Technical Blog Post
The most commonly used WebContainer attributes and Webcontainer custom properties
The two tables below list the most commonly used Webcontainer attributes and custom properties for WebSphere Application Server. The Webcontainer attributes are configured at the application level in the ibm-web-ext.xmi or ibm-web-ext.xml file. They apply only to the specific application.
| Attribute | Default | Description |
| --- | --- | --- |
| fileServingEnabled | true | Allows web applications to serve static file types, such as HTML. If it is set to false, the web server serves the requests for static files instead. |
| directoryBrowsingEnabled | false | When this attribute is set to true, the application server displays the contents of the .war file (excluding the WEB-INF folder) and lets you browse through it. |
| serveServletsByClassnameEnabled | false | When this attribute is set to true, a servlet can be served via a URI by its class package and class name. This introduces a possible security exposure because the URI pattern reveals both the fact that your Internet application is a Java™ Servlet and its Java class name, which makes public more information than is required. To enable the serving of servlets by class name, the new custom property, com.ibm.ws.webcontainer.disallowserveservletsbyclassname, must be set to false (default) and serveServletsByClassnameEnabled must be enabled for the application which provides the classes to be served. The below technote provides more details about this security vulnerability: |
| extendedDocumentRoot | None | Use the extended document root facility when applications require access to files outside of the application web application archive (WAR) directory. This facility enables you to configure an application with one or more directory paths from which you can serve static files and JSP files. For example, if several applications require access to a set of common files, you can place the common files in a directory to which you can link each application as an extended document root directory. |
| reloadingEnabled | true | Specifies whether to enable class reloading when application files (servlet and JSP) are updated. |
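
The following Python audit is an added example, not code from the original post or from IBM. It reads an ibm-web-ext.xmi document, applies the defaults from the table above when an attribute is absent, and reports the two settings the table describes as exposing WAR contents or Java class names. It assumes the .xmi layout in which these attributes appear as XML attributes on the root element; the sample document is constructed.

```python
import xml.etree.ElementTree as ET

# Defaults as listed in the attribute table on this page.
DEFAULTS = {
    "fileServingEnabled": "true",
    "directoryBrowsingEnabled": "false",
    "serveServletsByClassnameEnabled": "false",
    "reloadingEnabled": "true",
}

# Settings the page describes as exposing more than is required.
RISKY = {
    "directoryBrowsingEnabled":
        ("true", "WAR contents outside WEB-INF can be browsed"),
    "serveServletsByClassnameEnabled":
        ("true", "servlets are reachable by class name; URI reveals Java class names"),
}


def effective_settings(xmi_text):
    """Return attribute -> effective value, using the default when absent."""
    root = ET.fromstring(xmi_text)
    return {name: root.attrib.get(name, default).strip().lower()
            for name, default in DEFAULTS.items()}


def audit(xmi_text):
    """Return (attribute, reason) findings for one extension document."""
    settings = effective_settings(xmi_text)
    return [(name, reason) for name, (bad, reason) in RISKY.items()
            if settings[name] == bad]


# Constructed sample, not taken from a real application.
SAMPLE_XMI = """<webappext:WebAppExtension xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI" xmlns:webappext="webappext.xmi"
    xmi:id="WebAppExtension_1"
    directoryBrowsingEnabled="true"
    serveServletsByClassnameEnabled="true">
  <webApp href="WEB-INF/web.xml#WebApp_ID"/>
</webappext:WebAppExtension>
"""

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_XMI):
        print(f"FINDING {name}=true: {reason}")
```

A finding for serveServletsByClassnameEnabled only takes effect when the server-level property com.ibm.ws.webcontainer.disallowserveservletsbyclassname is false, so review both levels together.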
The Webcontainer custom properties are configured in the administrative console at the JVM level. They affect all applications running in the server. To set up the Webcontainer custom properties, see Setting Webcontainer custom properties for WebSphere Application Server.
| Custom property | Default or values | Description |
| --- | --- | --- |
| com.ibm.ws.webcontainer.disallowAllFileServing | false | Enable this custom property to disable file serving on all applications on a specific application server. This prevents the application server from serving static files. |
|  |  | The getServerPort method relies on the getVirtualPort method of the channel, which returns a port number in the following order: (1) port number from the request URL; (2) port number from the request host header. The Webcontainer was modified to return a port number from the host header, if any, or the URL port that accepted the client connection. You must set the trusthostheaderport and the com.ibm.ws.webcontainer.extractHostHeaderPort custom properties to true to return the port number from the request host header first. |
| com.ibm.ws.webcontainer.channelwritetype | async | By default, the Webcontainer uses asynchronous writes to write response data in chunks up to the response buffer size (32KB). If the response is larger than the response buffer size, the Webcontainer continues to buffer response data into memory while waiting for an asynchronous write of a response data chunk to complete. This process can result in part of a large response being held in memory, which can lead to high memory usage and potentially an out-of-memory error. To prevent out-of-memory issues, set this property to sync so that synchronous writing is used. With synchronous writing, response data are written synchronously in chunks of up to the value of responsebuffersize and no response data are buffered into memory while waiting for a synchronous write of a response data chunk to complete. |
| com.ibm.ws.webcontainer.SkipMetaInfResourcesProcessing | false | The Webcontainer searches for static files and JavaServer Pages (JSP) files in different locations, depending on application configuration. A web fragment comprises a JAR file in an application WEB-INF/lib directory. The JAR might include static resources in a META-INF/resources directory that are defined within the JAR file. Searching for static resources in the web fragment JAR files is required by the Servlet Specification 3.0. If the application is not relying on the Servlet 3.0 searching behavior, you can disable the META-INF resource searching by setting this custom property to true. Enabling this custom property helps to improve performance. |
|  | a list of case-insensitive application cookie names which are separated by a comma. | Provides a level of defense against a client-side script accessing a protected cookie and acquiring its content. When you use this custom property, you can prevent JavaScript that runs in a browser from accessing all cookies or a particular list of cookies of your choosing. The HTTPOnly attribute is added to each cookie specified in this custom property and enables protection from client-side script access. To disable, go to Application servers > server_name > Webcontainer > Session management > Cookies and uncheck the checkbox “Set session cookies to HTTPOnly to help prevent cross-site scripting attacks”. |
A full list of the WebContainer custom properties can be found in the product documentation in topic Webcontainer custom properties.