The web.xml file is one step up from the main configuration directory. It is located in the <basedir>/www/WEB-INF directory. This configuration file contains settings that are related to the web application only. Most settings in this file should not be changed because they are vital for the functionality of BASE.
<error-page>
If an error occurs during a page request, the execution is forwarded to the specified JSP which will display information about the error.
<context-param>
: max-url-length: This setting is here to resolve a potential problem with generated URLs that are too long. This may happen when BASE needs to open a pop-up window and a user has selected a lot of items (e.g., several hundred). Typically the generated URL contains all selected IDs. Some web servers have limitations on the length of a URL (e.g., Apache has a default max of 8190 bytes). If the generated URL is longer than this setting, BASE will re-write the request to make the URL shorter and supply the rest of the parameters as part of a POST request instead. This functionality can be disabled by setting this value to 0. For more information see https://base.thep.lu.se/ticket/1032.
<servlet>
: BASE: A servlet that starts BASE when Tomcat starts, and stops BASE when Tomcat stops. Do not modify.
<servlet>
: view/download: File view/download servlet. It is possible to change the default MIME type for use with files of unknown type.
<servlet>
: upload: Servlet for handling file uploads. Do not modify.
<servlet>
: spotimage: Servlet for displaying spot images. Do not modify.
<servlet>
: plotter: Servlet for the plot tool in the analysis section. You may specify max and default values for the width and height for the generated images. The supported image formats are "png" and "jpeg".
<servlet>
: eeplotter: Servlet for the plot tool in the experiment explorer section. It can use the same configuration properties for size and image format as the plotter servlet.
<servlet>
: news-feed: Servlet for generating an RSS feed for the news on the front page. Comment out this servlet if you do not want to use the RSS feed.
<servlet>
: ExtensionsServlet: Servlet for handling startup/shutdown of the extensions system as well as requests to extension servlets. Do not modify. Do not disable even if extensions are not used.
<servlet>
: jsp: Overrides the default JSP servlet defined by Tomcat. The parameters included with the distribution are required, but it may be customized if desired.
<servlet>
: xjsp: Experimental servlet for compiling *.xjsp files used by extensions. The servlet redirects the compilation of *.xjsp files to a compiler that includes the extension-supplied JAR file(s) in the class path. Can be disabled if no extensions use this feature. See also Section 22.1.4, “Installing the X-JSP compiler” for more information about how to enable this feature.
<servlet>
: compile: Experimental servlet for compiling all JSP files. This is mostly useful for developers who want to make sure that no compilation error exists in any JSP file. Can also be used to pre-compile all JSP files to avoid delays during browsing. This servlet is disabled by default.
<filter>
: characterEncoding: A filter that sets the character encoding for the JSP-generated HTML. We recommend leaving this at the default UTF-8 encoding; this default should work with most languages in all modern browsers.
Support for Content Security Policy was added in BASE 3.3. This is a technology that is used to prevent web browsers from accessing and executing content that is considered unsafe. This includes JavaScript, style sheets, images, browser plug-ins, etc. The policy is implemented by white-listing what is allowed; everything else is blocked.
In BASE, we have chosen a relatively restrictive policy which only allows resources to be loaded from the BASE server. Browser plug-ins are always blocked. This should work well for a standard BASE installation, but some (older) extensions to BASE don't adhere to the restrictions implied by the policy and may not work unless it is relaxed a bit. Typically, the problem is that the extension uses inline JavaScript code to handle mouse clicks and other events, which is forbidden by the default policy settings. Adding script-src 'self' 'unsafe-inline'; to the policy setting should take care of most issues. If this is not enough to make the extension work, the following link is a good starting point for reading more about this: http://www.html5rocks.com/en/tutorials/security/content-security-policy/
<filter>
: csp-filter: A filter that sets the Content Security Policy header in all responses from the BASE web server. This filter can be removed to disable the content security policy, but do this only as a last resort if nothing else works.
The following parameters can be specified for the filter:
policy
: The policy string that is sent in the response. The default value is: default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'none';
report-only
: If set, policy violations are only reported and not blocked.
unsafe-resources-policy
: An alternate policy string that is used for extensions that set <about safe-resources="0"> in their definition. The default value is: default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'none'; script-src 'self' 'unsafe-inline';
<servlet>
: csp-report: This servlet is for logging violations of the content security policy. It is disabled by default. To enable logging, this servlet must be enabled and the policy setting for the csp-filter needs to be updated with a report-uri statement. For example: report-uri /{context}/csp-report; where {context} is replaced with the path under which your BASE installation is installed.
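A configuration check for the csp-filter settings described above, added here as an example (it is not part of BASE or its documentation). It reads the filter's init-params from a web.xml and reports where the configured policy is weaker than the default, for instance when 'unsafe-inline' has been added to script-src for an extension; the sample fragment is constructed, and treating any non-empty report-only value as set is an assumption.

```python
import xml.etree.ElementTree as ET

# Default policy string as quoted on this page.
DEFAULT_POLICY = "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'none';"

# Constructed web.xml fragment for the demo (filter-class left out on purpose).
SAMPLE_WEB_XML = """<web-app><filter>
  <filter-name>csp-filter</filter-name>
  <init-param><param-name>policy</param-name><param-value>default-src 'self';
    object-src 'none'; script-src 'self' 'unsafe-inline';</param-value></init-param>
  <init-param><param-name>report-only</param-name><param-value>1</param-value></init-param>
</filter></web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # ignore an XML namespace, if any

def _text(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), None)

def csp_filter_params(web_xml):
    """Return the csp-filter init-params as a dict, or None if the filter is absent."""
    for f in ET.fromstring(web_xml).iter():
        if _local(f.tag) == "filter" and _text(f, "filter-name") == "csp-filter":
            return {_text(p, "param-name"): _text(p, "param-value")
                    for p in f if _local(p.tag) == "init-param"}
    return None

def parse_policy(policy):
    """Split a CSP string into {directive: [sources]}; the first occurrence wins."""
    out = {}
    for tokens in filter(None, (p.split() for p in policy.split(";"))):
        out.setdefault(tokens[0].lower(), tokens[1:])
    return out

def audit(web_xml):
    params = csp_filter_params(web_xml)
    if params is None:
        return ["csp-filter is missing or commented out: no policy header is sent"]
    d = parse_policy(params.get("policy") or DEFAULT_POLICY)
    findings = []
    if "'unsafe-inline'" in d.get("script-src", d.get("default-src", [])):
        findings.append("script-src allows 'unsafe-inline': inline script is not blocked")
    if d.get("object-src", d.get("default-src")) != ["'none'"]:
        findings.append("object-src is not 'none': plug-ins are not blocked")
    if params.get("report-only"):  # assumption: any non-empty value counts as "set"
        findings.append("report-only is set: violations are reported, not blocked")
        if "report-uri" not in d:
            findings.append("no report-uri: reports never reach the csp-report servlet")
    return findings
```

Calling audit(SAMPLE_WEB_XML) returns three findings; a web.xml whose csp-filter has no init-params returns an empty list because the default policy applies.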