This includes all elements of the referenced controller.xml file.
Note that if you define any of the event blocks in this file (the including file), they
will override (replace) the corresponding block in the included file, effectively emptying it. The event
blocks are: firstvisit, preprocessor, postprocessor, after-login, and before-logout.
A redirection HTTP status-code.
If set, it will override, for this whole controller, the default status-code set in requestHandler.properties.
The usual redirection status-codes are 301, 303 and 307.
302 (the Java default) is not recommended for SEO reasons; 301 is preferred.
Defines a Java class which handles a specific named type (either request or view).
This allows different logic for processing input from requests.
In short, request handlers are for actions while view handlers are for rendering.
Mechanism used to protect against data leakage (data stolen using a compromised login/password pair).
It works like the grey-listing anti-spam feature (aka tarpitting).
Any error will be ignored and will not affect the request processing flow.
Event runs on the first visit and only then.
Any error will be ignored and will not affect the request processing flow.
Event runs before each request.
Any error will be ignored and will not affect the request processing flow.
Event runs after each request.
Any error will be ignored and will not affect the request processing flow.
Event runs after login and only then.
Any error will be ignored and will not affect the request processing flow.
Event runs before logout and only then.
Any error will be ignored and will not affect the request processing flow.
If a request cannot be called, or is not defined, the default-request is used.
Place where the elements of a request are defined.
The name of this request. This will be the name used to access the request.
The HTTP method of this request. This will be the HTTP method used to access the request.
Reserved for future use (not used yet).
Whether or not to track the first visit (related to the firstvisit preprocessor).
Whether or not to track statistics.
Defines the security of the request-map, using the https and auth boolean attributes.
If https=true, redirect to/use/generate the secured HTTPS protocol if necessary and possible.
If auth=true, when you hit the request while not logged in you will be forwarded to the login page.
If true, check for HTTPS client (X.509) certificate security.
If the request is not secured, an exception is thrown.
If false, prevents passing a view through the URL ("chaining" it after the request,
like control/request/view in an FTL file).
Defaults to true.
If false, the request can only be accessed in a chained request. Defaults to true.
If true, a CSRF token is expected. If false, no CSRF token check. Defaults to "".
When csrf-token is empty or not set, the behaviour is determined by the
CsrfDefenseStrategy class (or another implementation of ICsrfDefenseStrategy).
When csrf-token is explicitly set to either true or false, the
CsrfDefenseStrategy class (or another implementation of ICsrfDefenseStrategy)
should follow the setting:
if true, a CSRF token is expected; if false, no CSRF token check.
Calculates and maintains a moving average response time for a request or event. Request metrics can be used
for monitoring and reporting; event metrics only for reporting. Request metrics can also be used to trigger an alternate
response if the optional threshold attribute is used.
The metric works by gathering statistics until a configurable maximum is reached (number of
requests or elapsed time), then the average is calculated. A smoothing factor is used to
smooth differences between calculations.
Each metric must have a unique name.
Positive integer number of requests to include in the metrics calculation. Defaults to "100".
Positive integer number of milliseconds to include in the metrics calculation. Defaults to "1000".
Positive decimal smoothing factor, used to smooth the differences between calculations. A value of "1" disables smoothing. Defaults to "0.7".
The metric threshold in milliseconds. If the average response time exceeds this setting,
then a "threshold-exceeded" response code will be generated. That response code can be used
in a response element. The threshold check ignores the first three requests, to give
the metric a chance to stabilize after startup. A value of "0.0" disables the threshold.
Defaults to "0.0".
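The controller-level elements, the request-map security attributes and the metric described above, put together in one controller.xml. This is an added example written for this page, not code from the OFBiz project; the element and attribute names (include, status-code, handler, protect, preprocessor, default-request, request-map, security with https/auth/cert/external-view/direct-request/csrf-token, metric with estimation-size/estimation-time/smoothing/threshold, event, response) are taken from the descriptions above, and where the page does not spell out an attribute name it is assumed. Component paths, class names and service names are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example controller.xml, not taken from the OFBiz project or from the
     page it illustrates. Element and attribute names follow the descriptions
     above; component paths, class names and service names are placeholders. -->
<site-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:noNamespaceSchemaLocation="http://ofbiz.apache.org/dtds/site-conf.xsd">

    <!-- Reuse the shared request maps, view maps and handlers. Because this file
         defines its own preprocessor block below, the preprocessor block of the
         included file is replaced (emptied), not merged. -->
    <include location="component://common/webcommon/WEB-INF/common-controller.xml"/>

    <!-- Controller-wide redirect status: 301 instead of the Java default 302.
         Attribute form assumed. -->
    <status-code value="301"/>

    <!-- A custom request ("action") handler; view handlers use type="view". -->
    <handler name="custom" type="request" class="com.example.webapp.CustomEventHandler"/>

    <!-- Grey-list/tarpit protection: the view shown while a client is throttled. -->
    <protect view="protect"/>

    <!-- Runs before every request. Errors raised here are ignored by the control
         servlet, so an audit hook must log its own failures. -->
    <preprocessor>
        <event type="java" path="com.example.webapp.AuditEvents" invoke="logRequest"/>
    </preprocessor>

    <!-- Used when a request URI is unknown or cannot be called. -->
    <default-request request-uri="main"/>

    <!-- Public read-only page: no login needed, but still forced onto HTTPS. -->
    <request-map uri="main">
        <security https="true" auth="false"/>
        <response name="success" type="view" value="main"/>
    </request-map>

    <!-- WEAK (for contrast only): a state-changing request that works over plain
         HTTP, without login, with the CSRF check switched off, and with a view
         name allowed to be chained onto the URL (external-view defaults to true). -->
    <request-map uri="updateProfileUnsafe" method="post">
        <security https="false" auth="false" csrf-token="false"/>
        <event type="service" invoke="updateProfile"/>
        <response name="success" type="view" value="main"/>
        <response name="error" type="view" value="main"/>
    </request-map>

    <!-- HARDENED: HTTPS only, login required, CSRF token checked, no view chaining
         from the URL, and a response-time metric that routes to an alternate
         response once the moving average exceeds 2000 ms. -->
    <request-map uri="updateProfile" method="post" track-serverhit="true" track-visit="true">
        <security https="true" auth="true" csrf-token="true" external-view="false"/>
        <metric name="updateProfile" estimation-size="100" estimation-time="1000"
                smoothing="0.7" threshold="2000.0"/>
        <event type="service" invoke="updateProfile" transaction-timeout="30"/>
        <!-- "threshold-exceeded" is produced by the metric, not by the event. -->
        <response name="threshold-exceeded" type="view" value="busy"/>
        <!-- Chain internally to a request that cannot be called directly. -->
        <response name="success" type="request" value="notifyProfileChange"/>
        <response name="error" type="view" value="main"/>
    </request-map>

    <!-- Reachable only through chaining (direct-request="false"); a direct
         request to /control/notifyProfileChange is not served. -->
    <request-map uri="notifyProfileChange">
        <security https="true" auth="true" direct-request="false"/>
        <event type="service" invoke="sendProfileChangeNotification"/>
        <response name="success" type="view" value="main"/>
        <response name="error" type="view" value="main"/>
    </request-map>

    <!-- Administrative request that additionally requires a client (X.509)
         certificate on the TLS connection. -->
    <request-map uri="rotateKeys" method="post">
        <security https="true" auth="true" cert="true" csrf-token="true"/>
        <event type="service" invoke="rotateSigningKeys"/>
        <response name="success" type="view" value="main"/>
        <response name="error" type="view" value="main"/>
    </request-map>

    <view-map name="main" type="screen" page="component://example/widget/ExampleScreens.xml#main"/>
    <view-map name="busy" type="screen" page="component://example/widget/ExampleScreens.xml#busy"/>
</site-conf>
```

The two updateProfile request-maps differ only in their security element and metric; reviewing a controller for requests that change state while carrying https="false", auth="false" or csrf-token="false" is the check this layout makes easy.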
Before returning a response to the end user, the event message can be overridden from a different origin:
hard-coded, from the labelling system, or from a given field.
Properties resource used to resolve the message. If you set a value here, indicate the key in the value attribute;
otherwise this attribute will be ignored.
Example: CommonUiLabels
Value used to display the response user message.
You can set plain text, a flexible string, or a key from the property file given in the resource attribute.
Sets the context field in which the response user message can be found. This field can contain a flexible string.
Defines a piece of code (see handlers) which handles what the request needs.
It returns a string, which is then used to route to different responses.
Only one event per request-map.
There are as many types (of type request) as there are defined and accessible event handlers.
The most used are java, service, service-multi, simple and groovy (or bsf).
A more comprehensive list can be found in the common-controller.
Event name, mostly used with the special events
(firstvisit, preprocessor, postprocessor, after-login, before-logout)
where the name differentiates them.
Most of the time request-maps, which have only one event, don't use it.
The path to the class or XML file containing this event.
Leave empty for services, unless you want to run the service as a job, in which case use "async".
The name of the method or service to be run.
For service-multi, defines whether the event should be wrapped in a transaction. Defaults to true.
Defines the timeout for the transaction, in seconds.
Defaults to the value set in the TransactionFactory being used (typically 60 seconds).
You can have one response for each possible return code from the event.
An event can return any string, and that string can be used to route to different responses.
At least one response per request-map.
Defines a parameter to pass along on a redirect.
The name of the response; it also matches the string returned by the event.
One of the possible types: none, view, view-last, view-last-noparam, view-home, request, request-redirect, request-redirect-noparam, url, url-redirect, cross-redirect.
This is used in situations where the event will actually be generating the response. If you have an event that
returns a binary download, for example, you would use a response of type=none, so that the control servlet
doesn't try to render anything and send it down to the client.
Sends to a view for final rendering.
Will use the view from the last request, unless there is one saved from some previous request (using the save-last-view
attribute). Use the value attribute to specify a default view in case no previous view can be retrieved.
Same as view-last, but no parameters are redirected.
Will use the view from the last saved 'home' position (using the save-home-view attribute).
Internally chains to another request. Automatically passes all current request parameters to the new request.
Sends a redirect down to the browser telling it to go to the new request. Automatically redirects all current request
parameters to the new request, or only the redirected parameters specified using the redirect-param attribute.
Sends a redirect down to the browser telling it to go to the new request. No current request parameters are sent
to the new request, not even redirected parameters if any are specified.
Any URL, relative or absolute. Redirected parameters are not used; you can put them in the URL.
Works like url, but you can also pass redirected parameters.
Works like request-redirect, for cross-application calls.
Depending on the type of response, this will be either the view or request name (i.e. the view-map name or request-map URI).
Can be a URL.
Saves the last (previous) request's view for future use, generally with the view-last type of response.
Saves the current request's view for future use, generally with the view-last type of response.
Saves the current request's view for future use, generally with the view-home type of response.
A redirection HTTP status-code.
If set, it will override, for this request, the default status-code set in requestHandler.properties
and any status-code set at the controller level (included controllers inclusive).
The usual redirection status-codes are 301, 303 and 307.
302 (the Java default) is not recommended for SEO reasons; 301 is preferred.
Adds a parameter with the given name to the redirect. Finds the value in a request attribute if one exists,
or in a request parameter if no attribute is found.
Name of the parameter to redirect.
If specified, used instead of the value of name as the key to find a request attribute or parameter.
Sets a string value for the parameter.
Place where the elements of a view are defined.
The name of this view. This will be the name used to access the view.
The page mapped to this view.
The name of the view handler that will render the output: screen, screenfop, ftl, etc.
A more comprehensive list can be found in the handlers-controller.
Extended information passed to the view handler.
Content-type in the HTML sense.
Charset in the HTML sense. By default "text/html" is used.
If the encoding is "none" then no charset will be used.
Sends no-cache headers if set to true.
Provides clickjacking protection by instructing browsers that this page should not be placed within a frame.
Possible values are:
deny - no rendering within a frame,
sameorigin - no rendering if the origin does not match, and
allow-from: - allow rendering if the framing page is within the specified URI domain.
allow-from is supported by IE and Firefox, but not Chrome or Safari.
It will also interfere with In-Page Google Analytics, since that requires your page to be framed by Google.
HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server.
This reduces the impact of bugs in web applications leaking session data through cookies and external links, and defends against man-in-the-middle attacks.
HSTS also disables the ability for users to ignore SSL negotiation warnings.
If the security of the connection cannot be ensured (e.g. the server's TLS certificate is not trusted),
the browser shows an error message and does not allow the user to access the web application.
As recommended by OWASP, "max-age=31536000; includeSubDomains" is used by default, except if the server is localhost or 127.0.0.1.
If strict-transport-security is "none" then it will not be used.
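The response types, redirect-parameter and the per-view header attributes described above (x-frame-options, strict-transport-security, no-cache, content-type, encoding), shown together in one controller.xml. This is an added example written for this page, not code from the OFBiz project; the element and attribute names (response with type/value/status-code/save-current-view, redirect-parameter with name/from/value, view-map) are taken from the descriptions above and are assumed where the page does not spell them out. Screen paths, service names, the event class and the accounting URL are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example controller.xml, not taken from the OFBiz project or from the
     page it illustrates. Screen paths, service names and URLs are placeholders. -->
<site-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:noNamespaceSchemaLocation="http://ofbiz.apache.org/dtds/site-conf.xsd">

    <include location="component://common/webcommon/WEB-INF/common-controller.xml"/>

    <!-- Remember this view so a later request can send the user back to it
         with a view-last response. -->
    <request-map uri="editOrder">
        <security https="true" auth="true"/>
        <response name="success" type="view" value="editOrder" save-current-view="true"/>
    </request-map>

    <!-- The service event returns "success" or "error"; each string maps to
         exactly one response below. -->
    <request-map uri="saveOrder" method="post">
        <security https="true" auth="true" csrf-token="true"/>
        <event type="service" invoke="saveOrder"/>
        <!-- Browser redirect (303 overrides the controller and default status)
             carrying only the listed parameter. Its value is read from the
             request attribute "orderId" set by the event, falling back to the
             request parameter of the same name. -->
        <response name="success" type="request-redirect" value="viewOrder" status-code="303">
            <redirect-parameter name="orderId"/>
        </response>
        <!-- On error, return to the view saved above; "main" is the fallback
             when no view was saved. -->
        <response name="error" type="view-last" value="main"/>
    </request-map>

    <request-map uri="viewOrder">
        <security https="true" auth="true"/>
        <response name="success" type="view" value="viewOrder"/>
    </request-map>

    <!-- Binary download: the event writes the body itself, so type="none"
         stops the control servlet from rendering anything on top of it. -->
    <request-map uri="orderPdf">
        <security https="true" auth="true"/>
        <event type="java" path="com.example.webapp.OrderEvents" invoke="streamPdf"/>
        <response name="success" type="none"/>
        <response name="error" type="view" value="viewOrder"/>
    </request-map>

    <!-- Hand off to another webapp. "from" exposes the internal attribute
         order_id as the parameter orderId; "value" sets a fixed parameter. -->
    <request-map uri="openInAccounting">
        <security https="true" auth="true"/>
        <response name="success" type="cross-redirect" value="/accounting/control/invoiceList">
            <redirect-parameter name="orderId" from="order_id"/>
            <redirect-parameter name="source" value="ordermgr"/>
        </response>
    </request-map>

    <!-- View maps. The HSTS header is sent with its default value on every
         view below except the last one. -->
    <view-map name="main" type="screen"
              page="component://example/widget/OrderScreens.xml#main"
              x-frame-options="sameorigin"/>
    <!-- Sensitive pages: deny framing entirely and forbid caching. -->
    <view-map name="editOrder" type="screen"
              page="component://example/widget/OrderScreens.xml#editOrder"
              x-frame-options="deny" no-cache="true"/>
    <view-map name="viewOrder" type="screen"
              page="component://example/widget/OrderScreens.xml#viewOrder"
              x-frame-options="deny" no-cache="true"/>
    <!-- Non-HTML export: explicit content type, no charset appended. -->
    <view-map name="orderCsv" type="ftl"
              page="component://example/template/orderCsv.ftl"
              content-type="text/csv" encoding="none" no-cache="true"/>
    <!-- WEAK (for contrast only): HSTS switched off for this view. Keep the
         default on anything reachable from outside a development host. -->
    <view-map name="devTools" type="screen"
              page="component://example/widget/OrderScreens.xml#devTools"
              strict-transport-security="none"/>
</site-conf>
```

Note the choice of request-redirect rather than request-redirect-noparam for saveOrder: the noparam variant sends nothing to the new request, not even the redirect-parameter children, so a redirect that must carry an identifier has to use request-redirect (or url-redirect) with an explicit redirect-parameter list.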