1<?xml version="1.0" encoding="UTF-8"?>
2<!--
3
4    Copyright (c) 2010, 2018 Oracle and/or its affiliates. All rights reserved.
5
6    This program and the accompanying materials are made available under the
7    terms of the Eclipse Public License v. 2.0, which is available at
8    http://www.eclipse.org/legal/epl-2.0.
9
10    This Source Code may also be made available under the following Secondary
11    Licenses when the conditions for such availability set forth in the
12    Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
13    version 2 with the GNU Classpath Exception, which is available at
14    https://www.gnu.org/software/classpath/license.html.
15
16    SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
17
18-->
19
20<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="3.0" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
21    <context-param>
22        <param-name>com.sun.jsftemplating.DEBUG</param-name>
23        <param-value>false</param-value>
24    </context-param>
25    <context-param>
26        <param-name>com.sun.faces.enableMultiThreadedStartup</param-name>
27        <param-value>true</param-value>
28    </context-param>
29    <context-param>
30        <param-name>com.sun.jsftemplating.FS_DENY_PATHS</param-name>
31        <param-value>META-INF/:WEB-INF/:*.jsf:*.inc:*.xhtml:*.xml</param-value>
32    </context-param>
33    <context-param>
34        <param-name>com.sun.jsftemplating.CLASSLOADER</param-name>
35        <param-value>org.glassfish.admingui.common.plugin.ConsoleClassLoader</param-value>
36    </context-param>
37    <context-param>
38        <param-name>com.sun.jsftemplating.RESOURCE_PREFIX</param-name>
39        <param-value>/html</param-value>
40    </context-param>
41    <context-param>
42        <param-name>com.sun.faces.enableRestoreView11Compatibility</param-name>
43        <param-value>true</param-value>
44    </context-param>
45    <context-param>
46        <param-name>javax.faces.VALIDATE_EMPTY_FIELDS</param-name>
47        <param-value>false</param-value>
48    </context-param>
49    <context-param>
50        <param-name>javax.faces.validator.DISABLE_DEFAULT_BEAN_VALIDATOR</param-name>
51        <param-value>true</param-value>
52    </context-param>
53
54    <filter>
55        <filter-name>UploadFilter</filter-name>
56        <filter-class>com.sun.webui.jsf.util.UploadFilter</filter-class>
57        <init-param>
58            <param-name>maxSize</param-name>
59            <param-value>-1</param-value>
60        </init-param>
61    </filter>
62    <filter-mapping>
63        <filter-name>UploadFilter</filter-name>
64        <servlet-name>FacesServlet</servlet-name>
65    </filter-mapping>
66    <servlet>
67        <servlet-name>FacesServlet</servlet-name>
68        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
69        <load-on-startup>1</load-on-startup>
70    </servlet>
71    <servlet>
72        <servlet-name>ThemeServlet</servlet-name>
73        <servlet-class>com.sun.webui.theme.ThemeServlet</servlet-class>
74        <load-on-startup>2</load-on-startup>
75    </servlet>
76    <servlet>
77	<servlet-name>DownloadServlet</servlet-name>
78	<servlet-class>org.glassfish.admingui.common.servlet.DownloadServlet</servlet-class>
79	<init-param>
80	    <param-name>ContentSources</param-name>
81	    <param-value>
82                org.glassfish.admingui.common.servlet.LBConfigContentSource,
83                org.glassfish.admingui.common.servlet.ClientStubsContentSource,
84                org.glassfish.admingui.common.servlet.LogFilesContentSource
85                org.glassfish.admingui.common.servlet.LogViewerContentSource
86	    </param-value>
87	</init-param>
88	<init-param>
89		<param-name>contentSourceId</param-name>
90		<param-value>LBConfig</param-value>
91	</init-param>
92    </servlet>
93    <servlet-mapping>
94	<servlet-name>DownloadServlet</servlet-name>
95	<url-pattern>/download/*</url-pattern>
96    </servlet-mapping>
97    <servlet-mapping>
98        <servlet-name>FacesServlet</servlet-name>
99        <url-pattern>/resource/*</url-pattern>
100    </servlet-mapping>
101    <servlet-mapping>
102        <servlet-name>FacesServlet</servlet-name>
103        <url-pattern>/html/*</url-pattern>
104    </servlet-mapping>
105    <servlet-mapping>
106        <servlet-name>FacesServlet</servlet-name>
107        <url-pattern>/faces/*</url-pattern>
108    </servlet-mapping>
109    <servlet-mapping>
110        <servlet-name>FacesServlet</servlet-name>
111        <url-pattern>*.jsf</url-pattern>
112    </servlet-mapping>
113    <servlet-mapping>
114        <servlet-name>ThemeServlet</servlet-name>
115        <url-pattern>/theme/*</url-pattern>
116    </servlet-mapping>
117    <session-config>
118        <cookie-config>
119            <http-only>true</http-only>
120        </cookie-config>
121    </session-config>
122    <!-- following mapping added to avoid JSF warning. refer to GLASSFISH-19403 -->
123    <mime-mapping>
124        <extension>jsp</extension>
125        <mime-type>text/html</mime-type>
126    </mime-mapping>
127
128    <welcome-file-list>
129        <welcome-file>/index.jsf</welcome-file>
130    </welcome-file-list>
131    <error-page>
132        <exception-type>javax.faces.application.ViewExpiredException</exception-type>
133        <location>/</location>
134    </error-page>
135
136    <!-- only user from admin realm can access any URL pattern -->
137    <security-constraint>
138        <web-resource-collection>
139            <web-resource-name>protected</web-resource-name>
140            <url-pattern>/*</url-pattern>
141        </web-resource-collection>
142        <auth-constraint>
143            <role-name>admin</role-name>
144        </auth-constraint>
145    </security-constraint>
146
147
148    <!-- resources like images, css, etc. there is no executable code, and everyone should be able to do a GET , this is for presenting the login page. -->
149    <security-constraint>
150        <web-resource-collection>
151            <web-resource-name>public</web-resource-name>
152            <url-pattern>/theme/com/*</url-pattern>
153            <url-pattern>/theme/org/*</url-pattern>
154            <url-pattern>/resource/*</url-pattern>
155            <url-pattern>/theme/META-INF/*</url-pattern>
156            <http-method>GET</http-method>
157        </web-resource-collection>
158    </security-constraint>
159
160    <!-- The following constraint is added to avoid the WARNING or INFO msg for uncovered http method.  This will not allow *anyone*  to do any method
161         except GET on these resources. -->
162    <security-constraint>
163        <web-resource-collection>
164            <web-resource-name>public</web-resource-name>
165            <url-pattern>/theme/com/*</url-pattern>
166            <url-pattern>/theme/org/*</url-pattern>
167            <url-pattern>/resource/*</url-pattern>
168            <url-pattern>/theme/META-INF/*</url-pattern>
169            <http-method-omission>GET</http-method-omission>
170        </web-resource-collection>
171        <auth-constraint/>
172    </security-constraint>
173
174
175
176    <login-config>
177        <auth-method>FORM</auth-method>
178        <realm-name>admin-realm</realm-name>
179        <form-login-config>
180            <form-login-page>/login.jsf</form-login-page>
181            <form-error-page>/loginError.jsf</form-error-page>
182        </form-login-config>
183    </login-config>
184    <security-role>
185        <role-name>admin</role-name>
186    </security-role>
187</web-app>
188