Copyright (c) 2009, 2020 Oracle and/or its affiliates. All rights reserved. This program and the accompanying materials are made available under the terms of the Eclipse Public License v. 2.0, which is available at http://www.eclipse.org/legal/epl-2.0. This Source Code may also be made available under the following Secondary Licenses when the conditions for such availability set forth in the Eclipse Public License v. 2.0 are satisfied: GNU General Public License, version 2 with the GNU Classpath Exception, which is available at https://www.gnu.org/software/classpath/license.html. SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 ... The instance documents may indicate the published version of the schema using the xsi:schemaLocation attribute for Jakarta EE namespace with the following location: https://jakarta.ee/xml/ns/jakartaee/web-common_5_0.xsd ]]> The following conventions apply to all Jakarta EE deployment descriptor elements unless indicated otherwise. - In elements that specify a pathname to a file within the same JAR file, relative filenames (i.e., those not starting with "/") are considered relative to the root of the JAR file's namespace. Absolute filenames (i.e., those starting with "/") also specify names in the root of the JAR file's namespace. In general, relative names are preferred. The exception is .war files where absolute names are preferred for consistency with the Servlet API. The context-param element contains the declaration of a web application's servlet context initialization parameters. The metadata-complete attribute defines whether this deployment descriptor and other related deployment descriptors for this module (e.g., web service descriptors) are complete, or whether the class files available to this module and packaged with this application should be examined for annotations that specify deployment information. If metadata-complete is set to "true", the deployment tool must ignore any annotations that specify deployment information, which might be present in the class files of the application. If metadata-complete is not specified or is set to "false", the deployment tool must examine the class files of the application for annotations, as specified by the specifications. The auth-constraintType indicates the user roles that should be permitted access to this resource collection. The role-name used here must either correspond to the role-name of one of the security-role elements defined for this web application, or be the specially reserved role-name "*" that is a compact syntax for indicating all roles in the web application. If both "*" and rolenames appear, the container interprets this as all roles. If no roles are defined, no user is allowed access to the portion of the web application described by the containing security-constraint. The container matches role names case sensitively when determining access. The auth-methodType is used to configure the authentication mechanism for the web application. As a prerequisite to gaining access to any web resources which are protected by an authorization constraint, a user must have authenticated using the configured mechanism. Legal values are "BASIC", "DIGEST", "FORM", "CLIENT-CERT", or a vendor-specific authentication scheme. Used in: login-config The dispatcher has five legal values: FORWARD, REQUEST, INCLUDE, ASYNC, and ERROR. A value of FORWARD means the Filter will be applied under RequestDispatcher.forward() calls. A value of REQUEST means the Filter will be applied under ordinary client calls to the path or servlet. A value of INCLUDE means the Filter will be applied under RequestDispatcher.include() calls. A value of ASYNC means the Filter will be applied under calls dispatched from an AsyncContext. A value of ERROR means the Filter will be applied under the error page mechanism. The absence of any dispatcher elements in a filter-mapping indicates a default of applying filters only under ordinary client calls to the path or servlet. The error-code contains an HTTP error code, ex: 404 Used in: error-page The error-pageType contains a mapping between an error code or exception type to the path of a resource in the web application. Error-page declarations using the exception-type element in the deployment descriptor must be unique up to the class name of the exception-type. Similarly, error-page declarations using the error-code element must be unique in the deployment descriptor up to the status code. If an error-page element in the deployment descriptor does not contain an exception-type or an error-code element, the error page is a default error page. Used in: web-app The exception-type contains a fully qualified class name of a Java exception type. The location element contains the location of the resource in the web application relative to the root of the web application. The value of the location must have a leading `/'. The filterType is used to declare a filter in the web application. The filter is mapped to either a servlet or a URL pattern in the filter-mapping element, using the filter-name value to reference. Filters can access the initialization parameters declared in the deployment descriptor at runtime via the FilterConfig interface. Used in: web-app The fully qualified classname of the filter. The init-param element contains a name/value pair as an initialization param of a servlet filter Declaration of the filter mappings in this web application is done by using filter-mappingType. The container uses the filter-mapping declarations to decide which filters to apply to a request, and in what order. The container matches the request URI to a Servlet in the normal way. To determine which filters to apply it matches filter-mapping declarations either on servlet-name, or on url-pattern for each filter-mapping element, depending on which style is used. The order in which filters are invoked is the order in which filter-mapping declarations that match a request URI for a servlet appear in the list of filter-mapping elements.The filter-name value must be the value of the filter-name sub-elements of one of the filter declarations in the deployment descriptor. This type defines a string which contains at least one character. The logical name of the filter is declare by using filter-nameType. This name is used to map the filter. Each filter name is unique within the web application. Used in: filter, filter-mapping The form-login-configType specifies the login and error pages that should be used in form based login. If form based authentication is not used, these elements are ignored. Used in: login-config The form-login-page element defines the location in the web app where the page that can be used for login can be found. The path begins with a leading / and is interpreted relative to the root of the WAR. The form-error-page element defines the location in the web app where the error page that is displayed when login is not successful can be found. The path begins with a leading / and is interpreted relative to the root of the WAR. A HTTP method type as defined in HTTP 1.1 section 2.2. The login-configType is used to configure the authentication method that should be used, the realm name that should be used for this application, and the attributes that are needed by the form login mechanism. Used in: web-app The realm name element specifies the realm name to use in HTTP Basic authorization. The mime-mappingType defines a mapping between an extension and a mime type. Used in: web-app The extension element contains a string describing an extension. example: "txt" The mime-typeType is used to indicate a defined mime type. Example: "text/plain" Used in: mime-mapping The security-constraintType is used to associate security constraints with one or more web resource collections Used in: web-app The servletType is used to declare a servlet. It contains the declarative data of a servlet. If a jsp-file is specified and the load-on-startup element is present, then the JSP should be precompiled and loaded. Used in: web-app The servlet-class element contains the fully qualified class name of the servlet. The load-on-startup element indicates that this servlet should be loaded (instantiated and have its init() called) on the startup of the web application. The optional contents of these element must be an integer indicating the order in which the servlet should be loaded. If the value is a negative integer, or the element is not present, the container is free to load the servlet whenever it chooses. If the value is a positive integer or 0, the container must load and initialize the servlet as the application is deployed. The container must guarantee that servlets marked with lower integers are loaded before servlets marked with higher integers. The container may choose the order of loading of servlets with the same load-on-start-up value. The servlet-mappingType defines a mapping between a servlet and a url pattern. Used in: web-app The servlet-name element contains the canonical name of the servlet. Each servlet name is unique within the web application. The session-configType defines the session parameters for this web application. Used in: web-app The session-timeout element defines the default session timeout interval for all sessions created in this web application. The specified timeout must be expressed in a whole number of minutes. If the timeout is 0 or less, the container ensures the default behaviour of sessions is never to time out. If this element is not specified, the container must set its default timeout period. The cookie-config element defines the configuration of the session tracking cookies created by this web application. The tracking-mode element defines the tracking modes for sessions created by this web application The cookie-configType defines the configuration for the session tracking cookies of this web application. Used in: session-config The name that will be assigned to any session tracking cookies created by this web application. The default is JSESSIONID The domain name that will be assigned to any session tracking cookies created by this web application. The path that will be assigned to any session tracking cookies created by this web application. The comment that will be assigned to any session tracking cookies created by this web application. Specifies whether any session tracking cookies created by this web application will be marked as HttpOnly Specifies whether any session tracking cookies created by this web application will be marked as secure. When true, all session tracking cookies must be marked as secure independent of the nature of the request that initiated the corresponding session. When false, the session cookie should only be marked secure if the request that initiated the session was secure. The lifetime (in seconds) that will be assigned to any session tracking cookies created by this web application. Default is -1 The name that will be assigned to any session tracking cookies created by this web application. The default is JSESSIONID Used in: cookie-config The domain name that will be assigned to any session tracking cookies created by this web application. Used in: cookie-config The path that will be assigned to any session tracking cookies created by this web application. Used in: cookie-config The comment that will be assigned to any session tracking cookies created by this web application. Used in: cookie-config The tracking modes for sessions created by this web application Used in: session-config The transport-guaranteeType specifies that the communication between client and server should be NONE, INTEGRAL, or CONFIDENTIAL. NONE means that the application does not require any transport guarantees. A value of INTEGRAL means that the application requires that the data sent between the client and server be sent in such a way that it can't be changed in transit. CONFIDENTIAL means that the application requires that the data be transmitted in a fashion that prevents other entities from observing the contents of the transmission. In most cases, the presence of the INTEGRAL or CONFIDENTIAL flag will indicate that the use of SSL is required. Used in: user-data-constraint The user-data-constraintType is used to indicate how data communicated between the client and container should be protected. Used in: security-constraint The elements that use this type designate a path starting with a "/" and interpreted relative to the root of a WAR file. This type contains the recognized versions of web-application supported. It is used to designate the version of the web application. The web-resource-collectionType is used to identify the resources and HTTP methods on those resources to which a security constraint applies. If no HTTP methods are specified, then the security constraint applies to all HTTP methods. If HTTP methods are specified by http-method-omission elements, the security constraint applies to all methods except those identified in the collection. http-method-omission and http-method elements are never mixed in the same collection. Used in: security-constraint The web-resource-name contains the name of this web resource collection. Each http-method names an HTTP method to which the constraint applies. Each http-method-omission names an HTTP method to which the constraint does not apply. The welcome-file-list contains an ordered list of welcome files elements. Used in: web-app The welcome-file element contains file name to use as a default welcome file, such as index.html The localeType defines valid locale defined by ISO-639-1 and ISO-3166. The encodingType defines IANA character sets. The locale-encoding-mapping-list contains one or more locale-encoding-mapping(s). The locale-encoding-mapping contains locale name and encoding name. The locale name must be either "Language-code", such as "ja", defined by ISO-639 or "Language-code_Country-code", such as "ja_JP". "Country code" is defined by ISO-3166. This element indicates that the ordering sub-element in which it was placed should take special action regarding the ordering of this application resource relative to other application configuration resources. See section 8.2.2 of the specification for details. This element specifies configuration information related to the handling of multipart/form-data requests. The directory location where uploaded files will be stored The maximum size limit of uploaded files The maximum size limit of multipart/form-data requests The size threshold after which an uploaded file will be written to disk