Web Center Configuration

Web Center configuration is divided into three parts:

  • Web application configuration files.

    The files contain settings for integration into Tomcat and for accessing the provisioning database and the request workflow service, as well as the list of Struts configuration files.

    • Context descriptors webCenter-domain.xml and selfService-domain.xml.

    • Deployment descriptor web.xml.

  • High-level configuration files.

    The files contain settings expressed in terms of features. The settings are intended to work the same way in future releases even if the underlying implementation is changed.

    • Server-side configuration file webCenter.properties.

    • Client-side configuration file config.js.

  • Low-level user interface configuration files.

    The files contain settings expressed in low-level terms based on their current implementation in Struts. Due to possible implementation changes, they are not guaranteed to work the same way in future releases.

This chapter describes the Web application and high-level configuration files. The low-level user interface configuration files are described in chapter "User Interface Configuration".

Context Descriptor Files

Context descriptor files like webCenter-domain.xml and selfService-domain.xml are located in Tomcat’s conf/[enginename]/[hostname] folder. They announce the Web applications to the servlet engine by declaring the installation directories and additionally hold the configuration paths for struts-config.xml, tiles-defs.xml, renderers-config.xml, and objects-config.xml.

The context path used to specify a web application in URLs is inferred from the application’s context descriptor file name.

The file comprises the following sections:

  • Context

  • Parameter

  • Manager

Context

The Context section has the following parameters:

  • cookies – Whether cookies are to be used for session identifier tracking. Set this parameter to true if you want cookies to be used if the client supports them. Should be enabled for security reasons.

  • crossContext – Whether access to other contexts is required. Set to false since access to other contexts is usually not required.

  • docBase – The application’s document root directory.

  • override – Whether settings in this context override any corresponding settings in either the global or host default contexts.

  • privileged – Whether access to container servlets is required. Set to false since access to container servlets is not required.

  • reloadable – Whether to automatically reload the application on changes to classes in WEB-INF/lib and WEB-INF/classes.

  • useHttpOnly – Whether to set the HttpOnly flag on session cookies to prevent client-side scripts from accessing the session ID. Should be enabled (true) for security reasons.

  • useNaming – Whether to initialize a JNDI context. Set to false since JNDI is usually not used by Web Center applications.

Parameter

The Parameter section contains context parameters in addition to those defined in the deployment descriptor web.xml (see also the section "Deployment Descriptor web.xml"). Context parameters are used in Web Center to set the list of Struts configuration files. These parameters include:

  • override - Whether a context parameter of the same name defined in the Web application deployment descriptor overrides the value specified here (true) or not (false). Default: true.

  • name - Context parameter name.

  • value - Context parameter value.

Manager

The Manager section contains the parameter:

  • pathname - Name of the file in which session state will be preserved across application restarts, if possible. Leave this parameter empty since Web Center applications do not support session persistence.

Deployment Descriptor web.xml

The Web deployment descriptor web.xml in WEB-INF holds all configuration data that is specific to the particular installation.

On the one hand, it contains data required by Web Center to access and collaborate with other DirX Identity components, like the address of the provisioning store, the domain name, bind information, and single-sign-on settings. On the other hand, it contains the definition and configuration of several Web Center components like filters, servlets and listeners.

The deployment descriptor comprises the following sections:

  • Context Parameters

  • Filter Definitions and Mappings

  • Listener Definitions

  • Servlet Definitions and Mappings

  • Session Configuration

  • Welcome File List

  • Error Handlers

  • Security Settings

Context Parameters

Each context parameter has a name and a value. The parameter names are case-sensitive.

Note: Context parameters may also be defined in the context descriptor file.

Configuration File Names

The configuration file names must be specified relative to the application’s document root folder and with a leading slash. Most file names for the standard Web Center applications are set in the respective context descriptor files.

  • ObjectConfig.Path – A comma-separated list of names of configuration files containing the object definitions for the application.

  • RendererConfig.Path – A comma-separated list of names of configuration files containing the renderer definitions for the application.

  • Struts.DefaultFiles – The names of Struts and Tiles configuration files that are always included if found in one of the folders listed in parameter Struts.Path.

  • Struts.Path – A list of names of configuration folders and files containing the definitions of Struts actions, Struts form beans, Tiles components and Web Center menus. A detailed description is included in the context descriptor files.

Enabling UTF-8

Web Center sets the character set for HTTP requests to UTF-8 by default, while the default character set for HTTP is ISO-8859-1.

  • com.siemens.webMgr.utf8.enabled – Whether to use character set UTF-8 (true) or not (false). Default: true.

Default Language Configuration

Web Center pages are usually presented to a user in the language determined from the value of the HTTP request header accept-language, provided Web Center supports one of the languages requested in that header. If not, Web Center falls back to the default language, which is set in the following Struts context parameter:

  • javax.servlet.jsp.jstl.fmt.fallbackLocale - The default locale. The value is required and must match one of the languages supported by Web Center.

Web Center is shipped with built-in support for English (locale: en) and German (locale: de) but can be customized for other languages.

Directory Access Configuration

The context parameters to access the DirX Identity provisioning store are usually set by the DirX Identity configuration program. You can change the relevant parameters at any time.

  • com.siemens.webMgr.ldap.host - The name or IP address of the directory server for provisioning.

  • com.siemens.webMgr.ldap.ssl – Whether to access the directory server via a secured SSL connection (true) or not (false). Default: false.

  • com.siemens.webMgr.ldap.port - The LDAP port of the directory server. Default: 389.

  • com.siemens.webMgr.ldap.baseDN - The DirX Identity provisioning domain (for example, cn=My-Company).

  • com.siemens.webMgr.ldap.user - The technical user used to bind to the DirX Identity provisioning store (for example, cn=DomainAdmin,cn=My-Company). The technical user must have the appropriate directory access rights to perform all operations on behalf of the users logged in to Web Center. The Web Center users’ access rights are calculated by DirX Identity access policies, not by directory access controls. The technical user’s password must be added to Web Center’s password file with identifier ldap.

  • com.siemens.webMgr.ldap.anyone - The technical user used to calculate the DirX Identity access rights during user self-registrations (for example, cn=ANYONE, cn=My-Company). The technical user must have the appropriate DirX Identity access policies to perform all operations on behalf of the users registering but should not have any further access rights. The technical user’s password must be added to Web Center’s password file with identifier ANYONE.
    The directory operations required for user self-registrations are performed by the technical user defined in the previous section (com.siemens.webMgr.ldap.user). That user must therefore have the appropriate directory access rights.

Request Workflow Configuration

Web Center establishes a SOAP connection to the DirX Identity Java-based Server in order to perform request workflow tasks like creating new objects, displaying the work list or approving privilege assignments. The related configuration parameters are:

  • com.siemens.webMgr.requestworkflow.updateTimeout – The maximum time for which new workflow requests are delayed by workflow engine calculations. Some requests require the workflow engine to recalculate the state of the affected workflow. New requests for the workflow are delayed until the calculation is finished. The update timeout defines the maximum delay time. If the calculation is not finished within the specified period of time, the new request is cancelled. Unit: Milliseconds. Default: 0.

Web Center usually forwards the current user’s login credentials to the Java-based Server in order to authenticate the user to the Java-based Server. If you operate Web Center in single sign-on mode, however, the user’s password is unknown to Web Center, and cannot be used to authenticate the user to the Java-based Server. In this case, Web Center authenticates itself to the server with its private key, and forwards only the name of the current user. The Java-based Server verifies that it has a valid certificate of the presented private key, and if so, accepts the username without further authentication.

Thus, in case of single sign-on, you must generate a private key for Web Center and put a corresponding certificate into the Java-based Server’s truststore (install_path/ids-j-domain-Sn/private/webcenter-truststore). We recommend using the same key and keystore as for SSL with client authentication from Web Center to the Java-based Server: For details, see the section “Establishing Secure Connections with SSL” in the chapter “Managing the Connectivity System” in the DirX Identity Connectivity Administration Guide. The following context parameters give Web Center the location of the keystore and the alias for the private key:

  • com.siemens.webMgr.requestworkflow.keystoreName – The location of the keystore containing the private key of Web Center. If Tomcat and the Java-based Server reside on the same machine, the keystore should be install_path/ids-j-domain-Sn/private/webcenter-keystore-alias. If the servers are not co-located, you must copy the keystore to the machine hosting Tomcat.

  • com.siemens.webMgr.requestworkflow.keyAlias – The alias for the private key in the keystore. Default: WebCenter.

The passwords required to access the keystore and the private key must be added to Web Center’s password file with identifier webcenterKeystore and webcenterKey, respectively.

Client Request Configuration

A Web Center page may contain one or more tabs to download information not displayed by default, like privileges, photos, and certificates on a user summary page. On clicking a tab, the client sends an asynchronous request for the additional information to the server and inserts the response into the current page. If the server fails to respond within a given period of time, the client cancels the request.

  • com.siemens.webMgr.asyncRequest.timeout – Specifies the timeout in seconds for the client to wait for a response. (JSP defined) Default: 30.

Logging Configuration

For development purposes, Web Center provides a logging component printing detailed information about the processed requests to Tomcat’s console or stdout log file, respectively. As of version 8.10, the logging component is used by

  • The Web Center classes and filters.

  • The DirXweb for JSP classes and filters.

  • The log tags <ctrl:log> and <view:log> used in JSPs.

This means that the log configuration now applies to all these classes, and they write into the same log file.

The logging facility is configured by the following parameters:

  • com.siemens.webMgr.log.level – Specifies the log level:

    • -2 - Use log4j; see the parameter com.siemens.webMgr.log.log4jConfigFile.

    • -1 - OFF: Disables logs.

    • 0 - SEVERE: Prints only severe errors (default).

    • 1 - INFO: Prints additional information.

    • 2 - FINEST: Prints detailed information.

  • com.siemens.webMgr.log.hideValuePattern – Prevents possibly security-compromising variable values stored in request, session or application scope from being logged in clear text. The pattern value is interpreted as a regular expression matching the names of the variables to be hidden. The value “.*Date”, for example, matches any name ending with date or Date. The pattern is applied in addition to the hard-coded pattern “.*Password|dxrChallengeResponse”, which prevents clear text logging of passwords and challenge-response values. For details on the pattern syntax, see the documentation of Java class java.util.regex.Pattern.

  • com.siemens.webMgr.log.dateFormat – Web Center adds a time stamp to log output from some low-level components that would otherwise be written without one. You can specify the time stamp format here. See the documentation of Java class java.text.SimpleDateFormat for details on the syntax.

  • com.siemens.webMgr.log.log4jConfigFile – If you’ve set the log level to "-2" to activate log4j logging, you can configure log4j as usual in a properties file. By default, log4j takes file WEB-INF/classes/log4j.properties. If you run two Web applications from the same application folder, they work with the same log4j configuration and therefore write into the same log files. Since this setup may cause issues (for example, with log4j’s RollingFileAppender), you can define a different configuration file per application. Note that you need to define this parameter in the context descriptor files of your applications since the deployment descriptor web.xml is also shared.

Online Debug Configuration

Web Center supports online debug information and an online LDAP trace. The output is displayed at the bottom of the regular Web Center pages. You can activate the trace by adding a parameter to any Web Center URL (for example, in your browser’s address bar) with the name debug and a combination of one or more of the following characters as the value:

Character   Description
a           Print application-scoped attributes
e           Print system environment
r           Print request information, request headers and request-scoped attributes
s           Print session-scoped attributes
t           Print LDAP operation trace
o           Switch debug output off

The URL:

http://yourTomcatServer:yourTomcatPort/webCenter?debug=rs

for example, activates request and session debug output. The current debug option is saved in session-scope and is therefore valid throughout the session or until explicitly overridden by a subsequent request.

  • com.siemens.webMgr.debug.enabled – Enables (true) or disables (false) online debug info. Default: false.

  • com.siemens.webMgr.debug.trace.enabled – Enables (true) or disables (false) the online LDAP trace. If used in multi-user mode, the traces of simultaneously working users are usually mixed up. Default: false.

  • com.siemens.webMgr.debug.trace.keywords – A comma-separated list of keywords for the LDAP trace. The supported keywords are ldap and, for a more detailed trace, ldapconnection. Default: ldap.

You should not enable the trace in a productive environment for security reasons. If enabled, every user can send a corresponding URL and see possibly security-compromising information on his or her screen.

When developing a customized application, you must provide a debug output area and check for the debug request parameter to use this facility. The output area for the standard Web Center applications is defined in /WEB-INF/jsp/view/forms/layoutPage.jsp, the debug request parameter is evaluated in /WEB-INF/jsp/controller/utils/checkDebug.jsp which is included from /WEB-INF/jsp/controller/utils/checkSession.jsp.

Session Monitor Configuration

Web Center includes a tool to monitor session and main memory usage. The tool writes a log entry to a file each time a Web Center session is created or destroyed. The logs are written to a number of files in a round-robin fashion.

Here is a sample log entry:

11:03:00 BBC30248DE6EADBC5E08E9A49D8ACDB8 4     - 00:02 [3,4]       [36/12/24]    [36/24]

It includes the following data:

Field                                                        Value/Unit/Format
The current time                                             hh:mm:ss
The session ID
The session number (the first session gets number 1, the next number 2 and so on)
An operation code                                            + Session creation
                                                             - Session deletion
                                                             o Session was still open when Tomcat was stopped
Total session life time                                      hh:mm
Number of currently open sessions
The maximum number of open sessions since Tomcat startup
Total memory                                                 Megabytes
Free memory                                                  Megabytes
Used memory                                                  Megabytes
Maximum total memory since Tomcat startup                    Megabytes
Maximum used memory since Tomcat startup                     Megabytes

The log files can be viewed with any text editor. The related configuration options are:

  • com.siemens.webMgr.sessionMonitor.enabled – Enables (true) or disables (false) the session monitor. Default: false.

  • com.siemens.webMgr.sessionMonitor.fileName – The log file name pattern, for example c:/temp/SessionTrace-%d.txt. The respective file number replaces the placeholder %d at runtime. The directory for the files must exist and must be writable by the Tomcat process. The file name pattern must be different for each deployed application. Default: application_directory/WEB-INF/SessionTrace-%d.txt.

  • com.siemens.webMgr.sessionMonitor.linesPerFile – The number of log entries to write to each file before switching to the next one. Default: 10000.

  • com.siemens.webMgr.sessionMonitor.numFiles – The maximum number of log files. Default: 10.
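A parser for the session monitor trace format described above, added here as an example; it is not part of Web Center or DirX Identity. SAMPLE_LOG is a constructed trace in the documented format (it includes one malformed line to show how such lines are counted and skipped), and the summary it produces is the kind of check an administrator would run before tuning the session timeout.

```python
"""Parser and summary for Web Center session monitor trace files (added
example, not part of Web Center). SAMPLE_LOG is a constructed trace in the
documented entry format, including one malformed line."""
import re
from dataclasses import dataclass

SAMPLE_LOG = """\
11:02:58 BBC30248DE6EADBC5E08E9A49D8ACDB8 4     + 00:00 [4,4]       [36/14/22]    [36/22]
11:03:00 BBC30248DE6EADBC5E08E9A49D8ACDB8 4     - 00:02 [3,4]       [36/12/24]    [36/24]
11:03:05 0F1E2D3C4B5A69788796A5B4C3D2E1F0 5     + 00:00 [4,5]       [40/10/30]    [40/30]
11:03:06 this line is not a session monitor entry
11:09:30 0F1E2D3C4B5A69788796A5B4C3D2E1F0 5     o 06:25 [3,5]       [40/16/24]    [40/30]
"""

# One entry: time, session ID, session number, operation code, life time,
# [open sessions, max open], [total/free/used MB], [max total/max used MB].
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<sid>[0-9A-Fa-f]+)\s+(?P<num>\d+)\s+"
    r"(?P<op>[+o-])\s+(?P<life>\d\d:\d\d)\s+"
    r"\[(?P<open>\d+),(?P<max_open>\d+)\]\s+"
    r"\[(?P<total>\d+)/(?P<free>\d+)/(?P<used>\d+)\]\s+"
    r"\[(?P<max_total>\d+)/(?P<max_used>\d+)\]\s*$"
)


@dataclass
class Entry:
    time: str
    session_id: str
    session_number: int
    op: str             # '+' created, '-' destroyed, 'o' still open at Tomcat stop
    lifetime_min: int   # hh:mm converted to minutes
    open_sessions: int
    max_open: int
    total_mb: int
    free_mb: int
    used_mb: int
    max_total_mb: int
    max_used_mb: int


def parse_line(line):
    """Return an Entry for a well-formed trace line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    g = m.groupdict()
    hours, minutes = g["life"].split(":")
    return Entry(g["time"], g["sid"], int(g["num"]), g["op"],
                 int(hours) * 60 + int(minutes),
                 int(g["open"]), int(g["max_open"]),
                 int(g["total"]), int(g["free"]), int(g["used"]),
                 int(g["max_total"]), int(g["max_used"]))


def parse_log(text):
    """Parse a whole trace file; returns (entries, number of skipped malformed lines)."""
    entries, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            skipped += 1
        else:
            entries.append(entry)
    return entries, skipped


def summarize(entries):
    """Session churn, sessions left open at shutdown and the memory/session peaks."""
    return {
        "created": sum(1 for e in entries if e.op == "+"),
        "destroyed": sum(1 for e in entries if e.op == "-"),
        "left_open": sorted(e.session_id for e in entries if e.op == "o"),
        "peak_open_sessions": max((e.max_open for e in entries), default=0),
        "peak_used_mb": max((e.max_used_mb for e in entries), default=0),
        # Life time is only final on deletion or on an 'o' entry.
        "longest_session_min": max((e.lifetime_min for e in entries if e.op in "-o"), default=0),
    }


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    print(f"{len(parsed)} entries, {bad} malformed line(s) skipped")
    for key, value in summarize(parsed).items():
        print(f"{key}: {value}")
```

Every entry carries the session ID, so keep the trace files readable only by the Tomcat account and remove them once the analysis is done.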

Single Sign-On Configuration

For the various context parameters related to single sign-on see the chapters on single sign-on in the DirX Identity manuals.

Filter Definitions and Mappings

Filters are Java classes that perform tasks on a request before it is processed by the Struts controller (the MetaActionServlet), or after it has been processed by the controller.

A filter definition defines a filter with its name, the implementing Java class, and initialization parameters.

A filter mapping defines which requests a filter is applied to. Multiple filters may apply to the same request, in which case their execution order is determined by the order of matching filter mappings: from top to bottom before request processing, and in reverse order after request processing.

The following table lists the filters supplied with Web Center and the resources they are applied to. If several filters apply to the same resource, their filter mappings must appear in the table’s order from top to bottom. Before processing a Struts action (*.do), for example, the RequestFilter must run first, the CSRF filter next, then, if applicable, the SSOHeaderFilter, and the SessionFilter last.

The ClickjackingFilter and the MethodFilter perform some general security checks. They should be invoked for each request before the actual request processing starts.

Filter                              Mapped Resource URIs
ClickjackingFilter                  /*
MethodFilter                        /*
RequestFilter                       *.do, *.jsp, /saveFile
BinaryRequestFilter                 /binaryReader/*
CSRF Filter                         *.do, *.jsp, /saveFile
SSOHeaderFilter                     *.do, *.jsp, /saveFile
SessionFilter                       *.do, *.jsp
AddHeaderFilterForDownloads         /binaryReader/*
AddHeaderFilterForStaticResources   /resources/*, /resource/*
ExtAuthFilter                       /login.do, /login.jsp

ClickjackingFilter

The ClickjackingFilter is a DirXweb for JSP filter. It prevents clickjacking against Web Center pages by sending the HTTP response header X-Frame-Options, which instructs the browser not to allow framing from other domains. For details on clickjacking see https://www.owasp.org/index.php/Clickjacking.

Filter Name

An arbitrary name for the ClickjackingFilter. The name is used in the filter mappings section.

Initialization Parameters

  • X-Frame-Options-Header – The HTTP protocol versions the header should be applied to, and the HTTP header name and value. There should be no need to change the parameter.

    • *:X-Frame-Options:SAMEORIGIN – Apply the header to all HTTP versions (*). Header name is X-Frame-Options, value is SAMEORIGIN.

Filter Mappings

The filter should be applied to each request:

  • /* – Any URI.

MethodFilter

The MethodFilter is a DirXweb for JSP filter. It checks the HTTP method of each incoming request. GET and POST requests are always allowed. HEAD, OPTIONS and TRACE requests are optionally allowed. All other requests like PUT and DELETE requests are rejected. The filter also processes OPTIONS and TRACE requests directly instead of forwarding them down the processing chain.

Filter Name

An arbitrary name for the MethodFilter. The name is used in the filter mappings section.

Initialization Parameters

  • AllowedMethods – The optionally allowed method names, separated by commas. Names other than HEAD, OPTIONS and TRACE are ignored. None of the optional methods is allowed by default.

Filter Mappings

The filter should be applied to each request:

  • /* – Any URI.

RequestFilter

The RequestFilter is a DirXweb for JSP filter. In the context of Web Center applications, it is used to synchronize requests for the same session, to properly decode request parameters, and to disable an annoying feature of the JavaServer Pages Standard Tag Library (JSTL).

Filter Name

An arbitrary name for the RequestFilter. The name is used in the filter mappings section.

Initialization Parameters

RequestFilter initialization parameters include:

  • ApplicableMethods – A comma-separated list of HTTP methods this filter is applied to. Requests with other HTTP methods are just forwarded to the next handler in the processing chain. Specify ALL to apply the filter to all requests. Default: GET,POST,HEAD.

  • DecodeRequestParameters – Whether the filter should decode request parameters (true) or leave the task to the servlet engine (false). Should be set to false. Default: false.

  • RequestSyncEnabled – Whether to synchronize requests for the same session (true) or not (false). Note that the requests must be synchronized by some method since some session resources are not thread-safe. Simultaneous access to the same session may lead to unpredictable results. Therefore, we strongly recommend setting this parameter to true. Default: true.

  • RequestEncoding – Character encoding of HTTP request parameters. Must be supplied with the character set used by the Web Center application, which is utf-8 for the standard Web Center applications. Deprecated. Use context parameter com.siemens.webMgr.utf8.enabled instead.

  • IgnoreLocale – Whether to prevent the JSTL formatting tags from resetting the character set in the HTTP response header Content-Type according to the client’s preferred language. Note that the tags do not take utf-8 applications into account. For example, if the preferred language is English, the tags change the character set from utf-8 to iso-8859-1. Set this flag to true for Web Center applications using the utf-8 character set. Default: true.

  • URLRewritingEnabled – Whether to allow tracking session IDs via URL rewriting (true) or not (false). URL rewriting is considered a security risk and should be turned off. Default: false.

  • SSLRequired – Whether HTTPS is required to access the application (true) or not (false). If SSL is required, insecure requests are redirected to the URL defined in parameter SSLRedirectURL. If no redirect URL is specified, the request is rejected. Default: false.

  • SSLRedirectURL – The URL to redirect insecure requests to if SSL is required. Note that the URL and any parameters of the original request get lost and are not available when processing the redirected request. Default: none.

  • AcceptedCrossOrigins – The origin servers from which to accept cross-origin requests. Separate the servers by commas. Each origin is evaluated as a case-insensitive regular expression (java.util.regex), so literal dots must be escaped. For example, to accept the origins “https://alpha.gamma.com:8443” and “http://beta.gamma.com:8080” specify https://alpha\.gamma\.com:8443, http://beta\.gamma\.com:8080.
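A deployment check, added here as an example and not part of Web Center or DirX Identity, that reads a context descriptor and a web.xml and reports settings that differ from what the sections on the Context descriptor attributes, the online debug parameters and the RequestFilter parameters above recommend. The two XML documents, the filter name requestFilter and the 60-minute idle-timeout threshold are constructed assumptions.

```python
"""Hardening check for Web Center deployment files (added example, not part of
Web Center or DirX Identity). Both XML documents below are constructed samples
that deliberately contain settings the configuration chapter advises against."""
import re
import xml.etree.ElementTree as ET

# Constructed sample context descriptor (webCenter-domain.xml style).
CONTEXT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Context docBase="/opt/dirx/webCenter" cookies="true" crossContext="true"
         privileged="false" useHttpOnly="false" useNaming="false">
  <Manager pathname=""/>
</Context>
"""

# Constructed sample web.xml fragment; 'requestFilter' is an assumed filter name.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <context-param>
    <param-name>com.siemens.webMgr.ldap.ssl</param-name>
    <param-value>false</param-value>
  </context-param>
  <context-param>
    <param-name>com.siemens.webMgr.debug.trace.enabled</param-name>
    <param-value>true</param-value>
  </context-param>
  <filter>
    <filter-name>requestFilter</filter-name>
    <init-param><param-name>URLRewritingEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>SSLRequired</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>AcceptedCrossOrigins</param-name>
                <param-value>https://alpha.gamma.com:8443</param-value></init-param>
  </filter>
  <session-config><session-timeout>600</session-timeout></session-config>
</web-app>
"""

# Context attributes and the values the chapter recommends for them.
RECOMMENDED_CONTEXT = {"cookies": "true", "useHttpOnly": "true", "crossContext": "false",
                       "privileged": "false", "useNaming": "false"}
# Idle timeout (minutes) above which a finding is reported; assumed threshold.
MAX_IDLE_MINUTES = 60


def local(tag):
    """Strip the XML namespace so web.xml parses alike with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def name_value_pairs(parent, wrapper):
    """Collect <wrapper><param-name>..</param-name><param-value>..</param-value></wrapper> children."""
    pairs = {}
    for node in parent:
        if local(node.tag) == wrapper:
            kv = {local(c.tag): (c.text or "").strip() for c in node}
            pairs[kv.get("param-name")] = kv.get("param-value", "")
    return pairs


def audit_context(xml_text):
    """Report <Context> attributes and <Manager> settings that deviate from the chapter."""
    root = ET.fromstring(xml_text)
    findings = []
    for attr, expected in RECOMMENDED_CONTEXT.items():
        actual = root.attrib.get(attr)
        if actual is None:
            findings.append(f"Context {attr} not set explicitly; Tomcat default applies")
        elif actual.lower() != expected:
            findings.append(f"Context {attr}={actual}, expected {expected}")
    for child in root:
        if local(child.tag) == "Manager" and child.attrib.get("pathname"):
            findings.append("Manager pathname is set; Web Center does not support session persistence")
    return findings


def audit_web_xml(xml_text):
    """Report risky context parameters, RequestFilter init-params and the session timeout."""
    root = ET.fromstring(xml_text)
    findings = []
    params = name_value_pairs(root, "context-param")
    for name in ("com.siemens.webMgr.debug.enabled", "com.siemens.webMgr.debug.trace.enabled"):
        if params.get(name, "false").lower() == "true":
            findings.append(f"{name}=true: online debug output is visible to every user")
    if params.get("com.siemens.webMgr.ldap.ssl", "false").lower() != "true":
        findings.append("com.siemens.webMgr.ldap.ssl is not true: provisioning store access is not SSL-secured")
    for node in root:
        tag = local(node.tag)
        if tag == "filter":
            fname = "".join((c.text or "").strip() for c in node if local(c.tag) == "filter-name")
            ip = name_value_pairs(node, "init-param")
            if ip.get("URLRewritingEnabled", "false").lower() == "true":
                findings.append(f"filter {fname}: URLRewritingEnabled=true puts session IDs into URLs")
            if ip.get("SSLRequired", "").lower() == "false":
                findings.append(f"filter {fname}: SSLRequired=false, HTTPS is not enforced")
            for origin in ip.get("AcceptedCrossOrigins", "").split(","):
                origin = origin.strip()
                # In a java.util.regex pattern an unescaped '.' matches any character.
                if origin and re.search(r"(?<!\\)\.", origin):
                    findings.append(f"filter {fname}: origin pattern {origin} has an unescaped '.'")
        elif tag == "session-config":
            for c in node:
                if local(c.tag) == "session-timeout" and int(c.text) > MAX_IDLE_MINUTES:
                    findings.append(f"session-timeout {c.text.strip()} min exceeds {MAX_IDLE_MINUTES}")
    return findings


if __name__ == "__main__":
    for finding in audit_context(CONTEXT_XML) + audit_web_xml(WEB_XML):
        print("FINDING:", finding)
```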

Filter Mappings

In order to let the application server know which requests are to be processed by the filter, the URI of any applicable Web Center request must be mapped to the filter. For the applications provided with Web Center, map the filter to the URIs

  • *.do – Struts actions

  • *.jsp – Java Server Pages

  • /saveFile – The save file servlet

BinaryRequestFilter

The BinaryRequestFilter is identical to the RequestFilter but might be configured in a different way to meet the requirements of the BinaryReader servlet.

Filter Name

An arbitrary name for the BinaryRequestFilter. The name is used in the filter mappings section.

Initialization Parameters

For the parameters see the RequestFilter section above.

Filter Mappings

Map the filter to URI

  • /binaryReader/* – The BinaryReader servlet

SessionFilter

The SessionFilter is a DirXweb for JSP filter. In the context of Web Center applications, it is used to perform some checks on incoming requests; for example, if the session requested by the client is still valid, or, in case of user self-registration, if the requested URI is allowed in that context. The checks are not hard-coded in the filter. Instead, the filter includes a JSP that performs the checks. When developing a customized Web Center application, you may provide your own JSP that performs modified or additional checks according to your requirements.

Filter Name

An arbitrary name for the SessionFilter. The name is used in the filter mappings section.

Initialization Parameters

SessionFilter initialization parameters include:

  • ApplicableMethods – A comma-separated list of HTTP methods this filter is applied to. Requests with other HTTP methods are just forwarded to the next handler in the processing chain. Specify ALL to apply the filter to all requests. Leave the default for Web Center applications. Default: GET,POST,HEAD.

  • IncludePage – The name of the JSP performing the checks. Specify the name relative to the application context. The page for the Web Center default applications is /WEB-INF/jsp/controller/utils/checkSession.jsp. An alternative page with the name checkSessionWithLogging.jsp writes additional logs which might be useful for analyzing login issues; for example, in single sign-on scenarios.

  • RestartPage – The URI to forward the request to in case a check fails. Specify the URI relative to the application context. The restart page of the Web Center default applications is /restart.do.

  • RestartMode – How to forward the request to the restart page. The supported modes are:

  • include – By invoking the Java Servlet API method RequestDispatcher.include (default).

  • forward – By invoking the Java Servlet API method RequestDispatcher.forward.

  • redirect – Via HTTP redirection.

    For Web Center applications, use forward.

Filter Mappings

In order to let the application server know which requests are to be processed by the filter, the URI of any applicable Web Center request must be mapped to the filter. For the applications provided with Web Center, map the filter to the URIs

  • *.do – Struts actions

  • *.jsp – Java Server Pages

AddHeaderFilterForDownloads and AddHeaderFilterForStaticResources

The filters are differently configured instances of the same DirXweb for JSP filter. They are used to specify expiry dates for static resources like Javascript files and images, or for binary attributes like photos and certificates downloaded via the BinaryReader servlet. Expiry dates prevent the browser from unnecessarily checking for updated resources on each request.

Filter Name

An arbitrary name for the filter. The name is used in the filter mappings section.

Initialization Parameters

  • Expires-Header – The expiry date of the downloaded resource. The date must be specified as a number of seconds from download time (now), for example:

    • http/1.*:Expires:now+3600 – The resource expires 1 hour after download time.

    • http/1.*:Expires:now+86400 – The resource expires 1 day after download time.

Filter Mappings

Map the AddHeaderFilterForDownloads to URI

  • /binaryReader/* – The BinaryReader servlet

Map the AddHeaderFilterForStaticResources to URI

  • /resources/* – Static Web Center resources

  • /resource/* – Static Web Center resources

CSRF Filter

The CSRF Filter attempts to prevent cross-site request forgery attacks. The filter is configured in file /WEB-INF/config/webCenter.properties.

Filter Name

An arbitrary name for the CSRF Filter. The name is used in the filter mappings section.

Initialization Parameters

None.

Filter Mappings

In order to let the application server know which requests are to be processed by the filter, the URI of any applicable Web Center request must be mapped to the filter. For the applications provided with Web Center, map the filter to the URIs

  • *.do – Struts actions

  • *.jsp – Java Server Pages

  • /saveFile – The save file servlet

SSOHeaderFilter

For details on the SSOHeaderFilter, see the chapters on single sign-on in the DirX Identity User Interfaces Guide.

Listener Definitions

Listeners are Java classes that perform tasks on specific events sent by the application server, like application startup and shutdown or session creation and deletion. The listener section contains just the list of listeners for an application. Web Center needs just one listener.

com.siemens.webMgr.util.ContextListener

The ContextListener initializes a Web Center application on startup and cleans up resources on application shutdown.

Servlet Definitions and Mappings

This section describes the definitions and mappings of the Web Center servlets: the MetaActionServlet, the BinaryReaderServlet and the SaveFileServlet.

MetaActionServlet

The MetaActionServlet is the main instance that controls processing of Web Center requests.

Servlet Name

An arbitrary name for the MetaActionServlet. The name is used in the servlet mappings section below.

Servlet Parameters

  • load-on-startup - Defines when the Web Center application is loaded by the application server:

    • Positive integer or 0 – The servlet is loaded at server startup time.

    • Negative integer – The time the servlet is loaded is up to the server (default).

We recommend that you allow the servlet to be loaded at server startup time.

Servlet Mappings

In order to let the application server know which Web Center requests are to be processed by the MetaActionServlet, the servlet must be mapped to the respective request URIs. For the applications provided with Web Center, map the servlet to the Struts action extension .do.

BinaryReaderServlet

The BinaryReaderServlet is a DirXweb for JSP servlet that serves values of binary attributes like photos and certificates. The value is returned as binary data to the browser. The servlet can, for example, be addressed in the href attribute of a link tag or the src attribute of an img tag.

The sole task of the BinaryReaderServlet itself is to send binary data to the client. The servlet includes a JSP that is responsible for providing the data to the servlet in a scoped variable. The JSP might, for example, load the data from some file or read the value of a binary attribute from the directory. Shifting the details of how the data is obtained to a JSP provides greater flexibility and keeps the servlet simple and generic.

For more details, refer to the DirXweb for JSP documentation.

Servlet Name

An arbitrary name for the BinaryReaderServlet. The name is used in the servlet mappings section.

Servlet Parameters
  • JspPath – The location of the JSP (with name default.jsp) to be included by the servlet, for Web Center usually /WEB-INF/jsp/controller/binary.

Servlet Mappings

Map the BinaryReaderServlet to the URI /binaryReader/*.

SaveFileServlet

The SaveFileServlet serves reports intended to be saved as a file on the client machine. Since reports are HTML, XML, or text files, they are usually directly displayed by the browser. To prevent this, the servlet sets specific HTTP response headers causing the browser to open a dialog box that lets the user open or save the file. The headers include the file type and an appropriate file name proposal.

JSP File

The name of the JSP page implementing the servlet, in this case /WEB-INF/jsp/controller/core/saveFile.jsp.

Servlet Name

An arbitrary name for the SaveFileServlet. The name is used in the servlet mappings section below.

Servlet Parameters
  • path – The location where Web Center temporarily stores generated reports to be served to the browser, relative to the application’s temporary directory (below Tomcat’s work folder). Usually /reports/Reports_.

  • encoding – The encoding for the HTTP response header Content-Type. Default: utf-8.

Servlet Mappings

Map the SaveFileServlet to the URI /saveFile.

Session Configuration

A session is created each time a user logs in to Web Center. It stores data that must be kept between requests, like the user’s login credentials or entries that the user has selected. If a user does not issue any request for a specified amount of time, the application server can destroy his session. The next time the user accesses Web Center, he is redirected to Web Center’s start page and prompted to re-login.

  • session-config/session-timeout – The number of minutes a session must be idle before the application server can destroy it. Default in Tomcat: 30.

The value must be carefully tuned. The more sessions that exist, the more system resources are consumed, eventually slowing down performance and causing out-of-memory errors. Too short a timeout, on the other hand, will annoy the users.

Another session parameter is used to disable session tracking via URL rewriting for security reasons:

  • session-config/tracking-mode – How user sessions are tracked. Should be set to COOKIE.

Welcome File List

If a user launches a Web application via a URL containing only the application’s context path but no action or JSP name, the user is redirected to one of the application’s welcome files.

  • welcome-file-list/welcome-file – The paths of one or more welcome files. Each path must be specified relative to the application’s context path.

The welcome file of the two applications provided with Web Center is index.jsp. The JSP forwards to the login page. Thus, the URL

http://TomcatServer:TomcatPort/webCenter

is resolved to

http://TomcatServer:TomcatPort/webCenter/index.jsp.

Error Handlers

Web Center assigns specific error handlers to some HTTP status codes or Java exceptions. This prevents Tomcat from sending its own error pages to the client. Tomcat’s error pages are usually disruptive, display very generic information and are sometimes considered to pose a security risk. Web Center, on the other hand, tries to react to errors in a non-disruptive way and to display error information in the user’s language.

Each error handler definition comprises the error code or exception that triggers the handler, and the URI of the handler. A handler may be a Struts action, a JSP page or an HTML page.

Security Settings

Security settings are used in some cases of single sign-on, like Windows single sign-on via the SPNEGO protocol. For details, see the chapters on single sign-on in the DirX Identity Installation Guide and the DirX Identity User Interfaces Guide.

Specific Configuration Parameters for Web Center for Password Management

The web.xml file contains some commented-out context parameters for external authentication that can be overridden if necessary.

  • com.siemens.webMgr.auth.varName holds the name of the variable that keeps the authentication data. Typically, it does not need to be changed.

  • com.siemens.webMgr.auth.mode holds the selected authentication mode. See “Authentication Modes” below.

  • com.siemens.webMgr.auth.userFilter holds the user filter that is resolved at login. %LOGIN_ATTR is replaced by the login attribute name and %USER_ID by the value entered in the login field. The default attribute (defined in loginForm) is cn.

  • com.siemens.webMgr.auth.masterTsAttr holds the name of the user attribute on loginForm that contains the selected master TS. By default, the attribute is not persistent. To make the value persistent, change the name in the web.xml file and in the loginForm configuration (located in WEB-INF/configPwd/identity/forms-config.xml) to a different LDAP attribute name that should hold the persistent value at the user. Do not forget to define the property description for the new attribute in User.xml correctly, based on the property description of the default attribute $pwdMasterTs.

  • com.siemens.webMgr.auth.addChallengesPage defines the forward name to be used after entering missing challenges/responses within the login sequence. Configure this forward in the "/login" Struts action.

For internal authentication, the parameters varName and userLoginAttr of ExtAuthFilter are not used.

The context parameters related to external authentication are the following:

<context-param>
    <param-name>com.siemens.webMgr.auth.varName</param-name>
    <param-value>com.siemens.webMgr.authUserInfo</param-value>
</context-param>
<context-param>
    <param-name>com.siemens.webMgr.auth.userFilter</param-name>
    <param-value>(&amp;(objectclass=dxrUser)(%LOGIN_ATTR=%USER_ID))</param-value>
</context-param>

Uncomment the external authentication filter with the name ExtAuthFilter.

Also uncomment the section External Authentication mappings.

<filter-mapping>
    <filter-name>ExtAuthFilter</filter-name>
    <url-pattern>/login.do</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>ExtAuthFilter</filter-name>
    <url-pattern>/login.jsp</url-pattern>
</filter-mapping>

The Password.properties File

The file password.properties contains a number of passwords. They are stored in Java properties format (name=value).

If you enter a password in clear text, the server reads it during the next start-up, encrypts it and writes it back to the file. From then on the password information is no longer readable. If you are in doubt that the right password is set or if you need to set a new password, simply replace the encrypted value with the clear text value. At the next startup, Web Center encrypts the password again.

Web Center evaluates the following names:

  • ldap - The password for the technical user; typically the domain admin.

  • ANYONE - The password of the anonymous user (typically: cn=ANYONE, cn=domain) is needed for user self-registrations.

  • webcenterKeystore - The password of the keystore containing Web Center’s private key. The private key is required for connecting to the request workflow service in case of single sign-on only.

  • webcenterKey - The password of Web Center’s private key; defaults to the keystore password. The private key is required for connecting to the request workflow service in case of single sign-on only.

  • pin - The PIN for the current private key for decryption of attributes. The PIN is required for displaying privileged account passwords in case encryption mode is enabled.

  • previousPin - The PIN for the previous private key for decryption of attributes. This allows a smooth transition during key exchange / upgrade. Web Center is able to handle both old encrypted values (encrypted with the previous key) and new encrypted values (encrypted with the current key).

High-Level Configuration Files

This section describes high-level configuration files associated with Web Center.

Server-side Configuration Files

This section describes the server-side configuration files associated with Web Center.

The webCenter.properties File

The Java properties file defines a set of parameters controlling the behavior of Web Center components.

The parameters are listed in the form name = value. Any spaces around name or value are ignored. As with any Java properties file, the file accepts only characters from the ISO 8859-1 character set. For characters outside Latin-1, use their Unicode escape sequence (\uxxxx); the same applies to spaces that must be preserved (\u0020).

The file is located in folder WEB-INF/config. Do not change the file since it is overwritten during update installations.

For customizations, create a new file webCenterCustom.properties in the WEB-INF/config folder, copy the properties you want to customize to the new file and change their values there. Settings in webCenterCustom.properties take precedence over those in webCenter.properties.

The files are evaluated on the server side; updates to the files require a restart of Tomcat to become effective.

The configuration parameters are made available to the Web Center application in an application-scoped variable named webCenter. Therefore, they can be used in JSP files or struts-config.xml files with expressions like ${webCenter.resourceFolder} and ${webCenter['dn.delim']}.

Certification Campaigns

The certification campaigns configuration file has the following parameters:

  • campaigns.sizeLimit – The size limit for listing a user’s campaigns. Default: 100.

  • campaignSubjects.sizeLimit – The size limit for listing a user’s campaigns. Default: 100.

  • campaignNumberOfSubjects.sizeLimit – The size limit for reading the number of subjects of a campaign. The number is displayed in a user’s certification campaign list. Default: 1000.

Configuration File Names

The configuration file names must be specified relative to the application’s document root folder and with a leading slash.

  • config.converters – The name of the properties file containing additional data type converter definitions for the Apache library commons-beanutils.jar (Usually /WEB-INF/config/converters.properties).

  • config.defaultRenderers – The name of the properties file containing the default renderer definitions assigned to commonly used data types, editors and properties (Usually /WEB-INF/config/defaultRenderer.properties).

  • config.messages – The names of message localization files, separated by commas. Each file maps some low-level error messages to message keys; this is a last resort for localizing internal messages and displaying them with more user-friendly text (Usually /WEB-INF/config/messages.properties).

  • customScriptsAndStyles – The name of a custom JSP to include custom Javascript and CSS files. The custom JSP is automatically included by Web Center pages.

  • passwordFile – The name of the file containing the directory access password of the technical users, as well as any passwords for key- and truststore access. Specify the filename relative to the Web Center application directory. (Default /WEB-INF/password.properties).

Confirmation Message Display

Web Center no longer displays messages that confirm the successful completion of an operation. With the following switch, you can re-enable the display.

  • showMessageOnSuccess – Whether to display messages that confirm successful completion of an operation (false), or not (true). Default: false.

The parameter affects messages that are labeled as success messages via the success flag of the setMessage tag.

CSRF Filter

Settings for the cross-site request forgery (CSRF) filter.

  • csrf.enabled – Whether the filter is enabled (true) or not (false). Default: true.

  • csrf.allowPostForEntryPoints – Whether entry points are restricted to HTTP GET requests (false) or also evaluated for POST requests (true). Default: false.

  • csrf.tokenName – The HTTP parameter name of the random tokens. Default: WT.

  • csrf.tokenLength – The length (number of bytes) of the random tokens generated by the class java.security.SecureRandom. Note that the tokens in the HTTP parameters have double the length due to encoding. Default: 20.

  • csrf.tokenScope – Whether to change tokens per request (request) or per session (session). Default: request.

  • csrf.maxRedirectURLs – The maximum size of the list of expected URLs of HTTP redirect requests from one Struts action to another one. Default: 5.

  • csrf.entryPoints – The comma separated list of entry points to be exempted from the token match. The list of entry points required for all Web Center applications includes:

    /login.do,/index.jsp,/error.do,/logout.do

    Add only safe actions to the list; in particular, no actions that make any modifications in the database.
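To make the interplay of these settings concrete, here is an added example in Java (not Web Center’s filter code) that models token generation with java.security.SecureRandom and the entry point exemption. Hex encoding of the token (which gives the doubling described above) and the reading that allowPostForEntryPoints extends the exemption to POST requests are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Set;

/** Model of the csrf.* parameters; added example, not Web Center's own implementation. */
public class CsrfTokenCheck {
    private static final SecureRandom RANDOM = new SecureRandom();

    private final boolean enabled;                 // csrf.enabled
    private final boolean allowPostForEntryPoints; // csrf.allowPostForEntryPoints (assumed reading)
    private final String tokenName;                // csrf.tokenName
    private final int tokenLength;                 // csrf.tokenLength (bytes)
    private final boolean perRequest;              // csrf.tokenScope = request
    private final Set<String> entryPoints = new HashSet<>(); // csrf.entryPoints

    public CsrfTokenCheck(boolean enabled, boolean allowPostForEntryPoints, String tokenName,
                          int tokenLength, String tokenScope, String entryPointList) {
        this.enabled = enabled;
        this.allowPostForEntryPoints = allowPostForEntryPoints;
        this.tokenName = tokenName;
        this.tokenLength = tokenLength;
        this.perRequest = "request".equals(tokenScope);
        for (String p : entryPointList.split(",")) {
            if (!p.trim().isEmpty()) entryPoints.add(p.trim());
        }
    }

    /** tokenLength random bytes, hex-encoded (assumed encoding): 20 bytes become 40 characters. */
    public String newToken() {
        byte[] raw = new byte[tokenLength];
        RANDOM.nextBytes(raw);
        StringBuilder sb = new StringBuilder(raw.length * 2);
        for (byte b : raw) sb.append(String.format("%02x", b & 0xff));
        return sb.toString();
    }

    /** Decides whether a request may pass. sessionToken is the value the server stored for the session. */
    public boolean accept(String method, String path, String presentedToken, String sessionToken) {
        if (!enabled) return true;
        boolean entryPoint = entryPoints.contains(path);
        if (entryPoint && ("GET".equals(method) || allowPostForEntryPoints)) {
            return true; // exempted from the token match
        }
        if (presentedToken == null || sessionToken == null) return false;
        // constant-time comparison: the result does not depend on where the first mismatch is
        return MessageDigest.isEqual(presentedToken.getBytes(StandardCharsets.UTF_8),
                                     sessionToken.getBytes(StandardCharsets.UTF_8));
    }

    /** The token to store for the next request: fresh per request, or kept for the session. */
    public String nextSessionToken(String current) {
        return perRequest ? newToken() : current;
    }

    public String getTokenName() {
        return tokenName;
    }

    public static void main(String[] args) {
        // defaults from the page plus the entry point list required for all Web Center applications
        CsrfTokenCheck csrf = new CsrfTokenCheck(true, false, "WT", 20, "request",
                "/login.do,/index.jsp,/error.do,/logout.do");
        String token = csrf.newToken();
        System.out.println("parameter " + csrf.getTokenName() + " has " + token.length() + " characters");
        System.out.println("GET  /login.do without token: " + csrf.accept("GET", "/login.do", null, token));
        System.out.println("POST /login.do without token: " + csrf.accept("POST", "/login.do", null, token));
        // "/saveUser.do" is a constructed action name for the demonstration
        System.out.println("POST /saveUser.do, matching token: " + csrf.accept("POST", "/saveUser.do", token, token));
        System.out.println("POST /saveUser.do, wrong token:    " + csrf.accept("POST", "/saveUser.do", "0000", token));
        System.out.println("same token reused next request: " + token.equals(csrf.nextSessionToken(token)));
    }
}
```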

Development Mode

Web Center runs either in productive mode or development mode.

  • developmentMode – Switches on development mode (true) or productive mode (false). Default: false.

In development mode:

  • Code snippets are reloaded on each access. Changes to a snippet become effective immediately without having to restart Tomcat.

  • Web Center error pages may display more detailed error information like stack traces.

In addition to this, you can have Web Center reload message files on each request:

  • developmentMode.resetBundles – Reload message files text.properties, text_en.properties and the like on each request (true) or just once on application start (false). Default: false.

In productive mode:

  • Code snippets are loaded once on first access, cached in memory and served from the cache on each subsequent access.

  • Web Center error pages do not display detailed error information like stack traces.

  • The message files are loaded once. Changes to the files require an application reload to take effect.

For performance and security reasons, you should not enable the development mode in a productive system.

Digital Signing

Support for digital signing of client requests via the CAPICOM API has been abandoned by Microsoft as of operating system Windows 7. The new alternative solution is based on a Java applet.

  • useSigningApplet – Sign requests via a Java applet (true) or via Microsoft CAPICOM (false). Default: false.

Distinguished Name Representation

This set of parameters defines how distinguished names are represented in export formats of Web Center tables. For details see the chapter on DN representation in the Web Center Customization Guide.

  • dn.delim – The delimiter between adjacent nodes. Default: ", " (a comma, followed by a space).

  • dn.excludeTopNodes – The number of top nodes to be excluded from the representation. Default: 1.

  • dn.oldStyle – Whether to use the traditional DN representation; if true all other configuration parameters are ignored. Default: false.

  • dn.prefix – A prefix for the representation. Default: "" (the empty string).

  • dn.reversed – Whether to list the nodes in reversed order (from top to bottom). Default: false.

  • dn.types – Whether to display name part types. Default: false.
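The following added Java example (not Web Center’s implementation) renders a DN according to these parameters so that their combined effect can be tried out. Treating the traditional representation (dn.oldStyle) as the unchanged DN string and the sample DN are assumptions.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Renders a distinguished name according to the dn.* parameters; added example. */
public class DnRepresentation {
    private final String delim;          // dn.delim
    private final int excludeTopNodes;   // dn.excludeTopNodes
    private final boolean oldStyle;      // dn.oldStyle
    private final String prefix;         // dn.prefix
    private final boolean reversed;      // dn.reversed
    private final boolean types;         // dn.types

    public DnRepresentation(String delim, int excludeTopNodes, boolean oldStyle,
                            String prefix, boolean reversed, boolean types) {
        this.delim = delim;
        this.excludeTopNodes = excludeTopNodes;
        this.oldStyle = oldStyle;
        this.prefix = prefix;
        this.reversed = reversed;
        this.types = types;
    }

    /** Splits a DN into its RDNs (leaf first), honouring backslash-escaped commas inside values. */
    static List<String> splitRdns(String dn) {
        List<String> rdns = new ArrayList<>();
        StringBuilder current = new StringBuilder();
        boolean escaped = false;
        for (char c : dn.toCharArray()) {
            if (escaped) {
                current.append(c);      // keep the escaped character, drop the backslash
                escaped = false;
            } else if (c == '\\') {
                escaped = true;
            } else if (c == ',') {
                rdns.add(current.toString().trim());
                current.setLength(0);
            } else {
                current.append(c);
            }
        }
        rdns.add(current.toString().trim());
        return rdns;
    }

    public String render(String dn) {
        if (oldStyle) return dn;                          // assumption: traditional = unchanged DN
        List<String> rdns = splitRdns(dn);                // leaf first, top node last
        int keep = Math.max(0, rdns.size() - excludeTopNodes);
        List<String> nodes = new ArrayList<>(rdns.subList(0, keep));
        if (reversed) Collections.reverse(nodes);         // top to bottom
        StringBuilder sb = new StringBuilder(prefix);
        for (int i = 0; i < nodes.size(); i++) {
            if (i > 0) sb.append(delim);
            String node = nodes.get(i);
            int eq = node.indexOf('=');
            sb.append(types || eq < 0 ? node : node.substring(eq + 1));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // constructed sample DN; the last node stands for the domain node excluded by default
        String dn = "cn=Smith\\, Alice,ou=Sales,o=Example,cn=Example-Domain";
        DnRepresentation defaults = new DnRepresentation(", ", 1, false, "", false, false);
        DnRepresentation withTypes = new DnRepresentation(" / ", 1, false, "DN: ", true, true);
        DnRepresentation oldStyle = new DnRepresentation(", ", 1, true, "", false, false);
        System.out.println(defaults.render(dn));
        System.out.println(withTypes.render(dn));
        System.out.println(oldStyle.render(dn));
    }
}
```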

File Upload

File upload is used to upload the content of binary attributes like photos and certificates to the server.

  • binaryData.maxContentLength – The maximum HTTP content length of an upload request (number of bytes). This is mainly the total size of the files to upload, plus some bytes to transfer the file names and the like. Default: 100000.

  • binaryData.contentTypes – For each binary attribute, the list of accepted HTTP content types. Default: none.

    The syntax is

    attributeName=contentTypeList+attributeName=contentTypeList+..

    Each contentTypeList is a comma-separated list of content types.
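As an added Java example (not Web Center code), the following class parses a binaryData.contentTypes value in this syntax and applies both upload limits to an incoming request. The attribute names and media types in main are constructed, and treating an attribute without a list as accepting nothing is an assumption.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/** Checks uploads against binaryData.maxContentLength and binaryData.contentTypes; added example. */
public class BinaryUploadPolicy {
    private final long maxContentLength;
    private final Map<String, Set<String>> acceptedTypes = new LinkedHashMap<>();

    public BinaryUploadPolicy(long maxContentLength, String contentTypes) {
        this.maxContentLength = maxContentLength;
        if (contentTypes == null || contentTypes.trim().isEmpty()) return; // Default: none
        // Syntax: attributeName=contentTypeList+attributeName=contentTypeList+..
        // Note: because '+' separates entries, a media type containing '+' cannot be listed.
        for (String entry : contentTypes.split("\\+")) {
            int eq = entry.indexOf('=');
            if (eq <= 0) {
                throw new IllegalArgumentException("missing '=' in entry: " + entry);
            }
            String attribute = entry.substring(0, eq).trim();
            Set<String> types = new LinkedHashSet<>();
            for (String type : entry.substring(eq + 1).split(",")) {
                String t = type.trim().toLowerCase();
                if (!t.isEmpty()) types.add(t);
            }
            acceptedTypes.put(attribute, types);
        }
    }

    public Set<String> acceptedTypesFor(String attribute) {
        return acceptedTypes.getOrDefault(attribute, Collections.emptySet());
    }

    /** The request as a whole, files plus field names, must fit into maxContentLength. */
    public boolean acceptsContentLength(long contentLength) {
        return contentLength >= 0 && contentLength <= maxContentLength;
    }

    /** Per attribute, only listed media types are accepted; parameters like "; charset=" are ignored. */
    public boolean acceptsContentType(String attribute, String contentType) {
        if (contentType == null) return false;
        String base = contentType.split(";")[0].trim().toLowerCase();
        return acceptedTypesFor(attribute).contains(base);
    }

    public static void main(String[] args) {
        // constructed configuration: attribute names and media types are examples only
        BinaryUploadPolicy policy = new BinaryUploadPolicy(100000,
                "photo=image/jpeg,image/png+userCertificate=application/x-x509-user-cert");
        System.out.println(policy.acceptsContentType("photo", "image/png"));
        System.out.println(policy.acceptsContentType("photo", "text/html; charset=utf-8"));
        System.out.println(policy.acceptsContentType("userCertificate", "image/png"));
        System.out.println(policy.acceptsContentType("signature", "image/png"));
        System.out.println(policy.acceptsContentLength(99000));
        System.out.println(policy.acceptsContentLength(120000));
    }
}
```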

Footer Display

These parameters define which parts of the footer to display on each page:

  • footer – Whether to display the footer section at all (true) or not (false). If not, none of the sections below are visible. Default: true.

  • footerRuler – Whether to display the horizontal ruler above the footer (true) or not (false). Default: true.

  • footerLeft – Whether to display the left part of the footer (true) or not (false). The left part usually shows the product version. Default: true.

  • footerCenter – Whether to display the center part of the footer (true) or not (false). The center part usually shows the copyright. Default: true.

  • footerRight – Whether to display the right part of the footer (true) or not (false). The right part usually shows the product suite. Default: true.

See the DirX Identity Web Center Customization Guide for samples.

Form Display

Summary and edit forms are displayed with a frame and a toolbar, which can be globally enabled or disabled.

  • formReadOnlyTabIndex – The tab index for read-only form fields.

    • 0 – Include read-only fields in the tab order; default.

    • -1 – Exclude read-only fields from the tab order.

  • formShowFrames – Whether to display list frames (true) or not (false). Default: true.

  • formShowToolbars – Whether to display list toolbars (true) or not (false). Default: true.

  • formShowToolbarBorders – Whether to display a border around each tool (true) or not (false). Default: false.

  • formShowToolbarLabels – Whether to display labels alongside the tool icons (true) or not (false). Default: false.

  • formShowToolLabelPrefix – Whether to display generic ARIA label prefixes for tools (default), toolbar specific prefixes (true) or no prefix at all (false). Default: default.

Group Member Listings

When the group member list is requested, the members are fetched in chunks from the database instead of reading them one by one. This method improves performance significantly. Configuration parameters for listing group members are:

  • groupMembers.sizeLimit – The maximum number of members to display. Default: 10000.

  • groupMembers.accountChunkSize – The chunk size for reading account members. Default: 1000.

  • groupMembers.userChunkSize – The chunk size for reading user members. Default: 250.

Header Display

These parameters define which parts of the header to display on each page.

  • headerTop – Whether to display the top part of the header (true) or not (false). Default: true.

    The top part displays a background picture and includes

    • The key visual.

    • The company logo or name.

    • The product name.

    • The welcome text.

    • The options.

    • Links to logout or to cancel a registration.

    All parts are optional.

  • headerKeyVisual – Whether to display the key visual (true) or not (false). Default: true.

  • headerCompanyLogo – Whether to display the company logo (true) or not (false). Default: false.

  • headerCompanyName – Whether to display the company name (true) or not (false). The name is not visible if the company logo is displayed. Default: true.

  • headerProductName – Whether to display the bottom row of the header (true) or not (false). The bottom row usually shows the application’s menu. Default: true.

  • headerWelcome – Whether to display the welcome text (true) or not (false). Default: true.

  • headerOptions – Whether to display the options (true) or not (false). If not, neither the language chooser nor the font size chooser is visible. Default: true.

  • headerOptionsLanguage – Whether to display the language chooser (true) or not (false). Default: true.

  • headerOptionsFontSize – Whether to display the font size chooser (true) or not (false). Default: true.

  • headerLinks – Whether to display the link section (true) or not (false). The section displays links to logout or to cancel a registration. Default: true.

  • headerLogoutLink – Whether to display the logout link in the bread crumb navigation (true) or not (false). Default: false.

  • headerBottom – Whether to display the bottom of the header (true) or not (false). The bottom usually shows only a background picture. Default: true.

See the DirX Identity Web Center Customization Guide for samples.

Home Page

The home page comprises a configurable set of plug-in pages which may display property pages or entry lists. For some preconfigured lists, you can define the maximum number of entries to be displayed.

  • homeMaxNumberOfAccounts – The maximum number of accounts to be displayed in the account list. Default: 5.

  • homeMaxNumberOfCampaigns – The maximum number of certification campaigns to be displayed in the campaign list. Default: 5.

  • homeMaxNumberOfGroups – The maximum number of groups to be displayed in the group list. Default: 5.

  • homeMaxNumberOfPermissions – The maximum number of permissions to be displayed in the permission list. Default: 5.

  • homeMaxNumberOfRoles – The maximum number of roles to be displayed in the role list. Default: 5.

  • homeMaxNumberOfTasks – The maximum number of tasks to be displayed in the task list. Default: 5.

Input Validation

The input validation filter checks the parameters of each incoming HTTP request. If it encounters a parameter value that contains a JSP expression, it rejects the request.

  • inputValidation.excludedParameters – The comma-separated list of the names of parameters to be excluded from validation. The default list is password,oldPassword,retypedPassword,newPassword.

  • inputValidation.validateRequestParameters – Whether input validation is enabled (true) or disabled (false). Default: true.

List Configuration

Whenever you go to a Web Center page that displays a list with a search panel, the list may be automatically pre-filled by searching for entries that match the default search criteria or the ones from the previous search. Alternatively, the list may be initially empty and only filled after you’ve clicked the search button.

  • initialSearch – Defines the default list behavior. If false, the lists will be initially empty. Default: false.

Note that you can override the default behavior per Struts action displaying a list by setting a request-scoped attribute with the name initialSearch to true or false.

The search panel above an item list may offer searching for attributes with DN syntax, like user manager or a role owner. The searches are configured in a separate configuration file, but can be globally enabled or disabled here.

  • searchForDNAttributes – Whether searches for DN syntax attributes are enabled (true) or disabled (false). Default: true.

Many lists are displayed with a frame, a toolbar and a control to select the page size. Frames and toolbars can be globally enabled or disabled. Also, the page size selector items can be defined.

  • listShowFrames – Whether to display list frames (true) or not (false). Default: true.

  • listShowToolbars – Whether to display list toolbars (true) or not (false). Default: true.

  • listShowToolbarBorders – Whether to display a border around each tool (true) or not (false). Default: false.

  • listShowToolbarLabels – Whether to display labels alongside the tool icons (true) or not (false). Default: false.

  • listPageSizeItems.<name> – The page size selector items, a Javascript array. Each array item is either a Javascript number (a page size), or the string "all" (display all items on a single page). Each selector has a name which is referenced in the tile definitions of the item lists. The standard Web Center applications use the name "default":

    listPageSizeItems.default = [25,50,100,'all']

  • listShowToolLabelPrefix – Whether to display generic ARIA label prefixes for tools (default), toolbar specific prefixes (true) or no prefix at all (false). Default: default.

Login Configuration

You can customize the login procedures of Web Center via the following parameters:

  • loginChangeSessionId – To prevent session fixation attacks, Web Center changes the session ID after successful logins. This switch serves to enable (true) or disable (false) the feature. Default: true.

  • preventLoginViaGet – This switch serves to reject (true) or process (false) attempts to login with username and password via HTTP GET requests. Default: true.

The login cookie might be considered to reveal security-compromising information under some circumstances. The following parameters let you customize the content and behavior of the cookie.

  • loginCookie.enabled – Whether to enable (true) or disable (false) the login cookie. Default: true.

  • loginCookie.includeAttributes – Whether the cookie should include the values of the user identification fields entered into the login form (true) or not (false). Default: true.

  • loginCookie.maxAge – The maximum lifetime for the login cookie (in seconds). Specify 0 to have the browser discard the cookie immediately. If left unspecified the cookie is discarded when the browser is closed. Default: 2592000 (30 days).

  • loginCookie.secure – Whether to send the cookie over secure HTTPS connections only (true) or over any connection whether secure or insecure (false). Default: false.

Login Form Configuration

Some parameters let you customize the login page and form.

  • loginForm.autoComplete – Whether to enable (no value) or disable (off) the browser’s autocompletion feature for the user identification fields in the login form. The parameter applies to each form field with renderer secureText. The autocompletion feature should be disabled for security reasons. Default: off.

  • loginForm.minChars – The minimum number of characters (besides wildcards and spaces) to be entered as login name. If set to 0, the users are required to enter their exact login names. Default: 0.

  • loginForm.showRegister – Whether to show (true) or to hide (false) the self-registration section on the login page. Default: false.

You can also customize the search for the DirX Identity user matching the identification data entered into the login form:

  • loginForm.searchBase – The search base; the default value is taken from context parameter com.siemens.webMgr.ldap.baseDN in file web.xml which is usually the DXI domain.

  • loginForm.searchFilter – The search filter; the default filter is "(objectClass=dxrUser)". The filter will be extended at runtime by the identification data entered into the login form, for example "(&(objectClass=dxrUser)(cn=taspatch nik))".
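The two filter templates used at login, com.siemens.webMgr.auth.userFilter from web.xml (see the password management parameters above) and loginForm.searchFilter here, both receive a value typed by the user. The following added Java example (not Web Center code) resolves both templates and escapes the user value according to RFC 4515 before substitution; tying wildcard handling to loginForm.minChars is an assumption.

```java
/** Resolves the login filter templates with an escaped user value; added example, not Web Center code. */
public class LoginFilterBuilder {

    /**
     * Escapes a value for use inside an LDAP search filter (RFC 4515 section 3).
     * With allowWildcards the '*' is kept, for login forms that permit partial names
     * (assumed to correspond to loginForm.minChars > 0); otherwise it is escaped too.
     */
    public static String escapeFilterValue(String value, boolean allowWildcards) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                case '*':  sb.append(allowWildcards ? "*" : "\\2a"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Resolves %LOGIN_ATTR and %USER_ID in a com.siemens.webMgr.auth.userFilter template.
     * %LOGIN_ATTR is replaced first so that text typed by the user is never re-substituted.
     */
    public static String resolveUserFilter(String template, String loginAttr, String userId,
                                           boolean allowWildcards) {
        return template.replace("%LOGIN_ATTR", loginAttr)
                       .replace("%USER_ID", escapeFilterValue(userId, allowWildcards));
    }

    /** Extends loginForm.searchFilter by the identification data entered into the login form. */
    public static String extendSearchFilter(String searchFilter, String loginAttr, String userId,
                                            boolean allowWildcards) {
        return "(&" + searchFilter + "(" + loginAttr + "=" + escapeFilterValue(userId, allowWildcards) + "))";
    }

    public static void main(String[] args) {
        String userFilter = "(&(objectclass=dxrUser)(%LOGIN_ATTR=%USER_ID))"; // web.xml default
        String searchFilter = "(objectClass=dxrUser)";                         // loginForm.searchFilter default

        // the page's own example value: no special characters, output equals the documented filter
        System.out.println(extendSearchFilter(searchFilter, "cn", "taspatch nik", false));

        // a constructed login name containing parentheses must be escaped to stay a single assertion
        System.out.println(resolveUserFilter(userFilter, "cn", "Smith (Sales)", false));

        // with exact login names required (minChars = 0) a typed '*' is escaped, otherwise kept
        System.out.println(extendSearchFilter(searchFilter, "cn", "Smi*", false));
        System.out.println(extendSearchFilter(searchFilter, "cn", "Smi*", true));
    }
}
```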

Login via Challenge/Response Configuration

You can customize login to Web Center via challenge/response with the following parameters:

  • challengeResponses.duplicateResponsesAllowed – Whether users can specify identical responses for different authentication questions (true) or not (false). Default: false.

  • challengeResponses.minimumResponseLength – The minimum response length. Default: 1.

  • challengeResponses.trimOnAnswering – Whether leading and trailing spaces are removed from responses when answering authentication questions (true) or not (false). Default: true.

  • challengeResponses.trimOnEditing – Whether leading and trailing spaces are removed from questions and responses when defining authentication questions (true) or not (false). Default: true.

  • editableChallenges – Whether users can define their own authentication questions (true) or just select from the list of predefined questions (false). Default: true.

  • loginMinChallenges – The minimum number of questions a user is required to answer correctly if he forgets his password. Users with an insufficient number of registered challenges cannot login this way. Default: 2.

  • minEnteredChallenges – The minimum number of authentication questions that a user is required to enter when he registers. The default is 6.

Menu Configuration

The standard Web Center layout page can display the menu horizontally in the page header, or vertically on the left side of the content area.

  • menuVertical – Defines whether to display a vertical (true) or horizontal (false) menu. Default: false.

  • menu.argumentMarker – The string that marks arguments in menu item labels. The marker is removed for empty arguments. Default: ":\u0020".

  • menu.showInactiveItems – Whether to show inactive menu items (true) or not (false). Default: true.

  • menu.showLabelPrefix – Whether to display ARIA label prefixes for menus (true) or not (false). Default: true.

Navigation History

  • navigationHistory.maxItems – The maximum number of navigation history items. Default: 15.

Password Management

This section comprises configuration parameters which apply to Web Center for Password Management only. For details consult the relevant use case document.

  • passwordManagement.login.syncUserPassword – Defines whether the user password is synchronized (true) after login or not (false). Default: true.

  • passwordManagement.login.maxNumCheckStatus – The maximum number of times the status of a password synchronization is checked before giving up. Default: 10.

Password Management Mode

The password management mode defines how Web Center processes password modifications requested by a user or administrator.

  • passwordMode – The following modes are available:

    • directory – Passwords are immediately stored in the directory standard attribute userPassword but not in the DirX Identity attribute dxmPassword. This mode cannot be used for password synchronization to target systems (it is only possible to synchronize the passwords if the target system uses the same hash format as the DirX Identity directory). Password policies are ignored.

    • classic – Passwords are immediately stored in the directory standard attribute userPassword and the DirX Identity attribute dxmPassword. Additionally, a message is sent to trigger synchronization to target systems.

      If the directory or the messaging server is not present for some time, this might result in inconsistencies. Thus we recommend using the "identity" mode. Password policies are ignored.

    • identity (default) – Passwords are not stored in the DirX Identity store directly. Instead, Web Center sends a message to the event manager that performs this task later on.

The password mode may affect the visibility of menu items in Web Center’s navigation bar.

Popup Window Scripts

For security reasons, the list of script files to be included in popup window pages is no longer directly taken from an HTTP request parameter but defined on the server instead. The HTTP request specifies only the script list identifier.

  • scriptList.tree – The scripts to be included in tree windows.

  • scriptList.roleParams – The scripts to be included in role parameter windows.

Privilege Assignments

Available Privileges Filter

Assigning privileges to business objects is not subject to approval. This means that users always inherit privilege assignments via business objects without approval. Therefore, Web Center by default allows assigning only those privileges to business objects that are not subject to approval when directly assigned to users. This is achieved via the additional filter (dxrNeedsApproval=false) that applies whenever Web Center searches for privileges assignable to business objects.

  • assignPrivilegesToBO.additionalFilter – An additional filter to be applied when searching for privileges assignable to business objects.

Request Reason

On assigning or withdrawing privileges, the requestor can enter a reason. The reason is then displayed later on to potential approvers. You can enable or disable the reason field for specific types of assignment pages.

  • requestReason.addUsers.enabled – Display the reason field when adding one or more users to a privilege (true).

  • requestReason.removeUsers.enabled – Display the reason field when removing one or more users from a privilege (true).

  • requestReason.assignPrivilegesToBO.enabled – Display the reason field when assigning privileges to or withdrawing privileges from a business object (true).

  • requestReason.assignPrivilegesToPrivilege.enabled – Display the reason field when assigning privileges to or withdrawing privileges from a role or permission (true).

  • requestReason.assignPrivilegesToUser.enabled – Display the reason field when assigning privileges to or withdrawing privileges from a user (true).

Search Panel Configuration

Some default search panel settings. The settings may be overwritten per search panel in tiles-defs.xml files.

  • searchFilterConjunctions – The conjunctions available in search panels:

  • and;or – Both conjunctions are selectable; default conjunction is “and”.

  • or;and – Both conjunctions are selectable; default conjunction is “or”.

  • and – The only filter conjunction is “and”.

  • or – The only filter conjunction is “or”.

    Default: and;or.

  • searchFilterCriteriaCount – The number of search filter rows. If the number of rows is 0, a single row is displayed initially, and rows may be added or deleted via respective buttons. If the number is greater than 0, exactly that number of rows is displayed while adding and deleting rows is disabled. Default: 0.

  • searchFilterOperands – The operands to be selectable in the operands combo box. The operands vary with the filter attribute. The supported operands are beginsWith, contains, endsWith, equals, greaterOrEqual, lessOrEqual, and isPresent, and their negated counterparts, like not.contains. Each operand may be followed by the key of its label, and the applicable attribute types, like date, time, number, bool, list, text, noSubs, sublink and all. Default: beginsWith;contains;endsWith;equals::all; greaterOrEqual::date,time,number;lessOrEqual::date,time,number;isPresent::all.

Similar configuration parameters apply to search panels on assignment pages.

  • searchFilterCriteriaCountForAssignments – The number of search filter rows. Default: 1.

  • searchFilterConjunctionsForAssignments – The conjunctions available in search panels. Default: and;or.

  • searchFilterOperandsForAssignments – The operands to be selectable in the operands combo box. Default: beginsWith;contains;endsWith;equals::list;isPresent::list.
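The following is an added example (not Web Center code) that parses the value format of searchFilterOperands and searchFilterOperandsForAssignments described above and selects the operands offered for a given attribute type. The entry form operand[:labelKey[:type,type,...]] is inferred from the examples; treating an omitted type list like "all" is an assumption, and the page defaults are the only non-constructed values.

```javascript
// Default values copied from the configuration description above.
const DEFAULT_OPERANDS =
  "beginsWith;contains;endsWith;equals::all; greaterOrEqual::date,time,number;" +
  "lessOrEqual::date,time,number;isPresent::all";
const DEFAULT_ASSIGNMENT_OPERANDS =
  "beginsWith;contains;endsWith;equals::list;isPresent::list";

// Operand names supported by the page; "not." prefixes a negated counterpart.
const KNOWN_OPERANDS = new Set([
  "beginsWith", "contains", "endsWith", "equals",
  "greaterOrEqual", "lessOrEqual", "isPresent",
]);

// Each entry is operand[:labelKey[:type,type,...]] (inferred from the examples).
// An omitted type list is treated like "all" (assumption). Unknown operands are
// rejected so that a typo in the properties file is caught when the spec is read.
function parseOperandSpec(spec) {
  return spec
    .split(";")
    .map((s) => s.trim())          // the default value contains "; " after "all"
    .filter((s) => s.length > 0)
    .map((entry) => {
      const [operand, labelKey = "", typeList = ""] = entry.split(":");
      const base = operand.startsWith("not.") ? operand.slice(4) : operand;
      if (!KNOWN_OPERANDS.has(base)) throw new Error(`unsupported operand: ${operand}`);
      const types = typeList ? typeList.split(",").map((t) => t.trim()) : ["all"];
      return { operand, negated: base !== operand, labelKey: labelKey || null, types };
    });
}

// The operands the combo box offers for a filter attribute of the given type.
function operandsFor(spec, attrType) {
  return parseOperandSpec(spec)
    .filter((e) => e.types.includes("all") || e.types.includes(attrType))
    .map((e) => e.operand);
}

console.log(operandsFor(DEFAULT_OPERANDS, "text"));
console.log(operandsFor(DEFAULT_ASSIGNMENT_OPERANDS, "text"));
```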

Scheduled Change Management

Scheduled change management lets you perform operations that become effective only on some future date. Web Center displays a control to set the due date alongside page submit buttons. You can enable or disable the control per operation type.

  • dueDate.enabled – A general switch to enable (true) or disable (false) the due date control. If disabled, the control is never displayed. If enabled, the display depends on the operation specific switches. Default: true.

  • dueDate.assign.enabled – Enables (true) or disables (false) the due date control for assignment forms. Default: true.

  • dueDate.create.enabled – Enables (true) or disables (false) the due date control for create forms. Default: true.

  • dueDate.createOrModify.enabled – Enables (true) or disables (false) the due date control for forms that may perform both modify and create operations. Default: true.

  • dueDate.delete.enabled – Enables (true) or disables (false) the due date control for delete forms. Default: true.

  • dueDate.modify.enabled – Enables (true) or disables (false) the due date control for modify forms. Default: true.

Note that the due date operation type of a form is defined by the label key of the due date control in the respective form-bean configuration or, for delete operations, in the respective menu configuration.

Single Sign-On

When a user logs in to Web Center with name and password, Web Center checks the user’s password status attributes (reset flag, expiry date) and takes appropriate actions in case the password must be reset or is about to expire.

In case of single sign-on, the checks are disabled by default. Use this parameter to activate the checks for SSO authentications.

  • ssoCheckPwdStatus – Whether to check password status (true) or not (false) in case of single sign-on. Default: false.

A single sign-on request fails if the provided single sign-on user data cannot be mapped to a user in the DirX Identity user database. In that case, Web Center falls back to the standard login page with username and password. Alternatively, you can instruct Web Center to reject the request altogether.

  • ssoFallbackToLoginPage – Whether to display the standard login page (true) or to reject the request (false). Default: true.

A single sign-on component may propagate the user language to Web Center via an HTTP request parameter.

  • languageParameterName – The name of the HTTP request parameter.

Size Limits

The general size limit for searching the affected users of a privilege.

  • listPrivilegeUsers.sizelimit – The size limit. Default: 500.

The size limit for searching the affected users of a privilege when generating reports. This limit applies only if the general size limit is 0.

  • report.sizelimit – The size limit. Default: 1000.

The size limit for searching roles while searching the affected users of a role.

  • roles.sizelimit – The size limit. Default: 500.

The size limit for listing children of an entry in a tree view.

  • listChildren.sizelimit – The size limit. The default value is the general LDAP search size limit configured at the domain.

SoD Violations

Web Center can display SoD violations reported by an external SoD provider. The list of providers is extendable.

  • externalSODViolationProviders – A comma-separated list of SoD providers. For each provider, the list must contain the Java class required to access the provider; note that the class must implement a specific Java interface.

Static Resources

This section comprises some parameters to customize static resources like icons and logos. The file and folder names must be specified relative to the application’s document root folder (no leading slash).

  • resourceFavicon – The application’s favorite icon. Browsers display the icon in their address bar or along with bookmarks to the application. Windows displays the icon along with links from the file system to the application. Usually: ./resources/images/logos/DirXIdentity.ico.

  • resourceFolder – The resource folder name. The folder depends on the DirX Identity build version so that new resources are automatically loaded to the clients after upgrades. Usually ./resources/<build>.

  • resourceLogo – The file name of the company logo. Usually: ./resources/images/logos/logo.png.

Another set of parameters specifies the file encodings of language specific HTML text snippets in the folder WEB-INF/resources/languages/language. By default, Web Center reads these files with the default Java file encoding.

  • resources.html.fileEncoding.language – The file encoding of the HTML text snippets for language language, for example

  • resources.html.fileEncoding.de = ISO-8859-1

  • resources.html.fileEncoding.en = ISO-8859-1

  • resources.html.fileEncoding.ja = UTF-8

Struts

The Struts Validator Plug-In is disabled by default for security reasons.

  • struts.validator.enabled – Whether the validator is enabled (true) or not (false). Default: false.

Style Sheets

The Web Center style sheets are delivered in 3 variants with different font sizes.

  • availableStyles – The comma separated list of all available styles (small,medium,large).

  • defaultStyle – Selects the default style sheet variant (small, medium, or large).

A user may select a different style sheet, which is then stored in the login cookie that is permanently stored in the browser until the cookie expires. The cookie overrides the default style on subsequent requests.

Utility Bar

The parameters define which components to display in the utility bar on each page.

  • utilityBar – Whether to display the utility bar (true) or not (false). If not, no utility is visible. Default: true.

  • utilityNavigationHistory – Whether to display the navigation history in the utility bar (true) or not (false). Default: true.

  • utilityQuickSearch – Whether to display the quicksearch utility (true) or not (false). Default: true.

  • utilityAdvancedSearch – Whether to display the advanced search link (true) or not (false). Default: true.

Workflows and Task List

A global DirX Identity flag lets you specify whether approvers can change data on approval pages. To implement this feature, Web Center must be able to distinguish approval activities from other ones:

  • tasks.approvalActivityTypes – The comma separated list of approval activity types. Usually: approveCreate,approveModification,approveAssignment.

The next group of parameters controls how a user’s task list works:

  • tasks.sizeLimit – The maximum number of entries to be displayed in a task list. Minimum: 1. Default: 100.

  • tasksAutoOpenNext – Whether to go back to the task list when the user has completed a task (false), or whether to automatically open the next task (if any) (true). Default: false.

  • tasksAutoOpenSingle – If a user opens his task list and the list contains just a single task, open the task (true) or display the task list (false). Note that when the task is opened automatically the user is not able to perform list context menu operations (like change participant) on the task. Default: false.

  • tasksShowOkMessageOnCompletion – Whether to display a message on successful task completion (true) or not (false). Default: false.

Another parameter defines whether the content of an approval activity which is part of a self-registration workflow is always editable even when the read-only flag at the approval activity is set:

  • tasks.selfRegistration.approvalContent.alwaysEditable – The content is always editable (true) or is editable only if the read-only flag isn’t set (false). Default: false.

Web Center takes the labels for the attributes of an enterAttributes or approveCreate activity by default from file text.properties, while labels configured in the activity definition are ignored. To change the default behaviour use the flag

  • tasks.useLabelsFromDefinition – Whether to use the labels from the activity definition (true) or not (false). Default: false.

The next parameters affect the display of workflow lists:

  • workflowListPeriod – Display successfully finished or failed workflows only if their end dates do not date back more than the number of days specified here. Default: 14.

  • workflowListSizeLimit – The client-side size limit for a workflow list; specify 0 for unlimited. Default: 250.

The next parameter affects the display of workflow details pages:

  • workflow.details.showCancelledActivities – Whether to show cancelled activities in the list of finished activities (true) or not (false). Default: false.

The following parameters serve to exclude workflow definitions from create object workflow definition lists.

  • workflows.create.objectType.exclude – Exclude items matching the conditions.

  • workflows.create.objectType.include – Exclude items not matching the conditions.

Each condition defines a regular expression to be matched by the name, description, approve or path of workflow definitions: name:expression, description:expression or path:expression. Conditions are separated by semicolons.

When assigning privileges to a user or to another privilege or when assigning a privilege to a list of users, Web Center generates a correlation ID and stores it in the context of all approval workflows triggered by the assignments. The correlation ID can then be used to identify approval workflows which originated from the same action in Web Center:

  • workflowCorrelationIdName – The name of the workflow context attribute for the correlation ID. The default name is correlationId. The name none disables correlation IDs.

The webCenter-FileUpload.properties File

A set of parameters that control how Web Center’s file upload feature operates. For details, see the related Use Case document.

The paths.properties File

The file paths.properties contains a couple of action and JSP lists. The lists were defined in checkSession.jsp in previous versions but have been moved to a separate configuration file for easier adaptation.

For customizations, create a new file pathsCustom.properties in the WEB-INF/config folder, copy the properties you want to customize to the new file and change their values there. Settings in pathsCustom.properties take precedence over those in webCenter.properties.

cancel

Actions and JSPs cancelling an operation. Used to avoid annoying “Your session is invalid” messages.

challengeResponse

Actions and JSPs allowed while trying to login via challenge/response.

forcePasswordChange

Actions and JSPs allowed while a user is forced to change his password.

initial

Initial actions and JSPs not presuming a valid session.

selfRegistration

Actions and JSPs allowed during user self-registration.

Client-side Configuration File config.js

The file defines a Javascript object with parameters to control the behavior of some user interface components. The object is composed of sub objects which comprise sets of related configuration parameters.

The file is located in folder resources/<build>/config.

The file is evaluated in Javascript code running in browsers; updates to the file require a browser refresh to take effect.

Access to the configuration parameters in Javascript files is provided by the method config.get, that is config.get("dn.delim").

Distinguished Names

The sub object with name dn controls how distinguished names are represented in the user interface. For details, see the chapter on DN representation in the DirX Identity Web Center Customization Guide.

Parameters
  • delim – The delimiter between adjacent nodes. Default: ", " (a comma, followed by a space).

  • excludeTopNodes – The number of top nodes to be excluded from the representation. Default: 1.

  • oldStyle – Whether to use the traditional DN representation; if true all other configuration parameters are ignored. Default: false.

  • prefix – A prefix for the representation. Default: "" (the empty string).

  • reversed – Whether to list the nodes in reversed order (from top to bottom). Default: false.

  • types – Whether to display namepart types. Default: false.

  • shortFom.ellipsis – An appendix to the representation indicating an abbreviated form. Default: " ..." (a space, followed by three dots).

  • shortFom.includeNodes – The nodes to be included in the representation. Default: "[0,1]".
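An added example, not part of the product's code, showing how the dn parameters above can drive a DN formatter in the browser. The parameter semantics are my reading of the descriptions (the authoritative rendering is in the Customization Guide); the config object, the config.get lookup and the sample DNs are constructed, and shortFom.includeNodes is assumed to index the list of nodes that remain after excluding top nodes.

```javascript
// Constructed config object mirroring the "dn" sub object described above;
// get() imitates config.get("dn.delim") style dotted access.
const config = {
  dn: {
    delim: ", ",
    excludeTopNodes: 1,
    oldStyle: false,
    prefix: "",
    reversed: false,
    types: false,
    shortFom: { ellipsis: " ...", includeNodes: "[0,1]" },
  },
  get(path) {
    return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), this);
  },
};

// Split an LDAP DN into {type, value} nodes, leaf first, honouring
// backslash-escaped separators such as "cn=Doe\, John".
function parseDn(dn) {
  const raw = [];
  let cur = "";
  for (let i = 0; i < dn.length; i++) {
    const c = dn[i];
    if (c === "\\" && i + 1 < dn.length) { cur += c + dn[++i]; continue; }
    if (c === ",") { raw.push(cur); cur = ""; continue; }
    cur += c;
  }
  raw.push(cur);
  return raw.map((n) => {
    const eq = n.indexOf("=");
    if (eq < 0) throw new Error(`malformed DN node: ${n}`);
    return { type: n.slice(0, eq).trim(), value: n.slice(eq + 1).trim().replace(/\\(.)/g, "$1") };
  });
}

// Render a DN for display; short=true applies the shortFom.* settings.
function formatDn(dn, short = false) {
  if (config.get("dn.oldStyle")) return dn;      // traditional form, other settings ignored
  let nodes = parseDn(dn);
  const drop = Math.min(config.get("dn.excludeTopNodes"), nodes.length);
  nodes = nodes.slice(0, nodes.length - drop);   // top nodes are at the end of the DN string
  if (config.get("dn.reversed")) nodes = nodes.reverse();
  let truncated = false;
  if (short) {
    const keep = new Set(JSON.parse(config.get("dn.shortFom.includeNodes")));
    const subset = nodes.filter((_, i) => keep.has(i));
    truncated = subset.length < nodes.length;
    nodes = subset;
  }
  const showTypes = config.get("dn.types");
  const parts = nodes.map((n) => (showTypes ? `${n.type}=${n.value}` : n.value));
  return config.get("dn.prefix") + parts.join(config.get("dn.delim")) +
    (truncated ? config.get("dn.shortFom.ellipsis") : "");
}

// Constructed sample DN.
const SAMPLE_DN = "cn=John Doe,ou=Users,o=My-Company,cn=My-Company";
console.log(formatDn(SAMPLE_DN));        // John Doe, Users, My-Company
console.log(formatDn(SAMPLE_DN, true));  // John Doe, Users ...
```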

Forms

The sub object with name forms defines some form behavior.

Parameters
  • blockInvalid – Whether to block submission of a form if mandatory form fields are still empty or invalid input has been entered into some form field. Default: true.

  • oneTime – Whether to block additional submissions on first form submission. Default: true.

  • tabIndexForScrolling – Whether multiline read-only fields (like text areas) are included in the tab order if their content is not completely visible. Default: true.

  • validate – Whether to activate client-side form input validation. Default: true.

InvalidInput

The sub object with name invalidInput sets a property of the message that is displayed on detection of invalid input fields:

Parameters
  • maxFields – The maximum number of input fields for which a detailed error message is displayed. This prevents the error message window height from exceeding the screen height, in which case the window would not be properly operable. Default: 5.

RoleParams

The sub object with name roleParams defines some properties of role parameter windows.

Parameters
  • height

  • base – The base role parameter window height, that is the height without all the parameters (in pixels). Default: 40.

  • mv – The additional height for each multi-valued parameter of type other than hierarchical DN. Default: 90.

  • mv1 – The additional height for each multi-valued parameter of type hierarchical DN. Default: 144.

  • sv – The additional height for each single-valued role parameter. Default: 90.

  • ffMin – The minimum window height (in pixels). Note that Firefox doesn’t display too small a window nicely. The parameter is ignored in Internet Explorer. Default: 0.

  • width – The tree window width (in pixels). Default: 820.

  • props – The role parameter window features, like scrollbars and resizable. See the Javascript function Window.open for details. Default: "scrollbars=1".

Tables

The sub object with name table defines some table features.

Parameters
  • alwaysShowInfo – Whether to show the number of entries found as well as first and last entry index of the currently displayed page even if a table consists of a single page only. Default: false.

  • defPageSize – The default page size for paged tables. The default size is usually overridden by per-table settings in a tiles-defs.xml or forms-config.xml. Default: 15.

  • maxPageSize – The maximum page size for paged tables. Overrides per-table sizes that exceed the maximum size. Default: 1000.

Trees

The sub object with name tree defines some tree window features.

Parameters
  • height – The tree window height (in pixels). Default: 400.

  • width – The tree window width (in pixels). Default: 600.

  • props – The tree window features, like scrollbars and resizable. See the Javascript function Window.open for details. Default: "scrollbars=1".

Asynchronous Requests

On most events, Web Center sends a synchronous HTTP request to the server, which leads to an update of the entire page. For some events, however, Web Center can be alternatively configured to send asynchronous requests that update the content area only.

The sub object with name async defines some settings for these asynchronous requests.

Parameters
  • displayMessage – Whether to display a message in case a request to update the content area was blocked (true) or not (false). Default: false.

  • enabledForSelect – Whether to send asynchronous (true) or synchronous (false) requests on clicking on an entry in a list. Default: false.

  • enabledForMenu – Whether to send asynchronous (true) or synchronous (false) requests on selection of functions in the main menu. Default: false.

  • exclusive – Whether simultaneous requests to update the content area are blocked (true) or admitted (false). Default: false.

  • maxSyncScriptsTime – Scripts included in renderer code snippets are loaded asynchronously if the snippet code itself is loaded via an asynchronous request. You can define the maximum time (milliseconds) to wait for the script to be loaded. Default: 60000.

Asynchronous Requests: Visualizing Ongoing Requests

The sub object with the name loading defines some parameters of asynchronous request loading. While waiting for the response to an asynchronous request Web Center displays a small animated image in the top left corner of the browser page in order to visualize the ongoing request to the user. The animated image consists of a sequence of sub images that are displayed in round-robin fashion at a fixed rate.

Parameters
  • enabled – Enables or disables the animation. Default: true.

  • interval – The time (in milliseconds) after which a sub image is replaced by the next one. Default: 500.

  • numImages – The number of sub images; don’t change unless you provide a customized animation. Default: 8.

Context Menu

The sub object with name ctxMenu defines context menu settings.

Parameters
  • restrictSelection – A function in the context menu of an entry list may be applicable to a subset of all entries only (for example Task list / Approve). In that case, a button displayed along with the function name in the context menu lets you restrict the current entry selection to the entries the function is applicable to. Use this flag to enable (true) or disable (false) this feature, i.e. to turn on or off button visibility. Default: true.

  • selectAll – A function in the context menu of an entry list may be applicable to a subset of all entries only (for example Task list / Approve). In that case, a button displayed along with the function name in the context menu lets you select all entries the function is applicable to while deselecting all other items. Use this flag to enable (true) or disable (false) this feature, i.e. to turn on or off button visibility. Default: true.

  • selectRow – Right-clicking an entry in a list opens the context menu. This flag lets you specify whether the entry also gets selected (true) or not (false). Default: false.

  • timeout – If a user selects the context menu button on a table for which no context menu is defined, Web Center displays a respective hint in a small message box. The box closes automatically after the time (in milliseconds) specified here. Default: 3000.

Key Handling

The sub object with name keys defines a key handling feature.

Parameters
  • disableBackSpace – Browsers use the backspace key as a shortcut for the back button, which redisplays the previously displayed page. This may confuse or annoy users when they hit the key inadvertently while filling out a form. Therefore, Web Center disables the backspace key on form fields when appropriate. Use this parameter to enable or disable the feature. Default: true.

Window Features

The sub object with name target defines features of windows opened by Web Center.

Parameters
  • help – Defines features of the help window. See the relevant chapter in the Web Center Customization Guide for details.

  • key – The key for opening the help window or bringing the help window to the front.

  • props – The list of window features.