Package weblogic.management.configuration

Interface WebAppContainerMBean

All Superinterfaces:

ConfigurationMBean, DescriptorBean, javax.management.DynamicMBean, javax.management.MBeanRegistration, javax.management.NotificationBroadcaster, SettableBean, WebLogicMBean

public interface WebAppContainerMBean
extends ConfigurationMBean

This MBean is used to specify domain-wide defaults for the WebApp container. In general, these properties can be overridden at the cluster level (in ClusterMBean, if the same property is present there), the server level (in ServerMBean, if the same property is present there) or for a specific Web application (in weblogic.xml).

Field Summary

Fields inherited from interface weblogic.management.configuration.ConfigurationMBean

DEFAULT_EMPTY_BYTE_ARRAY

Method Summary

Modifier and Type	Method	Description
java.lang.String	getFormAuthXFrameOptionsHeaderValue()	Returns the X-Frame-Options header value (DENY, SAMEORIGIN, or ALLOW-FROM uri) that will be set in the responses for all requests to the "j_security_check" endpoint when using FORM authentication.
GzipCompressionMBean	getGzipCompression()	Get the GzipCompressionMBean, which represents GZIP compression support configuration.
Http2ConfigMBean	getHttp2Config()	Get the getHttp2Config from WebSerevrMBean.
int	getMaxPostSize()	The maximum post size this server allows for reading HTTP POST data in a servlet request.
int	getMaxPostTimeSecs()	Maximum post time (in seconds) for reading HTTP POST data in a servlet request.
int	getMaxRequestParameterCount()	The maximum request parameter count this server allows for reading maximum HTTP POST parameters count in a servlet request.
int	getMaxSingleHeaderSize()	The maximum size of a single header (name and value) this server allows in a servlet request.
int	getMaxTotalHeadersSize()	The maximum total headers size this server allows for reading HTTP headers in a servlet request.
java.lang.String	getMimeMappingFile()	Returns the name of the file containing mime-mappings for the domain.
java.lang.String	getP3PHeaderValue()	Returns the P3P header value that will be sent with all responses for HTTP requests (if non-null).
int	getPostTimeoutSecs()	The amount of time this server waits between receiving chunks of data in an HTTP POST data before it times out.
java.lang.String[]	getSameSiteFilterCookieSettings()	The HTTP Cookie configuration for the WebLogic HTTP SameSite Java EE Servlet Filter.
java.lang.String[]	getSameSiteFilterUserAgentRegEx()	The User Agent configuration for the WebLogic HTTP SameSite Java EE Servlet Filter.
int	getServletReloadCheckSecs()
java.lang.String	getXPoweredByHeaderLevel()	WebLogic Server uses the X-Powered-By HTTP header, as recommended by the Servlet 3.1 specification, to publish its implementation information.
boolean	isAllowAllRoles()	In the security-constraints elements defined in a web application's web.xml deployment descriptor, the auth-constraint element indicates the user roles that should be permitted access to this resource collection.
boolean	isAuthCookieEnabled()	Specifies whether the AuthCookie feature is enabled or not.
boolean	isChangeSessionIDOnAuthentication()	Global property to determine if we need to generate a new SessionID after authentication.
boolean	isClientCertProxyEnabled()	Specifies whether or not to honor the WL-Proxy-Client-Cert header coming with the request.
boolean	isFilterDispatchedRequestsEnabled()	Indicates whether or not to apply filters to dispatched requests.
boolean	isHttpTraceSupportEnabled()	Returns the value of HttpTraceSupportEnabled.
boolean	isJaxRsMonitoringDefaultBehavior()	Global property to determine the behavior of monitoring in JAX-RS applications.
boolean	isJSPCompilerBackwardsCompatible()	Global property to determine the behavior of the JSP compiler.
boolean	isMaxRequestParameterCountSet()
boolean	isOptimisticSerialization()	When OptimisticSerialization is turned on, WebLogic Server does not serialize-deserialize context and request attributes upon getAttribute(name) when a request gets dispatched across servlet contexts.
boolean	isOverloadProtectionEnabled()	This parameter is used to enable overload protection in the web application container against low memory conditions.
boolean	isRejectMaliciousPathParameters()	The WebApp Container configuration for rejection of URIs with malicious path parameters.
boolean	isReloginEnabled()	Beginning with the 9.0 release, the FORM/BASIC authentication behavior has been modified to conform strictly to the Java EE Specification.
boolean	isRetainOriginalURL()	The retain-original-url property is used in FORM based authentication scenarios.
boolean	isRtexprvalueJspParamName()	Global property which determines the behavior of the JSP compiler when a jsp:param attribute "name" has a request time value.
boolean	isSameSiteFilterSecureChannelRequired()	The Secure Channel configuration for the WebLogic SameSite Java EE Servlet Filter.
boolean	isServletAuthenticationFormURL()	ServletAuthenticationFormURL is used for backward compatibility with previous releases of Weblogic Server.
boolean	isServletReloadCheckSecsSet()
boolean	isShowArchivedRealPathEnabled()	Global property to determine the behavior of getRealPath() for archived web applications.
boolean	isSynchronizedSessionTimeoutEnabled()	Indicates whether to also invalidate all the other sessions when one of the sessions that share the same ID expires.
boolean	isWAPEnabled()	Indicates whether the session ID should include JVM information.
boolean	isWeblogicPluginEnabled()	Specifies whether or not the proprietary WL-Proxy-Client-IP header should be honored.
boolean	isWorkContextPropagationEnabled()	Indicates whether or not WorkContextPropagation is enabled.
void	setAllowAllRoles(boolean allowAllRoles)	Sets the value of the backward compatibility switch AllowAllRoles attribute.
void	setAuthCookieEnabled(boolean enable)	Sets the value of the isAuthCookieEnabled attribute.
void	setChangeSessionIDOnAuthentication(boolean changeSessionIDOnAuthentication)	Sets the value of the ChangeSessionIDOnAuthentication parameter.
void	setClientCertProxyEnabled(boolean ccp)	A value of true causes proxy-server plug-ins to pass identity certificates from clients to all web applications that are deployed on all server instances in the domain.
void	setFilterDispatchedRequestsEnabled(boolean enabled)	Sets the value of the backward-compatibility parameter "FilterDispatchedRequestsEnabled".
void	setFormAuthXFrameOptionsHeaderValue(java.lang.String formAuthXFrameOptionsHeader)	Set the "X-Frame-Options" header to DENY, SAMEORIGIN, or ALLOW-FROM uri, in the responses for all requests to the "j_security_check" endpoint when using FORM authentication.
void	setHttpTraceSupportEnabled(boolean tse)	Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers, such as cookies and authentication data.
void	setJaxRsMonitoringDefaultBehavior(boolean value)	Global property to determine the behavior of monitoring in JAX-RS applications.
void	setJSPCompilerBackwardsCompatible(boolean compat)	Sets the value of the JSPCompilerBackwardsCompatible parameter.
void	setMaxPostSize(int bytes)	Sets the value of the maxPostSize attribute.
void	setMaxPostTimeSecs(int secs)	Maximum post time (in seconds) for reading HTTP POST data in a servlet request.
void	setMaxRequestParameterCount(int limit)	Sets the value of the maxRequestParameterCount attribute.
void	setMaxSingleHeaderSize(int bytes)	Sets the value of the maxSingleHeaderSize attribute.
void	setMaxTotalHeadersSize(int bytes)	Sets the value of the maxTotalHeadersSize attribute.
void	setMimeMappingFile(java.lang.String mimeMapping)	Sets the MimeMapping file name for the domain.
void	setOptimisticSerialization(boolean b)	Sets the OptimisticSerialization value.
void	setOverloadProtectionEnabled(boolean enabled)	Sets the value of the OverloadProtectionEnabled parameter.
void	setP3PHeaderValue(java.lang.String p3pHeader)	If set to a non-null value, a "P3P" header will always be sent with all responses for HTTP requests.
void	setPostTimeoutSecs(int secs)	Sets the value of the postTimeoutSecs attribute.
void	setRejectMaliciousPathParameters(boolean reject)	Sets whether the WebApp Container will reject requests with malicious path parameters.
void	setReloginEnabled(boolean enabled)	Enables re-login for FORM/BASIC authentication in web applications.
void	setRetainOriginalURL(boolean b)	Sets the RetainOriginalURL value.
void	setRtexprvalueJspParamName(boolean rtexprvalue)	Sets the value of RtexprvalueJspParamName.
void	setSameSiteFilterCookieSettings(java.lang.String[] cookieSettings)	Sets the HTTP Cookie configuration for the WebLogic HTTP SameSite Java EE Servlet Filter.
void	setSameSiteFilterSecureChannelRequired(boolean enabled)	Sets whether Secure Channel is required for the Secure attribute in the WebLogic SameSite Java EE Servlet Filter.
void	setSameSiteFilterUserAgentRegEx(java.lang.String[] regEx)	Sets the User Agent configuration for the WebLogic SameSite Java EE Servlet Filter.
void	setServletAuthenticationFormURL(boolean b)	Sets the ServletAuthenticationFormURL value.
void	setServletReloadCheckSecs(int servletReloadCheckSecs)
void	setShowArchivedRealPathEnabled(boolean showArchivedRealPathEnabled)	Sets the value of the ShowArchivedRealPathEnabled parameter.
void	setSynchronizedSessionTimeoutEnabled(boolean enabled)	Sets the value for SynchronizedSessionTimeoutEnabled
void	setWAPEnabled(boolean enable)	Sets the value of the IsWAPEnabled attribute.
void	setWeblogicPluginEnabled(boolean wpe)	WebLogic Server HttpRequest.getRemoteAddr() is used to rely on X-Forwarded-For for its returned value.
void	setWorkContextPropagationEnabled(boolean workContextPropagationEnabled)	Sets the value of WorkContextPropagationEnabled.
void	setXPoweredByHeaderLevel(java.lang.String xPoweredByHeaderLevel)	Sets the level for XPoweredBy header information.

Methods inherited from interface weblogic.management.configuration.ConfigurationMBean

freezeCurrentValue, getId, getInheritedProperties, getName, getNotes, isDynamicallyCreated, isInherited, isSet, restoreDefaultValue, setComments, setDefaultedMBean, setName, setNotes, setPersistenceEnabled, unSet

Methods inherited from interface weblogic.descriptor.DescriptorBean

addPropertyChangeListener, createChildCopyIncludingObsolete, getParentBean, isEditable, removePropertyChangeListener

Methods inherited from interface javax.management.DynamicMBean

getAttribute, getAttributes, invoke, setAttribute, setAttributes

Methods inherited from interface javax.management.MBeanRegistration

postDeregister, postRegister, preDeregister, preRegister

Methods inherited from interface javax.management.NotificationBroadcaster

addNotificationListener, getNotificationInfo, removeNotificationListener

Methods inherited from interface weblogic.management.WebLogicMBean

getMBeanInfo, getObjectName, getParent, getType, isCachingDisabled, isRegistered, setParent

Method Detail

isReloginEnabled

boolean isReloginEnabled()

Beginning with the 9.0 release, the FORM/BASIC authentication behavior has been modified to conform strictly to the Java EE Specification. If a user has logged-in but does not have privileges to access a resource, the 403 (FORBIDDEN) page will be returned. Turn this flag on to enable the old behavior, which was to return the user to the login form.

Returns:

The ReloginEnabled value

See Also:

setReloginEnabled(boolean)

setReloginEnabled

void setReloginEnabled(boolean enabled)

Enables re-login for FORM/BASIC authentication in web applications. Corresponding weblogic.xml element: container-descriptor -> relogin-enabled takes precedence over this value (if set).

Parameters:

enabled - ReloginEnabled value

See Also:

isReloginEnabled()

Default Value:

false

isAllowAllRoles

boolean isAllowAllRoles()

In the security-constraints elements defined in a web application's web.xml deployment descriptor, the auth-constraint element indicates the user roles that should be permitted access to this resource collection. Here role-name = "*" is a compact syntax for indicating all roles in the Web application. In previous releases, role-name = "*" was treated as all users/roles defined in the realm.

This parameter is a backward-compatibility switch to restore old behavior. Default behavior is one required by the specification, meaning all roles defined in the web application.

If set, the value defined in weblogic.xml (container-descriptor -> allow-all-roles) takes precedence (if set) over this value.

Returns:

The allowAllRoles value

See Also:

setAllowAllRoles(boolean)

setAllowAllRoles

void setAllowAllRoles(boolean allowAllRoles)
               throws javax.management.InvalidAttributeValueException

Sets the value of the backward compatibility switch AllowAllRoles attribute.

Parameters:

allowAllRoles -

Throws:

javax.management.InvalidAttributeValueException

javax.management.InvalidAttributeValueException

See Also:

isAllowAllRoles()

Default Value:

false

isFilterDispatchedRequestsEnabled

boolean isFilterDispatchedRequestsEnabled()

Indicates whether or not to apply filters to dispatched requests. This is a backward compatibility flag. Until version 8.1, WebLogic Server applied ServletFilters (if configured for the web application) on request dispatches (and includes/forwards). Servlet 2.4 has introduced the "Dispatcher" element to make this behavior explicit. The default value is Dispatcher=REQUEST. In order to be compliant with the Java EE specification, the default value for FilterDispatchedRequestsEnabled is false beginning with WebLogic Server 9.0. Note that if you are using old descriptors (meaning web.xml does not have version=2.4), then WebLogic Server automatically uses FilterDispatchedRequestsEnabled = true for the web applications, unless filter-dispatched-requests-enabled is explicitly set to false in weblogic.xml. This means that old applications will work fine without any modification. Additionally, during migration of old domains to the 9.0 domain, the migration plug-in automatically sets this flag to true.

See Also:

setFilterDispatchedRequestsEnabled(boolean)

Default Value:

false

setFilterDispatchedRequestsEnabled

void setFilterDispatchedRequestsEnabled(boolean enabled)
                                 throws javax.management.InvalidAttributeValueException

Sets the value of the backward-compatibility parameter "FilterDispatchedRequestsEnabled".

Parameters:

enabled -

Throws:

javax.management.InvalidAttributeValueException

See Also:

isFilterDispatchedRequestsEnabled()

Default Value:

false

isOverloadProtectionEnabled

boolean isOverloadProtectionEnabled()

This parameter is used to enable overload protection in the web application container against low memory conditions. When a low memory situation occurs, new session creation attempts will result in weblogic.servlet.SessionCreationException. The application code needs to catch this exception and take proper action. Alternatively appropriate error-pages can be configured in web.xml against weblogic.servlet.SessionCreationException. This check is performed only on memory and replicated sessions.

Returns:

OverloadProtectionEnabled value

See Also:

SessionCreationException, setOverloadProtectionEnabled(boolean)

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setOverloadProtectionEnabled

void setOverloadProtectionEnabled(boolean enabled)

Sets the value of the OverloadProtectionEnabled parameter.

Parameters:

enabled -

See Also:

isOverloadProtectionEnabled()

Default Value:

false

getXPoweredByHeaderLevel

java.lang.String getXPoweredByHeaderLevel()

WebLogic Server uses the X-Powered-By HTTP header, as recommended by the Servlet 3.1 specification, to publish its implementation information.

Following are the options:

• "NONE" (default): X-Powered-By header will not be sent
• "SHORT": "Servlet/3.1 JSP/2.3"
• "MEDIUM": "Servlet/3.1 JSP/2.3 (WebLogic/12.2)"
• "FULL": "Servlet/3.1 JSP/2.3 (WebLogic/12.2 JDK/1.8)"

Returns:

the xPoweredByHeaderLevel value

See Also:

setXPoweredByHeaderLevel(String)

Default Value:

"NONE"

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

Valid Values:

"NONE","SHORT","MEDIUM","FULL"

setXPoweredByHeaderLevel

void setXPoweredByHeaderLevel(java.lang.String xPoweredByHeaderLevel)

Sets the level for XPoweredBy header information.

Parameters:

xPoweredByHeaderLevel -

See Also:

getXPoweredByHeaderLevel()

Valid Values:

"NONE","SHORT","MEDIUM","FULL"

getMimeMappingFile

java.lang.String getMimeMappingFile()

Returns the name of the file containing mime-mappings for the domain.

The Format of the file should be: extension=mime-type

For Example:

htm=text/html

gif=image/gif

jpg=image/jpeg

If this file does not exist, WebLogic Server uses an implicit mime-mapping set of mappings defined in weblogic.utils.http.HttpConstants (DEFAULT_MIME_MAPPINGS). To remove a mapping defined in implicit map, set it to blank.

Returns:

mimeMappingFile

See Also:

setMimeMappingFile(String)

Default Value:

"./config/mimemappings.properties"

setMimeMappingFile

void setMimeMappingFile(java.lang.String mimeMapping)

Sets the MimeMapping file name for the domain.

Parameters:

mimeMapping -

See Also:

getMimeMappingFile()

isOptimisticSerialization

boolean isOptimisticSerialization()

When OptimisticSerialization is turned on, WebLogic Server does not serialize-deserialize context and request attributes upon getAttribute(name) when a request gets dispatched across servlet contexts. This means you will need to make sure that the attributes common to web applications are scoped to a common parent classloader (they are application-scoped) or placed in the system classpath if the two web applications do not belong to the same application. When OptimisticSerialization is turned off (which is the default), WebLogic Server does serialize-deserialize context and request attributes upon getAttribute(name) to avoid the possibility of ClassCastExceptions. The value of OptimisticSerialization can also be overridden for specific web applications by setting the optimistic-serialization value in weblogic.xml.

Returns:

optimisticSerialization value

See Also:

isOptimisticSerialization()

Default Value:

false

setOptimisticSerialization

void setOptimisticSerialization(boolean b)

Sets the OptimisticSerialization value.

Parameters:

b -

See Also:

isOptimisticSerialization()

isRetainOriginalURL

boolean isRetainOriginalURL()

The retain-original-url property is used in FORM based authentication scenarios. When this property is set to true, after a successful authentication, WebLogic Server will redirect back to the web resource (page/servlet) retaining the protocol (http/https) used to access the protected resource in the original request. If set to false (which is the default value), WebLogic Server will redirect back to the protected resource using the current protocol. The retain-original-url value can also be specified at per web application level in weblogic.xml. The value in weblogic.xml, if specified, overrides the domain level value.

Returns:

retainOriginalURL value

See Also:

isRetainOriginalURL()

Default Value:

false

setRetainOriginalURL

void setRetainOriginalURL(boolean b)

Sets the RetainOriginalURL value.

Parameters:

b -

See Also:

isRetainOriginalURL()

isServletAuthenticationFormURL

boolean isServletAuthenticationFormURL()

ServletAuthenticationFormURL is used for backward compatibility with previous releases of Weblogic Server. If ServletAuthenticationFormURL is set to true (default), then ServletAuthentication.getTargetURLForFormAuthentication() and HttpSession.getAttribute(AuthFilter.TARGET_URL) will return the URL of the protected target resource. If set to false, the above APIs will return the URI of the protected target resource. By default, the value is set to true.(new method added in 9.0.0.1)

Returns:

servletAuthenticationFormURL value

See Also:

ServletAuthentication.getTargetURLForFormAuthentication(javax.servlet.http.HttpSession), ServletAuthentication.getTargetURIForFormAuthentication(javax.servlet.http.HttpSession), isServletAuthenticationFormURL()

Default Value:

true

setServletAuthenticationFormURL

void setServletAuthenticationFormURL(boolean b)

Sets the ServletAuthenticationFormURL value.

Parameters:

b -

See Also:

isServletAuthenticationFormURL()

isRtexprvalueJspParamName

boolean isRtexprvalueJspParamName()

Global property which determines the behavior of the JSP compiler when a jsp:param attribute "name" has a request time value. Without this property set to "true", the JSP compiler throws an error for a JSP using a request time value for the "name" attribute as mandated by the JSP 2.0 specification. This property exists for backward compatibility.

Returns:

rtexprvalueJspParamName

See Also:

setRtexprvalueJspParamName(boolean)

Default Value:

false

setRtexprvalueJspParamName

void setRtexprvalueJspParamName(boolean rtexprvalue)

Sets the value of RtexprvalueJspParamName.

Parameters:

rtexprvalue -

See Also:

isRtexprvalueJspParamName()

setClientCertProxyEnabled

void setClientCertProxyEnabled(boolean ccp)

A value of true causes proxy-server plug-ins to pass identity certificates from clients to all web applications that are deployed on all server instances in the domain.

A proxy-server plug-in encodes each identify certification in the WL-Proxy-Client-Cert header and passes the header to WebLogic Server instances. Each WebLogic Server instance takes the certificate information from the header, trusting that it came from a secure source, and uses that information to authenticate the user.

If you specify true, use a ConnectionFilter to ensure that each WebLogic Server instance accepts connections only from the machine on which the proxy-server plug-in is running. Specifying true without using a connection filter creates a potential security vulnerability because the WL-Proxy-Client-Cert header can be spoofed.

A value of true overrides the value that each server instance within the domain specifies with ServerTemplateMBean.setClientCertProxyEnabled(boolean).

By default (or if you specify false):

• Each server instance can determine whether its applications trust certificates sent from the proxy server plug-in.

• If a server instance does not set a value for its ClientCertProxyEnabled attribute (or if it specifies false), the weblogic.xml deployment descriptor for each web application determines whether the web application trusts certificates sent from the proxy server plug-in.

• By default (or if the deployment descriptor specifies false), users cannot log in to the web application from a proxy server plug-in.

Parameters:

ccp - The new clientCertProxyEnabled value

See Also:

isClientCertProxyEnabled(), ClusterMBean.setClientCertProxyEnabled(boolean), ServerTemplateMBean.setClientCertProxyEnabled(boolean)

Default Value:

false

isClientCertProxyEnabled

boolean isClientCertProxyEnabled()

Specifies whether or not to honor the WL-Proxy-Client-Cert header coming with the request.

Returns:

The clientCertProxyEnabled value

See Also:

setClientCertProxyEnabled(boolean), ClusterMBean.isClientCertProxyEnabled(), ServerTemplateMBean.isClientCertProxyEnabled()

setHttpTraceSupportEnabled

void setHttpTraceSupportEnabled(boolean tse)

Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers, such as cookies and authentication data. In the presence of other cross-domain vulnerabilities in web browsers, sensitive header information could be read from any domains that support the HTTP TRACE method.

This attribute disables HTTP TRACE support. It is present also in ClusterMBean and ServerMBean, so the attribute HttpTraceSupportEnabled can be set differently for different clusters or servers.

See Also:

isHttpTraceSupportEnabled(), ClusterMBean.setHttpTraceSupportEnabled(boolean), ServerTemplateMBean.setHttpTraceSupportEnabled(boolean)

Default Value:

false

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

isHttpTraceSupportEnabled

boolean isHttpTraceSupportEnabled()

Returns the value of HttpTraceSupportEnabled.

Returns:

HttpTraceSupportEnabled value

See Also:

setHttpTraceSupportEnabled(boolean), ClusterMBean.setHttpTraceSupportEnabled(boolean), ServerTemplateMBean.setHttpTraceSupportEnabled(boolean)

setWeblogicPluginEnabled

void setWeblogicPluginEnabled(boolean wpe)

WebLogic Server HttpRequest.getRemoteAddr() is used to rely on X-Forwarded-For for its returned value. This is a security hole as the HTTP header can be easily mocked, and we end up returning a wrong value. This is improved by introducing a proprietary header WL-Proxy-Client-IP from our plug-ins, and this header will only be used if WebLogic Server is configured to use our plug-ins. This is duplicated both in the ClusterMBean and the ServerMBean so the attribute WebLogicPluginEnabled can be used cluster-wide. The ClusterMBean overrides the ServerMBean.

Parameters:

wpe - The new weblogicPluginEnabled value

See Also:

isWeblogicPluginEnabled(), ClusterMBean.setWeblogicPluginEnabled(boolean), ServerTemplateMBean.setWeblogicPluginEnabled(boolean)

Default Value:

false

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

isWeblogicPluginEnabled

boolean isWeblogicPluginEnabled()

Specifies whether or not the proprietary WL-Proxy-Client-IP header should be honored. (This is needed only when WebLogic Server plug-ins are configured.)

Returns:

The weblogicPluginEnabled value

See Also:

setWeblogicPluginEnabled(boolean), ClusterMBean.isWeblogicPluginEnabled(), ServerTemplateMBean.isWeblogicPluginEnabled()

setAuthCookieEnabled

void setAuthCookieEnabled(boolean enable)

Sets the value of the isAuthCookieEnabled attribute.

Enables use of additional secure AuthCookie to make access to HTTPS pages with security constraints more secure. The session cookie will not be sufficient to gain access. This property can be overridden at WebServerMBean level.

See Also:

isAuthCookieEnabled(), WebServerMBean.setAuthCookieEnabled(boolean)

Default Value:

true

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

isAuthCookieEnabled

boolean isAuthCookieEnabled()

Specifies whether the AuthCookie feature is enabled or not.

Returns:

AuthCookieEnabled value

See Also:

setAuthCookieEnabled(boolean), WebServerMBean.isAuthCookieEnabled()

setWAPEnabled

void setWAPEnabled(boolean enable)

Sets the value of the IsWAPEnabled attribute. This property can be overridden at the WebServerMBean level.

Parameters:

enable - The new WAPEnabled value

See Also:

isWAPEnabled(), WebServerMBean.setWAPEnabled(boolean)

Default Value:

false

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

isWAPEnabled

boolean isWAPEnabled()

Indicates whether the session ID should include JVM information. (Checking this box may be necessary when using URL rewriting with WAP devices that limit the size of the URL to 128 characters, and may also affect the use of replicated sessions in a cluster.) When this box is selected, the default size of the URL will be set at 52 characters, and it will not contain any special characters.

Returns:

The WAPEnabled value

See Also:

setWAPEnabled(boolean), WebServerMBean.isWAPEnabled()

setPostTimeoutSecs

void setPostTimeoutSecs(int secs)
                 throws javax.management.InvalidAttributeValueException

Sets the value of the postTimeoutSecs attribute.

Timeout (in seconds) for reading HTTP POST data in a servlet request. This parameter can be overridden at the WebServerMBean level.

Parameters:

secs - The new postTimeoutSecs value

Throws:

javax.management.InvalidAttributeValueException

See Also:

getMaxPostTimeSecs(), WebServerMBean.setPostTimeoutSecs(int)

Default Value:

30

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

Maximum Value:

120

Minimum Value:

0

getPostTimeoutSecs

int getPostTimeoutSecs()

The amount of time this server waits between receiving chunks of data in an HTTP POST data before it times out. (This is used to prevent denial-of-service attacks that attempt to overload the server with POST data.)

Returns:

The postTimeoutSecs value

See Also:

setPostTimeoutSecs(int), WebServerMBean.getPostTimeoutSecs()

setMaxPostTimeSecs

void setMaxPostTimeSecs(int secs)
                 throws javax.management.InvalidAttributeValueException

Maximum post time (in seconds) for reading HTTP POST data in a servlet request. MaxPostTime < 0 means unlimited. This parameter can be overridden at the WebServerMBean level.

Parameters:

secs - The new maxPostTimeSecs value

Throws:

javax.management.InvalidAttributeValueException

See Also:

getMaxPostTimeSecs(), WebServerMBean.setMaxPostTimeSecs(int)

Default Value:

-1

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

getMaxPostTimeSecs

int getMaxPostTimeSecs()

Maximum post time (in seconds) for reading HTTP POST data in a servlet request. MaxPostTime < 0 means unlimited

Returns:

The maxPostTimeSecs value

See Also:

setMaxPostTimeSecs(int), WebServerMBean.getMaxPostTimeSecs()

setMaxPostSize

void setMaxPostSize(int bytes)
             throws javax.management.InvalidAttributeValueException

Sets the value of the maxPostSize attribute. This parameter can be overridden at the WebServerMBean level.

Maximum post size (in bytes) for reading HTTP POST data in a servlet request. MaxPostSize < 0 means unlimited.

Parameters:

bytes - The new maxPostSize value

Throws:

javax.management.InvalidAttributeValueException

See Also:

getMaxPostSize(), WebServerMBean.setMaxPostSize(int)

Default Value:

-1

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

getMaxPostSize

int getMaxPostSize()

The maximum post size this server allows for reading HTTP POST data in a servlet request. A value less than 0 indicates an unlimited size.

Returns:

The maxPostSize value

See Also:

setMaxPostSize(int), WebServerMBean.getMaxPostSize()

setMaxTotalHeadersSize

void setMaxTotalHeadersSize(int bytes)
                     throws javax.management.InvalidAttributeValueException

Sets the value of the maxTotalHeadersSize attribute. This parameter can be overridden at the WebServerMBean level.

Max total headers size (in bytes) for reading HTTP headers in a servlet request. MaxTotalHeadersSize < 0 means unlimited.

Parameters:

bytes - The new maxTotalHeadersSize value

Throws:

javax.management.InvalidAttributeValueException

See Also:

getMaxTotalHeadersSize(), WebServerMBean.setMaxTotalHeadersSize(int)

Default Value:

131072

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

getMaxTotalHeadersSize

int getMaxTotalHeadersSize()

The maximum total headers size this server allows for reading HTTP headers in a servlet request.

A value less than 0 indicates an unlimited size.

Returns:

The maxTotalHeadersSize value

See Also:

setMaxTotalHeadersSize(int), WebServerMBean.getMaxTotalHeadersSize()

setMaxSingleHeaderSize

void setMaxSingleHeaderSize(int bytes)
                     throws javax.management.InvalidAttributeValueException

Sets the value of the maxSingleHeaderSize attribute. This parameter can be overridden at the WebServerMBean level.

Max size (in bytes) of a single header (name and value) in a servlet request. MaxSingleHeaderSize < 0 means unlimited.

Parameters:

bytes - The new maxSingleHeaderSize value

Throws:

javax.management.InvalidAttributeValueException

See Also:

getMaxSingleHeaderSize(), WebServerMBean.setMaxSingleHeaderSize(int)

Default Value:

-1

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

getMaxSingleHeaderSize

int getMaxSingleHeaderSize()

The maximum size of a single header (name and value) this server allows in a servlet request.

A value less than 0 indicates an unlimited size.

Returns:

The maxSingleHeaderSize value

See Also:

setMaxSingleHeaderSize(int), WebServerMBean.getMaxSingleHeaderSize()

setMaxRequestParameterCount

void setMaxRequestParameterCount(int limit)
                          throws javax.management.InvalidAttributeValueException

Sets the value of the maxRequestParameterCount attribute.

The maximum request parameter count for reading HTTP POST parameters in a servlet request. maxRequestParameterCount

Parameters:

limit - The new maxRequestParameterCount value

Throws:

javax.management.InvalidAttributeValueException

See Also:

WebServerMBean.setMaxRequestParameterCount(int)

Default Value:

10000

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

getMaxRequestParameterCount

int getMaxRequestParameterCount()

The maximum request parameter count this server allows for reading maximum HTTP POST parameters count in a servlet request.

Gets the maxRequestParameterCount attribute of the WebServerMBean object.

Returns:

The maxRequestParameterCount value

See Also:

WebServerMBean.getMaxRequestParameterCount()

isMaxRequestParameterCountSet

boolean isMaxRequestParameterCountSet()

Returns:

true if maxRequestParameterCount is set

isWorkContextPropagationEnabled

boolean isWorkContextPropagationEnabled()

Indicates whether or not WorkContextPropagation is enabled. By default, it is turned on. There is a little overhead involved in propagating WorkContexts. Therefore, if you don't want WorkContext propagation, turn this value off in production environments.

Returns:

whether WorkContextPropagation is turned on or not

See Also:

setWorkContextPropagationEnabled(boolean)

Default Value:

true

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setWorkContextPropagationEnabled

void setWorkContextPropagationEnabled(boolean workContextPropagationEnabled)

Sets the value of WorkContextPropagationEnabled.

Parameters:

workContextPropagationEnabled -

See Also:

isWorkContextPropagationEnabled()

setP3PHeaderValue

void setP3PHeaderValue(java.lang.String p3pHeader)

If set to a non-null value, a "P3P" header will always be sent with all responses for HTTP requests. The value of the P3P header will be the value assigned to this configuration parameter. The value should be equal to the location of the policy reference file for the website.

Alternatively, a servlet filter can be used to set the P3P header.

Parameters:

p3pHeader - P3P Header value (location of the policy reference file)

See Also:

getP3PHeaderValue()

getP3PHeaderValue

java.lang.String getP3PHeaderValue()

Returns the P3P header value that will be sent with all responses for HTTP requests (if non-null). The value of this header points to the location of the policy reference file for the website.

Alternatively, a servlet filter can be used to set the P3P header.

Returns:

P3P header value (location of the policy reference file)

See Also:

setP3PHeaderValue(String)

setFormAuthXFrameOptionsHeaderValue

void setFormAuthXFrameOptionsHeaderValue(java.lang.String formAuthXFrameOptionsHeader)

Set the "X-Frame-Options" header to DENY, SAMEORIGIN, or ALLOW-FROM uri, in the responses for all requests to the "j_security_check" endpoint when using FORM authentication. The "X-Frame-Options" header indicates to the browser how to behave when handling your site content and can be used to avoid click-jacking attacks by ensuring that content is not embedded into other sites.

Parameters:

formAuthXFrameOptionsHeader - X-Frame-Options header value

See Also:

getFormAuthXFrameOptionsHeaderValue()

getFormAuthXFrameOptionsHeaderValue

java.lang.String getFormAuthXFrameOptionsHeaderValue()

Returns the X-Frame-Options header value (DENY, SAMEORIGIN, or ALLOW-FROM uri) that will be set in the responses for all requests to the "j_security_check" endpoint when using FORM authentication.

A system property has been added and is used for the same purpose: weblogic.web.servlet.FormAuth.X-Frame-Options.

The FormAuthXFrameOptionsHeaderValue is decided by both the MBean attribute and the system property. The valid values are: DENY, SAMEORIGIN or ALLOW-FROM uri:

1. If the MBean attribute is set and valid, then use the MBean attribute value.
2. If not, then check the system property.
3. If it is set and valid, then use the system property value.
4. If neither is set and valid, then use default value: DENY.

Returns:

X-Frame-Options header value

See Also:

setFormAuthXFrameOptionsHeaderValue(String)

isJSPCompilerBackwardsCompatible

boolean isJSPCompilerBackwardsCompatible()

Global property to determine the behavior of the JSP compiler. When this property set to "true", the JSP compiler throws a translation error for JSPs that do not conform to the JSP2.0 specification. This property exists for backward compatibility.

Returns:

isJspCompilerBackwardsCompatible

Default Value:

false

setJSPCompilerBackwardsCompatible

void setJSPCompilerBackwardsCompatible(boolean compat)

Sets the value of the JSPCompilerBackwardsCompatible parameter.

Parameters:

compat -

getServletReloadCheckSecs

int getServletReloadCheckSecs()

Default Value:

1

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

Default value in production mode:

-1

setServletReloadCheckSecs

void setServletReloadCheckSecs(int servletReloadCheckSecs)

isServletReloadCheckSecsSet

boolean isServletReloadCheckSecsSet()

isShowArchivedRealPathEnabled

boolean isShowArchivedRealPathEnabled()

Global property to determine the behavior of getRealPath() for archived web applications. When this property is set to "true", getRealPath() will return the canonical path of the resource files.

Returns:

isShowArchivedRealPathEnabled

Default Value:

false

setShowArchivedRealPathEnabled

void setShowArchivedRealPathEnabled(boolean showArchivedRealPathEnabled)

Sets the value of the ShowArchivedRealPathEnabled parameter.

Parameters:

showArchivedRealPathEnabled -

isChangeSessionIDOnAuthentication

boolean isChangeSessionIDOnAuthentication()

Global property to determine if we need to generate a new SessionID after authentication. When this property is set to "false", the previous sessionID will be retained even after authorization.

Returns:

isChangeSessionIDOnAuthentication();

Default Value:

true

setChangeSessionIDOnAuthentication

void setChangeSessionIDOnAuthentication(boolean changeSessionIDOnAuthentication)

Sets the value of the ChangeSessionIDOnAuthentication parameter.

Parameters:

changeSessionIDOnAuthentication -

getGzipCompression

GzipCompressionMBean getGzipCompression()

Get the GzipCompressionMBean, which represents GZIP compression support configuration.

Returns:

the GzipCompressionMBean.

getHttp2Config

Http2ConfigMBean getHttp2Config()

Get the getHttp2Config from WebSerevrMBean.

Returns:

The Http2Config.

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setJaxRsMonitoringDefaultBehavior

void setJaxRsMonitoringDefaultBehavior(boolean value)

Global property to determine the behavior of monitoring in JAX-RS applications. When the property is set to true (or not set) the monitoring is turned on (if not overridden by properties set directly in application). If the property is set to false the monitoring for all JAX-RS applications is disabled (each JAX-RS application can override this by setting similar properties via WebAppComponentMBean.isJaxRsMonitoringDefaultBehavior()).

Default value is true.

Parameters:

value - value to determine the default behavior.

Default Value:

true

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

isJaxRsMonitoringDefaultBehavior

boolean isJaxRsMonitoringDefaultBehavior()

Global property to determine the behavior of monitoring in JAX-RS applications. When the property is set to true (or not set) the monitoring is turned on (if not overridden by properties set directly in application). If the property is set to false the monitoring for all JAX-RS applications is disabled.

Returns:

true (or null) if the JAX-RS monitoring behaves in the default way, false if monitoring is disabled.

Default Value:

true

getSameSiteFilterCookieSettings

java.lang.String[] getSameSiteFilterCookieSettings()

The HTTP Cookie configuration for the WebLogic HTTP SameSite Java EE Servlet Filter.

The Cookie configuration specifies a String array of settings. Each setting specifies a match for the Cookie name using a regular expression, a value for the SameSite attribute and optionally, a secure setting for the Cookie. The regular expression follows the Java Pattern syntax specification.

For example: ["match=JSESSIONID; value=Strict", "match=MYAPP.*; value=None; secure=true"]

By default, there are no cookie settings, thus the WebLogic HTTP SameSite filter will not be used. Once settings are configured, any newly deployed applications will use the WebLogic HTTP SameSite filter. Running applications must be re-started or re-deployed for the filter to be applied.

When the WebLogic HTTP SameSite filter runs and the HTTP response has already been committed, then no update to the Cookies in the HTTP response can be performed.

Returns:

The WebLogic HTTP SameSite Filter Cookie Settings

Default Value:

null

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setSameSiteFilterCookieSettings

void setSameSiteFilterCookieSettings(java.lang.String[] cookieSettings)

Sets the HTTP Cookie configuration for the WebLogic HTTP SameSite Java EE Servlet Filter.

Parameters:

cookieSettings - An array of strings with the cookie settings

getSameSiteFilterUserAgentRegEx

java.lang.String[] getSameSiteFilterUserAgentRegEx()

The User Agent configuration for the WebLogic HTTP SameSite Java EE Servlet Filter.

The User Agent configuration specifies a String array of regular expressions. When the WebLogic HTTP SameSite filter matches any of these expressions with the HTTP User-Agent header value, then the Cookie settings will be applied for the HTTP request. The regular expression follows the Java Pattern syntax specification.

For example: [".*Chrom(e|ium).*"]

By default, there are no expressions, thus the SameSite Cookie settings are applied for all requests.

Note that if the HTTP response has been committed when the WebLogic HTTP SameSite filter runs, then no update to the Cookies in the HTTP response can be performed.

Returns:

The WebLogic HTTP SameSite Filter User-Agent Regular Expression Settings

Default Value:

null

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setSameSiteFilterUserAgentRegEx

void setSameSiteFilterUserAgentRegEx(java.lang.String[] regEx)

Sets the User Agent configuration for the WebLogic SameSite Java EE Servlet Filter.

Parameters:

regEx - An array of strings with the regular expressions for matching User-Agent header

isSameSiteFilterSecureChannelRequired

boolean isSameSiteFilterSecureChannelRequired()

The Secure Channel configuration for the WebLogic SameSite Java EE Servlet Filter.

The Secure Channel configuration specifies if a secure channel is required when setting the SameSite Cookie attribute where the Secure attribute is also set to true for the specific Cookie.

By default, the Secure attribute setting will be applied for any channel as the user agent may reside in front of a proxy or load balancer when accessing resources.

Returns:

The WebLogic HTTP SameSite Filter Secure Channel Required Setting

Default Value:

false

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setSameSiteFilterSecureChannelRequired

void setSameSiteFilterSecureChannelRequired(boolean enabled)

Sets whether Secure Channel is required for the Secure attribute in the WebLogic SameSite Java EE Servlet Filter.

isRejectMaliciousPathParameters

boolean isRejectMaliciousPathParameters()

The WebApp Container configuration for rejection of URIs with malicious path parameters.

The WebApp Container configuration specifies whether URIs with malicious path parameters will be rejected.

By default, the WebApp Container will reject URIs with malicious path parameters.

Returns:

The WebApp Container Reject Malicious Path Parameters setting

Default Value:

true

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setRejectMaliciousPathParameters

void setRejectMaliciousPathParameters(boolean reject)

Sets whether the WebApp Container will reject requests with malicious path parameters.

isSynchronizedSessionTimeoutEnabled

boolean isSynchronizedSessionTimeoutEnabled()

Indicates whether to also invalidate all the other sessions when one of the sessions that share the same ID expires.

Returns:

the SynchronizedSessionTimeoutEnabled value

Default Value:

false

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setSynchronizedSessionTimeoutEnabled

void setSynchronizedSessionTimeoutEnabled(boolean enabled)

Sets the value for SynchronizedSessionTimeoutEnabled

Parameters:

enabled -