google-nomulus/java/google/registry/env/common/default/WEB-INF/web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
  <!-- Servlets -->

  <!-- Servlet for injected frontend actions -->
  <servlet>
    <display-name>FrontendServlet</display-name>
    <servlet-name>frontend-servlet</servlet-name>
    <servlet-class>google.registry.module.frontend.FrontendServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <!-- The primary EPP endpoint for the Registry, which accepts EPP requests from our TLS proxy. -->
  <servlet-mapping>
    <servlet-name>frontend-servlet</servlet-name>
    <url-pattern>/_dr/epp</url-pattern>
  </servlet-mapping>

  <!-- Registrar Console endpoint, which accepts EPP XHRs from GAE GAIA-authenticated sessions. -->
  <servlet-mapping>
    <servlet-name>frontend-servlet</servlet-name>
    <url-pattern>/registrar-xhr</url-pattern>
  </servlet-mapping>

  <!-- Registrar Console. -->
  <servlet-mapping>
    <servlet-name>frontend-servlet</servlet-name>
    <url-pattern>/registrar</url-pattern>
  </servlet-mapping>

  <!-- Registrar Self-serve Settings. -->
  <servlet-mapping>
    <servlet-name>frontend-servlet</servlet-name>
    <url-pattern>/registrar-settings</url-pattern>
  </servlet-mapping>

  <!-- OT&E creation console. -->
  <servlet-mapping>
    <servlet-name>frontend-servlet</servlet-name>
    <url-pattern>/registrar-ote-setup</url-pattern>
  </servlet-mapping>

  <!-- Registrar creation console. -->
  <servlet-mapping>
    <servlet-name>frontend-servlet</servlet-name>
    <url-pattern>/registrar-create</url-pattern>
  </servlet-mapping>

  <!-- Security config -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Internal</web-resource-name>
      <description>
        Admin-only internal section.  Requests for paths covered by the URL patterns below will be
        checked for a logged-in user account that's allowed to access the AppEngine admin console
        (NOTE: this includes Editor/Viewer permissions in addition to Owner and the new IAM
        App Engine Admin role.  See https://cloud.google.com/appengine/docs/java/access-control
        specifically the "Access handlers that have a login:admin restriction" line.)

        TODO(b/28219927): lift some of these restrictions so that we can allow OAuth authentication
        for endpoints that need to be accessed by open-source automated processes.
      </description>

      <!-- Internal AppEngine endpoints.  The '_ah' is short for app hosting.  -->
      <url-pattern>/_ah/*</url-pattern>

      <!-- Verbatim JavaScript sources (only visible to admins for debugging). -->
      <url-pattern>/assets/sources/*</url-pattern>

      <!-- TODO(b/26776367): Move these files to /assets/sources. -->
      <url-pattern>/assets/js/registrar_bin.js.map</url-pattern>
      <url-pattern>/assets/js/registrar_dbg.js</url-pattern>
      <url-pattern>/assets/css/registrar_dbg.css</url-pattern>

    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>

    <!-- Repeated here since catch-all rule below is not inherited. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Registrar console</web-resource-name>
      <description>
        Registrar console requires user login.  This is in addition to the
        code-level "requireLogin" configuration on individual @Actions.
      </description>
      <url-pattern>/registrar*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
    <!-- Repeated here since catch-all rule below is not inherited. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Require TLS on all requests. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure</web-resource-name>
      <description>
        Require encryption for all paths. http URLs will be redirected to https.
      </description>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- See: https://code.google.com/p/objectify-appengine/wiki/Setup -->
  <filter>
    <filter-name>ObjectifyFilter</filter-name>
    <filter-class>com.googlecode.objectify.ObjectifyFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>ObjectifyFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- Register types with Objectify. -->
  <filter>
    <filter-name>OfyFilter</filter-name>
    <filter-class>google.registry.model.ofy.OfyFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>OfyFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>