Appendix E. web.xml reference

Table of Contents

E.1. Content security policy

The web.xml file is one step up from the main configuration directory. It is located in the <basedir>/www/WEB-INF directory. This configuration file contains settings that are related to the web application only. Most settings in this file should not be changed because they are vital for the functionality of BASE.

<error-page>

If an error occurs during a page request, the execution is forwarded to the specified JSP which will display information about the error.

<context-param>: max-url-length

This setting is here to resolve a potential problem with too long generated URL:s. This may happen when BASE needs to open a pop-up window and a user has selected a lot of items (e.g., several hundred). Typically the generated URL contains all selected ID:s. Some web servers have limitations on the length of an URL (e.g., Apache has a default max of 8190 bytes). If the generated URL is longer that this setting, BASE will re-write the request to make the URL shorter and supply the rest of the parameters as part of a POST request instead. This functionality can disabled by setting this value to 0. For more information see https://base.thep.lu.se/ticket/1032.

<servlet>: BASE

A servlet that starts BASE when Tomcat starts, and stops BASE when Tomcat stops. Do not modify.

<servlet>: view/download

File view/download servlet. It is possible to change the default MIME type for use with files of unknown type.

<servlet>: upload

Servlet for handling file uploads. Do not modify.

<servlet>: spotimage

Servlet for displaying spot images. Do not modify.

<servlet>: plotter

Servlet for the plot tool in the analysis section. You may specify max and default values for the width and height for the generated images. The supported image formats are "png" and "jpeg".

<servlet>: eeplotter

Servlet for the plot tool in the experiment explorer section. It can use the same configuration properties for size and image format as the plotter servlet.

<servlet>: news-feed

Servlet for generating a RSS feed for the news on the front page. Comment out this servlet if you do not want to use the RSS feed.

<servlet>: ExtensionsServlet

Servlet for handling startup/shutdown of the extensions system as well as requests to extension servlets. Do not modify. Do not disable even if extensions are not used.

<servlet>: jsp

Overrides the default JSP servlet defined by Tomcat. The parameters included with the distribution are required, but it may be customized if desired.

<servlet>: xjsp

Experimental servlet for compiling *.xjsp files used by extensions. The servlet redirects the compilation of *.xjsp files to a compiler that includes the extension supplied JAR file(s) in the class path. Can be disabled if no extensions use this feature. See also Section 22.1.4, “Installing the X-JSP compiler” for more information about how to enable this feature.

<servlet>: compile

Experimental servlet for compiling all JSP files. This is mostly useful for developers who want to make sure that no compilation error exists in any JSP file. Can also be used to pre-compile all JSP files to avoid delays during browsing. This servlet is disabled by default.

<filter>: characterEncoding

A filter that sets the character encoding for the JSP generated HTML. We recommend leaving this at the default UTF-8 encoding, this default should work with most language in all modern browsers.

E.1. Content security policy

Support for Content Security Policy was added in BASE 3.3. This is a technology that is used to prevent web browsers from accessing and executing content that is considered unsafe. This includes JavaScript, style sheets, images, browser plug-ins, etc. The policy is implemented by white-listing what is allowed, everything else is blocked.

In BASE, we have choosen a relatively restrictive policy which only allow resources to be lodaded from the BASE server. Browser plug-ins are always blocked. This should work well for a standard BASE installation. But some (older) extensions to BASE doesn't adhere to the restrictions implied by the policy and may not work unless it is relaxed a bit. Typically, the problem is that the extensions uses inline javascript code to handle mouse clicks and other events, which is forbidden by the default policy settings. In this case, the policy must be relaxed a bit. Typically, adding script-src 'self' 'unsafe-inline'; to the policy setting should take care of most issues. If this is not enough to make the extension work the following link is a good starting point for reading more about this: http://www.html5rocks.com/en/tutorials/security/content-security-policy/

<filter>: csp-filter

A filter that sets the Content security policy header in all responses from the BASE web server. This filter can be removed to disable content security policy, but use this only as a last resort if nothing else works.

The following parameters can be specified for the filter:

  • policy: The policy string that is sent in the response. The default value is: default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'none';

  • report-only: If set, policy violations are only reported and not blocked

  • unsafe-resources-policy: An alternate policy string that is used for extensions that set <about safe-resources="0"> in their definition. The default value is: default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'none'; script-src 'self' 'unsafe-inline';

<servlet>: csp-report

This servlet is for logging violations to the content security policy. It is disabled by default. To enable logging, this servlet must be enabled and the policy setting for the csp-filter need to be updated with a report-uri statement. For example: report-uri /{context}/csp-report; where {context} is replaced with the path under which your BASE installation is installed.