<url-pattern>/ajax/*</url-pattern>
<url-pattern>/admin/ajax/*</url-pattern>
</servlet-mapping>
<!-- This means that we don't have to use redirection
from index.html anymore. Yay! -->
<welcome-file-list>
<welcome-file>Wiki.jsp</welcome-file>
</welcome-file-list>
<!-- Error pages -->
<error-page>
<error-code>403</error-code>
<location>/error/Forbidden.html</location>
</error-page>
<resource-ref>
<description>
Resource reference to JNDI factory for the JDBCUserDatabase.
</description>
<res-ref-name>
jdbc/UserDatabase
</res-ref-name>
<res-type>
javax.sql.DataSource
</res-type>
<res-auth>
Container
</res-auth>
</resource-ref>
<resource-ref>
<description>
Resource reference to JNDI factory for the JDBCGroupDatabase.
</description>
<res-ref-name>
jdbc/GroupDatabase
</res-ref-name>
<res-type>
javax.sql.DataSource
</res-type>
<res-auth>
Container
</res-auth>
</resource-ref>
<!-- REMOVE ME TO ENABLE JAVAMAIL
<resource-ref>
<description>Resource reference to a container-managed JNDI JavaMail factory for sending e-mails.</description>
<res-ref-name>mail/Session</res-ref-name>
<res-type>javax.mail.Session</res-type>
<res-auth>Container</res-auth>
</resource-ref>
REMOVE ME TO ENABLE JAVAMAIL -->
<!--
CONTAINER-MANAGED AUTHENTICATION & AUTHORIZATION
Here we define the users which are allowed to access JSPWiki.
These restrictions cause the web container to apply further
contraints to the default security policy in jspwiki.policy,
and should be suitable for a corporate intranet or public wiki.
In particular, the restrictions below allow all users to
read documents, but only Authenticated users can comment
on or edit them (i.e., access the Edit.jsp page).
Users with the role Admin are the only persons who can
delete pages.
To implement this policy, the container enforces two web
resource constraints: one for the Administrator resources,
and one for Authenticated users. Note that the "role-name"
values are significant and should match the role names
retrieved by your web container's security realm. The roles
of "Admin" and "Authenticated" are assigned by the web
container at login time.
For example, if you are using Tomcat's built-in "memory realm",
you should edit the $CATALINA_HOME/conf/tomcat-users.xml file
and add the desired actual user accounts. Each user must possess
one or both of the Admin or Authenticated roles. For other realm
types, consult your web container's documentation.
Alternatively, you could also replace all references to
"Authenticated" and "Admin" with role names that match those
returned by your container's security realm. We don't care
either way, as long as they match.
Note that accessing protected resources will cause your
container to try to use SSL (default port for Tomcat is 8443)
to secure the web session. This, of course, assumes your
web container (or web server) is configured with SSL support.
If you do not wish to use SSL, remove the "user-data-constraint"
elements.
-->
<security-constraint>
<web-resource-collection>
<web-resource-name>Administrative Area</web-resource-name>
<url-pattern>/Delete.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Authenticated area</web-resource-name>
<url-pattern>/Edit.jsp</url-pattern>
<url-pattern>/Comment.jsp</url-pattern>
<url-pattern>/Login.jsp</url-pattern>
<url-pattern>/NewGroup.jsp</url-pattern>
<url-pattern>/Rename.jsp</url-pattern>
<url-pattern>/Upload.jsp</url-pattern>
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>HEAD</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>Read-only Area</web-resource-name>
<url-pattern>/attach</url-pattern>
<http-method>DELETE</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
<role-name>Authenticated</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/LoginForm.jsp</form-login-page>
<form-error-page>/LoginForm.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>
This logical role includes all authenticated users
</description>
<role-name>Authenticated</role-name>
</security-role>
<security-role>
<description>
This logical role includes all administrative users
</description>
<role-name>Admin</role-name>
</security-role>
</web-app>