Fix for Penetration test _ Session and cookie management
[vid.git] / epsdk-app-onap / src / main / webapp / WEB-INF / web.xml
index b09fa57..e445bac 100755 (executable)
@@ -1,17 +1,95 @@
 <?xml version="1.0" encoding="UTF-8"?>\r
-<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"\r
-         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee" \r
-         xmlns:web="http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"\r
-         version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee">\r
-\r
+<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"\r
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"\r
+         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"\r
+         version="3.1">\r
        <display-name>ecomp-sdk-app-os</display-name>\r
 \r
        <!-- The app can function on a HA cluster -->\r
        <distributable />\r
 \r
        <session-config>\r
-               <session-timeout>7</session-timeout>\r
+               <session-timeout>30</session-timeout>\r
                <tracking-mode>COOKIE</tracking-mode>\r
        </session-config>\r
 \r
+       <filter>\r
+    <filter-name>SecurityXssFilter</filter-name>\r
+    <filter-class>org.onap.portalapp.filter.SecurityXssFilter</filter-class>\r
+   </filter> \r
+    <filter-mapping>\r
+    <filter-name>SecurityXssFilter</filter-name>\r
+    <url-pattern>/*</url-pattern>\r
+  </filter-mapping>\r
+\r
+  <!--\r
+  `vid-webpack-master` servlet and it's servlet mapping below, serves\r
+  Angular's index.html for any requests like the following, letting\r
+  the JavaScript router do its magic:\r
+  * /vid/app/ui/\r
+  * /vid/app/ui/servicePlanning\r
+  * /vid/app/ui/browseSdc\r
+  -->\r
+  <servlet>\r
+    <servlet-name>vid-webpack-master</servlet-name>\r
+    <jsp-file>/app/ui/index.html</jsp-file>\r
+  </servlet>\r
+\r
+  <servlet-mapping>\r
+    <servlet-name>vid-webpack-master</servlet-name>\r
+    <url-pattern>/app/ui/</url-pattern>\r
+  </servlet-mapping>\r
+\r
+  <!--\r
+  All the files under the paths below are served as static files, using\r
+  tomcat's `default` servlet. This overrides the `vid-webpack-master`\r
+  url-pattern.\r
+  The filter `charset-to-utf8-filter` adds "charset=UTF-8" to these files\r
+  content type, as the default content-type is platform-dependant (which\r
+  is not ok for Windows stations).\r
+  -->\r
+  <servlet-mapping>\r
+    <servlet-name>default</servlet-name>\r
+    <url-pattern>/app/ui/*</url-pattern>\r
+  </servlet-mapping>\r
+\r
+  <filter>\r
+    <filter-name>charset-to-utf8-filter</filter-name>\r
+    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>\r
+    <init-param>\r
+      <param-name>encoding</param-name>\r
+      <param-value>UTF-8</param-value>\r
+    </init-param>\r
+    <init-param>\r
+      <param-name>forceEncoding</param-name>\r
+      <param-value>true</param-value>\r
+    </init-param>\r
+  </filter>\r
+\r
+  <filter-mapping>\r
+    <filter-name>charset-to-utf8-filter</filter-name>\r
+    <url-pattern>/app/ui/*</url-pattern>\r
+  </filter-mapping>\r
+      <filter>\r
+    <filter-name>httpHeaderSecurity</filter-name>\r
+    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>\r
+    <async-supported>true</async-supported>\r
+    <init-param>\r
+      <param-name>antiClickJackingEnabled</param-name>\r
+      <param-value>true</param-value>\r
+    </init-param>\r
+    <init-param>\r
+      <param-name>antiClickJackingOption</param-name>\r
+      <param-value>DENY</param-value>\r
+    </init-param>\r
+  </filter>\r
+  <filter-mapping>\r
+    <filter-name>httpHeaderSecurity</filter-name>\r
+    <url-pattern>/*</url-pattern>\r
+  </filter-mapping>\r
+\r
+  <error-page>\r
+    <error-code>404</error-code>\r
+    <location>/vid/epsdk-app-onap/src/main/webapp/WEB-INF/jsp/errorPage.jsp</location>\r
+  </error-page>\r
 </web-app>
\ No newline at end of file
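Review bot: The `<session-config>` block still carries no `<cookie-config>`, so for a change titled as a session-and-cookie-management fix the session cookie's HttpOnly and Secure flags are left to container defaults; under the Servlet 3.1 schema they are declared inside `<session-config>` as `<cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>` (the `secure` flag presumes the app is reached only over TLS, which should be confirmed against the deployment). Raising `<session-timeout>` from 7 to 30 widens the idle-session window, which appears to cut against the stated intent unless the pen-test findings asked for it; a short XML comment above the element recording the reason would save the next reader the question. Separately, the `<error-page>` `<location>` embeds the context path and a source-tree prefix (`/vid/epsdk-app-onap/src/main/webapp/...`) even though `<location>` is resolved relative to the context root, so it likely does not resolve at runtime; `<location>/WEB-INF/jsp/errorPage.jsp</location>` is the usual form if the JSP is packaged at that path in the WAR. Indentation in the new `<filter>`/`<filter-mapping>` blocks mixes tabs with two- and four-space runs; a pass through `xmllint --format` would normalize it.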