Deployment Manual / Version 2412.0

3.1.1 General CAE Properties

cae.cookie.force-http-only
Type Boolean
Default true
Description

Whether or not to force the 'HttpOnly' attribute on all cookies.

cae.cookie.force-secure
Type Boolean
Default true
Description

Whether or not to force the 'Secure' attribute on all cookies.

cae.cookie.same-site
Type String
Description

The value of the cookie's 'SameSite' attribute. Valid values are those defined by the specification. In addition, the value 'Unset' indicates that the attribute should not be set.

cae.cors.allow-credentials-for-url-pattern
Type Map<String,Boolean>
Description

Map of whether user credentials are supported, based on URL patterns.

Example:

 cae.cors.allow-credentials-for-url-pattern[{path\:.*}]=true 

See Javadoc for more information on CORS configuration for the CAE.

cae.cors.allowed-headers-for-url-pattern
Type Map<String,List<String>>
Description

Map of headers that a pre-flight request can list as allowed for use during an actual request, based on URL patterns.

A header name is not required to be listed if it is one of: Cache-Control, Content-Language, Expires, Last-Modified or Pragma.

Example:

 cae.cors.allowed-headers-for-url-pattern[{path\:.*}]=x-requested-with,x-csrf-token 

See Javadoc for more information on CORS configuration for the CAE.

cae.cors.allowed-methods-for-url-pattern
Type Map<String,List<String>>
Description

Map of HTTP methods to allow, based on URL patterns.

Example:

 cae.cors.allowed-methods-for-url-pattern[{path\:.*}]=GET,POST,PUT 

See Javadoc for more information on CORS configuration for the CAE.

cae.cors.allowed-origins-for-url-pattern
Type Map<String,List<String>>
Description

Map of origins to allow, based on URL patterns.

Example:

 cae.cors.allowed-origins-for-url-pattern[{path\:.*}]=https://domain1.com,https://domain2.com 

In the preview CAE, this property may e.g. be configured with the Studio host in order to allow AJAX requests from the Studio to the CAE.

See Javadoc for more information on CORS configuration for the CAE.

cae.cors.exposed-headers-for-url-pattern
Type Map<String,List<String>>
Description

Map of response headers other than simple headers (i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified or Pragma) that an actual response might have and can be exposed, based on URL patterns.

Example:

 cae.cors.exposed-headers-for-url-pattern[{path\:.*}]=x-requested-with,x-csrf-token 

See Javadoc for more information on CORS configuration for the CAE.

cae.cors.max-age-for-url-pattern
Type Map<String,Duration>
Description

Map of how long, as a duration, the response from a pre-flight request can be cached by clients, based on URL patterns.

Example:

 cae.cors.max-age-for-url-pattern[{path\:.*}]=3m 

See Javadoc for more information on CORS configuration for the CAE.

cae.csrf.ignore-paths
Type List<String>
Description

Ant Paths to ignore for CSRF prevention.

cae.hashing.secret
Type String
Description

A secret that is used for URL parameter hashing. It must be at least 32 characters long. If not configured, a secret is generated and exposed via the warn log on application startup. If multiple CAEs are used, set the secret explicitly instead of relying on a generated one.

cae.http-firewall.allow-semicolon
Type Boolean
Default false
Description

Determines if semicolon is allowed in the URL (i.e. matrix variables).

cae.http-firewall.allow-url-encoded-double-slash
Type Boolean
Default false
Description

Determines if a double slash (//) that is URL encoded (%2F%2F) should be allowed in the path or not.

cae.http-firewall.allow-url-encoded-percent
Type Boolean
Default false
Description

Determines if a percent (%) that is URL encoded (%25) should be allowed in the path or not.

cae.http-firewall.allow-url-encoded-period
Type Boolean
Default false
Description

Determines if a period (.) that is URL encoded (%2E) should be allowed in the path or not.

cae.http-firewall.allow-url-encoded-slash
Type Boolean
Default false
Description

Determines if a slash (/) that is URL encoded (%2F) should be allowed in the path or not.

cae.http-headers.csp.directives
Type String
Default default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
Description

The CSP directives to be set. Defaults to "self". Set to empty to omit the CSP header.
For the preview CAE, use the following CSP directives and adapt STUDIO-FQDN:
"default-src 'self'; script-src 'self' STUDIO-FQDN 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors STUDIO-FQDN;"

cae.http-headers.csp.report-only
Type Boolean
Default false
Description

Flag to control if the content security policy is to be reported only.

cae.http-headers.frame-options
Type com.coremedia.cae.security.CaeHttpHeadersConfigurationProperties$FrameOptions
Default disable
Description

Configure the X-Frame-Options header.

cae.http-headers.xss
Type com.coremedia.cae.security.CaeHttpHeadersConfigurationProperties$XSS
Default disabled
Description

Configure the X-XSS-Protection header.

cae.link-transformer.include-params-appender.uri-paths
Type List<String>
Default /dynamic/
Description

uriPaths the IncludeParamsAppendingLinkTransformer should be applied to.

cae.link-transformer.serializer-classes
Type List<Class<?>>
Description

A list of fully qualified class names for which a com.fasterxml.jackson.databind.JsonSerializer should be registered for view parameter conversion. Every class which is configured here, should have a proper com.coremedia.id.IdScheme implementation being registered at the com.coremedia.id.IdProvider bean.

cae.preview.metadata-enabled
Type Boolean
Default false
Description

Whether to disable metadata rendering. Disabled by default.

cae.preview.pbe.include-jquery
Type Boolean
Default false
Description

Configures whether jQuery is included when rendering the preview-related scripts.

cae.preview.pbe.studio-url-whitelist
Type List<String>
Description

Configures a list of valid Studio URLs. The Studio Preview integration only works for listed Studio instances. If left blank, any Studio instance is considered valid.

cae.set-unknown-mime-type
Type Boolean
Default false
Description

This property controls whether an instance of com.coremedia.blueprint.cae.filter.UnknownMimetypeCharacterEncodingFilter is registered to fix unknown encoding errors in WebSphere versions up to and including 8.5.5010.20160721_0036. The UnknownMimetypeCharacterEncodingFilter is used when cae.set-unknown-mime-type is set to true. The default is suitable when using Tomcat or WebSphere starting from 8.5.5011.20161206_1434.

Deprecation

This property has been deprecated and will be removed in a future version.

cae.single-node
Type Boolean
Default false
Description

This property is used in com.coremedia.blueprint.cae.handlers.HandlerBase#doCreateModelWithView to control if a possibly outdated resource is served or if a redirect is sent. The redirect is only a valid response when cae.single-node is set to true.

cae.view.cycle-check
Type Boolean
Default true
Description

Check for cyclic inclusions. You should not disable the check, unless for some good reason, e.g.:

  • You use a custom ViewDispatcher, whose getView method is not determined only by its arguments.

  • Your View#render implementation invokes ViewUtils#render with the same bean + viewName, but with another (delegate) View.

cae.view.debug-enabled
Type Boolean
Default false
Description

If set to true, HTML comments are written to the rendered pages around included fragments. This is a development feature. With these comments you can easily see which JSP, bean and view were used to render a fragment.

cae.view.errorhandler.enabled
Type Boolean
Default true
Description

Enables/disables the view exception handler.

cae.view.errorhandler.output
Type Boolean
Default false
Description

If the handler is enabled and this property is set to true, exceptions are displayed in the current page.

cae.view.filter-lookup-by-predicate
Type Boolean
Default false
Description

By convention, templates are written for bean interfaces, but views may be named after any type. If set to true, view lookup is only done for views named after interfaces, not classes, with configurable excludes and includes. This option is turned off by default.

cae.view.max-depth
Type Integer
Default 200
Description

Maximum depth of inclusions.

cae.viewdispatcher.cache.enabled
Type Boolean
Default true
Description

Defines if the caching of view lookups is enabled. Disabling might be useful when developing templates. Shouldn't be disabled when in production mode!

cae.viewdispatcher.expose-spring-macro-helpers
Type Boolean
Default true
Description

Set whether to expose a RequestContext for use by Spring's macro library, under the name "springMacroRequestContext". Default is "true".

Currently needed for Spring's Velocity and FreeMarker default macros. Note that this is not required for templates that use HTML forms unless you wish to take advantage of the Spring helper macros.

cae.viewdispatcher.fallback-to-default-view
Type Boolean
Default true
Description

Fallback to default view if requested view name raises view exception.

Table 3.1. Configuration Properties with Prefix cae
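
As an added example (not part of the CoreMedia manual or product), the following Python check reads a CAE properties file and reports security-relevant settings that deviate from the defaults in Table 3.1, plus a missing or too-short cae.hashing.secret and an empty CSP directive list. The names SAFE_DEFAULTS, parse_properties and audit and the sample configuration are constructed for illustration.

```python
# Added example (not CoreMedia code). Parser handles only key=value and #/! comment lines.
SAFE_DEFAULTS = {  # boolean properties and their documented defaults
    "cae.cookie.force-http-only": "true",
    "cae.cookie.force-secure": "true",
    "cae.view.debug-enabled": "false",
    "cae.view.errorhandler.output": "false",
    "cae.viewdispatcher.cache.enabled": "true",
}
for name in ("semicolon", "url-encoded-double-slash", "url-encoded-percent",
             "url-encoded-period", "url-encoded-slash"):
    SAFE_DEFAULTS[f"cae.http-firewall.allow-{name}"] = "false"

def parse_properties(text):
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(text):
    props = parse_properties(text)
    findings = []
    for key, default in SAFE_DEFAULTS.items():
        value = props.get(key, default).lower()
        if value != default:
            findings.append(f"{key}={value} (default is {default})")
    secret = props.get("cae.hashing.secret")
    if secret is None:
        findings.append("cae.hashing.secret unset: generated secret is written to the warn log")
    elif len(secret) < 32:
        findings.append("cae.hashing.secret is shorter than 32 characters")
    if props.get("cae.http-headers.csp.directives") == "":
        findings.append("cae.http-headers.csp.directives is empty: CSP header omitted")
    return findings

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
cae.cookie.force-secure=false
cae.hashing.secret=too-short
cae.http-firewall.allow-url-encoded-slash=true
cae.view.errorhandler.output=true
cae.http-headers.csp.directives=
cae.cors.allowed-origins-for-url-pattern[{path\\:.*}]=https://domain1.com
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Some findings are expected in a development or preview CAE (for example cae.view.debug-enabled); the check is meant for reviewing a live CAE configuration before deployment.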

