mirror of
https://github.com/google/nomulus.git
synced 2025-05-20 11:19:35 +02:00
ac500652ac
The migration plan is as follows: 1. This CL, which adds the new "pubapi" service that serves the check API, WHOIS, and RDAP. 2a. Update our public facing sites to switch over to use the new service. 2b. (either order) Rewrite the check API to remove dependencies on flows. 3. ... eventually, once the frontend service is no longer being hit by this traffic, remove its handling of these public endpoints. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=197716346
129 lines
4.7 KiB
XML
129 lines
4.7 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"
|
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
|
|
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
|
|
<!-- Servlets -->
|
|
|
|
<!-- Servlet for injected frontend actions -->
|
|
<servlet>
|
|
<display-name>PubApiServlet</display-name>
|
|
<servlet-name>pubapi-servlet</servlet-name>
|
|
<servlet-class>google.registry.module.pubapi.PubApiServlet</servlet-class>
|
|
<load-on-startup>1</load-on-startup>
|
|
</servlet>
|
|
|
|
<!-- HTTP WHOIS. -->
|
|
<servlet-mapping>
|
|
<servlet-name>pubapi-servlet</servlet-name>
|
|
<url-pattern>/whois/*</url-pattern>
|
|
</servlet-mapping>
|
|
|
|
<!-- Protocol WHOIS. -->
|
|
<servlet-mapping>
|
|
<servlet-name>pubapi-servlet</servlet-name>
|
|
<url-pattern>/_dr/whois</url-pattern>
|
|
</servlet-mapping>
|
|
|
|
<!-- RDAP (new WHOIS). -->
|
|
<servlet-mapping>
|
|
<servlet-name>pubapi-servlet</servlet-name>
|
|
<url-pattern>/rdap/*</url-pattern>
|
|
</servlet-mapping>
|
|
|
|
<!-- Public API to do availability checks -->
|
|
<servlet-mapping>
|
|
<servlet-name>pubapi-servlet</servlet-name>
|
|
<url-pattern>/check</url-pattern>
|
|
</servlet-mapping>
|
|
|
|
<!-- Security config -->
|
|
<security-constraint>
|
|
<web-resource-collection>
|
|
<web-resource-name>Internal</web-resource-name>
|
|
<description>
|
|
Admin-only internal section. Requests for paths covered by the URL patterns below will be
|
|
checked for a logged-in user account that's allowed to access the AppEngine admin console
|
|
(NOTE: this includes Editor/Viewer permissions in addition to Owner and the new IAM
|
|
App Engine Admin role. See https://cloud.google.com/appengine/docs/java/access-control
|
|
specifically the "Access handlers that have a login:admin restriction" line.)
|
|
|
|
TODO(b/28219927): lift some of these restrictions so that we can allow OAuth authentication
|
|
for endpoints that need to be accessed by open-source automated processes.
|
|
</description>
|
|
|
|
<!-- Internal AppEngine endpoints. The '_ah' is short for app hosting. -->
|
|
<url-pattern>/_ah/*</url-pattern>
|
|
|
|
<!-- Verbatim JavaScript sources (only visible to admins for debugging). -->
|
|
<url-pattern>/assets/sources/*</url-pattern>
|
|
|
|
<!-- TODO(b/26776367): Move these files to /assets/sources. -->
|
|
<url-pattern>/assets/js/registrar_bin.js.map</url-pattern>
|
|
<url-pattern>/assets/js/registrar_dbg.js</url-pattern>
|
|
<url-pattern>/assets/js/brain_bin.js.map</url-pattern>
|
|
<url-pattern>/assets/css/registrar_dbg.css</url-pattern>
|
|
|
|
</web-resource-collection>
|
|
<auth-constraint>
|
|
<role-name>admin</role-name>
|
|
</auth-constraint>
|
|
|
|
<!-- Repeated here since catch-all rule below is not inherited. -->
|
|
<user-data-constraint>
|
|
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
|
|
</user-data-constraint>
|
|
</security-constraint>
|
|
|
|
<security-constraint>
|
|
<web-resource-collection>
|
|
<web-resource-name>Registrar console</web-resource-name>
|
|
<description>
|
|
Registrar console requires user login. This is in addition to the
|
|
code-level "requireLogin" configuration on individual @Actions.
|
|
</description>
|
|
<url-pattern>/registrar*</url-pattern>
|
|
</web-resource-collection>
|
|
<auth-constraint>
|
|
<role-name>*</role-name>
|
|
</auth-constraint>
|
|
<!-- Repeated here since catch-all rule below is not inherited. -->
|
|
<user-data-constraint>
|
|
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
|
|
</user-data-constraint>
|
|
</security-constraint>
|
|
|
|
<!-- Require TLS on all requests. -->
|
|
<security-constraint>
|
|
<web-resource-collection>
|
|
<web-resource-name>Secure</web-resource-name>
|
|
<description>
|
|
Require encryption for all paths. http URLs will be redirected to https.
|
|
</description>
|
|
<url-pattern>/*</url-pattern>
|
|
</web-resource-collection>
|
|
<user-data-constraint>
|
|
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
|
|
</user-data-constraint>
|
|
</security-constraint>
|
|
|
|
<!-- See: https://code.google.com/p/objectify-appengine/wiki/Setup -->
|
|
<filter>
|
|
<filter-name>ObjectifyFilter</filter-name>
|
|
<filter-class>com.googlecode.objectify.ObjectifyFilter</filter-class>
|
|
</filter>
|
|
<filter-mapping>
|
|
<filter-name>ObjectifyFilter</filter-name>
|
|
<url-pattern>/*</url-pattern>
|
|
</filter-mapping>
|
|
|
|
<!-- Register types with Objectify. -->
|
|
<filter>
|
|
<filter-name>OfyFilter</filter-name>
|
|
<filter-class>google.registry.model.ofy.OfyFilter</filter-class>
|
|
</filter>
|
|
<filter-mapping>
|
|
<filter-name>OfyFilter</filter-name>
|
|
<url-pattern>/*</url-pattern>
|
|
</filter-mapping>
|
|
</web-app>
|