From d940f9be66dad4fe2631ca3c1b554068ec131833 Mon Sep 17 00:00:00 2001
From: christophe mangeat <christophe.mangeat@camptocamp.com>
Date: Thu, 31 Oct 2024 10:26:55 +0100
Subject: [PATCH] attempt to override a class

---
 pom.xml                                       |   3 +-
 web/pom.xml                                   |  23 +-
 .../fao/geonet/web/XFrameOptionsFilter.java   | 138 +++++
 web/src/main/webapp/WEB-INF/web.xml           | 505 ++++++++++++++++++
 4 files changed, 660 insertions(+), 9 deletions(-)
 create mode 100644 web/src/main/java/org/fao/geonet/web/XFrameOptionsFilter.java
 create mode 100644 web/src/main/webapp/WEB-INF/web.xml

diff --git a/pom.xml b/pom.xml
index 20c91d63f65..4712d942cdf 100644
--- a/pom.xml
+++ b/pom.xml
@@ -96,8 +96,7 @@
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-compiler-plugin</artifactId>
         <configuration>
-          <source>1.11</source>
-          <target>1.11</target>
+          <release>11</release>
           <debug>true</debug>
           <encoding>UTF-8</encoding>
           <fork>${fork.javac}</fork>
diff --git a/web/pom.xml b/web/pom.xml
index 78047ff4731..c5706d46e38 100644
--- a/web/pom.xml
+++ b/web/pom.xml
@@ -8,7 +8,7 @@
     <artifactId>geonetwork</artifactId>
     <version>4.4.6-0</version>
   </parent>
-  
+
   <artifactId>web</artifactId>
   <packaging>war</packaging>
 
@@ -17,12 +17,12 @@
     Web application using maven war overlay functionality to reuse
     geonetwork war and hnap schema plugin for ${customer}.
   </description>
- 
+
   <properties>
     <build.webapp.resources>${project.build.directory}/webapp</build.webapp.resources>
     <jetty.env>jetty-env.xml</jetty.env>
   </properties>
- 
+
   <dependencies>
     <!-- war includes prebuilt geonetwork jars -->
     <dependency>
@@ -32,12 +32,21 @@
       <type>war</type>
       <scope>runtime</scope>
     </dependency>
+
+    <!-- used to compile, already included in war -->
+    <dependency>
+      <groupId>org.geonetwork-opensource</groupId>
+      <artifactId>gn-web-app</artifactId>
+      <version>${project.version}</version>
+      <scope>provided</scope>
+      <classifier>classes</classifier>
+    </dependency>
   </dependencies>
-    
+
   <build>
     <finalName>geonetwork</finalName>
     <plugins>
-      
+
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-war-plugin</artifactId>
@@ -50,7 +59,7 @@
           </overlays>
         </configuration>
       </plugin>
-      
+
       <plugin>
         <groupId>org.eclipse.jetty</groupId>
         <artifactId>jetty-maven-plugin</artifactId>
@@ -71,7 +80,7 @@
         </dependencies>-->
       </plugin>
     </plugins>
- 
+
   </build>
 
 </project>
diff --git a/web/src/main/java/org/fao/geonet/web/XFrameOptionsFilter.java b/web/src/main/java/org/fao/geonet/web/XFrameOptionsFilter.java
new file mode 100644
index 00000000000..2c207fb64e9
--- /dev/null
+++ b/web/src/main/java/org/fao/geonet/web/XFrameOptionsFilter.java
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) 2001-2016 Food and Agriculture Organization of the
+ * United Nations (FAO-UN), United Nations World Food Programme (WFP)
+ * and United Nations Environment Programme (UNEP)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ *
+ * Contact: Jeroen Ticheler - FAO - Viale delle Terme di Caracalla 2,
+ * Rome - Italy. email: geonetwork@osgeo.org
+ */
+package org.fao.geonet.web;
+
+import org.apache.commons.lang.StringUtils;
+import org.fao.geonet.constants.Geonet;
+import org.fao.geonet.utils.Log;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+
+/**
+ * Filter to avoid clickjaking attacks.
+ *
+ * See https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet.
+ *
+ * Modes supported:
+ *  - DENY: prevents any domain from framing the content.
+ *  - SAMEORIGIN, which only allows the current site to frame the content.
+ *  - ALLOW-FROM uri, which permits the specified 'uri' to frame this page.
+ *      Not all browsers support this mode.
+ *
+ * Any other value will default to DENY.
+ *
+ * Sets X-Frame-Options and Content-Security-Policy (for frame-ancestors) headers.
+ *
+ * @author Jose García
+ */
+public class XFrameOptionsFilter implements Filter {
+    private static String MODE_DENY = "DENY";
+    private static String MODE_SAMEORIGIN = "SAMEORIGIN";
+    private static String MODE_ALLOWFROM = "ALLOW-FROM";
+
+    private String mode;
+    private String url;
+    private String domain;
+
+    public void init(FilterConfig filterConfig) throws ServletException {
+        mode = filterConfig.getInitParameter("mode");
+        url = filterConfig.getInitParameter("url");
+
+        // Mode: DENY, SAMEORIGIN, ALLOW-FROM. Any other value will default to SAMEORIGIN
+        if (!mode.equals(MODE_DENY) && !mode.equals(MODE_SAMEORIGIN) && !mode.equals(MODE_ALLOWFROM)) {
+            mode = MODE_DENY;
+        }
+
+        // If ALLOW-FROM, make sure a valid url is given, otherwise fallback to deny
+        if (mode.equals(MODE_ALLOWFROM)) {
+            if (StringUtils.isEmpty(url)) {
+                Log.info(Geonet.GEONETWORK,
+                    "XFrameOptions filter url parameter is missing for mode ALLOW-FROM. Setting mode to DENY.");
+                mode = MODE_DENY;
+            } else {
+                domain = url;
+            }
+        }
+
+        if (Log.isDebugEnabled(Geonet.GEONETWORK)) {
+            Log.debug(Geonet.GEONETWORK, String.format(
+                "XFrameOptions filter initialized. Using mode %s.", getXFrameOptionsValue()));
+        }
+
+    }
+
+
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
+                         FilterChain filterChain) throws IOException, ServletException {
+
+        HttpServletResponse response = (HttpServletResponse) servletResponse;
+        response.addHeader("X-Frame-Options", getXFrameOptionsValue());
+        response.addHeader("Content-Security-Policy", getContentSecurityPolicyFramAncestorsValue());
+
+        filterChain.doFilter(servletRequest, response);
+    }
+
+
+    public void destroy() {
+    }
+
+
+    /**
+     * Calculates the X-Frame-Options header value.
+     *
+     * @return X-Frame-Options header value.
+     */
+    private String getXFrameOptionsValue() {
+        if (mode.equals(MODE_ALLOWFROM)) {
+            return mode + " " + url;
+        } else {
+            return mode;
+        }
+    }
+
+
+    /**
+     * Calculates the Content-Security-Policy header frame-ancestors value.
+     *
+     * @return Content-Security-Policy header frame-ancestors value.
+     */
+    private String getContentSecurityPolicyFramAncestorsValue() {
+        if (mode.equals(MODE_SAMEORIGIN)) {
+            return "frame-ancestors 'self'";
+        } else if (mode.equals(MODE_ALLOWFROM)) {
+            return "frame-ancestors " + domain;
+        } else {
+            return "frame-ancestors 'none'";
+        }
+    }
+
+}
diff --git a/web/src/main/webapp/WEB-INF/web.xml b/web/src/main/webapp/WEB-INF/web.xml
new file mode 100644
index 00000000000..7302b8f8eab
--- /dev/null
+++ b/web/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,505 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+  ~ Copyright (C) 2001-2016 Food and Agriculture Organization of the
+  ~ United Nations (FAO-UN), United Nations World Food Programme (WFP)
+  ~ and United Nations Environment Programme (UNEP)
+  ~
+  ~ This program is free software; you can redistribute it and/or modify
+  ~ it under the terms of the GNU General Public License as published by
+  ~ the Free Software Foundation; either version 2 of the License, or (at
+  ~ your option) any later version.
+  ~
+  ~ This program is distributed in the hope that it will be useful, but
+  ~ WITHOUT ANY WARRANTY; without even the implied warranty of
+  ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  ~ General Public License for more details.
+  ~
+  ~ You should have received a copy of the GNU General Public License
+  ~ along with this program; if not, write to the Free Software
+  ~ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+  ~
+  ~ Contact: Jeroen Ticheler - FAO - Viale delle Terme di Caracalla 2,
+  ~ Rome - Italy. email: geonetwork@osgeo.org
+  -->
+
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+	     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
+	     http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+	     version="3.0"
+         metadata-complete="true">
+
+  <display-name>${application.name}</display-name>
+  <listener>
+    <listener-class>jeeves.config.springutil.JeevesContextLoaderListener</listener-class>
+  </listener>
+  <listener>
+    <listener-class>
+      org.springframework.web.context.request.RequestContextListener
+    </listener-class>
+  </listener>
+
+  <!-- shut down java cache used for xlinks and spatial index -->
+  <listener>
+    <listener-class>
+      org.apache.jcs.utils.servlet.JCSServletContextListener
+    </listener-class>
+  </listener>
+  <filter>
+    <filter-name>characterEncodingFilter</filter-name>
+    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
+    <init-param>
+      <param-name>encoding</param-name>
+      <param-value>UTF-8</param-value>
+    </init-param>
+  </filter>
+  <filter-mapping>
+    <filter-name>characterEncodingFilter</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>
+  <listener>
+    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
+  </listener>
+
+  <!-- listeter used to send signout event. Used by keycloak-->
+  <listener>
+    <listener-class>org.fao.geonet.kernel.security.listener.HttpSessionEventPublisher</listener-class>
+  </listener>
+  <!-- Spring security -->
+  <!--     <filter>
+          <filter-name>springSecurityFilterChain</filter-name>
+          <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+      </filter> -->
+  <filter>
+    <filter-name>springSecurityFilterChain</filter-name>
+    <filter-class>jeeves.config.springutil.JeevesDelegatingFilterProxy</filter-class>
+    <init-param>
+      <param-name>loginService</param-name>
+      <param-value>signin</param-value>
+    </init-param>
+  </filter>
+
+  <filter-mapping>
+    <filter-name>springSecurityFilterChain</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>
+
+  <filter>
+    <filter-name>SessionTimeoutCookieFilter</filter-name>
+    <filter-class>org.geonetwork.http.SessionTimeoutCookieFilter</filter-class>
+  </filter>
+  <filter-mapping>
+    <filter-name>SessionTimeoutCookieFilter</filter-name>
+    <url-pattern>/srv/*</url-pattern>
+  </filter-mapping>
+
+  <!-- Add CORS Header -->
+  <filter>
+    <filter-name>cors</filter-name>
+    <filter-class>org.fao.geonet.web.CORSResponseFilter</filter-class>
+    <init-param>
+      <param-name>allowedHosts</param-name>
+      <param-value>${cors.allowedHosts}</param-value>
+    </init-param>
+  </filter>
+  <filter-mapping>
+    <filter-name>cors</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>
+
+  <!-- url rewrite filter -->
+  <filter>
+    <filter-name>UrlRewriteFilter</filter-name>
+    <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
+    <!-- set the amount of seconds the conf file will be checked for reload. can be a valid integer (0 denotes
+        check every time, empty/not set denotes no reload check) -->
+    <!--<init-param>-->
+    <!--<param-name>confReloadCheckInterval</param-name>-->
+    <!--<param-value>0</param-value>-->
+    <!--</init-param>-->
+
+
+    <!-- sets up log level (will be logged to context log). Can be: TRACE, DEBUG, INFO (default), WARN, ERROR,
+        FATAL, log4j, commons, sysout:{level} (ie, sysout:DEBUG). If you are having trouble using normal levels use
+        sysout:DEBUG -->
+    <init-param>
+      <param-name>logLevel</param-name>
+      <param-value>WARN</param-value>
+    </init-param>
+
+    <!-- you can disable status page if desired. Can be: true, false (default true) -->
+    <init-param>
+      <param-name>statusEnabled</param-name>
+      <param-value>true</param-value>
+    </init-param>
+
+    <!-- you can change status path so that it does not conflict with your installed apps (note: defaults to
+        /rewrite-status). Note: must start with / -->
+    <init-param>
+      <param-name>statusPath</param-name>
+      <param-value>/rewritestatus</param-value>
+    </init-param>
+  </filter>
+  <filter-mapping>
+    <filter-name>UrlRewriteFilter</filter-name>
+    <url-pattern>/*</url-pattern>
+    <dispatcher>REQUEST</dispatcher>
+    <dispatcher>FORWARD</dispatcher>
+  </filter-mapping>
+
+  <!-- XFrameOptionsFilter to avoid Clickjacking attacks.
+     See https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet.
+  -->
+  <filter>
+    <filter-name>XFrameOptionsFilter</filter-name>
+    <filter-class>
+      org.fao.geonet.web.XFrameOptionsFilter
+    </filter-class>
+    <!-- Mode: DENY, SAMEORIGIN, ALLOW-FROM. Any other value will default to DENY
+          - DENY: prevents any domain from framing the content.
+          - SAMEORIGIN, which only allows the current site to frame the content.
+          - ALLOW-FROM uri, which permits the specified 'uri' to frame this page.
+            Not all browsers support this mode.
+    -->
+    <init-param>
+      <param-name>mode</param-name>
+      <param-value>ALLOW-FROM</param-value>
+    </init-param>
+    <init-param>
+      <param-name>url</param-name>
+      <param-value>https://*.admin.ch https://*.cartoriviera.ch https://*.vsgis.ch http://ext.fr.ch  http://mapplus.vdf.loc http://mapplus01.vdf.loc https://*.ne.ch https://*.cartolacote.ch https://*.geomapfish.dev</param-value>
+    </init-param>
+  </filter>
+  <filter-mapping>
+    <filter-name>XFrameOptionsFilter</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>
+
+
+  <!-- Resources servlet -->
+  <filter>
+    <filter-name>resources</filter-name>
+    <filter-class>org.fao.geonet.resources.ResourceFilter</filter-class>
+  </filter>
+
+  <filter>
+    <!--
+        WebResourceOptimizer is a WRO4J Filter (https://code.google.com/p/wro4j/wiki/Introduction)
+        which runs css and javascript linting, compiling, minification and compression.  We use it in two ways.
+
+        * Runtime as a Servlet Filter - at runtime WRO4J compiles, lints, minifies and compresses all javascript and css files.
+                                        This allows a developer to be able to get instant feed back when he/she changes a file.
+                                        By Default the javascript and css is minimized.  To not have it minimized use ?minimize=false
+        * Maven build - The same configuration is run on all javascript files during build time.  The artifacts are ignored
+                        because they are generated at runtime, but it is a check to verify that when deployed all artifacts can be
+                        correctly built.
+    -->
+
+    <filter-name>WebResourceOptimizer</filter-name>
+    <filter-class>
+      org.fao.geonet.wro4j.GeonetWro4jFilter
+    </filter-class>
+  </filter>
+  <filter-mapping>
+    <filter-name>WebResourceOptimizer</filter-name>
+    <url-pattern>/static/*</url-pattern>
+  </filter-mapping>
+
+  <!-- Only allow administrators or localhost access to the monitoring metrics -->
+  <filter>
+    <filter-name>MetricsRegistryInitializerFilter</filter-name>
+    <filter-class>org.fao.geonet.monitor.webapp.MetricsRegistryInitializerFilter</filter-class>
+  </filter>
+
+  <!--  Monitors the number of Active requests, request length and return codes -->
+  <filter>
+    <filter-name>webappMetricsFilter</filter-name>
+    <filter-class>org.fao.geonet.monitor.webapp.DefaultWebappMetricsFilter</filter-class>
+  </filter>
+
+  <filter-mapping>
+    <filter-name>MetricsRegistryInitializerFilter</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>
+
+  <filter-mapping>
+    <filter-name>webappMetricsFilter</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>
+
+  <filter-mapping>
+    <filter-name>resources</filter-name>
+    <url-pattern>/images/logos/*</url-pattern>
+  </filter-mapping>
+
+  <filter-mapping>
+    <filter-name>resources</filter-name>
+    <url-pattern>/config/*</url-pattern>
+  </filter-mapping>
+
+  <filter-mapping>
+    <filter-name>resources</filter-name>
+    <url-pattern>/images/harvesting/*</url-pattern>
+  </filter-mapping>
+
+  <filter-mapping>
+    <filter-name>resources</filter-name>
+    <url-pattern>/xml/schemas/*</url-pattern>
+  </filter-mapping>
+
+  <filter-mapping>
+    <filter-name>resources</filter-name>
+    <url-pattern>/images/statTmp/*</url-pattern>
+  </filter-mapping>
+
+  <filter-mapping>
+    <filter-name>resources</filter-name>
+    <url-pattern>/htmlcache/*</url-pattern>
+  </filter-mapping>
+
+  <filter-mapping>
+    <filter-name>resources</filter-name>
+    <url-pattern>/map/*</url-pattern>
+  </filter-mapping>
+
+  <!-- Print servlet -->
+  <servlet>
+    <servlet-name>mapfish.print</servlet-name>
+    <servlet-class>org.mapfish.print.servlet.MapPrinterServlet</servlet-class>
+    <init-param>
+      <param-name>config</param-name>
+      <param-value>WEB-INF/config-print/print-config.yaml</param-value>
+    </init-param>
+  </servlet>
+
+  <servlet-mapping>
+    <servlet-name>mapfish.print</servlet-name>
+    <url-pattern>/pdf/*</url-pattern>
+  </servlet-mapping>
+
+  <!-- Convenience servlet for linking to various webapps for accessing monitoring data
+      Contains 4 sub mappings:
+          /metrics?[pretty=(true|false)][class=metric.name] - returns a json response with all of the registered metrics
+          /threads - returns a text representation of the stack dump at the moment of the call
+          /healthcheck - returns 200 if all checks pass or 500 Internal Service Error if one fails (and human readable response of the failures)
+  -->
+  <servlet>
+    <servlet-name>monitor</servlet-name>
+    <servlet-class>com.yammer.metrics.reporting.AdminServlet</servlet-class>
+    <init-param>
+      <param-name>SHOW_JVM_METRICS</param-name>
+      <param-value>true</param-value>
+    </init-param>
+  </servlet>
+  <servlet>
+    <servlet-name>criticalHealthChecks</servlet-name>
+    <servlet-class>org.fao.geonet.monitor.webapp.GeonetworkHealthCheckServlet</servlet-class>
+    <init-param>
+      <param-name>REGISTRY_ATTRIBUTE_KEY</param-name>
+      <param-value>com.yammer.metrics.reporting.HealthCheckServlet.registry.critical</param-value>
+    </init-param>
+  </servlet>
+  <servlet>
+    <servlet-name>warningHealthChecks</servlet-name>
+    <servlet-class>org.fao.geonet.monitor.webapp.GeonetworkHealthCheckServlet</servlet-class>
+    <init-param>
+      <param-name>REGISTRY_ATTRIBUTE_KEY</param-name>
+      <param-value>com.yammer.metrics.reporting.HealthCheckServlet.registry.warning</param-value>
+    </init-param>
+  </servlet>
+  <servlet>
+    <servlet-name>expensiveHealthChecks</servlet-name>
+    <servlet-class>org.fao.geonet.monitor.webapp.GeonetworkHealthCheckServlet</servlet-class>
+    <init-param>
+      <param-name>REGISTRY_ATTRIBUTE_KEY</param-name>
+      <param-value>com.yammer.metrics.reporting.HealthCheckServlet.registry.expensive</param-value>
+    </init-param>
+  </servlet>
+
+  <servlet-mapping>
+    <servlet-name>monitor</servlet-name>
+    <url-pattern>/monitor/*</url-pattern>
+  </servlet-mapping>
+  <servlet-mapping>
+    <servlet-name>criticalHealthChecks</servlet-name>
+    <url-pattern>/criticalhealthcheck</url-pattern>
+  </servlet-mapping>
+  <servlet-mapping>
+    <servlet-name>warningHealthChecks</servlet-name>
+    <url-pattern>/warninghealthcheck</url-pattern>
+  </servlet-mapping>
+  <servlet-mapping>
+    <servlet-name>expensiveHealthChecks</servlet-name>
+    <url-pattern>/expensivehealthcheck</url-pattern>
+  </servlet-mapping>
+
+  <servlet>
+    <servlet-name>gn-servlet</servlet-name>
+    <servlet-class>jeeves.server.sources.http.JeevesServlet</servlet-class>
+    <!--
+        Specified what geonetwork data directory to use.
+        <init-param>
+        <param-name>geonetwork.dir</param-name>
+        <param-value>/app/geonetwork_data_dir</param-value>
+    </init-param>-->
+    <load-on-startup>1</load-on-startup>
+  </servlet>
+
+
+  <servlet>
+    <servlet-name>HttpProxy</servlet-name>
+    <servlet-class>org.fao.geonet.proxy.URITemplateProxyServlet</servlet-class>
+    <init-param>
+      <param-name>targetUri</param-name>
+      <param-value>{url}</param-value>
+    </init-param>
+    <init-param>
+      <param-name>log</param-name>
+      <param-value>false</param-value>
+    </init-param>
+    <init-param>
+      <param-name>http.protocol.handle-redirects</param-name>
+      <param-value>true</param-value>
+    </init-param>
+    <init-param>
+      <param-name>securityMode</param-name>
+      <param-value>${proxy.securityMode}</param-value>
+    </init-param>
+  </servlet>
+  <servlet-mapping>
+    <servlet-name>HttpProxy</servlet-name>
+    <url-pattern>/proxy/*</url-pattern>
+  </servlet-mapping>
+
+
+  <servlet>
+    <servlet-name>MicroServicesProxy</servlet-name>
+    <servlet-class>org.fao.geonet.proxy.URITemplateProxyServlet</servlet-class>
+    <init-param>
+      <param-name>targetUri</param-name>
+      <param-value>${microservices.url}</param-value>
+    </init-param>
+    <init-param>
+      <param-name>forwardHost</param-name>
+      <param-value>true</param-value>
+    </init-param>
+    <init-param>
+      <param-name>forwardHostPrefixPath</param-name>
+      <param-value>/api</param-value>
+    </init-param>
+    <init-param>
+      <param-name>log</param-name>
+      <param-value>false</param-value>
+    </init-param>
+  </servlet>
+  <servlet-mapping>
+    <servlet-name>MicroServicesProxy</servlet-name>
+    <url-pattern>/api/*</url-pattern>
+  </servlet-mapping>
+
+
+  <!--Direct proxy to ES server.
+  One specific proxy for features
+  which are requested by client apps. Redirect
+  to the proper index which may not have the default name.
+  -->
+  <servlet>
+    <servlet-name>ESFeaturesProxy</servlet-name>
+    <servlet-class>org.fao.geonet.proxy.URITemplateProxyServlet</servlet-class>
+    <init-param>
+      <param-name>targetUri</param-name>
+      <param-value>${es.url}/${es.index.features}/{_}</param-value>
+    </init-param>
+    <init-param>
+      <param-name>log</param-name>
+      <param-value>false</param-value>
+    </init-param>
+    <!--
+     If Elasticsearch has a security layer, create a readonly user
+     with access to the features index and configure the proxy
+     with basic authentication if needed.-->
+    <!--<init-param>
+      <param-name>username</param-name>
+      <param-value>${es.ro.username}</param-value>
+    </init-param>
+    <init-param>
+      <param-name>password</param-name>
+      <param-value>${es.ro.password}</param-value>
+    </init-param>
+    <init-param>
+      <param-name>isSecured</param-name>
+      <param-value>true</param-value>
+    </init-param>-->
+  </servlet>
+  <servlet-mapping>
+    <servlet-name>ESFeaturesProxy</servlet-name>
+    <url-pattern>/index/features</url-pattern>
+  </servlet-mapping>
+
+
+  <servlet>
+    <servlet-name>HttpDashboardProxy</servlet-name>
+    <servlet-class>org.mitre.dsmiley.httpproxy.ProxyServlet</servlet-class>
+    <init-param>
+      <param-name>targetUri</param-name>
+      <param-value>${kb.url}</param-value>
+    </init-param>
+    <init-param>
+      <param-name>log</param-name>
+      <param-value>false</param-value>
+    </init-param>
+  </servlet>
+  <servlet-mapping>
+    <servlet-name>HttpDashboardProxy</servlet-name>
+    <url-pattern>/dashboards/*</url-pattern>
+  </servlet-mapping>
+
+
+  <servlet>
+    <servlet-name>jolokia-agent</servlet-name>
+    <servlet-class>org.jolokia.http.AgentServlet</servlet-class>
+    <init-param>
+      <param-name>policyLocation</param-name>
+      <param-value>classpath:/jolokia-access.xml</param-value>
+    </init-param>
+    <load-on-startup>1</load-on-startup>
+  </servlet>
+
+  <servlet-mapping>
+    <servlet-name>jolokia-agent</servlet-name>
+    <url-pattern>/jolokia/*</url-pattern>
+  </servlet-mapping>
+
+
+  <!-- Spring dispatcher servlet -->
+  <servlet>
+    <servlet-name>spring</servlet-name>
+    <servlet-class>
+      jeeves.config.springutil.JeevesDispatcherServlet
+    </servlet-class>
+    <init-param>
+      <param-name>nodeId</param-name>
+      <param-value>srv</param-value>
+    </init-param>
+    <load-on-startup>2</load-on-startup>
+  </servlet>
+
+  <servlet-mapping>
+    <servlet-name>spring</servlet-name>
+    <url-pattern>/*</url-pattern>
+  </servlet-mapping>
+
+  <session-config>
+    <tracking-mode>COOKIE</tracking-mode>
+    <session-timeout>${sessionTimeout}</session-timeout>
+    <cookie-config>
+      <http-only>true</http-only>
+      <secure>${cookieSecureFlag}</secure>
+    </cookie-config>
+  </session-config>
+
+  <welcome-file-list>
+    <welcome-file>index.html</welcome-file>
+  </welcome-file-list>
+</web-app>