# Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # List of comma-separated packages that start with or equal this string # will cause a security exception to be thrown when # passed to checkPackageAccess unless the # corresponding RuntimePermission ("accessClassInPackage."+package) has # been granted. package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.jasper.,org.apache.tomcat. # # List of comma-separated packages that start with or equal this string # will cause a security exception to be thrown when # passed to checkPackageDefinition unless the # corresponding RuntimePermission ("defineClassInPackage."+package) has # been granted. # # by default, no packages are restricted for definition, and none of # the class loaders supplied with the JDK call checkPackageDefinition. # package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,\ org.apache.jasper.,org.apache.naming.,org.apache.tomcat. # # # List of comma-separated paths defining the contents of the "common" # classloader. Prefixes should be used to define what is the repository type. # Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute. # If left as blank,the JVM system loader will be used as Catalina's "common" # loader. # Examples: # "foo": Add this folder as a class repository # "foo/*.jar": Add all the JARs of the specified folder as class # repositories # "foo/bar.jar": Add bar.jar as a class repository # # Note: Values are enclosed in double quotes ("...") in case either the # ${catalina.base} path or the ${catalina.home} path contains a comma. # Because double quotes are used for quoting, the double quote character # may not appear in a path. common.loader="${catalina.base}/lib","${catalina.base}/lib/*.jar","${catalina.home}/lib","${catalina.home}/lib/*.jar","${catalina.base}/common/classes","${catalina.base}/common/*.jar","${catalina.home}/common/classes","${catalina.home}/common/*.jar" # # List of comma-separated paths defining the contents of the "server" # classloader. Prefixes should be used to define what is the repository type. # Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute. # If left as blank, the "common" loader will be used as Catalina's "server" # loader. # Examples: # "foo": Add this folder as a class repository # "foo/*.jar": Add all the JARs of the specified folder as class # repositories # "foo/bar.jar": Add bar.jar as a class repository # # Note: Values may be enclosed in double quotes ("...") in case either the # ${catalina.base} path or the ${catalina.home} path contains a comma. # Because double quotes are used for quoting, the double quote character # may not appear in a path. server.loader="${catalina.base}/server/classes","${catalina.base}/server/*.jar","${catalina.home}/server/classes","${catalina.home}/server/*.jar" # # List of comma-separated paths defining the contents of the "shared" # classloader. Prefixes should be used to define what is the repository type. # Path may be relative to the CATALINA_BASE path or absolute. If left as blank, # the "common" loader will be used as Catalina's "shared" loader. # Examples: # "foo": Add this folder as a class repository # "foo/*.jar": Add all the JARs of the specified folder as class # repositories # "foo/bar.jar": Add bar.jar as a class repository # Please note that for single jars, e.g. bar.jar, you need the URL form # starting with file:. # # Note: Values may be enclosed in double quotes ("...") in case either the # ${catalina.base} path or the ${catalina.home} path contains a comma. # Because double quotes are used for quoting, the double quote character # may not appear in a path. shared.loader="${catalina.base}/shared/classes","${catalina.base}/shared/*.jar","${catalina.home}/shared/classes","${catalina.home}/shared/*.jar" # Default list of JAR files that should not be scanned using the JarScanner # functionality. This is typically used to scan JARs for configuration # information. JARs that do not contain such information may be excluded from # the scan to speed up the scanning process. This is the default list. JARs on # this list are excluded from all scans. The list must be a comma separated list # of JAR file names. # The list of JARs to skip may be over-ridden at a Context level for individual # scan types by configuring a JarScanner with a nested JarScanFilter. # The JARs listed below include: # - Tomcat Bootstrap JARs # - Tomcat API JARs # - Catalina JARs # - Jasper JARs # - Tomcat JARs # - Common non-Tomcat JARs # - Test JARs (JUnit, Cobertura and dependencies) tomcat.util.scan.StandardJarScanFilter.jarsToSkip=\ bootstrap.jar,commons-daemon.jar,tomcat-juli.jar,\ annotations-api.jar,el-api.jar,jsp-api.jar,servlet-api.jar,websocket-api.jar,\ jaspic-api.jar,\ catalina.jar,catalina-ant.jar,catalina-ha.jar,catalina-storeconfig.jar,\ catalina-tribes.jar,\ jasper.jar,jasper-el.jar,ecj-*.jar,\ tomcat-api.jar,tomcat-util.jar,tomcat-util-scan.jar,tomcat-coyote.jar,\ tomcat-dbcp.jar,tomcat-jni.jar,tomcat-websocket.jar,\ tomcat-i18n-en.jar,tomcat-i18n-es.jar,tomcat-i18n-fr.jar,tomcat-i18n-ja.jar,\ tomcat-juli-adapters.jar,catalina-jmx-remote.jar,catalina-ws.jar,\ tomcat-jdbc.jar,\ tools.jar,\ commons-beanutils*.jar,commons-codec*.jar,commons-collections*.jar,\ commons-dbcp*.jar,commons-digester*.jar,commons-fileupload*.jar,\ commons-httpclient*.jar,commons-io*.jar,commons-lang*.jar,commons-logging*.jar,\ commons-math*.jar,commons-pool*.jar,\ jstl.jar,taglibs-standard-spec-*.jar,\ geronimo-spec-jaxrpc*.jar,wsdl4j*.jar,\ ant.jar,ant-junit*.jar,aspectj*.jar,jmx.jar,h2*.jar,hibernate*.jar,httpclient*.jar,\ jmx-tools.jar,jta*.jar,log4j*.jar,mail*.jar,slf4j*.jar,\ xercesImpl.jar,xmlParserAPIs.jar,xml-apis.jar,\ junit.jar,junit-*.jar,hamcrest-*.jar,easymock-*.jar,cglib-*.jar,\ objenesis-*.jar,ant-launcher.jar,\ cobertura-*.jar,asm-*.jar,dom4j-*.jar,icu4j-*.jar,jaxen-*.jar,jdom-*.jar,\ jetty-*.jar,oro-*.jar,servlet-api-*.jar,tagsoup-*.jar,xmlParserAPIs-*.jar,\ xom-*.jar # Default list of JAR files that should be scanned that overrides the default # jarsToSkip list above. This is typically used to include a specific JAR that # has been excluded by a broad file name pattern in the jarsToSkip list. # The list of JARs to scan may be over-ridden at a Context level for individual # scan types by configuring a JarScanner with a nested JarScanFilter. tomcat.util.scan.StandardJarScanFilter.jarsToScan=\ log4j-web*.jar,log4j-taglib*.jar,log4javascript*.jar,slf4j-taglib*.jar # String cache configuration. tomcat.util.buf.StringCache.byte.enabled=true #tomcat.util.buf.StringCache.char.enabled=true #tomcat.util.buf.StringCache.trainThreshold=500000 #tomcat.util.buf.StringCache.cacheSize=5000 # Allow for changes to HTTP request validation # WARNING: Using this option will expose the server to CVE-2016-6816 #tomcat.util.http.parser.HttpParser.requestTargetAllow=|