Deployment Manual / Version 2406.1
Table Of Contents
cae.cookie.force-http-only
| |
Type |
Boolean
|
Default | true |
Description |
Whether or not to force the 'HttpOnly' attribute on all cookies. |
cae.cookie.force-secure
| |
Type |
Boolean
|
Default | true |
Description |
Whether or not to force the 'Secure' attribute on all cookies. |
cae.cookie.same-site
| |
Type |
String
|
Description |
The value of the cookie's 'SameSite' attribute. Valid values are the ones as defined by the spec. In addition, the value 'Unset' can be used to indicate that the attribute should not be set. |
cae.cors.allow-credentials-for-url-pattern
| |
Type |
Map<String,Boolean>
|
Description |
Map of whether user credentials are supported, based on URL patterns. Example: cae.cors.allow-credentials-for-url-pattern[{path\:.*}]=true See Javadoc for more information on CORS configuration for the CAE. |
cae.cors.allowed-headers-for-url-pattern
| |
Type |
Map<String,List<String>>
|
Description |
Map of headers that a pre-flight request can list as allowed for use during an actual request, based on URL patterns. A header name is not required to be listed if it is one of: Cache-Control, Content-Language, Expires, Last-Modified or Pragma. Example: cae.cors.allowed-headers-for-url-pattern[{path\:.*}]=x-requested-with,x-csrf-token See Javadoc for more information on CORS configuration for the CAE. |
cae.cors.allowed-methods-for-url-pattern
| |
Type |
Map<String,List<String>>
|
Description |
Map of HTTP methods to allow, based on URL patterns. Example: cae.cors.allowed-methods-for-url-pattern[{path\:.*}]=GET,POST,PUT See Javadoc for more information on CORS configuration for the CAE. |
cae.cors.allowed-origins-for-url-pattern
| |
Type |
Map<String,List<String>>
|
Description |
Map of origins to allow, based on URL patterns. Example: cae.cors.allowed-origins-for-url-pattern[{path\:.*}]=https://domain1.com,https://domain2.com In the preview CAE, this property may e.g. be configured with the Studio host in order to allow AJAX requests from the Studio to the CAE. See Javadoc for more information on CORS configuration for the CAE. |
cae.cors.exposed-headers-for-url-pattern
| |
Type |
Map<String,List<String>>
|
Description |
Map of response headers other than simple headers (i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified or Pragma) that an actual response might have and can be exposed, based on URL patterns. Example: cae.cors.exposed-headers-for-url-pattern[{path\:.*}]=x-requested-with,x-csrf-token See Javadoc for more information on CORS configuration for the CAE. |
cae.cors.max-age-for-url-pattern
| |
Type |
Map<String,Duration>
|
Description |
Map of how long, as a duration, the response from a pre-flight request can be cached by clients, based on URL patterns. Example: cae.cors.max-age-for-url-pattern[{path\:.*}]=3m See Javadoc for more information on CORS configuration for the CAE. |
cae.csrf.ignore-paths
| |
Type |
List<String>
|
Description |
Ant Paths to ignore for CSRF prevention. |
cae.hashing.secret
| |
Type |
String
|
Description |
A Secret which is used for url parameter hashing. Needs to be at least 32 characters long. If not configured a secret will be generated and exposed via warn log on application startup. If multiple CAEs are used, ensure to set the secret instead of trusting a generated one. |
cae.http-firewall.allow-semicolon
| |
Type |
Boolean
|
Default | false |
Description |
Determines if semicolon is allowed in the URL (i.e. matrix variables). |
cae.http-firewall.allow-url-encoded-double-slash
| |
Type |
Boolean
|
Default | false |
Description |
Determines if a double slash (//) that is URL encoded (%2F%2F) should be allowed in the path or not. |
cae.http-firewall.allow-url-encoded-percent
| |
Type |
Boolean
|
Default | false |
Description |
Determines if a percent (%) that is URL encoded (%25) should be allowed in the path or not. |
cae.http-firewall.allow-url-encoded-period
| |
Type |
Boolean
|
Default | false |
Description |
Determines if a period (.) that is URL encoded (%2E) should be allowed in the path or not. |
cae.http-firewall.allow-url-encoded-slash
| |
Type |
Boolean
|
Default | false |
Description |
Determines if a slash (/) that is URL encoded (%2F) should be allowed in the path or not. |
cae.http-headers.csp.directives
| |
Type |
String
|
Default | default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; |
Description |
The CSP directives to be set. Defaults to "self". Set to empty to omit the CSP header. |
cae.http-headers.csp.report-only
| |
Type |
Boolean
|
Default | false |
Description |
Flag to control if the content security policy is to be reported only. |
cae.http-headers.frame-options
| |
Type |
com.coremedia.cae.security.CaeHttpHeadersConfigurationProperties$FrameOptions
|
Default | disable |
Description |
Configure the X-Frame-Options header. |
cae.http-headers.xss
| |
Type |
com.coremedia.cae.security.CaeHttpHeadersConfigurationProperties$XSS
|
Default | disabled |
Description |
Configure the X-XSS-Protection header. |
cae.link-transformer.include-params-appender.uri-paths
| |
Type |
List<String>
|
Default | /dynamic/ |
Description |
uriPaths the IncludeParamsAppendingLinkTransformer should be applied to. |
cae.link-transformer.serializer-classes
| |
Type |
List<Class<?>>
|
Description |
A list of fully qualified class names for which a com.fasterxml.jackson.databind.JsonSerializer should be registered for view parameter conversion. Every class which is configured here, should have a proper com.coremedia.id.IdScheme implementation being registered at the com.coremedia.id.IdProvider bean. |
cae.preview.metadata-enabled
| |
Type |
Boolean
|
Default | false |
Description |
Whether to disable metadata rendering. Disabled by default. |
cae.preview.pbe.include-jquery
| |
Type |
Boolean
|
Default | false |
Description |
Configures if jquery should be included when rendering the preview related scripts. |
cae.preview.pbe.studio-url-whitelist
| |
Type |
List<String>
|
Description |
Configures a list of valid Studio URLs. The Studio Preview integration does only work for listed Studio instances. If left blank, any Studio instance is considered valid. |
cae.set-unknown-mime-type
| |
Type |
Boolean
|
Default | false |
Description |
This property controls if an instance of com.coremedia.blueprint.cae.filter.UnknownMimetypeCharacterEncodingFilter is registered to fix unknown encoding errors in Webshere versions up to and including 8.5.5010.20160721_0036. The UnknownMimetypeCharacterEncoding filter will be used when cae.set-unknown-mime-type is set to true. The default is suitable when using Tomcat or Websphere starting from 8.5.5011.20161206_1434. |
cae.single-node
| |
Type |
Boolean
|
Default | false |
Description |
This property is used in com.coremedia.blueprint.cae.handlers.HandlerBase#doCreateModelWithView to control if a possibly outdated resource is served or if a redirect is sent. The redirect is only a valid response when cae.single-node is set to true. |
cae.view.cycle-check
| |
Type |
Boolean
|
Default | true |
Description |
Check for cyclic inclusions. You should not disable the check, unless for some good reason, e.g.:
|
cae.view.debug-enabled
| |
Type |
Boolean
|
Default | false |
Description |
If set to true, html comments will be written to the rendered pages around included fragments. This is a development feature. With these comments you can easily see which JSP, bean and view was used to render a fragment. |
cae.view.errorhandler.enabled
| |
Type |
Boolean
|
Default | true |
Description |
Enables/disables the view exception handler. |
cae.view.errorhandler.output
| |
Type |
Boolean
|
Default | false |
Description |
If handler is enabled and set to true, exceptions will be displayed in the current page. |
cae.view.filter-lookup-by-predicate
| |
Type |
Boolean
|
Default | false |
Description |
By convention, templates are written for bean interfaces, but views may be named after any type. If set to true, viewlookup will only be done for views named after interfaces, not classes, with configurable excludes and includes. This option is turned off by default. |
cae.view.max-depth
| |
Type |
Integer
|
Default | 200 |
Description |
Maximum depth of inclusions. |
cae.viewdispatcher.cache.enabled
| |
Type |
Boolean
|
Default | true |
Description |
Defines if the caching of view lookups is enabled. Disabling might be useful when developing templates. Shouldn't be disabled when in production mode! |
cae.viewdispatcher.expose-spring-macro-helpers
| |
Type |
Boolean
|
Default | true |
Description |
Set whether to expose a RequestContext for use by Spring's macro library, under the name "springMacroRequestContext". Default is "true". Currently needed for Spring's Velocity and FreeMarker default macros. Note that this is not required for templates that use HTML forms unless you wish to take advantage of the Spring helper macros. |
cae.viewdispatcher.fallback-to-default-view
| |
Type |
Boolean
|
Default | true |
Description |
Fallback to default view if requested view name raises view exception. |
Table 3.1. Configuration Properties with Prefix cae