Bug 510598: Update web.xml and servlet.xml
diff --git a/org.eclipse.gemini.web.tomcat/src/main/resources/META-INF/tomcat/default-server.xml b/org.eclipse.gemini.web.tomcat/src/main/resources/META-INF/tomcat/default-server.xml
index c20dfe5..dc49e00 100644
--- a/org.eclipse.gemini.web.tomcat/src/main/resources/META-INF/tomcat/default-server.xml
+++ b/org.eclipse.gemini.web.tomcat/src/main/resources/META-INF/tomcat/default-server.xml
@@ -1,4 +1,4 @@
-<?xml version='1.0' encoding='utf-8'?>

+<?xml version="1.0" encoding="UTF-8"?>

 <!--

   Licensed to the Apache Software Foundation (ASF) under one or more

   contributor license agreements.  See the NOTICE file distributed with

@@ -48,10 +48,10 @@
 

     <!-- A "Connector" represents an endpoint by which requests are received

          and responses are returned. Documentation at :

-         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)

+         Java HTTP Connector: /docs/config/http.html

          Java AJP  Connector: /docs/config/ajp.html

          APR (HTTP/AJP) Connector: /docs/apr.html

-         Define a non-SSL HTTP/1.1 Connector on port 8080

+         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080

     -->

     <Connector port="8080" protocol="HTTP/1.1"

                connectionTimeout="20000"

@@ -63,15 +63,40 @@
                connectionTimeout="20000"

                redirectPort="8443" />

     -->

-    <!-- Define a SSL HTTP/1.1 Connector on port 8443

-         This connector uses the NIO implementation that requires the JSSE

-         style configuration. When using the APR/native implementation, the

-         OpenSSL style configuration is required as described in the APR/native

-         documentation -->

+    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443

+         This connector uses the NIO implementation. The default

+         SSLImplementation will depend on the presence of the APR/native

+         library and the useOpenSSL attribute of the

+         AprLifecycleListener.

+         Either JSSE or OpenSSL style configuration may be used regardless of

+         the SSLImplementation selected. JSSE style configuration is used below.

+    -->

     <!--

     <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"

-               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"

-               clientAuth="false" sslProtocol="TLS" />

+               maxThreads="150" SSLEnabled="true">

+        <SSLHostConfig>

+            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"

+                         type="RSA" />

+        </SSLHostConfig>

+    </Connector>

+    -->

+    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2

+         This connector uses the APR/native implementation which always uses

+         OpenSSL for TLS.

+         Either JSSE or OpenSSL style configuration may be used. OpenSSL style

+         configuration is used below.

+    -->

+    <!--

+    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"

+               maxThreads="150" SSLEnabled="true" >

+        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />

+        <SSLHostConfig>

+            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"

+                         certificateFile="conf/localhost-rsa-cert.pem"

+                         certificateChainFile="conf/localhost-rsa-chain.pem"

+                         type="RSA" />

+        </SSLHostConfig>

+    </Connector>

     -->

 

     <!-- Define an AJP 1.3 Connector on port 8009 -->
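Review bot: The JSSE-style example `<Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" />` carries no `certificateKeystorePassword`, and the enclosing `<SSLHostConfig>` sets no `protocols` or `ciphers`, so a deployer who uncomments it inherits Tomcat's defaults for all three, including Tomcat's documented default keystore password. Because the example sits inside an XML comment, a nested comment cannot be added next to it; the prose block above it (the one ending "JSSE style configuration is used below.") could gain a sentence such as `Set certificateKeystorePassword and restrict protocols/ciphers explicitly before enabling this connector.` The same applies to the APR/OpenSSL example that follows, whose `certificateKeyFile` has no `certificateKeyPassword`. Both examples are commented-out template text, so this hunk changes no runtime behaviour on its own.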

diff --git a/org.eclipse.gemini.web.tomcat/src/main/resources/conf/web.xml b/org.eclipse.gemini.web.tomcat/src/main/resources/conf/web.xml
index 9361fa6..af94d91 100755
--- a/org.eclipse.gemini.web.tomcat/src/main/resources/conf/web.xml
+++ b/org.eclipse.gemini.web.tomcat/src/main/resources/conf/web.xml
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>

+<?xml version="1.0" encoding="UTF-8"?>

 <!--

   Licensed to the Apache Software Foundation (ASF) under one or more

   contributor license agreements.  See the NOTICE file distributed with
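Review bot: The declaration now claims `encoding="UTF-8"` while the file's bytes are otherwise untouched by this hunk; if the document contains any non-ASCII characters that were stored as ISO-8859-1, they are now mis-decoded and a strict parser may reject the file. Worth confirming the file is pure ASCII or was transcoded in the same change; the license header visible here is ASCII, but the remainder of the file is outside the hunk.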

@@ -42,7 +42,8 @@
   <!-- parameters (default values are in square brackets):                  -->

   <!--                                                                      -->

   <!--   debug               Debugging detail level for messages logged     -->

-  <!--                       by this servlet.  [0]                          -->

+  <!--                       by this servlet. Useful values are 0, 1, and   -->

+  <!--                       11 where higher values mean more detail. [0]   -->

   <!--                                                                      -->

   <!--   fileEncoding        Encoding to be used to read static resources   -->

   <!--                       [platform default]                             -->

@@ -162,6 +163,8 @@
   <!--   engineOptionsClass  Allows specifying the Options class used to    -->

   <!--                       configure Jasper. If not present, the default  -->

   <!--                       EmbeddedServletOptions will be used.           -->

+  <!--                       This option is ignored when running under a    -->

+  <!--                       SecurityManager.                               -->

   <!--                                                                      -->

   <!--   errorOnUseBeanInvalidClassAttribute                                -->

   <!--                       Should Jasper issue an error when the value of -->

@@ -223,6 +226,8 @@
   <!--   scratchdir          What scratch directory should we use when      -->

   <!--                       compiling JSP pages?  [default work directory  -->

   <!--                       for the current web application]               -->

+  <!--                       This option is ignored when running under a    -->

+  <!--                       SecurityManager.                               -->

   <!--                                                                      -->

   <!--   suppressSmap        Should the generation of SMAP info for JSR45   -->

   <!--                       debugging be suppressed?  [false]              -->

@@ -232,6 +237,16 @@
   <!--                                                                      -->

   <!--   xpoweredBy          Determines whether X-Powered-By response       -->

   <!--                       header is added by generated servlet.  [false] -->

+  <!--                                                                      -->

+  <!--   strictQuoteEscaping When scriptlet expressions are used for        -->

+  <!--                       attribute values, should the rules in JSP.1.6  -->

+  <!--                       for the escaping of quote characters be        -->

+  <!--                       strictly applied? [true]                       -->

+  <!--                                                                      -->

+  <!--   quoteAttributeEL    When EL is used in an attribute value on a     -->

+  <!--                       JSP page should the rules for quoting of       -->

+  <!--                       attributes described in JSP.1.6 be applied to  -->

+  <!--                       the expression? [true]                         -->

 

     <servlet>

         <servlet-name>jsp</servlet-name>

@@ -320,12 +335,18 @@
   <!--                        If not set, then webAppRootDir is used.       -->

   <!--                        Recommended value: WEB-INF/cgi                -->

   <!--                                                                      -->

-  <!--   debug                Debugging detail level for messages logged    -->

-  <!--                        by this servlet.  [0]                         -->

-  <!--                                                                      -->

   <!--   executable           Name of the executable used to run the        -->

   <!--                        script. [perl]                                -->

   <!--                                                                      -->

+  <!--   envHttpHeaders       A regular expression used to select the HTTP  -->

+  <!--                        headers passed to the CGI process as          -->

+  <!--                        environment variables. Note that headers are  -->

+  <!--                        converted to upper case before matching and   -->

+  <!--                        that the entire header name must match the    -->

+  <!--                        pattern.                                      -->

+  <!--                        [ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|  -->

+  <!--                         IF-[-0-9A-Z]*|REFERER|USER-AGENT]            -->

+  <!--                                                                      -->

   <!--   parameterEncoding    Name of parameter encoding to be used with    -->

   <!--                        CGI servlet.                                  -->

   <!--                        [System.getProperty("file.encoding","UTF-8")] -->

@@ -342,14 +363,10 @@
         <servlet-name>cgi</servlet-name>

         <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>

         <init-param>

-          <param-name>debug</param-name>

-          <param-value>0</param-value>

-        </init-param>

-        <init-param>

           <param-name>cgiPathPrefix</param-name>

           <param-value>WEB-INF/cgi</param-value>

         </init-param>

-         <load-on-startup>5</load-on-startup>

+        <load-on-startup>5</load-on-startup>

     </servlet>

 -->

 

@@ -395,6 +412,46 @@
 

   <!-- ================== Built In Filter Definitions ===================== -->

 

+  <!-- A filter that sets various security related HTTP Response headers.   -->

+  <!-- This filter supports the following initialization parameters         -->

+  <!-- (default values are in square brackets):                             -->

+  <!--                                                                      -->

+  <!--   hstsEnabled         Should the HTTP Strict Transport Security      -->

+  <!--                       (HSTS) header be added to the response? See    -->

+  <!--                       RFC 6797 for more information on HSTS. [true]  -->

+  <!--                                                                      -->

+  <!--   hstsMaxAgeSeconds   The max age value that should be used in the   -->

+  <!--                       HSTS header. Negative values will be treated   -->

+  <!--                       as zero. [0]                                   -->

+  <!--                                                                      -->

+  <!--   hstsIncludeSubDomains                                              -->

+  <!--                       Should the includeSubDomains parameter be      -->

+  <!--                       included in the HSTS header.                   -->

+  <!--                                                                      -->

+  <!--   antiClickJackingEnabled                                            -->

+  <!--                       Should the anti click-jacking header           -->

+  <!--                       X-Frame-Options be added to every response?    -->

+  <!--                       [true]                                         -->

+  <!--                                                                      -->

+  <!--   antiClickJackingOption                                             -->

+  <!--                       What value should be used for the header. Must -->

+  <!--                       be one of DENY, SAMEORIGIN, ALLOW-FROM         -->

+  <!--                       (case-insensitive). [DENY]                     -->

+  <!--                                                                      -->

+  <!--   antiClickJackingUri IF ALLOW-FROM is used, what URI should be      -->

+  <!--                       allowed? []                                    -->

+  <!--                                                                      -->

+  <!--   blockContentTypeSniffingEnabled                                    -->

+  <!--                       Should the header that blocks content type     -->

+  <!--                       sniffing be added to every response? [true]    -->

+<!--

+    <filter>

+        <filter-name>httpHeaderSecurity</filter-name>

+        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>

+        <async-supported>true</async-supported>

+    </filter>

+-->

+

   <!-- A filter that sets character encoding that is used to decode -->

   <!-- parameters in a POST request -->

 <!--
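Review bot: The parameter documentation gives `hstsMaxAgeSeconds` a default of `[0]` while `hstsEnabled` defaults to `[true]`, and a Strict-Transport-Security header with max-age=0 tells clients to drop any stored policy for the host (RFC 6797) rather than enforce one, so enabling the filter with the documented defaults yields no HSTS protection. A row after the `[0]` entry such as `<!--                       A positive value is required for HSTS to take effect. -->` would keep deployers from copying the defaults unchanged. The `httpHeaderSecurity` filter and its mapping (in the later hunk) are both commented out, so nothing here is active until a deployer uncomments both.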

@@ -483,6 +540,15 @@
 

   <!-- ==================== Built In Filter Mappings ====================== -->

 

+  <!-- The mapping for the HTTP header security Filter -->

+<!--

+    <filter-mapping>

+        <filter-name>httpHeaderSecurity</filter-name>

+        <url-pattern>/*</url-pattern>

+        <dispatcher>REQUEST</dispatcher>

+    </filter-mapping>

+-->

+

   <!-- The mapping for the Set Character Encoding Filter -->

 <!--

     <filter-mapping>
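Review bot: The mapping restricts the filter to `<dispatcher>REQUEST</dispatcher>`, so the filter is not invoked on FORWARD, INCLUDE or ERROR dispatches; whether the headers already set on the original request survive an error-page dispatch depends on how the container resets the response, which this file does not show. If error pages are meant to carry the same headers, adding `<dispatcher>ERROR</dispatcher>` after the REQUEST line is a one-line change; otherwise a short comment stating that REQUEST-only is deliberate would help the next maintainer. The mapping is commented out, matching the filter definition in the earlier hunk.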