<?xml version="1.0" encoding="UTF-8"?>
<!--
The MIT License
Copyright (c) 2004-2009, Sun Microsystems, Inc., Kohsuke Kawaguchi, Tom Huybrechts, id:digerata, Yahoo! Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
-->
<web-fragment xmlns="http://xmlns.jcp.org/xml/ns/javaee"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-fragment_3_1.xsd"
              version="3.1">
  <name>jenkins</name>

  <!--
    Front-controller servlet. Stapler is mapped to /* below, so any request
    that passes the filter chain is dispatched by it.
  -->
  <servlet>
    <servlet-name>Stapler</servlet-name>
    <servlet-class>org.kohsuke.stapler.Stapler</servlet-class>
    <init-param>
      <!-- Maps the text/html content type to the UTF-8 charset (Stapler's
           default-encodings parameter); presumably applied when a response does
           not set its own charset. Confirm against Stapler. -->
      <param-name>default-encodings</param-name>
      <param-value>text/html=UTF-8</param-value>
    </init-param>
    <init-param>
      <!-- Stapler's built-in diagnostic thread naming is switched off here;
           a DiagnosticThreadNameFilter is registered separately below. -->
      <param-name>diagnosticThreadName</param-name>
      <param-value>false</param-value>
    </init-param>
    <async-supported>true</async-supported>
  </servlet>

  <servlet-mapping>
    <servlet-name>Stapler</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>

  <!--
    Filter declarations. Each filter is async-capable. Note that the order in
    which the filters run is NOT fixed by this list but by the order of the
    <filter-mapping> elements further down: the servlet spec applies url-pattern
    mappings in the order they appear in the descriptor.
  -->

  <!-- First line of defence against malformed requests (runs first, see mappings). -->
  <filter>
    <filter-name>suspicious-request-filter</filter-name>
    <filter-class>jenkins.security.SuspiciousRequestFilter</filter-class>
    <async-supported>true</async-supported>
  </filter>

  <!-- Tags the worker thread name with request details for diagnostics. -->
  <filter>
    <filter-name>diagnostic-name-filter</filter-name>
    <filter-class>org.kohsuke.stapler.DiagnosticThreadNameFilter</filter-class>
    <async-supported>true</async-supported>
  </filter>

  <!-- Normalises request character encoding before any parameter is read. -->
  <filter>
    <filter-name>encoding-filter</filter-name>
    <filter-class>hudson.util.CharacterEncodingFilter</filter-class>
    <async-supported>true</async-supported>
  </filter>

  <!-- Catches exceptions escaping the rest of the chain (see also <error-page> below). -->
  <filter>
    <filter-name>uncaught-exception-filter</filter-name>
    <filter-class>org.kohsuke.stapler.UncaughtExceptionFilter</filter-class>
    <async-supported>true</async-supported>
  </filter>

  <!-- Application-level authentication. The container itself imposes almost no
       auth constraints (see the "other" <security-constraint> below), so this
       filter is where the security context for a request is established. -->
  <filter>
    <filter-name>authentication-filter</filter-name>
    <filter-class>hudson.security.HudsonFilter</filter-class>
    <async-supported>true</async-supported>
  </filter>

  <!-- CSRF protection (crumb check). Mapped after the authentication filter,
       so the crumb is validated against an already established user. -->
  <filter>
    <filter-name>csrf-filter</filter-name>
    <filter-class>hudson.security.csrf.CrumbFilter</filter-class>
    <async-supported>true</async-supported>
  </filter>

  <filter>
    <filter-name>error-attribute-filter</filter-name>
    <filter-class>jenkins.ErrorAttributeFilter</filter-class>
    <async-supported>true</async-supported>
  </filter>

  <!-- Presumably the hook through which plugins contribute their own servlet
       filters; it is mapped last, i.e. after authentication and CSRF checks. -->
  <filter>
    <filter-name>plugins-filter</filter-name>
    <filter-class>hudson.util.PluginServletFilter</filter-class>
    <async-supported>true</async-supported>
  </filter>

  <!--
  The Headers filter allows us to override headers sent by the container
  that may be in conflict with what we want. For example, Tomcat will set
  Cache-Control: no-cache for any files behind the security-constraint
  below. So if Hudson is on a public server, and you want to only allow
  authorized users to access it, you may want to pay attention to this.

  See: http://www.nabble.com/No-browser-caching-with-Hudson- -tf4601857.html

  <filter>
    <filter-name>change-headers-filter</filter-name>
    <filter-class>hudson.ResponseHeaderFilter</filter-class>
    <!- The value listed here is for 24 hours. Increase or decrease as you see
    fit. Value is in seconds. Make sure to keep the public option ->
    <init-param>
      <param-name>Cache-Control</param-name>
      <param-value>max-age=86400, public</param-value>
    </init-param>
    <!- It turns out that Tomcat just doesn't want to let
    go of its cache option. If you override Cache-Control,
    it starts to send Pragma: no-cache as a backup.
    ->
    <init-param>
      <param-name>Pragma</param-name>
      <param-value>public</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>change-headers-filter</filter-name>
    <url-pattern>*.css</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>change-headers-filter</filter-name>
    <url-pattern>*.gif</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>change-headers-filter</filter-name>
    <url-pattern>*.js</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>change-headers-filter</filter-name>
    <url-pattern>*.png</url-pattern>
  </filter-mapping>
  -->

  <!--
    Filter chain order for every request (all mappings use /*). Keep this order
    when adding a filter: request sanity check first, then encoding, then
    exception handling, then authentication, then CSRF, and plugin filters last.
  -->
  <filter-mapping>
    <filter-name>suspicious-request-filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>diagnostic-name-filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>encoding-filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>uncaught-exception-filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>authentication-filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>csrf-filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>error-attribute-filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>plugins-filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- Context listeners; the container invokes them in descriptor order. -->
  <listener>
    <!-- Must be before WebAppMain in order to initialize the context before the first use of this class. -->
    <listener-class>jenkins.util.SystemProperties$Listener</listener-class>
  </listener>
  <listener>
    <listener-class>hudson.WebAppMain</listener-class>
  </listener>
  <listener>
    <listener-class>jenkins.JenkinsHttpSessionListener</listener-class>
  </listener>

  <!--
  JENKINS-1235 suggests containers interpret '*' as "all roles defined in web.xml"
  as opposed to "all roles defined in the security realm", so we need to list some
  common names in the hope that users will have at least one of those roles.
  -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>user</role-name>
  </security-role>
  <security-role>
    <role-name>hudson</role-name>
  </security-role>

  <!--
    Container-managed authentication is required for /loginEntry only. In
    Servlet 3.1 the special role name "**" means "any authenticated user,
    regardless of role", so hitting this URL anonymously triggers the FORM
    login configured below.
  -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Hudson</web-resource-name>
      <url-pattern>/loginEntry</url-pattern>
      <!--http-method>GET</http-method-->
    </web-resource-collection>
    <auth-constraint>
      <role-name>**</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Disable TRACE method with security constraint (copied from jetty/webdefaults.xml) -->
  <!-- An empty <auth-constraint/> grants access to no role at all, so the
       container rejects TRACE for every URL instead of echoing the request
       (which could expose headers such as cookies to a cross-site script). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Disable TRACE</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>

  <!--
    Everything else is left unconstrained at the container level: there is no
    <auth-constraint>, so the container performs no authentication of its own
    on /*. Access control is expected to come from the filter chain above
    (authentication-filter, csrf-filter).
  -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>other</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- no security constraint -->
  </security-constraint>

  <!-- FORM authentication for the container-protected /loginEntry above;
       unauthenticated users are sent to /login, failures to /loginError. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login</form-login-page>
      <form-error-page>/loginError</form-error-page>
    </form-login-config>
  </login-config>

  <!-- configure additional extension-content-type mappings -->
  <mime-mapping>
    <extension>xml</extension>
    <mime-type>application/xml</mime-type>
  </mime-mapping>
  <!--mime-mapping> commenting out until this works out of the box with JOnAS. See http://www.nabble.com/Error-with-mime-type%2D-%27application-xslt%2Bxml%27-when-deploying-hudson-1.316-in-jonas-td24740489.html
    <extension>xsl</extension>
    <mime-type>application/xslt+xml</mime-type>
  </mime-mapping-->
  <mime-mapping>
    <extension>log</extension>
    <mime-type>text/plain</mime-type>
  </mime-mapping>
  <!-- Archive formats are served as opaque binary (download rather than render). -->
  <mime-mapping>
    <extension>war</extension>
    <mime-type>application/octet-stream</mime-type>
  </mime-mapping>
  <mime-mapping>
    <extension>ear</extension>
    <mime-type>application/octet-stream</mime-type>
  </mime-mapping>
  <mime-mapping>
    <extension>rar</extension>
    <mime-type>application/octet-stream</mime-type>
  </mime-mapping>
  <mime-mapping>
    <extension>webm</extension>
    <mime-type>video/webm</mime-type>
  </mime-mapping>

  <!-- Any Throwable not handled earlier is rendered by /oops; missing
       resources by /404. Both are application URLs handled via Stapler. -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/oops</location>
  </error-page>
  <error-page>
    <error-code>404</error-code>
    <location>/404</location>
  </error-page>

  <session-config>
    <cookie-config>
      <!-- See https://www.owasp.org/index.php/HttpOnly for the discussion of this topic in OWASP -->
      <!-- HttpOnly keeps the session cookie out of reach of client-side script. -->
      <http-only>true</http-only>
      <!-- NOTE(review): no <secure> flag is set in this fragment; whether the
           session cookie is marked Secure presumably depends on the container
           or on runtime configuration. Confirm for HTTPS deployments. -->
    </cookie-config>
    <!-- Tracking mode is managed by WebAppMain.FORCE_SESSION_TRACKING_BY_COOKIE_PROP -->
  </session-config>
</web-fragment>