source: main/trunk/ibisph-view/src/main/webapp/WEB-INF/config/spring/common.xml @ 22683

Last change on this file since 22683 was 22683, checked in by GarthBraithwaite_STG, 2 months ago

view - Implemented normal content path and published path with updated comments. Removed report requests as not currently implemented in v3 with no signs of ever being. css tweaks.

1<?xml version="1.0" encoding="UTF-8"?>
2
3<!--
4        IBIS-PH View System's common Spring properties. This Spring application
5        context file contains properties that are commonly used by more than one
6        module/package within the system.  These common properties include core base
7        XML/XSLT paths and other resources used by the app's controllers.
8
9        PROPERTY USAGE NOTES:
10        <property name="someName"><null/></property>
11        <property name="someName" value="${some_system_property_name}"/>
12        <value type="xyz.abc">  Beans can't have a type.
13
14        If property starts with all CAPS - something like XMLPath which has a setter
15        like setXMLPath then the property needs to be name="XMLPath" (the bean naming
16        more than one first letters capped rule) otherwise it's lowercase then mixed
17        case like normal properties.
18
19        Use the "parent" attribute for child objects that are of the same type.  This basically
20        does a clone on an object so that the existing parent object's objects are copied
21        to the child - thus providing a populated base class that all child objects can
22        be implicitly populated without explicitly setting the properties.
23
24        PATH CONVENTION:
25        All paths shall have a trailing "/".  Sub paths should never have a leading "/"
26        but will always have the trailing "/".  Base paths can have a leading "/" as
27        this represents the root of the file system.
28-->
29
30<beans default-lazy-init="false" default-autowire="no"
31        xmlns="http://www.springframework.org/schema/beans"
32        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
33        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd"
34>
35        <!--  C O N T E X T S   A N D   P A T H S -->
36        <!-- NOTE: Spring 3.0 provides a default servlet context bean that can be
37                used to access ServletContext properties via EL:
38                #{servletContext.servletContextName}.
39        -->
<bean id="commonContentBasePath"
      class="org.ibisph.model.StringHolder">
        <description>
                Root "Content" path for all static content (docs, PDFs, XML, JSON,
                etc.).  The value may be a complete URL or a path relative to the
                webapp's context.  This string is what gets passed to the
                commonContentBasePathURL bean.
        </description>
        <!-- Empty string by default. -->
        <constructor-arg value=""/>
</bean>
<bean id="commonContentBasePathURL"
      class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <description>
                Explicit base "Content" path.  When the commonContentBasePath string
                is not already a URL it is processed against the webapp's context
                path and returned as a URL, one of the forms the XML/XSLT
                transformation accepts.  This is the root of all static content:
                JSON, images, PDF, XML, etc.
        </description>
        <!-- Bean value is the result of commonContextAndPathService.getPathURL(...). -->
        <property name="targetMethod" value="getPathURL"/>
        <property name="targetObject" ref="commonContextAndPathService"/>
        <property name="arguments">
                <list>
                        <value>#{commonContentBasePath.string}</value>
                </list>
        </property>
</bean>
<!-- Content base path with "xml/" appended, resolved through getPathURL. -->
<bean id="commonContentXMLBasePathURL"
      class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="targetMethod" value="getPathURL"/>
        <property name="targetObject" ref="commonContextAndPathService"/>
        <property name="arguments">
                <list>
                        <value>#{commonContentBasePath.string}xml/</value>
                </list>
        </property>
</bean>
<!--
        Content base path with "WEB-INF/xml/" appended, resolved through getPathURL.
        NOTE(review): presumably kept under WEB-INF so the servlet container does not
        serve these files directly.  That only holds while commonContentBasePath stays
        inside the webapp; confirm what happens if it is set to an external URL.
-->
<bean id="commonRestrictedXMLBasePathURL"
      class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="targetMethod" value="getPathURL"/>
        <property name="targetObject" ref="commonContextAndPathService"/>
        <property name="arguments">
                <list>
                        <value>#{commonContentBasePath.string}WEB-INF/xml/</value>
                </list>
        </property>
</bean>
71
<!-- Base URL for XSLT files: the fixed sub path "xslt/" resolved through getPathURL. -->
<bean id="commonXSLTBasePathURL"
      class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="targetMethod" value="getPathURL"/>
        <property name="targetObject" ref="commonContextAndPathService"/>
        <property name="arguments">
                <list>
                        <value>xslt/</value>
                </list>
        </property>
</bean>
77
78
<bean id="commonPublishedXMLBasePath"
      class="org.ibisph.model.StringHolder">
        <description>
                Base "Published XML" path: the root of all XML published by the admin
                app, including indicator profiles and validation XML files.  The value
                may be a complete URL or a path relative to the webapp's context.  It
                is a plain string consumed by the commonPublishedXMLBasePathURL bean,
                which is the base actually used.
        </description>
        <!-- Default: the resolved content base URL followed by "xml/". -->
        <constructor-arg value="#{commonContentBasePathURL}xml/"/>
</bean>
<bean id="commonPublishedXMLBasePathURL"
      class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <description>
                Explicit base "Published XML" path.  When the
                commonPublishedXMLBasePath string is not already a URL it is
                processed against the webapp's context path and returned as a URL,
                one of the forms the XML/XSLT transformation accepts.
        </description>
        <property name="targetMethod" value="getPathURL"/>
        <property name="targetObject" ref="commonContextAndPathService"/>
        <property name="arguments">
                <list>
                        <value>#{commonPublishedXMLBasePath.string}</value>
                </list>
        </property>
</bean>
100
101
<bean id="commonWebAppBaseRequestPath"
      class="org.ibisph.model.StringHolder">
        <description>
                Base application request URL path injected into the
                commonWebAppBasePathModelMap.  The XSLT code uses it as a prefix
                when building full, explicit app and content request paths.

                The value is optional.  It is only required when the default
                internal servlet request URL is not sufficient to get HTTP requests
                to the webapp (for example when the webapp is behind a proxy).
                When specified, the value MUST be the complete root URL prefix:
                protocol, server name/address (with port if applicable), and the
                outside application context path.  If the value is blank (default)
                the webapp's servlet and context path is used (via
                commonWebAppBasePathModelMap).
        </description>
        <!--
                NOTE(review): the configured value is the literal two character string
                of two apostrophes, not an empty string (compare commonContentBasePath,
                which uses value="").  Confirm the consumer treats this as blank.
        -->
        <constructor-arg value="''"/>
</bean>
119
120
121        <!-- F I L E   S E R V I C E S -->
<!-- Target object on which the *BasePathURL factory beans in this file invoke getPathURL. -->
<bean id="commonContextAndPathService"
      class="org.ibisph.web.ContextAndPathService"/>
123
<bean id="commonXMLFilePathModelService"
      class="org.ibisph.model.URLPathGetModelService">
        <description>
                Main component of the primary model for most view app requests,
                which are XML/XSLT transformations.  The transformation input can be
                a parsed XML document, a complete XML string, or a URI string giving
                the complete path and name of an XML file.  For most requests the
                primary XML file is specified as part of the request URL, and each
                model map is coded/configured to determine its specific XML file.
                This service is constructed with a base file path URL; a model map
                uses it to concatenate that base path with its own, more specific
                filename to build the complete XML file path and name used in the
                transformation.
        </description>
        <!--
                NOTE(review): this bean uses URLPathGetModelService while the two
                sibling services use VerifiedURLPathGetModelService.  Because the file
                name comes from the request URL, confirm that the model maps reject
                parent directory segments and absolute URLs before the name is
                appended to the base path.
        -->
        <property name="basePath" ref="commonContentXMLBasePathURL"/>
</bean>
<!--
        Same base path as commonXMLFilePathModelService, served by the
        VerifiedURLPathGetModelService class.  What the class verifies is not
        visible in this file; confirm against the class before relying on it.
-->
<bean id="commonVerifiedXMLFilePathModelService"
      class="org.ibisph.model.VerifiedURLPathGetModelService">
        <property name="basePath" ref="commonContentXMLBasePathURL"/>
</bean>
<!-- Path service for XSLT files, rooted at commonXSLTBasePathURL. -->
<bean id="commonXSLTFilePathModelService"
      class="org.ibisph.model.VerifiedURLPathGetModelService">
        <property name="basePath" ref="commonXSLTBasePathURL"/>
</bean>
146
147
<bean id="commonPublishedDocumentDAOService"
      class="org.ibisph.xml.service.FileStoredDocumentDAO">
        <description>
                File based document get, save, delete service rooted at the
                published XML base path.  It also implements GetModelService, so
                get(filename) works and it can stand in for
                commonXMLFilePathModelService when an actual XML document is wanted.

                SPEED NOTE: the result is a DOM4j document.  It *MIGHT* be best to
                use this for a model only when the XML needs to be traversed, since
                it appears slower than letting the XSLT read the file via the
                "document()" call.
        </description>
        <property name="basePath" ref="commonPublishedXMLBasePathURL"/>
        <property name="outputFormat" ref="commonXMLOutputFormat"/>
        <property name="dateFormat" ref="commonDateFormat"/>
        <property name="escapeTextWhenSaving" value="true"/>
</bean>
<bean id="commonContentDocumentDAOService"
      class="org.ibisph.xml.service.FileStoredDocumentDAO">
        <description>
                Local disk based document get, save, delete service rooted at the
                content XML base path.  It also implements GetModelService, so
                get(filename) works and it can stand in for
                commonXMLFilePathModelService when an actual XML document is wanted.

                SPEED NOTE: the result is a DOM4j document.  It *MIGHT* be best to
                use this for a model only when the XML needs to be traversed, since
                it appears slower than letting the XSLT read the file via the
                "document()" call.
        </description>
        <property name="basePath" ref="commonContentXMLBasePathURL"/>
        <property name="outputFormat" ref="commonXMLOutputFormat"/>
        <property name="dateFormat" ref="commonDateFormat"/>
        <property name="escapeTextWhenSaving" value="true"/>
</bean>
<bean id="commonRestrictedDocumentDAOService"
      class="org.ibisph.xml.service.FileStoredDocumentDAO">
        <description>
                "Restricted" disk based document get, save, delete service, mainly
                used for the user profile XML files.
        </description>
        <!--
                NOTE(review): user profile files hold user supplied data.  Confirm that
                the XML reader inside FileStoredDocumentDAO has DTD and external entity
                resolution disabled, and that file names handed to this DAO cannot
                leave the restricted base path.
        -->
        <property name="basePath" ref="commonRestrictedXMLBasePathURL"/>
        <property name="outputFormat" ref="commonXMLOutputFormat"/>
        <property name="dateFormat" ref="commonDateFormat"/>
        <property name="escapeTextWhenSaving" value="true"/>
</bean>
192
193
194        <!--  L O C A L S,  D A T E,  F O R M A T S  -->
<!-- java.util.Locale built from two string arguments in order: language "en", country "US". -->
<bean id="commonLocale"
      class="java.util.Locale">
        <constructor-arg value="en"/>
        <constructor-arg value="US"/>
</bean>
199
200        <!-- Date Format Patterns:
201                To specify the time format use a time pattern string. In this pattern, all
202                ASCII letters are reserved as pattern letters, which are defined as the following:
203               
204                 Symbol   Meaning                 Presentation        Example
205                 ======   =====================   =================   ===================
206                 G        era designator          (Text)              AD
207                 y        year                    (Number)            1996
208                 M        month in year           (Text & Number)     July & 07
209                 d        day in month            (Number)            10
210                 h        hour in am/pm (1~12)    (Number)            12
211                 H        hour in day (0~23)      (Number)            0
212                 m        minute in hour          (Number)            30
213                 s        second in minute        (Number)            55
214                 S        millisecond             (Number)            978
215                 E        day in week             (Text)              Tuesday
216                 D        day in year             (Number)            189
217                 F        day of week in month    (Number)            2 (2nd Wed in July)
218                 w        week in year            (Number)            27
219                 W        week in month           (Number)            2
220                 a        am/pm marker            (Text)              PM
221                 k        hour in day (1~24)      (Number)            24
222                 K        hour in am/pm (0~11)    (Number)            0
223                 z        time zone               (Text)              Pacific Standard Time
224                 '        escape for text         (Delimiter)
225                 ''       single quote            (Literal)           '
226               
227                Examples Using the US Locale:
228               
229                Format Pattern                    Result
230                ==============================    ======================================
231                "yyyy.MM.dd G 'at' hh:mm:ss z"    1996.07.10 AD at 15:08:56 PDT
232                "EEE, MMM d, ''yy"                Wed, July 10, '96
233                "h:mm a"                          12:08 PM
234                "hh 'o''clock' a, zzzz"           12 o'clock PM, Pacific Daylight Time
235                "K:mm a, z"                       0:00 PM, PST
236                "yyyyy.MMMMM.dd GGG hh:mm aaa"    1996.July.10 AD 12:08 PM
237               
238                "dd.MM.yy"                        09.04.98
239                "H:mm"                            18:15
240                "H:mm:ss:SSS"                     18:15:55:624
241                "K:mm a,z"                        6:15 PM,PDT
242
243                Serial Number: yyyy-MM-dd-HH-mm-ss-SS
244        -->
<!--
        Shared date format, e.g. "Wed, 10 Jul 1996 15:08:56 PDT" for the US locale.
        NOTE(review): java.text.SimpleDateFormat is not thread safe and this bean has
        the default singleton scope while being injected into several services.
        Confirm the consumers synchronize access or clone the instance per use.
-->
<bean id="commonDateFormat"
      class="java.text.SimpleDateFormat">
        <constructor-arg value="EEE, d MMM yyyy HH:mm:ss z"/>
        <constructor-arg ref="commonLocale" type="java.util.Locale"/>
</bean>
<!--
        Serial number style date format (year through fractional seconds, hyphen
        separated).  The bean name suggests it is used for backup file names;
        the consumers are not visible in this file.
-->
<bean id="commonBackupFileDateSerialNumberDateFormat"
      class="java.text.SimpleDateFormat">
        <constructor-arg value="yyyy-MM-dd-HH-mm-ss-SS"/>
        <constructor-arg ref="commonLocale" type="java.util.Locale"/>
</bean>
253
254
255        <!--  M O D E L   M A P   R E S O U R C E S -->
<!-- Current user service; injected into commonUserProfileModelMap as currentUserService. -->
<bean id="commonCurrentUserService"
      class="org.ibisph.user.service.CurrentUser"/>
257
<!-- Holds the model map key "XML"; other beans read it via #{commonXMLModelMapKey.string}. -->
<bean id="commonXMLModelMapKey"
      class="org.ibisph.model.StringHolder">
        <constructor-arg value="XML"/>
</bean>
261
<bean id="commonSimpleBlankXMLModelMap"
      class="org.ibisph.modelmap.SimpleGetModelMap">
        <description>
                XML model map for XSLT/XML transformations that have no XML
                document/file of their own, such as the user/* pages.
        </description>
        <!-- The model is a fixed XML string holding a single empty BLANK element. -->
        <property name="model">
                <value><![CDATA[<?xml version="1.0" encoding="UTF-8"?><BLANK/>]]></value>
        </property>
        <property name="modelMapKey" value="#{commonXMLModelMapKey.string}"/>
</bean>
270
<bean id="commonXMLServiceModelMapProperties"
      abstract="true">
        <description>
                Core XML model map properties used by IP, Query, CP and other beans.
        </description>
        <!-- Abstract template: it declares no class and only supplies these two properties. -->
        <property name="getModelService" ref="commonXMLFilePathModelService"/>
        <property name="modelMapKey" value="#{commonXMLModelMapKey.string}"/>
</bean>
278
279
280        <!-- S T A T I C / C A C H E D   X M L   M O D E L   M A P S -->
281        <!-- The ModelFromFilePathAndNameService has an option to cache and clear
282                the cache XML docs.  As of 11/1/2018 the caching is not set.  At some
283                future point this caching can be set to true.  This should only be done
284                once a data admin publish request is implemented that clears the cached
285                XML doc object e.g. reloads it. 
286
287                Currently, because there is no mechanism to reload the cache when XML is
288                published, this implementation is not efficient.  Previous versions used the
289                XSLT file/document.  It is now coded to use Java to load the doc for each
290                request simply so that future configurations and XSLT do not have to be
291                reworked.
292        -->
<bean id="commonAncillaryValuesModelMap"
      class="org.ibisph.modelmap.ModelFromFilePathAndNameService">
        <description>Document version of the published AncillaryValues XML.</description>
        <!-- Key AncillaryValues; file ancillary_values.xml read through the published document DAO. -->
        <property name="filePathAndName" value="ancillary_values.xml"/>
        <property name="getModelService" ref="commonPublishedDocumentDAOService"/>
        <property name="modelMapKey" value="AncillaryValues"/>
</bean>
<bean id="commonDataSourcesModelMap"
      class="org.ibisph.modelmap.ModelFromFilePathAndNameService">
        <description>Document version of the published DataSources XML.</description>
        <!-- Key DataSources; file data_sources.xml read through the published document DAO. -->
        <property name="filePathAndName" value="data_sources.xml"/>
        <property name="getModelService" ref="commonPublishedDocumentDAOService"/>
        <property name="modelMapKey" value="DataSources"/>
</bean>
<bean id="commonDimensionsModelMap"
      class="org.ibisph.modelmap.ModelFromFilePathAndNameService">
        <description>Document version of the published Dimensions XML.</description>
        <!-- Key Dimensions; file dimensions.xml read through the published document DAO. -->
        <property name="filePathAndName" value="dimensions.xml"/>
        <property name="getModelService" ref="commonPublishedDocumentDAOService"/>
        <property name="modelMapKey" value="Dimensions"/>
</bean>
<bean id="commonMeasuresModelMap"
      class="org.ibisph.modelmap.ModelFromFilePathAndNameService">
        <description>Document version of the published Measures XML.</description>
        <!-- Key Measures; file measures.xml read through the published document DAO. -->
        <property name="filePathAndName" value="measures.xml"/>
        <property name="getModelService" ref="commonPublishedDocumentDAOService"/>
        <property name="modelMapKey" value="Measures"/>
</bean>
<bean id="commonValueTypesModelMap"
      class="org.ibisph.modelmap.ModelFromFilePathAndNameService">
        <description>Document version of the published ValueTypes XML.</description>
        <!-- Key ValueTypes; file value_types.xml read through the published document DAO. -->
        <property name="filePathAndName" value="value_types.xml"/>
        <property name="getModelService" ref="commonPublishedDocumentDAOService"/>
        <property name="modelMapKey" value="ValueTypes"/>
</bean>
<bean id="commonValueAttributesModelMap"
      class="org.ibisph.modelmap.ModelFromFilePathAndNameService">
        <description>Document version of the published ValueAttributes XML.</description>
        <!-- Key ValueAttributes; file value_attributes.xml read through the published document DAO. -->
        <property name="filePathAndName" value="value_attributes.xml"/>
        <property name="getModelService" ref="commonPublishedDocumentDAOService"/>
        <property name="modelMapKey" value="ValueAttributes"/>
</bean>
<bean id="commonChartsModelMap"
      class="org.ibisph.modelmap.ModelFromFilePathAndNameService">
        <description>Document version of the published Charts XML.</description>
        <!-- Key Charts; file charts.xml read through the published document DAO. -->
        <property name="filePathAndName" value="charts.xml"/>
        <property name="getModelService" ref="commonPublishedDocumentDAOService"/>
        <property name="modelMapKey" value="Charts"/>
</bean>
<bean id="commonMapsModelMap"
      class="org.ibisph.modelmap.ModelFromFilePathAndNameService">
        <description>Document version of the published Maps XML.</description>
        <!-- Key Maps; file maps.xml read through the published document DAO. -->
        <property name="filePathAndName" value="maps.xml"/>
        <property name="getModelService" ref="commonPublishedDocumentDAOService"/>
        <property name="modelMapKey" value="Maps"/>
</bean>
<bean id="commonOrgUnitsModelMap"
      class="org.ibisph.modelmap.ModelFromFilePathAndNameService">
        <description>
                Injects the XML doc.  This helps with speed because the doc is only
                read/parsed once.  The drawback is that the bean needs an event
                listener to reload the doc when it is published.
        </description>
        <!--
                NOTE(review): the section comment above these model map beans says
                caching is not currently enabled, so "read/parsed once" may be out of
                date; confirm against ModelFromFilePathAndNameService.
        -->
        <property name="filePathAndName" value="org_units.xml"/>
        <property name="getModelService" ref="commonPublishedDocumentDAOService"/>
        <property name="modelMapKey" value="OrgUnits"/>
</bean>
351
352
353        <!-- P A T H   A N D   R E Q U E S T   M O D E L   M A P S -->
<bean id="commonContentBasePathModelMap"
      class="org.ibisph.modelmap.SimpleGetModelMap">
        <description>
                Used by Java code to access remote XML files (such as query modules)
                and passed into the XSLT environment to dynamically access the
                secondary XML files (such as community profile reports that loop a
                set of IPs) as well as leaflet map and kendo JSON files.  The value
                is injected into the common alternate model maps with a handle
                defined in /Page.xslt.
        </description>
        <!-- The model is the resolved content base URL, published under the key ContentBasePath. -->
        <property name="model" ref="commonContentBasePathURL"/>
        <property name="modelMapKey" value="ContentBasePath"/>
</bean>
365
<bean id="commonWebAppBasePathModelMap"
      class="org.ibisph.web.modelmap.WebAppBaseRequestPathFromHTTPRequest">
        <description>
                Complete external HTTP request base path prefix for the webapp, i.e.
                the prefix used for all requests from a user's browser to reach
                internet content and webapp requests.  This model map is injected
                into all XSLT type page requests so the XSLT can build explicit,
                fully qualified request paths for content and links.

                If webappBaseRequestPath is blank, the value is built from the first
                HTTP request's URL and optional injected properties, so that a real
                path is captured for use.

                Why needed: IBIS is a build once, deploy many webapp.  It can be
                deployed to local dev, a stand alone server, or behind the
                recommended reverse proxy.  Request paths can't simply be root
                relative because the app can be deployed into a multiuse app server
                environment, and a generic hard coded context (ibisph-view) would
                force every deployment to use that mapping.  The implemented
                solution for all non relative requests is a variable request prefix
                value.  This is more complex because every page request URL must be
                prefixed with the value to work reliably.

                Issue: when the value is blank and built from the first HTTP
                request, and that first request is NOT the wanted value, the prefix
                is set wrong.  Example: in a local dev environment where a developer
                also wants to access the app from another PC for testing, a first
                request from localhost yields "http://localhost/ibisph-view/".
                Requests from the 2nd PC then return page content, but links to
                other pages and resources (css, graphic files) do not work.  The
                solution is to always access the webapp on the dev PC by its IP or
                DNS name.
        </description>
        <!--
                NOTE(review): per the description, a blank webappBaseRequestPath means
                the first request seen fixes the prefix used in later responses.
                Outside of development, setting commonWebAppBaseRequestPath explicitly
                avoids depending on whatever host name that first request carried;
                confirm how the class derives the host before relying on the default.
        -->
        <property name="webappBaseRequestPath" value="#{commonWebAppBaseRequestPath.string}"/>
        <property name="modelMapKey" value="WebAppBaseRequestPath"/>
</bean>
403
<bean id="commonHTTPRequestParametersModelMap"
      class="org.ibisph.web.modelmap.HTTPRequestParameters">
        <description>
                Simple mechanism for passing URL request parameters to the XSLT
                code.  It does NOT differentiate between GET and POST, so it may
                have to be left out in special cases, e.g. it is not needed for the
                query module builder post.
        </description>
        <!--
                NOTE(review): request parameters are caller controlled.  Confirm the
                XSLT that reads HTTPRequestParameters escapes these values on output
                and does not use them to build paths for document() calls.
        -->
        <property name="modelMapKey" value="HTTPRequestParameters"/>
</bean>
<bean id="commonHTTPRequestPathSegmentsModelMap"
      class="org.ibisph.web.modelmap.PathSegmentsFromHTTPRequest">
        <description>
                Supplies the request path segments to the view.  They are needed
                for the context menu file name and the request path bread crumbs.
        </description>
        <!--
                NOTE(review): path segments come from the request URL, and the
                description says they feed a file name; confirm segments are validated
                before being used to locate the context menu file.
        -->
        <property name="modelMapKey" value="PathSegments"/>
</bean>
<!--
        Configured with the XML model's key as source, an ordered list of date
        element names, and the shared date format.  How the list is evaluated is
        decided by AddModelDateModelToModelMap, which is not visible here.
        The key "XMLModifedDate" is a runtime value with that exact spelling; any
        rename has to be matched in whatever reads the key.
-->
<bean id="commonModifiedDateModelMap"
      class="org.ibisph.modelmap.AddModelDateModelToModelMap">
        <property name="sourceModelModelMapKey" value="#{commonXMLModelMapKey.string}"/>
        <property name="sourceModelDateXPathList">
                <list>
                        <value>PUBLISHED_DATE</value>
                        <value>MODIFIED_DATE</value>
                        <value>LAST_MODIFIED</value>
                        <value>DATA_AS_OF_DATE</value>
                </list>
        </property>
        <property name="dateFormat" ref="commonDateFormat"/>
        <property name="formattedDateModelMapKey" value="XMLModifedDate"/>
</bean>
434
<!-- Model map keyed UserProfile, wired to the current user service. -->
<bean id="commonUserProfileModelMap"
      class="org.ibisph.user.modelmap.CurrentUserDocument">
        <property name="currentUserService" ref="commonCurrentUserService"/>
        <property name="modelMapKey" value="UserProfile"/>
</bean>
439
440
441        <!-- C O N T R O L L E R   R E S O U R C E S -->
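<bean id="commonNoCacheHTTPResponseHeaders"
      class="org.springframework.beans.factory.config.PropertiesFactoryBean">
        <description>
                Response headers that tell browsers and intermediary caches not to
                store or reuse a response.
        </description>
        <property name="properties">
                <props>
                        <prop key="Pragma">no-cache</prop>
                        <prop key="Expires">Fri, 12 Dec 1980 23:23:23 GMT</prop>
                        <!--
                                A props element produces a java.util.Properties object, which
                                keeps a single value per key.  Two separate Cache-Control
                                entries therefore collapse into one, so the directives of the
                                other entry (no-store, no-cache, private and the rest) would be
                                dropped.  All directives are kept in one entry so none is lost.
                        -->
                        <prop key="Cache-Control">no-cache, private, s-maxage=0, max-age=0, must-revalidate, proxy-revalidate, no-store, post-check=0, pre-check=0</prop>
                </props>
        </property>
</bean>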
455        <bean id="commonHTTPResponseHeaders" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
456                <description>
457                        Common, standard headers that are included in a page request response. 
458                        Currently these are mostly security headers for CORS and XSS. 
459
460                        Same Origin Policies (SOP):
461                        Modern broswers implement SOP which by default requires any ajax
462                        type request to be to the SO.  Same origin is defined as a tuple
463                        (protocol, server, port).  Note that SOP does not control accessing
464                        outside img, script, css, iframe, object type resource requests.
465
466                        Cross-origin resource sharing (CORS):
467                        Server specified, browser implemented resource restriction mechanism
468                        to set control of the SOP for ajax type requests.
469
470                        IBIS Considerations:
471                        To give outside sites AJAX access to IBIS data and visualizations,
472                        CORS is used to open this up to the world.  As long as secure requests
473                        are properly configured to use the app's spring security (which is user
474                        session based (token)) an outside app can not fake or forge itself.  This
475                        holds only while responses are not also sent with Access-Control-Allow-Credentials.
476
477                        web.xml handles setting the http-only flag for the session id cookie.
478                </description>
479                <property name="properties">
480                        <props>
481                                <!--
482                                        MOST browsers are SOP (same origin policy) e.g. resources MUST
483                                        come from the same request tuple (protocol, server name, port).
484                                       
485                                        CORS header: * = allow page to access anything.  Otherwise
486                                        is specified as a specific value the resources address must
487                                        contain.  Best practice is trifecta domain (protocol, server,
488                                        port) but supposedly can be any text value that causes a match.
489                                        There can only be one value specified.  If needing multiples
490                                        then have to implement dynamic headers Having
491                                       
492                                                                  Access-Control-Allow-Origin
493                        header specifies what resources the page is allowed to access.  The
494                        browser is responsible to check and control any resource loaded (e.g.
495                        fonts, AJAX requests).  To be safe, the default now is for Web browsers to not
496                        permit a web page to access resources who origin differ than that of
497                        the current page.  Ie ajax json/XMLHttpRequest requests are typically
498                        blocked if outside current domain.  See:
499                                http://www.html5rocks.com/en/tutorials/cors/
500                                https://learn.jquery.com/ajax/working-with-jsonp/
501                        Can also set header name="Access-Control-Allow-Origin" value="*"
502
503                                -->
504                                <prop key="Access-Control-Allow-Origin">*</prop>
505
506                                <prop key="X-XSS-Protection">1</prop>
507                                <prop key="X-Content-Type-Options">nosniff</prop>
508                                <prop key="X-Frame-Options">DENY</prop>
509                                <prop key="Strict-Transport-Security">max-age=31536000</prop>
510
511                                <!-- General adding cookie with policies example:
512                                <prop key="Set-Cookie">first_party_var=abc; SameSite=Strict; HttpOnly; Secure</prop>
513
514                                        TODO: Remove these notes are some point before going prod.
515                                -->
516
517                                <!-- Cookie Notes:
518                                        - Cookies are sent both ways for every request/response. 
519                                                3rd party cookies are typically used for tracking.  These
520                                                are implemented by a backend server when a resource is
521                                                requested.  That server creates "id" type cookies and
522                                                adds other http request info like the site, requesting
523                                                ip, DTS, and other cookies etc.  For other sites that ref
524                                                the tracking server's resource this mechanism allows the
525                                                server to determine patterns etc. 
526                                        - Fingerprinting can be similar to 3rd party cookie tracking
527                                                except there won't be any cookies involved (unless script
528                                                is being used).  Fingerprinting with script also has
529                                                some interesting use cases like creating a canvas hash
530                                                to pretty specifically identify.  The above http request
531                                                data is also said to be fairly specific.
532                                        - 3rd party cookies are not going to be supported past 2021.
533                                                Browsers, when configured, will likely not allow non
534                                                first domain cookies to be transmitted upon sub page
535                                                resource requests.
536                                        - IBIS does not include any outside refs to resources where
537                                                a 3rd party cookie could be attached at the server for
538                                                tracking purposes - so DNA.  However, including external
539                                                visualizations or other page code (iframe or ajax content)
540                                                *might/could* result in resource requests to servers that
541                                                have tracking cookies. 
542                                        - Script.  Other than XSS (injected script or page spoofing
543                                                etc) it is assumed any included script is safe.  Script
544                                                from any source/domain can do whatever it wants - access
545                                                cookies (associated with that request), page data,
546                                                browser and system info, and send any of that data to
547                                                any server etc.
548                                        - Google Analytics is done with script that a website
549                                                intentionally embeds.  GA does store the _gid and _ga
550                                                cookies but all of the work is done by embedding their
551                                                js to do tracking.
552                                        - Client storage for js should be done with local storage. 
553
554                                        If wanting to force cookie management the samesite is best
555                                        implemented with a filter so specific page requests can be
556                                        associated with the approp value.   Can also implement via
557                                        the Spring Session package.
558                                        see: https://stackoverflow.com/questions/42998367/same-site-flag-for-session-cookie-in-spring-security
559                                        see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
560                                       
561                                        - Secure = must be using https.  Localhost requests can be
562                                        http or https if set (likely implemented this way for dev/test).
563                                        - HttpOnly - can't access cookie value via js.
564                                -->
565                        </props>
566                </property>
567        </bean> 
568
<bean id="commonModelMapListController"
        class="org.ibisph.web.springmvc.ModelMapListProcessingController"
        abstract="true">
        <description>
                Abstract base for all HTML page type controllers.  Supplies the
                ModelMapListProcessingController class, the ADDITIONAL model maps
                that most pages use, and the HTTPResponseHeaders (typically set up
                to handle XSS security).
        </description>

        <!-- Model maps added to each page request, in the order listed. -->
        <property name="additionalModelMapList">
                <list>
                        <ref bean="commonContentBasePathModelMap"/>
                        <ref bean="commonWebAppBasePathModelMap"/>
                        <ref bean="commonHTTPRequestPathSegmentsModelMap"/>
                        <ref bean="commonHTTPRequestParametersModelMap"/>
                        <ref bean="commonUserProfileModelMap"/>
                        <ref bean="commonModifiedDateModelMap"/>
                </list>
        </property>

        <!--
                Same header set for every page controller that uses this bean as
                its parent.  A page that needs a stricter or different header has
                to override this property in its own bean definition.
        -->
        <property name="HTTPResponseHeaders" ref="commonHTTPResponseHeaders"/>
</bean>
588
589
590
591        <!--  X M L   R E S O U R C E S  -->
<bean id="commonXMLEncodingScheme" class="org.ibisph.model.StringHolder">
        <description>
                XML encoding scheme used when creating an XML file and as the Request
                character encoding.  Both "UTF-8" and "ISO-8859-1" should work, however,
                UTF-8 had some problems with some data.  ISO-8859-1 is a single byte
                (8 bit) encoding that covers the first 256 Unicode characters and is
                used for western european characters.  UTF-8 is a variable width
                encoding that covers all of Unicode.
        </description>
        <!--
                Characters outside ISO-8859-1 can not be represented directly in
                this encoding.  NOTE(review): the request decoding and the encoding
                declared on the pages should agree with this value; a mismatch
                changes what text the input validators actually see.
        -->
        <constructor-arg>
                <value>ISO-8859-1</value>
        </constructor-arg>
</bean>
601
<bean id="commonXMLOutputFormat" class="org.dom4j.io.OutputFormat">
        <!-- Encoding is taken from the commonXMLEncodingScheme bean. -->
        <property name="encoding" value="#{commonXMLEncodingScheme.string}"/>

        <!-- Count of indents. -->
        <property name="indentSize" value="1"/>

        <!-- Indent text: &#09; = horizontal tab; spaces etc can be used instead. -->
        <property name="indent" value="&#09;"/>

        <!-- If true puts the next element on a new line. -->
        <property name="newlines" value="true"/>

        <!-- If true just adds an extra blank line in between. -->
        <property name="padText" value="false"/>

        <!--
                Strips white space.  Do NOT set to true for IPs as embedded CRs
                will be lost.  NOTE(review): the value configured here is true;
                confirm that IP documents are written with a different format.
        -->
        <property name="trimText" value="true"/>
</bean>
610
611
612        <!--  X S L T   T R A N S F O R M A T I O N   R E S O U R C E S  -->
<!--
        Sets the XSLT transformation factory to be used, so that a pluggable
        XSLT engine is selected explicitly.  The factory could be set as a
        system property instead, but that can impact other apps installed on
        the same app server which require/rely on other versions of an XSLT
        processor (typically XALAN).  If the factory is not explicitly set then
        the app server's/JVM's default XSLT engine is used (via JAXP, typically
        XALAN, which will NOT work for IBIS as of 2008).

        NOTES:
        - This factory must be XSLT v2.0 (at this point Saxon is the best
        solution; XALAN 2.x will NOT work for IBIS as it is XSLT v1.x).

        - The IBIS transformer factory type classes were removed in late 2008
        as they were not needed.  If XALAN ever goes to 2.0 and adopters want
        to use it then those objects can be resurrected or new XALAN objects
        can be created as needed.

        - NOTE(review): an XSLT engine can read files and call extension
        functions on behalf of a stylesheet.  Stylesheets and source XML
        should only come from locations the application controls; how
        CachedSaxonTransformerFactory is configured in this respect is not
        visible in this file.

        PRODUCTION: It is highly recommended to use the caching Saxon XSLT engine:
        <bean id="commonXSLTTransformerFactory" class="org.ibisph.xslt.CachedSaxonTransformerFactory"/>

        XSLT DEVELOPMENT: Use the normal, thread safe non caching Saxon XSLT
        Transformation Factory.  This avoids having to restart the app or touch
        the core XSLT file.
        <bean id="commonXSLTTransformerFactory" class="net.sf.saxon.TransformerFactoryImpl"/>
-->
<bean id="commonXSLTTransformerFactory"
        class="org.ibisph.xslt.CachedSaxonTransformerFactory"/>
<!-- Transformation object built on the XSLT factory selected above in this file. -->
<bean id="commonXSLTTransformation" class="org.ibisph.xslt.Transformation">
        <constructor-arg>
                <ref bean="commonXSLTTransformerFactory"/>
        </constructor-arg>
</bean>
<bean id="commonXSLTTransformationView"
        class="org.ibisph.xml.springmvc.XSLTXMLTransformationView">
        <description>
                Core transformation view that almost all views use/extend from.
        </description>
        <constructor-arg>
                <ref bean="commonXSLTTransformation"/>
        </constructor-arg>

        <!-- Model map key under which the XML to be transformed is found. -->
        <property name="XMLModelMapKey" value="#{commonXMLModelMapKey.string}"/>

        <!--
                Model map key "XSLT" and the service used to obtain the stylesheet.
                NOTE(review): presumably the stylesheet path is resolved from
                configured paths only; confirm that no request parameter can
                select or alter it.
        -->
        <property name="XSLTURLModelMapKey" value="XSLT"/>
        <property name="XSLTURLGetModelService" ref="commonXSLTFilePathModelService"/>
</bean>
651
652
<bean id="commonXSSStringValidator" class="org.ibisph.util.ExclusionRegexFindStringValidator">
        <description>
                Series of regex that attempts to detect XSS (injected javascript).
                For IBIS the main issue is that a user could embed some script into
                a saved query and then share that saved query def with another
                user.  When that user opens the saved query it could execute some
                script that could do a few things.  However, this is quickly found
                as the victim can report it and the admin can see exactly which
                user is the offender and take action.

                This validator will catch very basic XSS and is provided mostly for
                IT departments to feel better about things.  To do this right the
                text MUST be processed as HTML and parsed to being valid etc.
        </description>
        <!--
                Exclusion patterns: text containing "javascript:" or an opening
                script tag is rejected.

                This is a deny list and is a secondary check only.  Script that
                runs from a shared saved query runs in the other user's session,
                and a report after the fact does not undo that, so saved query
                text must also be output encoded wherever it is rendered.
                NOTE(review): whether the match is case insensitive depends on
                ExclusionRegexFindStringValidator, which is not visible in this
                file; confirm.
        -->
        <property name="regEx">
                <list>
                        <value>javascript:|&lt;\s*script.*?\s*&gt;</value>
                </list>
        </property>
</bean>
673
<bean id="commonXMLStringCleaner" class="org.ibisph.util.ReplacementStringCleaner">
        <description>
                Cleans/replaces characters used when creating/saving XML.  Stubbed
                out for now...
        </description>
        <!--
                Left and right curly single quotes are replaced with a plain
                apostrophe.  This is character normalization only; it is not an
                input validation or escaping step.
        -->
        <property name="replacementCharsMap">
                <map>
                        <entry key="‘" value="'"/>
                        <entry key="’" value="'"/>
                </map>
        </property>
</bean>
686
687
688        <!--  E X C E P T I O N   R E S O L V E R  -->
689
690        <!-- Exception Resolvers are typically a list of exceptions with associated
691                views to be used to display an error for a given type of exception. 
692                Note that the resolver is ONLY used for exceptions thrown/uncaught
693                within controller objects e.g. objects controlled by the Request Dispatcher
694                servlet/container.  For "view" related errors a HandlerInterceptor
695                is needed see:
696               
697                http://stackoverflow.com/questions/196495/how-to-configure-spring-handlerexceptionresolver-to-handle-nullpointerexception-t)
698               
699                Other types of errors that happen outside of the servlet (like filter
700                errors) are also not able to be handled.  Many of these errors that occur
701                within the IBIS applications are view related and due to the fact that
702                the web.xml error handling can be used to handle ALL types of errors,
703                there's not much value in an ErrorResolver.  As of 2010, all errors
704                simply go through to the container which will then use the web.xml
705                which uses a centralized error jsp to handle all errors.  The error
706                page logs the error and returns an error page to the user.  The two
707                major down sides to this centralized JSP approach is that 1) the error
708                JSP has to be bullet proof, and 2) the error handling is limited to
709                what can be done within a JSP.  The pro to this approach is that it
710                is all centralized and handled consistently.
711        -->
712
713        <!-- Below is a basic ExceptionResolver that many Spring MVC apps implement.
714                Specific exceptions are handled by the simple exception to view resolver
715                This resolver needs to be used first and MUST not be configured to do the
716                general error handling as the next resolver will not be called.  Note that
717                this can be setup to handle everything but it was easier to understand
718                and control doing this way.
719
720        <bean id="commonSpecificExceptionResolver" class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
721                <property name="order" value="1"/>
722                <property name="defaultStatusCode" value="700"/>
723                <property name="defaultErrorView" value="/WEB-INF/jsp/error/detail.jsp"/>
724                <property name="exceptionAttribute" value="Exception"/>
725                <property name="mappedHandlers">
726                        <set><value>java.lang.Throwable</value><ref local="commonDefault.ExceptionHandler"/></set>
727                </property>
728                <property name="exceptionMappings">
729                        <props>
730                                <prop key="org.ibisph.web.springmvc.controller.query.NullModuleException">Query.NullModuleDocument.View</prop>
731                                <prop key="java.lang.Exception ">Query.NullModuleDocument.View</prop>
732                        </props>
733                </property>
734        </bean>
735
736        For many years a simple logging type ExceptionResolver was used.  The code
737        below is left in case the logging exception handler is wanted by an adopter.
738
739        <bean id="commonDefaultExceptionHandler" class="org.ibisph.web.springmvc.LoggingControllerExceptionHandler">
740                <property name="order" value="1"/>
741        </bean>
742        -->
743</beans>