| 1 | <!-- For deployment-time modifications ensure that you are editing greenstone3.xml.in, found in resources/tomcat. -->
|
|---|
| 2 | <!-- set allowLinking to true if you want to use symlinks to files or directories outside the docBase directory -->
|
|---|
| 3 | <!-- set reloadable to false for a production version. if true, automatically reloads the webapp if it detects changes in classes or lib directories -->
|
|---|
| 4 | <!-- see http://tomcat.apache.org/tomcat-8.5-doc/config/context.html for more Context attributes -->
|
|---|
| 5 |
|
|---|
| 6 | <Context
|
|---|
| 7 | docBase="@gsdl3webwritablehome@"
|
|---|
| 8 | aliases="/interfaces=@gsdl3webhome@/interfaces,/sites=@gsdl3webhome@/sites"
|
|---|
| 9 | debug="1" reloadable="true"
|
|---|
| 10 | privileged="true"
|
|---|
| 11 | allowLinking="@allowlinking@"
|
|---|
| 12 | xmlBlockExternal="false">
|
|---|
| 13 |
|
|---|
| 14 | <!-- if greenstone is to be run in an iframe, need to use the -->
|
|---|
| 15 | <!-- sameSiteCookies=none version of the CookieProcessor -->
|
|---|
| 16 | <!--<CookieProcessor sameSiteCookies="none" partitioned="true"/>-->
|
|---|
| 17 | <CookieProcessor sameSiteCookies="strict"/>
|
|---|
| 18 |
|
|---|
| 19 | <!-- increase the cacheMaxSize if you get errors like the following in packages/tomcat/logs/catalina.out-->
|
|---|
| 20 | <!-- org.apache.catalina.webresources.Cache.getResource Unable to add the resource at [... class name ...] to the cache for web application [/greenstone3] because there was insufficient free space available after evicting expired cache entries - consider increasing the maximum size of the cache -->
|
|---|
| 21 | <Resources allowLinking="@allowlinking@" cacheMaxSize="51200"/>
|
|---|
| 22 |
|
|---|
| 23 | <!--
|
|---|
| 24 | For embedded derby db:
|
|---|
| 25 | driverName="org.apache.derby.jdbc.EmbeddedDriver"
|
|---|
| 26 | connectionURL="jdbc:derby:@gsdl3webhome@/etc/usersDB"
|
|---|
| 27 | -->
|
|---|
| 28 | <!--
|
|---|
| 29 | JNDI resources require the validationQuery parameter if you are using validations (which we are).
|
|---|
| 30 | A list of values for this parameter, depending on your database driver, can be found here:
|
|---|
| 31 | https://stackoverflow.com/questions/10684244/dbcp-validationquery-for-different-databases
|
|---|
| 32 | For more info about why you need the parameter value, see here:
|
|---|
| 33 | https://stackoverflow.com/a/41232124
|
|---|
| 34 |
|
|---|
| 35 | Because the derby networked server is now launched with the
|
|---|
| 36 | derby.system.home JAVA_OPT property set to the folder containing
|
|---|
| 37 | usersDB, we don't need url set to the full GS3 path to the usersDB.
|
|---|
| 38 | -->
|
|---|
| 39 | <Resource
|
|---|
| 40 | name="jdbc/realmDB"
|
|---|
| 41 | auth="Container"
|
|---|
| 42 | type="javax.sql.DataSource"
|
|---|
| 43 | maxActive="10"
|
|---|
| 44 | maxIdle="4"
|
|---|
| 45 | maxWaitMillis="10000"
|
|---|
| 46 | validationQuery="values 1"
|
|---|
| 47 | driverClassName="org.apache.derby.jdbc.ClientDriver"
|
|---|
| 48 | url="jdbc:derby://@derbyserver@:@derbyserverport@/usersDB" />
|
|---|
| 49 |
|
|---|
| 50 | <Realm className="org.apache.catalina.realm.LockOutRealm">
|
|---|
| 51 | <Realm
|
|---|
| 52 | className="org.greenstone.gsdl3.GoogleSigninJDBCRealm"
|
|---|
| 53 | userTable="USERS" userNameCol="USERNAME" userCredCol="PASSWORD"
|
|---|
| 54 | userRoleTable="ROLES" roleNameCol="ROLE"
|
|---|
| 55 | userEmailCol="email"
|
|---|
| 56 | googlesigninClientId="@googlesigninclientid@"
|
|---|
| 57 | localDataSource="true"
|
|---|
| 58 | dataSourceName="jdbc/realmDB" />
|
|---|
| 59 | </Realm>
|
|---|
| 60 |
|
|---|
| 61 | <!-- Session Manager. Default values are used. See
|
|---|
| 62 | packages/tomcat/webapps/docs/config/manager.html for more info.
|
|---|
| 63 | Pathname may be absolute, or relative to greenstone3 context work
|
|---|
| 64 | directory: packages/tomcat/work/Catalina/localhost/greenstone3.
|
|---|
| 65 | Set pathname="" to disable storing session info between restarts.
|
|---|
| 66 | To manually clear session info, stop Tomcat and delete the session
|
|---|
| 67 | file. -->
|
|---|
| 68 | <Manager pathname="SESSIONS.ser" />
|
|---|
| 69 |
|
|---|
| 70 | <!-- Allow all machines or just this machine: 127.0.0.1 (IPv4) and 0:0:0:0:0:0:0:1 (IPv6, needed on windows)
|
|---|
| 71 | https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html -->
|
|---|
| 72 | <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="@allowedIPs@"/>
|
|---|
| 73 |
|
|---|
| 74 | <!-- Allows us to include the file:
|
|---|
| 75 | <GSDL3SRCHOME>/web/WEB-INF/rewrite.config
|
|---|
| 76 | Currently used (by default) to monitor for GS3 DL calls that use:
|
|---|
| 77 | &href=... and rl=0 ...
|
|---|
| 78 | and rewrite them so they are forbidden by the server.
|
|---|
| 79 | This is because malicious users can use this form of CGI URL supported by Greenstone3
|
|---|
| 80 | to mount an Open Redirect attack -->
|
|---|
| 81 | <Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/>
|
|---|
| 82 |
|
|---|
| 83 | </Context>
|
|---|
