source: main/trunk/ibisph-view/src/main/webapp/WEB-INF/config/spring/common.xml @ 22165

Last change on this file since 22165 was 22165, checked in by GarthBraithwaite_STG, 5 months ago

view - css: more margin bottom std, width control. Updated common.xml cookie notes. xsd tweaks for QM. DataViz?.xslt split out leaflet js includes to be more modular. Changed DialogWindow?.xslt div to html5 dialog. Few more div to sections. QM builder added links to the page options.

1<?xml version="1.0" encoding="UTF-8"?>
2
3<!--
4        IBIS-PH View System's common Spring properties. This Spring application
5        context file contains properties that are commonly used by more than one module/
6        packages within the system.  These common properties include core base
7        XML/XSLT paths and other resources used by the apps controllers.
8
9        PROPERTY USAGE NOTES:
10        <property name="someName"><null/></property>
11        <property name="someName" value="${some_system_property_name}"/>
12        <value type="xyz.abc">  Beans can't have a type.
13
14        If property starts with all CAPS - something like XMLPath which has a setter
15        like setXMLPath then the property needs to be name="XMLPath" (the bean naming
16        more than one first letters capped rule) otherwise it's lowercase then mixed
17        case like normal properties.
18
19        Use the "parent" attribute for child objects that are of the same type.  This basically
20        does a clone on an object so that the existing parent object's objects are copied
21        to the child - thus providing a populated base class that all child objects can
22        be implicitly populated without explicitly setting the properties.
23
24        PATH CONVENTION:
25        All paths shall have a trailing "/".  Sub paths should never have a leading "/"
26        but will always have the trailing "/".  Base paths can have a leading "/" as
27        this represents the root of the file system.
28-->
29
30<beans default-lazy-init="false" default-autowire="no"
31        xmlns="http://www.springframework.org/schema/beans"
32        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
33        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd"
34>
35        <!--  C O N T E X T S   A N D   P A T H S -->
36        <!-- NOTE: Spring 3.0 provides a default servlet context bean that can be
37                used to access ServletContext properties via EL: #{servletContext.servletContextName}.
38        -->
<bean class="org.ibisph.model.StringHolder" id="commonContentBasePath">
    <description>
        Root location of all published content (docs, pdfs, xml, json, etc.).
        The value may be a complete URL or a path relative to the webapp's
        context.  It is not used as-is: the commonContentBasePathURL bean
        turns it into an explicit URL, and that URL is the basis for all
        content requests.
    </description>
    <!-- Shipped default is the empty string. -->
    <constructor-arg value=""/>
</bean>
<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean"
      id="commonContentBasePathURL">
    <description>
        Explicit (full) form of the "Content" base path.  When the
        commonContentBasePath string is not already a URL it is processed
        against the webapp's context path and returned as a URL, which is one
        of the input forms the XML/XSLT translation is able to process.
    </description>
    <!-- Bean value = commonContextAndPathService.getPathURL(content base path). -->
    <property name="targetObject">
        <ref bean="commonContextAndPathService"/>
    </property>
    <property name="targetMethod" value="getPathURL"/>
    <property name="arguments">
        <list>
            <value>#{commonContentBasePath.string}</value>
        </list>
    </property>
</bean>
<!-- Published XML: content base path + "xml/", resolved through getPathURL. -->
<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean"
      id="commonXMLBasePathURL">
    <property name="targetObject">
        <ref bean="commonContextAndPathService"/>
    </property>
    <property name="targetMethod" value="getPathURL"/>
    <property name="arguments">
        <list>
            <value>#{commonContentBasePath.string}xml/</value>
        </list>
    </property>
</bean>

<!-- "Restricted" XML: content base path + "WEB-INF/xml/".
     NOTE(review): a servlet container does not serve WEB-INF/ directly, which
     is presumably what makes this location restricted.  That protection only
     applies while commonContentBasePath resolves inside this webapp.  If the
     content base is ever pointed at an external URL, access control for
     .../WEB-INF/xml/ is whatever that server enforces.  Confirm before
     relocating content, since this path backs the restricted document DAO. -->
<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean"
      id="commonRestrictedXMLBasePathURL">
    <property name="targetObject">
        <ref bean="commonContextAndPathService"/>
    </property>
    <property name="targetMethod" value="getPathURL"/>
    <property name="arguments">
        <list>
            <value>#{commonContentBasePath.string}WEB-INF/xml/</value>
        </list>
    </property>
</bean>

<!-- Stylesheets: fixed "xslt/" path.  Unlike the two beans above this one does
     not include commonContentBasePath, so the stylesheet location does not
     move when the content base is reconfigured. -->
<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean"
      id="commonXSLTBasePathURL">
    <property name="targetObject">
        <ref bean="commonContextAndPathService"/>
    </property>
    <property name="targetMethod" value="getPathURL"/>
    <property name="arguments">
        <list>
            <value>xslt/</value>
        </list>
    </property>
</bean>
76
<bean class="org.ibisph.model.StringHolder" id="commonWebAppBaseRequestPath">
    <description>
        Base application request URL path injected into the
        commonWebAppBasePathModelMap.  The XSLT code uses it as a prefix when
        building full, explicit app and content request paths.

        The value is optional.  It is only required when the default internal
        servlet request URL is not sufficient to get HTTP requests to the
        webapp (i.e. when the webapp is behind a proxy etc.).  When specified
        it MUST be the complete root URL prefix: protocol, server name/address
        (with port if applicable), and the outside application context path.
        If the value is blank (default) then the webapp's servlet and context
        path is used (via commonWebAppBasePathModelMap).
    </description>
    <!-- NOTE(review): the default below is the two-character string '' and
         not an empty attribute value as used for commonContentBasePath.
         Presumably the consumer treats '' as blank; confirm, because a
         non-blank prefix would be prepended to every generated link. -->
    <constructor-arg value="''"/>
</bean>
94
95
96        <!-- F I L E   S E R V I C E S -->
<!-- Path/context helper.  It is the targetObject whose getPathURL method the
     *BasePathURL factory beans in this file invoke. -->
<bean class="org.ibisph.web.ContextAndPathService" id="commonContextAndPathService"/>
98
<bean class="org.ibisph.model.URLPathGetModelService" id="commonXMLFilePathModelService">
    <description>
        Main component of the primary model for most view app requests, which
        are XML/XSLT transformations.  The transformation input can be a
        parsed XML document, a complete XML string, or a URI string holding
        the complete path and name of an XML file.  For most requests the
        primary XML file is specified as part of the request URL, and each
        model map is coded/configured to determine a specific XML file.  This
        service is constructed with a base file path URL; a model map uses it
        to concatenate that base path with its own more specific filename,
        giving the complete XML file path and name used in the transformation.
    </description>
    <!-- NOTE(review): the file name is request-influenced (see description)
         and this is the non-"Verified" service class.  What the Verified
         variant checks is not visible here; confirm that model maps using
         this bean constrain the name to stay under basePath, or switch them
         to commonVerifiedXMLFilePathModelService. -->
    <property name="basePath">
        <ref bean="commonXMLBasePathURL"/>
    </property>
</bean>

<!-- Same XML base path, served through the Verified service class. -->
<bean class="org.ibisph.model.VerifiedURLPathGetModelService"
      id="commonVerifiedXMLFilePathModelService">
    <property name="basePath">
        <ref bean="commonXMLBasePathURL"/>
    </property>
</bean>

<!-- Stylesheet lookups: Verified service class over the XSLT base path. -->
<bean class="org.ibisph.model.VerifiedURLPathGetModelService"
      id="commonXSLTFilePathModelService">
    <property name="basePath">
        <ref bean="commonXSLTBasePathURL"/>
    </property>
</bean>
121
<bean class="org.ibisph.xml.service.FileStoredDocumentDAO" id="commonDocumentDAOService">
    <description>
        Local disk based document get, save, delete service.  It also
        implements GetModelService, so get(filename) works and this bean can
        stand in for commonXMLFilePathModelService when an actual XML document
        is wanted.

        SPEED NOTE: the result is a "DOM4j DOCUMENT".  As such it *MIGHT* be
        best to use this for a model only when the XML needs to be traversed
        etc.  Speed appears to be slower compared to having the XSLT access a
        file via the "document()" call.
    </description>
    <property name="basePath">
        <ref bean="commonXMLBasePathURL"/>
    </property>
    <!-- Text is escaped on save; keep this on wherever saved values can
         contain user-entered text. -->
    <property name="escapeTextWhenSaving" value="true"/>
    <property name="dateFormat">
        <ref bean="commonDateFormat"/>
    </property>
    <property name="outputFormat">
        <ref bean="commonXMLOutputFormat"/>
    </property>
</bean>

<bean class="org.ibisph.xml.service.FileStoredDocumentDAO"
      id="commonRestrictedDocumentDAOService">
    <description>
        "Restricted" disk based document get, save, delete service.  Mainly
        used for the user profile XML files.
    </description>
    <!-- Differs from commonDocumentDAOService only in its base path, which is
         the WEB-INF/xml/ location. -->
    <property name="basePath">
        <ref bean="commonRestrictedXMLBasePathURL"/>
    </property>
    <property name="escapeTextWhenSaving" value="true"/>
    <property name="dateFormat">
        <ref bean="commonDateFormat"/>
    </property>
    <property name="outputFormat">
        <ref bean="commonXMLOutputFormat"/>
    </property>
</bean>
149
150
151        <!--  L O C A L S,  D A T E,  F O R M A T S  -->
<!-- Locale built from language "en" and country "US"; referenced by the
     SimpleDateFormat beans in this file. -->
<bean class="java.util.Locale" id="commonLocale">
    <constructor-arg>
        <value>en</value>
    </constructor-arg>
    <constructor-arg>
        <value>US</value>
    </constructor-arg>
</bean>
156
157        <!-- Date Format Patterns:
158                To specify the time format use a time pattern string. In this pattern, all
159                ASCII letters are reserved as pattern letters, which are defined as the following:
160               
161                 Symbol   Meaning                 Presentation        Example
162                 ======   =====================   =================   ===================
163                 G        era designator          (Text)              AD
164                 y        year                    (Number)            1996
165                 M        month in year           (Text & Number)     July & 07
166                 d        day in month            (Number)            10
167                 h        hour in am/pm (1~12)    (Number)            12
168                 H        hour in day (0~23)      (Number)            0
169                 m        minute in hour          (Number)            30
170                 s        second in minute        (Number)            55
171                 S        millisecond             (Number)            978
172                 E        day in week             (Text)              Tuesday
173                 D        day in year             (Number)            189
174                 F        day of week in month    (Number)            2 (2nd Wed in July)
175                 w        week in year            (Number)            27
176                 W        week in month           (Number)            2
177                 a        am/pm marker            (Text)              PM
178                 k        hour in day (1~24)      (Number)            24
179                 K        hour in am/pm (0~11)    (Number)            0
180                 z        time zone               (Text)              Pacific Standard Time
181                 '        escape for text         (Delimiter)
182                 ''       single quote            (Literal)           '
183               
184                Examples Using the US Locale:
185               
186                Format Pattern                    Result
187                ==============================    ======================================
188                "yyyy.MM.dd G 'at' hh:mm:ss z"    1996.07.10 AD at 15:08:56 PDT
189                "EEE, MMM d, ''yy"                Wed, July 10, '96
190                "h:mm a"                          12:08 PM
191                "hh 'o''clock' a, zzzz"           12 o'clock PM, Pacific Daylight Time
192                "K:mm a, z"                       0:00 PM, PST
193                "yyyyy.MMMMM.dd GGG hh:mm aaa"    1996.July.10 AD 12:08 PM
194               
195                "dd.MM.yy"                        09.04.98
196                "H:mm"                            18:15
197                "H:mm:ss:SSS"                     18:15:55:624
198                "K:mm a,z"                        6:15 PM,PDT
199
200                Serial Number: yyyy-MM-dd-HH-mm-ss-SS
201        -->
<!-- NOTE(review): java.text.SimpleDateFormat is not synchronized.  These
     beans are injected into several other beans in this file, so one
     formatter instance can be reached from concurrent requests.  Whether the
     consuming classes synchronize or clone before use is not visible here;
     confirm, since unsynchronized sharing can yield corrupted dates. -->

<!-- General display/storage format, e.g. day name, day, month, year, time, zone. -->
<bean class="java.text.SimpleDateFormat" id="commonDateFormat">
    <constructor-arg value="EEE, d MMM yyyy HH:mm:ss z"/>
    <constructor-arg type="java.util.Locale">
        <ref bean="commonLocale"/>
    </constructor-arg>
</bean>

<!-- "Serial number" timestamp pattern named for backup files. -->
<bean class="java.text.SimpleDateFormat" id="commonBackupFileDateSerialNumberDateFormat">
    <constructor-arg value="yyyy-MM-dd-HH-mm-ss-SS"/>
    <constructor-arg type="java.util.Locale">
        <ref bean="commonLocale"/>
    </constructor-arg>
</bean>
210
211
212        <!--  M O D E L   M A P   R E S O U R C E S -->
<!-- Current-user lookup service; injected into commonUserProfileModelMap. -->
<bean class="org.ibisph.user.service.CurrentUser" id="commonCurrentUserService"/>

<!-- Single definition of the model map key ("XML") under which the primary
     XML model is stored; other beans read it via SpEL. -->
<bean class="org.ibisph.model.StringHolder" id="commonXMLModelMapKey">
    <constructor-arg value="XML"/>
</bean>
218
<bean class="org.ibisph.modelmap.SimpleGetModelMap" id="commonSimpleBlankXMLModelMap">
    <description>
        XML model map for those XSLT/XML transformations where an XML
        document/file does not exist, like the user/* pages.
    </description>
    <property name="modelMapKey" value="#{commonXMLModelMapKey.string}"/>
    <!-- Fixed placeholder document; CDATA keeps the markup as literal text. -->
    <property name="model">
        <value><![CDATA[<?xml version="1.0" encoding="UTF-8"?><BLANK/>]]></value>
    </property>
</bean>

<bean abstract="true" id="commonXMLServiceModelMapProperties">
    <description>
        Core XML model map properties used by IP, Query, CP and other beans.
    </description>
    <!-- Abstract template: supplies the key and the file path model service
         to beans that name this one as their parent. -->
    <property name="modelMapKey" value="#{commonXMLModelMapKey.string}"/>
    <property name="getModelService">
        <ref bean="commonXMLFilePathModelService"/>
    </property>
</bean>
235
236
237        <!-- S T A T I C / C A C H E D   X M L   M O D E L   M A P S -->
238        <!-- The ModelFromFilePathAndNameService has an option to cache and clear
239                the cache XML docs.  As of 11/1/2018 the caching is not set.  At some
240                future point this caching can be set to true.  This should only be done
241                once a data admin publish request is implemented that clears the cached
242                XML doc object e.g. reloads it. 
243
244                Currently, because there is no mechanism to reload the cache when content
245                is published, this implementation is not efficient.  Previous versions used
246                the XSLT file/document.  It is now coded to use Java to load the doc for each
247                request simply so that future configurations and XSLT do not have to be
248                reworked.
249        -->
<!-- Each bean below exposes one published XML file, named by a fixed
     filePathAndName value and loaded through commonDocumentDAOService, under
     its own model map key. -->
<bean class="org.ibisph.modelmap.ModelFromFilePathAndNameService" id="commonAncillaryValuesModelMap">
    <description>Document version of the published AncillaryValues XML.</description>
    <property name="modelMapKey" value="AncillaryValues"/>
    <property name="getModelService" ref="commonDocumentDAOService"/>
    <property name="filePathAndName" value="ancillary_values.xml"/>
</bean>
<bean class="org.ibisph.modelmap.ModelFromFilePathAndNameService" id="commonDataSourcesModelMap">
    <description>Document version of the published DataSources XML.</description>
    <property name="modelMapKey" value="DataSources"/>
    <property name="getModelService" ref="commonDocumentDAOService"/>
    <property name="filePathAndName" value="data_sources.xml"/>
</bean>
<bean class="org.ibisph.modelmap.ModelFromFilePathAndNameService" id="commonDimensionsModelMap">
    <description>Document version of the published Dimensions XML.</description>
    <property name="modelMapKey" value="Dimensions"/>
    <property name="getModelService" ref="commonDocumentDAOService"/>
    <property name="filePathAndName" value="dimensions.xml"/>
</bean>
<bean class="org.ibisph.modelmap.ModelFromFilePathAndNameService" id="commonMeasuresModelMap">
    <description>Document version of the published Measures XML.</description>
    <property name="modelMapKey" value="Measures"/>
    <property name="getModelService" ref="commonDocumentDAOService"/>
    <property name="filePathAndName" value="measures.xml"/>
</bean>
<bean class="org.ibisph.modelmap.ModelFromFilePathAndNameService" id="commonValueTypesModelMap">
    <description>Document version of the published ValueTypes XML.</description>
    <property name="modelMapKey" value="ValueTypes"/>
    <property name="getModelService" ref="commonDocumentDAOService"/>
    <property name="filePathAndName" value="value_types.xml"/>
</bean>
<bean class="org.ibisph.modelmap.ModelFromFilePathAndNameService" id="commonValueAttributesModelMap">
    <description>Document version of the published ValueAttributes XML.</description>
    <property name="modelMapKey" value="ValueAttributes"/>
    <property name="getModelService" ref="commonDocumentDAOService"/>
    <property name="filePathAndName" value="value_attributes.xml"/>
</bean>
<bean class="org.ibisph.modelmap.ModelFromFilePathAndNameService" id="commonChartsModelMap">
    <description>Document version of the published Charts XML.</description>
    <property name="modelMapKey" value="Charts"/>
    <property name="getModelService" ref="commonDocumentDAOService"/>
    <property name="filePathAndName" value="charts.xml"/>
</bean>
<bean class="org.ibisph.modelmap.ModelFromFilePathAndNameService" id="commonMapsModelMap">
    <description>Document version of the published Maps XML.</description>
    <property name="modelMapKey" value="Maps"/>
    <property name="getModelService" ref="commonDocumentDAOService"/>
    <property name="filePathAndName" value="maps.xml"/>
</bean>
<bean class="org.ibisph.modelmap.ModelFromFilePathAndNameService" id="commonOrgUnitsModelMap">
    <description>
        Injects the XML doc.  This helps with speed as the doc is only
        read/parsed once.  The con of this approach is that the bean needs an
        event listener to reload when published.
    </description>
    <!-- NOTE(review): no cache-related property is set on this bean, and it
         is configured exactly like its siblings, so the "read once" behaviour
         described above may not be what is active; confirm. -->
    <property name="modelMapKey" value="OrgUnits"/>
    <property name="getModelService" ref="commonDocumentDAOService"/>
    <property name="filePathAndName" value="org_units.xml"/>
</bean>
308
309
310        <!-- P A T H   A N D   R E Q U E S T   M O D E L   M A P S -->
<bean class="org.ibisph.modelmap.SimpleGetModelMap" id="commonContentBasePathModelMap">
    <description>
        Used by Java code to access remote XML files (like query modules) and
        passed into the XSLT environment to dynamically access the secondary
        XML files (like community profile reports that loop a set of IPs) as
        well as leaflet map and kendo json files.  This value is injected into
        the common alternate model maps with a handle defined in /Page.xslt.
    </description>
    <!-- The model is the configured content base URL.  Because stylesheets
         use it to load further documents, it should only ever come from this
         configuration and never be combined with a base taken from request
         data. -->
    <property name="modelMapKey" value="ContentBasePath"/>
    <property name="model">
        <ref bean="commonContentBasePathURL"/>
    </property>
</bean>
322
<bean class="org.ibisph.web.modelmap.WebAppBaseRequestPathFromHTTPRequest"
      id="commonWebAppBasePathModelMap">
    <description>
        Complete remote/external webapp HTTP request base path prefix used to
        access internet content and webapp requests (e.g. the prefix used for
        all requests from a user's browser).  This model map is injected into
        all XSLT type page requests so that the code can build the explicit,
        fully qualified request paths for content and links.

        If the webappBaseRequestPath is blank then the value is built based on
        the first HTTP request's URL and optional injected properties.  The
        reason for building it from the first HTTP request is so that a real
        path is captured for use.

        Why needed?  IBIS is a build once, deploy many webapp.  The webapp can
        be deployed into different environments: local dev, stand alone
        server, or behind the recommended reverse proxy.  Request paths can't
        simply be root relative because the app can be deployed into a
        multiuse app server environment.  If a generic, hard coded context
        (ibisph-view) were used then all deployments would need "that"
        mapping.  The implemented solution for all non relative requests is to
        use a variable request prefix value.  This is more complex because all
        page request URLs must be prefixed with the value to reliably work.

        Issue: if the value is not specified (blank) and is built from the
        first HTTP request, and that first request is NOT the wanted value,
        then it is set wrong.  An example of this being a problem is a local
        dev environment where a developer also wants to access the app from
        another PC for testing.  The first request is made from the localhost,
        which results in a path "http://localhost/ibisph-view/".  When the
        request is made from the 2nd PC the page content will return but all
        links to other pages and resources (like css and graphic files) will
        not work.  The solution for this is to always access the webapp on the
        dev PC with the IP or the PC's DNS name.
    </description>
    <!-- NOTE(review): with a blank webappBaseRequestPath the prefix is taken
         from the first request and then reused for every later page.  The
         scheme and host of a request URL can originate from client- or
         proxy-supplied headers (depends on container and proxy settings not
         visible here), so whoever makes the first request influences the
         links all users receive.  For shared or production deployments set
         commonWebAppBaseRequestPath explicitly instead of relying on the
         first request. -->
    <property name="modelMapKey" value="WebAppBaseRequestPath"/>
    <property name="webappBaseRequestPath" value="#{commonWebAppBaseRequestPath.string}"/>
</bean>
360
<bean class="org.ibisph.web.modelmap.HTTPRequestParameters"
      id="commonHTTPRequestParametersModelMap">
    <description>
        Simple mechanism for passing URL request parameters to the XSLT code.
        Note that this does NOT differentiate between GET and POST, so it
        might have to be removed in some special cases, e.g. it is not needed
        for the query module builder post.
    </description>
    <!-- NOTE(review): every value exposed under this key is client-controlled.
         Stylesheets that write these values into HTML, attributes, script or
         URLs need normal output escaping left on; confirm none of them copy a
         parameter with output escaping disabled. -->
    <property name="modelMapKey" value="HTTPRequestParameters"/>
</bean>

<bean class="org.ibisph.web.modelmap.PathSegmentsFromHTTPRequest"
      id="commonHTTPRequestPathSegmentsModelMap">
    <description>
        Provides the path segments to the view.  This is needed for the
        context menu file name and the request path bread crumbs.
    </description>
    <!-- NOTE(review): the segments come from the request path and, per the
         description, feed a file name.  Confirm the consumer resolves that
         name through a verified path service and escapes the segments when
         rendering bread crumbs. -->
    <property name="modelMapKey" value="PathSegments"/>
</bean>
<!-- Reads a date from the primary XML model, using the XPaths listed below,
     and publishes it in commonDateFormat form under its own model map key. -->
<bean class="org.ibisph.modelmap.AddModelDateModelToModelMap" id="commonModifiedDateModelMap">
    <property name="sourceModelModelMapKey" value="#{commonXMLModelMapKey.string}"/>
    <!-- The key spelling "XMLModifedDate" is kept as is; presumably the
         stylesheets look it up by this exact name. -->
    <property name="formattedDateModelMapKey" value="XMLModifedDate"/>
    <property name="dateFormat">
        <ref bean="commonDateFormat"/>
    </property>
    <property name="sourceModelDateXPathList">
        <list>
            <value>LAST_MODIFIED</value>
            <value>MODIFIED_DATE</value>
        </list>
    </property>
</bean>

<!-- Exposes the current user's profile document under the "UserProfile" key. -->
<bean class="org.ibisph.user.modelmap.CurrentUserDocument" id="commonUserProfileModelMap">
    <property name="modelMapKey" value="UserProfile"/>
    <property name="currentUserService">
        <ref bean="commonCurrentUserService"/>
    </property>
</bean>
394
395
396        <!-- C O N T R O L L E R   R E S O U R C E S -->
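<bean id="commonNoCacheHTTPResponseHeaders"
      class="org.springframework.beans.factory.config.PropertiesFactoryBean">
    <description>
        Response headers that tell browsers and intermediate caches not to
        store or reuse a response.
    </description>
    <property name="properties">
        <props>
            <!-- Pragma and a past Expires date cover HTTP/1.0 era caches. -->
            <prop key="Pragma">no-cache</prop>
            <prop key="Expires">Fri, 12 Dec 1980 23:23:23 GMT</prop>
            <!-- Cache-Control must be ONE entry.  A props element is loaded
                 into java.util.Properties, which keeps a single value per
                 key, so a second Cache-Control prop replaces the first rather
                 than adding a header.  Listing post-check/pre-check separately
                 left only those legacy directives and dropped no-store and
                 no-cache, so all directives are combined here. -->
            <prop key="Cache-Control">no-cache, private, s-maxage=0, max-age=0, must-revalidate, proxy-revalidate, no-store, post-check=0, pre-check=0</prop>
        </props>
    </property>
</bean>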
410        <bean id="commonHTTPResponseHeaders" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
411                <description>
412                        common security headers.  See:
413                        https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/
414
415                        Note: ajax json requests are typically blocked by most browsers (CORS).
416                        e.g. file:, http:, https:, ftp: are not accepted if outside current
417                        domain when making a XMLHttpRequest. 
418                        see:
419                                http://www.html5rocks.com/en/tutorials/cors/
420                                https://learn.jquery.com/ajax/working-with-jsonp/
421                        Can also set header name="Access-Control-Allow-Origin" value="*"
422                </description>
423                <property name="properties">
424                        <props>
425                                <prop key="Access-Control-Allow-Origin">*</prop>
426
427                                <prop key="X-XSS-Protection">1</prop>
428                                <prop key="X-Content-Type-Options">nosniff</prop>
429                                <prop key="X-Frame-Options">DENY</prop>
430                                <prop key="Strict-Transport-Security">max-age=31536000</prop>
431
432                                <!-- General adding cookie with policies example:
433                                <prop key="Set-Cookie">first_party_var=abc; SameSite=Strict; HttpOnly; Secure</prop>
434
435                                        TODO: Remove these notes are some point before going prod.
436                                -->
437
438                                <!-- Cookie Notes:
439                                        - Cookies are sent both ways for every request/response. 
440                                                3rd party cookies are typically used for tracking.  These
441                                                are implemented by a backend server when a resource is
442                                                requested.  That server creates "id" type cookies and
443                                                adds other http request info like the site, requesting
444                                                ip, DTS, and other cookies etc.  For other sites that ref
445                                                the tracking server's resource this mechanism allows the
446                                                server to determine patterns etc. 
447                                        - Fingerprinting can be similar to 3rd party cookie tracking
448                                                except there won't be any cookies involved (unless script
449                                                is being used).  Fingerprinting with script also has
450                                                some interesting use cases like creating a canvas hash
451                                                to pretty specifically identify.  The above http request
452                                                data is also said to be fairly specific.
453                                        - 3rd party cookies are not going to be supported past 2021.
454                                                Browsers, when configured, will likely not allow non
455                                                first domain cookies to be transmitted upon sub page
456                                                resource requests.
457                                        - IBIS does not include any outside refs to resources where
458                                                a 3rd party cookie could be attached at the server for
459                                                tracking purposes - so DNA.  However, including external
460                                                visualizations or other page code (iframe or ajax content)
461                                                *might/could* result in resource requests to servers that
462                                                have tracking cookies. 
463                                        - Script.  Other than XSS (injected script or page spoofing
464                                                etc) it is assumed any included script is safe.  Script
465                                                from any source/domain can do whatever it wants - access
466                                                cookies (associated with that request), page data,
467                                                browser and system info, and send any of that data to
468                                                any server etc.
469                                        - Google Analytics is done with script so no third party
470                                                stuff going on here.  GA does store the _gid and _ga
471                                                cookies but all of the work is done by including their
472                                                js to do tracking.
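473                                        - Client storage for js should be done with local storage. 
                                                   Local storage is readable by any script running on the
                                                   page, so keep session ids and other secrets out of it.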
474
475                                        If wanting to force cookie management the samesite is best
476                                        implemented with a filter so specific page requests can be
477                                        associated with the approp value.   Can also implement via
478                                        the Spring Session package.
479                                        see: https://stackoverflow.com/questions/42998367/same-site-flag-for-session-cookie-in-spring-security
480                                        see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
481                                       
482                                        - Secure = must be using https.  Localhost requests can be
483                                        http or https if set (likely implemented this way for dev/test).
484                                        - HttpOnly - can't access cookie value via js.
485                                -->
486                        </props>
487                </property>
488        </bean> 
489
490        <bean id="commonModelMapListController" abstract="true" class="org.ibisph.web.springmvc.ModelMapListProcessingController">
                   <!--
                        Abstract template bean: never instantiated itself; page controllers
                        pick up these settings through their "parent" attribute.

                        NOTE(review): the list below includes the request path segment and
                        request parameter model maps, so presumably raw request values reach
                        the XML model handed to the XSLT views. Confirm that every view
                        escapes those values on output. The response headers wired in at the
                        bottom are an extra layer and do not replace output escaping.
                   -->
491                <description>
492                        Provides base of all HTML page type controllers.  Defines the
493                        ModelMapListProcessingController class, the ADDITIONAL modelmaps
494                        that most pages use, and the HTTPResponseHeaders (typically setup
495                        to handle XSS security).
496                </description>
497                <property name="additionalModelMapList">
498                        <list>
499                                <ref bean="commonContentBasePathModelMap"/>
500                                <ref bean="commonWebAppBasePathModelMap"/>
501                                <ref bean="commonHTTPRequestPathSegmentsModelMap"/>
502                                <ref bean="commonHTTPRequestParametersModelMap"/>
503                                <ref bean="commonUserProfileModelMap"/>
504                                <ref bean="commonModifiedDateModelMap"/>
505                        </list>
506                </property>
                   <!-- Shared header set applied to every controller that extends this bean. -->
507                <property name="HTTPResponseHeaders" ref="commonHTTPResponseHeaders"/>
508        </bean>
509
510
511
512        <!--  X M L   R E S O U R C E S  -->
513        <bean id="commonXMLEncodingScheme" class="org.ibisph.model.StringHolder">
                   <!--
                        Single source for the charset name; other beans read it through
                        the SpEL expression #{commonXMLEncodingScheme.string}.

                        NOTE(review): the description below is technically inaccurate.
                        UTF-8 is a variable length encoding of Unicode built from 8 bit
                        units, and ISO-8859-1 covers only the first 256 Unicode code
                        points. Characters outside that range cannot be represented when
                        this value is used. Since the same value is also used for request
                        decoding, confirm that the charset declared to the browser, the
                        one used to decode requests and the one seen by input validators
                        all agree.
                   -->
514                <description>
515                        XML encoding scheme used when creating an XML file and Request character
516                        encoding.  Both of these should work: "UTF-8", "ISO-8859-1", however, UTF-8
517                        had some problems with some data.  ISO-8859-1 is an 8 bit subset of the 16
518                        bit unicode UTF-8 character set and is used for western english characters.
519                </description>
520                <constructor-arg value="ISO-8859-1"/>
521        </bean>
522
523        <bean id="commonXMLOutputFormat" class="org.dom4j.io.OutputFormat">
                   <!--
                        Shared dom4j serialisation settings for XML written by the app.
                        The encoding is taken from the commonXMLEncodingScheme bean.

                        NOTE(review): indentSize and indent both configure indentation;
                        presumably the later "indent" (tab) setter is the one that takes
                        effect. Confirm against dom4j before reordering these properties.

                        NOTE(review): the inline note on trimText warns against "true" for
                        IPs because embedded CRs are lost, yet this shared format sets it
                        to true. Confirm that IP output uses a different format bean.
                   -->
524                <property name="encoding"   value="#{commonXMLEncodingScheme.string}"/>
525                <property name="indentSize" value="1"/>     <!-- count of indents -->
526                <property name="indent"     value="&#09;"/> <!-- tab value: &#09; = horizontal tab or spaces etc -->
527                <property name="newlines"   value="true"/>  <!-- if true puts next element on new line -->
528                <property name="padText"    value="false"/> <!-- if true just adds extra blank line inbetween... -->
529                <property name="trimText"   value="true"/>  <!-- strips white space.  Do NOT set to true for IPs as embedded CRs will be lost -->
530        </bean>
531
532
533        <!--  X S L T   T R A N S F O R M A T I O N   R E S O U R C E S  -->
534        <!-- The main function is to set the XSLT transformation factory to be used.
535                This mechanism allows for a pluggable XSLT engine to be explicitly used.
536                This can be set as a system property but doing so can impact other apps
537                that are installed on the same app server which require/rely on other
538                versions of an XSLT processor (typically XALAN).  If the factory is not
539                explicitly set then the app server's/JVM's default XSLT engine will be
540                used (via JAXP - typically XALAN which will NOT work for IBIS as of 2008). 
541
542                NOTES:
543                - This factory must be XSLT v2.0 (at this point Saxon is the best
544                solution - XALAN 2.x will NOT work for IBIS as it is v1.x). 
545
546                - Removed the IBIS transformer factory type classes in late 2008 as they
547                were not needed.  If XALAN ever goes to 2.0 and adopters want to use then
548                those objects can be resurrected or new XALAN objects can be created as
549                needed.
550
551                PRODUCTION: It is highly recommended to use the caching Saxon XSLT engine:
552                <bean id="commonXSLTTransformerFactory" class="org.ibisph.xslt.CachedSaxonTransformerFactory"/>
553
554                XSLT DEVELOPMENT: Use the normal, thread safe non caching Saxon XSLT
555                Transformation Factory.  This avoids having to restart the app or touch
556                the core XSLT file.
557                <bean id="commonXSLTTransformerFactory" class="net.sf.saxon.TransformerFactoryImpl"/>
558        -->
559        <bean id="commonXSLTTransformerFactory" class="org.ibisph.xslt.CachedSaxonTransformerFactory"/> <!-- caching factory = the PRODUCTION choice in the notes above; XSLT edits then need an app restart or a touch of the core XSLT file -->
560        <bean id="commonXSLTTransformation" class="org.ibisph.xslt.Transformation">
                   <!-- Transformation helper built on whichever factory bean is active above; swap engines there, not here. -->
561                <constructor-arg ref="commonXSLTTransformerFactory"/>
562        </bean>
563        <bean id="commonXSLTTransformationView" class="org.ibisph.xml.springmvc.XSLTXMLTransformationView">
                   <!--
                        Base view: takes the XML stored under the model key named by
                        commonXMLModelMapKey and the stylesheet reference stored under the
                        model key "XSLT", resolved via commonXSLTFilePathModelService.

                        NOTE(review): a stylesheet is code executed by the XSLT engine.
                        Presumably the "XSLT" model entry is only ever set from server
                        side configuration. Confirm that no request parameter or path
                        segment can influence which stylesheet is loaded.
                   -->
564                <description>
565                        Core transformation view that almost all views use/extend from.
566                </description>
567                <constructor-arg ref="commonXSLTTransformation"/>
568                <property name="XMLModelMapKey"     value="#{commonXMLModelMapKey.string}"/>
569                <property name="XSLTURLModelMapKey" value="XSLT"/>
570                <property name="XSLTURLGetModelService" ref="commonXSLTFilePathModelService"/> 
571        </bean>
572
573
574        <bean id="commonXSSStringValidator" class="org.ibisph.util.ExclusionRegexFindStringValidator">
                   <!--
                        Deny list check: one regular expression that matches either the
                        literal "javascript:" scheme or an opening script tag.

                        NOTE(review): treat this as defence in depth only. A pattern deny
                        list cannot recognise every form of markup a browser will execute,
                        so the real control for the shared saved query case described
                        below is escaping stored text when it is written into the page,
                        backed by the response headers and a content security policy.
                        Reporting after the fact does not undo what a script already did
                        in the victim's session.

                        NOTE(review): whether matching is case insensitive depends on how
                        ExclusionRegexFindStringValidator compiles these patterns, which
                        is not visible here. Confirm.
                   -->
575                <description>
576                        Series of regex that attempts to detect XSS - injected javascript.   
577                        For IBIS the main issue is that you could embed some script into a
578                        saved query and a user could then share that saved query def with
579                        another user.  When that user opens the saved query it could execute
580                        some script that could do a few things.  However, this is quickly
581                        found as the victim can report it and the admin can see exactly
582                        which user is the offender and take action. 
583
584                        This validator will catch very basic XSS and is provided mostly for
585                        IT departments to feel better about things.  To do this right the
586                        text MUST be processed as HTML and parsed to being valid etc.
587                </description>
588                <property name="regEx">
589                        <list>
                                   <!-- &lt; and &gt; are XML escapes; the pattern the validator receives contains the literal angle brackets. -->
590                                <value>javascript:|&lt;\s*script.*?\s*&gt;</value>
591                        </list>
592                </property>
593        </bean>
594
595        <bean id="commonXMLStringCleaner" class="org.ibisph.util.ReplacementStringCleaner">
                   <!--
                        Character substitution map applied to text on its way into XML.
                        Currently only maps the left and right curly single quotes to a
                        plain apostrophe.

                        NOTE(review): this is a typography clean up, not an input
                        sanitiser. It does nothing about markup characters, so it must
                        not be relied on for XSS or XML injection protection. Presumably
                        the curly quotes are mapped because they have no ISO-8859-1
                        representation. Confirm against commonXMLEncodingScheme.
                   -->
596                <description>
597                        Cleans/replaces characters used when creating/saving XML.  Stubbed
598                        out for now...
599                </description>
600                <property name="replacementCharsMap">
601                        <map>
602                                <entry key="‘" value="'"/>
603                                <entry key="’" value="'"/>
604                        </map>
605                </property> 
606        </bean>
607
608
609        <!--  E X C E P T I O N   R E S O L V E R  -->
610
611        <!-- Exception Resolvers are typically a list of exceptions with associated
612                views to be used to display an error for a given type of exception. 
613                Note that the resolver is ONLY used for exceptions thrown/uncaught
614                within controller objects e.g. objects controlled by the Request Dispatcher
615                servlet/container.  For "view" related errors a HandlerInterceptor
616                is needed see:
617               
618                http://stackoverflow.com/questions/196495/how-to-configure-spring-handlerexceptionresolver-to-handle-nullpointerexception-t)
619               
620                Other types of errors that happen outside of the servlet (like filter
621                errors) are also not able to be handled.  Many of these errors that occur
622                within the IBIS applications are view related and due to the fact that
623                the web.xml error handling can be used to handle ALL types of errors,
624                there's not much value in an ErrorResolver.  As of 2010, all errors
625                simply go through to the container which will then use the web.xml
626                which uses a centralized error jsp to handle all errors.  The error
627                page logs the error and returns an error page to the user.  The two
628                major down sides to this centralized JSP approach is that 1) the error
629                JSP has to be bullet proof, and 2) the error handling is limited to
630                what can be done within a JSP.  The pro to this approach is that it
631                is all centralized and handled consistently.
632        -->
633
634        <!-- Below is a basic ExceptionResolver that many Spring MVC apps implement.
635                Specific exceptions are handled by the simple exception to view resolver
636                This resolver needs to be used first and MUST not be configured to do the
637                general error handling as the next resolver will not be called.  Note that
638                this can be setup to handle everything but it was easier to understand
639                and control doing this way.
640
641        <bean id="commonSpecificExceptionResolver" class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
642                <property name="order" value="1"/>
643                <property name="defaultStatusCode" value="700"/>
644                <property name="defaultErrorView" value="/WEB-INF/jsp/error/detail.jsp"/>
645                <property name="exceptionAttribute" value="Exception"/>
646                <property name="mappedHandlers">
647                        <set><value>java.lang.Throwable</value><ref local="commonDefault.ExceptionHandler"/></set>
648                </property>
649                <property name="exceptionMappings">
650                        <props>
651                                <prop key="org.ibisph.web.springmvc.controller.query.NullModuleException">Query.NullModuleDocument.View</prop>
652                                <prop key="java.lang.Exception ">Query.NullModuleDocument.View</prop>
653                        </props>
654                </property>
655        </bean>
656
657        For many years a simple logging type ExceptionResolver was used.  The code
658        below is left in case the logging exception handler is wanted by an adopter.
659
660        <bean id="commonDefaultExceptionHandler" class="org.ibisph.web.springmvc.LoggingControllerExceptionHandler">
661                <property name="order" value="1"/>
662        </bean>
663        -->
664</beans>