xapirest.properties
Use the customer_overrides.properties file to override properties in xapirest.properties.
The xapirest.properties file allows the same configuration options as yifclient.properties and controls where XAPI calls take place. XAPI calls are set to LOCAL by default.
The following table lists custom configurations in xapirest.properties:
Property | Values | Description |
---|---|---|
servlet.jwt.auth.enabled | | If this property is set to true, JWT authentication for REST APIs is enabled. Note: |
servlet.authstyle | CONTAINER, CONTAINER_USER (Default), STANDARD, OPEN, EXTENDED, BASIC | CONTAINER requires a user to be authenticated by the application container with the userid specified by servlet.userid. CONTAINER_USER requires a user to be authenticated by the application container by using the identified Principal name as the userid. STANDARD requires passage of OPEN always authenticates the userid that is specified by EXTENDED uses BASIC calls the login API with the specified user and password in the request's Authorization header. No user token is created or returned. |
servlet.userid | userid | Specifies a userid for making API calls. A userid must be set when servlet.authstyle is set to CONTAINER or OPEN. |
servlet.ssomanager | class | Declares the implementation class of YCPSSOManager when servlet.authstyle is set to EXTENDED. |
servlet.put.enabled | | Allows PUT to be used to call Modify APIs if set to true. PUT behaves exactly like PATCH. |
servlet.realm | prompt | A custom prompt that can be displayed during BASIC authentication. |
servlet.cors.enabled | | If this property is set to true, Cross-Origin Resource Sharing (CORS) support in REST APIs is enabled. All the other CORS support properties are applicable only if this property is set to true. |
servlet.cors.max.age | Valid values = <number of seconds>. Default = 3600 | Determines the time interval (in seconds) for which the results of a preflight request are cached in a preflight results cache by the browser. It corresponds to the HTTP response header, “Access-Control-Max-Age”. |
servlet.cors.allow.credentials | | Indicates whether the browser is allowed to send credentials to the server. It corresponds to the HTTP response header, “Access-Control-Allow-Credentials”. |
servlet.cors.allow.origin | Valid values = <comma-separated values of host domains (protocol://hostname:[portno])>. Default = * | Determines the list of allowed host domains. It corresponds to the HTTP response header, “Access-Control-Allow-Origin”. The [portno] number is optional. This property can accept a single value of wildcard (*) to permit access for any origin. Note: IBM® recommends not using the default value of “*” in the production environment. |
servlet.cors.expose.headers | Valid values = <comma-separated values of HTTP headers>. Default is not set. | Determines the list of HTTP headers that can be accessed by a browser. It corresponds to the HTTP response header, “Access-Control-Expose-Headers”. |
servlet.cors.allow.headers | Valid values = <comma-separated values of HTTP headers> | Determines the list of allowed HTTP headers. It corresponds to the HTTP response header, “Access-Control-Allow-Headers”. The value of this property is returned in the response to a preflight request. By default, the value of this property is the same as the value of the incoming request header, “Access-Control-Request-Headers”. |
servlet.cors.allow.methods | Valid values = <comma-separated values of HTTP methods> | Determines the list of allowed HTTP methods. It corresponds to the HTTP response header, “Access-Control-Allow-Methods”. The value of this property is returned in the response to a preflight request. By default, the value of this property is the same as the value of the incoming request header, “Access-Control-Request-Method”. |
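
The following audit script is an added example, not part of the product documentation. It checks a properties file against the constraints stated in the table (wildcard CORS origin, the userid requirement for CONTAINER and OPEN, origin format). The `xapirest.` prefix on override keys, the http/https-only origin pattern and the sample files are assumptions.

```python
import re

# Defaults taken from the table above; all other properties are treated as unset.
DEFAULTS = {"servlet.authstyle": "CONTAINER_USER", "servlet.cors.allow.origin": "*"}
# protocol://hostname[:portno] as described in the table; http/https is assumed.
ORIGIN_RE = re.compile(r"^https?://[A-Za-z0-9.-]+(:\d{1,5})?$")

def parse_properties(text):
    """Parse simple key=value lines; blank lines and '#'/'!' comments are skipped."""
    props = dict(DEFAULTS)
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        # Assumption: override files prefix each key with "xapirest."; strip it.
        props[key.removeprefix("xapirest.")] = value
    return props

def audit(text):
    """Return a list of findings for the settings described in the table."""
    p = parse_properties(text)
    flag = lambda k: p.get(k, "").lower() == "true"
    findings = []
    style = p["servlet.authstyle"].upper()
    if style == "OPEN":
        findings.append("authstyle OPEN: requests are always authenticated as the configured userid")
    if style in ("CONTAINER", "OPEN") and not p.get("servlet.userid"):
        findings.append(f"authstyle {style} requires servlet.userid")
    if flag("servlet.cors.enabled"):  # other CORS properties apply only when enabled
        origins = [o.strip() for o in p["servlet.cors.allow.origin"].split(",")]
        if "*" in origins:
            findings.append("CORS allows any origin (*)")
            if flag("servlet.cors.allow.credentials"):
                findings.append("CORS credentials enabled together with wildcard origin")
        findings += [f"malformed origin: {o}" for o in origins
                     if o != "*" and not ORIGIN_RE.match(o)]
    return findings

# Constructed sample files, not taken from any real deployment.
WEAK = """servlet.authstyle=OPEN
servlet.cors.enabled=true
servlet.cors.allow.credentials=true
"""
HARDENED = """xapirest.servlet.authstyle=BASIC
xapirest.servlet.cors.enabled=true
xapirest.servlet.cors.allow.origin=https://shop.example.com,https://admin.example.com:8443
"""

if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```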