google-nomulus/java/google/registry/env/common/default/WEB-INF/web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
  <!-- Servlets -->

  <!-- Servlet for injected frontend actions -->
  <servlet>
    <display-name>FrontendServlet</display-name>
    <servlet-name>frontend-servlet</servlet-name>
    <servlet-class>google.registry.module.frontend.FrontendServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <!-- The primary EPP endpoint for the Registry, which accepts EPP requests from our TLS proxy. -->
  <servlet-mapping>
    <servlet-name>frontend-servlet</servlet-name>
    <url-pattern>/_dr/epp</url-pattern>
  </servlet-mapping>

  <!-- Registrar Console endpoint, which accepts EPP XHRs from GAE GAIA-authenticated sessions. -->
  <servlet-mapping>
    <servlet-name>frontend-servlet</servlet-name>
    <url-pattern>/registrar-xhr</url-pattern>
  </servlet-mapping>

  <servlet>
    <display-name>Registrar Self-serve Settings</display-name>
    <servlet-name>registrar-settings</servlet-name>
    <servlet-class>google.registry.ui.server.registrar.RegistrarServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>registrar-settings</servlet-name>
    <url-pattern>/registrar-settings</url-pattern>
  </servlet-mapping>

  <!-- Registrar Console. -->
  <servlet-mapping>
    <servlet-name>frontend-servlet</servlet-name>
    <url-pattern>/registrar</url-pattern>
  </servlet-mapping>

  <!-- Registrar Braintree payment form setup. -->
  <servlet-mapping>
    <servlet-name>frontend-servlet</servlet-name>
    <url-pattern>/registrar-payment-setup</url-pattern>
  </servlet-mapping>

  <!-- Registrar Braintree payment. -->
  <servlet-mapping>
    <servlet-name>frontend-servlet</servlet-name>
    <url-pattern>/registrar-payment</url-pattern>
  </servlet-mapping>

  <!-- HTTP WHOIS. -->
  <servlet-mapping>
    <servlet-name>frontend-servlet</servlet-name>
    <url-pattern>/whois/*</url-pattern>
  </servlet-mapping>

  <!-- Protocol WHOIS. -->
  <servlet-mapping>
    <servlet-name>frontend-servlet</servlet-name>
    <url-pattern>/_dr/whois</url-pattern>
  </servlet-mapping>

  <!-- RDAP (new WHOIS). -->
  <servlet-mapping>
    <servlet-name>frontend-servlet</servlet-name>
    <url-pattern>/rdap/*</url-pattern>
  </servlet-mapping>

  <!-- Public API to do availability checks -->
  <servlet-mapping>
    <servlet-name>frontend-servlet</servlet-name>
    <url-pattern>/check</url-pattern>
  </servlet-mapping>

  <!-- Security config -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Internal</web-resource-name>
      <description>
        Any request path starting with `/_dr/` will be restricted to requests originating
        from the backend or by anyone authenticated to a Google account that's listed in
        the AppEngine control panel settings for this project as a Viewer/Owner/Developer.
        The `_dr` is short for Nomulus to follow AppEngine naming conventions.
      </description>
      <url-pattern>/_dr/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>profile-registrar-xhr</web-resource-name>
      <description>
        Only allow logged-in users to even try to issue EPP commands. This is an additional
        layer of safety on top of in-servlet authentication and XSRF protection.
      </description>
      <url-pattern>/registrar-xhr</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>profile-registrar-settings</web-resource-name>
      <description>
        Only allow logged-in users to even try to change registrar settings. This is an additional
        layer of safety on top of in-servlet authentication and XSRF protection.
      </description>
      <url-pattern>/registrar-settings</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>profile-registrar-payment</web-resource-name>
      <description>
        Only allow logged-in users to even try to change registrar settings. This is an additional
        layer of safety on top of in-servlet authentication and XSRF protection.
      </description>
      <url-pattern>/registrar-payment</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>profile-registrar-payment-token</web-resource-name>
      <description>
        Only allow logged-in users to even try to change registrar settings. This is an additional
        layer of safety on top of in-servlet authentication and XSRF protection.
      </description>
      <url-pattern>/registrar-payment-token</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Require TLS on all requests. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure</web-resource-name>
      <description>
        Require encryption for all paths. http URLs will be redirected to https.
      </description>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Restrict access to source code. -->
  <!-- This directory contains all the JavaScript sources verbatim. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>internal-sources</web-resource-name>
      <description>No soup for you!</description>
      <url-pattern>/assets/sources/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- TODO(b/26776367): Move these files to /assets/sources. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>registrar-bin-js-map</web-resource-name>
      <description>No soup for you!</description>
      <url-pattern>/assets/js/registrar_bin.js.map</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>registrar-dbg-js</web-resource-name>
      <description>No soup for you!</description>
      <url-pattern>/assets/js/registrar_dbg.js</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>brain-bin-js-map</web-resource-name>
      <description>No soup for you!</description>
      <url-pattern>/assets/js/brain_bin.js.map</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>registrar-dbg-css</web-resource-name>
      <description>No soup for you!</description>
      <url-pattern>/assets/css/registrar_dbg.css</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- See: https://code.google.com/p/objectify-appengine/wiki/Setup -->
  <filter>
    <filter-name>ObjectifyFilter</filter-name>
    <filter-class>com.googlecode.objectify.ObjectifyFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>ObjectifyFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- Register types with Objectify. -->
  <filter>
    <filter-name>OfyFilter</filter-name>
    <filter-class>google.registry.model.ofy.OfyFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>OfyFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

</web-app>