Application properties

Modified on Mon, 3 Jun at 1:33 PM

The file application.properties stores several application-wide properties, such as which links are shown on the start page or settings regarding failed logins. The file can be found in the config directory on the master server. The exact location of the propterties files is listed under System > Server information > Used paths > Configuration files.

Contents

UI

Property	Default value	Explanation
login.show.link.register	true	Whether a link for creating a new account is shown on the start page.
login.show.link.password	true	Whether a link for forgotten passwords is shown on the start page.
login.show.link.help	true	Whether a link to these help pages is shown on the start page.
login.show.link.faq	true	Whether a link to the Q&A page is shown on the start page.
login.show.link.privacy	true	Whether a link to the privacy policy is shown on the start page.
login.show.link.imprint	true	Whether a link to the imprint is shown on the start page.
login.show.link.terms	true	Whether a link to the terms and conditions is shown on the start page.
login.show.link.license	true	Whether a link to the licensing conditions is shown on the start page.
login.show.footer	true	Whether the footer is shown on the start page. The footer contains the imprint, privacy policy etc.
defaults.show.logo	true	Whether the logo of the application is shown on the start page.
defaults.show.version	true	Whether the version of the application is shown on the start page.

URLs

Property	Default value	Explanation
defaults.url.help.designer	https://help.formcycle.eu/xwiki/bin/view/Main/Designer	URL for the help pages of the formcycle Designer.
defaults.url.video	http://www.formcycle.de/videos/	URL for the tutorial videos for formcycle.
defaults.url.help	https://help.formcycle.eu/xwiki/bin/view/Main/	URL for the help pages of formcycle.
defaults.url.qa	https://faq.formcycle.eu/	URL for the Q&A pages for formcycle.
defaults.url.register	https://form.cloud	URL for creating a new account.
defaults.url.privacy	https://form.cloud/datenschutz.html	URL for the privacy policy.
defaults.url.imprint	https://www.xima.de/impressum/	URL for the imprint.
defaults.url.terms	https://form.cloud/agb.html	URL for the terms and conditions.
defaults.url.license	https://www.formcycle.de/lizenzbedingungen	URL for the licensing conditions.
defaults.url.formcycle	https://www.formcycle.de	URL to formcycle
defaults.url.formcloud	https://www.form.cloud	URL to the Formcloud.
defaults.url.loopback.base ^{since 5.0.17}		Alternative loopback URL for internal calls (e.g. print) .

Default language

Change the default language of the application by modifying these properties. The application itself is fully internationalizable.

Property	Default value	Explanation
defaults.systemeinstellung.language	-	Language code for the default language of the application.ISO-639 alpha-2 oder alpha-3.
defaults.systemeinstellung.county	-	Region code for the default language of the application. ISO 3166 alpha-2 country code or UN M.49 numeric-3 area code.
defaults.systemeinstellung.variant	-	Language variation for the default language of the application.

To prevent attacks on user passwords, you can limit how often each user may fail to enter the correct password before they are locked out for a certain amount of time.

By default, a user must wait for 15 minutes after 5 consecutive failed login attempts.

On a technical level, the system stores one entry per user in a cache, with data related to the login attempts. The cache can be configured via the following properties:

Property	Default value	Explanation
login.duplicated.message.suppress	false	Whether to show a message when a user logs in and another session already exists for the same user.
login.fails.lock.timeout	900 (=15 minutes)	The amount of time in seconds a user needs to wait after using up all their login attempts. If the value is less than 60, it is clamped to 60.
login.fails.lock.count	5	The number of consecutive failed login attempts before a user is locked out. Set to 0 for an unlimited amount of attempts.
login.fails.lock.onfullcache	true	Whether the system is locked when the login cache is full. Users cannot login anymore if the system is locked.
login.fails.cache.heap.count	10000	The number of login attempts kept in memory. If less than or equal to 0, it is set to 1000.
login.fails.lock.maxentries	11000	The maximum number of login attempts stored in the cache. If the cache is full, no more logins are allowed. Set to 0 to disable the limit.
login.fails.cache.disk.size	102400	The number of login attempts stored on the hard disk. Set to 0 to disable the limit. When disabled, the cache uses up as much disk space as required. If less than 0, it is set to 1000.
last.login.save	false	Whether the most recent date when a user signed in is saved and shown for each client.

An example for a configuration requiring a user to wait to 100 minutes after 10 failed login attempts.

login.fails.lock.timeout=6000
login.fails.lock.count=10

The number of login attempts before a user is locked out is separate for each master server and frontend server. Please note that this may change in upcoming releases.

Forgot password email

8.1.0

To prevent email flooding attacks, you can limit how often a user may send an email to themselves with instruction on how to change the password. When a user attempts to send too many email, they need to wait for a certain amount of time before another emali can be sent.

By default, a user must wait for 15 minutes after sending 5 password emails.

On a technical level, the system stores one entry per user in a cache, with data related to the sent emails. The cache can be configured via the following properties:

Property	Default value	Explanation
password.reset.attempt.lock.timeout	900 (15 min)	The amount of time in seconds a user needs to wait after sending too many password emails. If the value is less than 60, it is set to 60.
password.reset.attempt.lock.count	5	The number of password emails a user may send before they need to wait for a certain amount of time. Set to 0 for an unlimited amount of emails.
password.reset.attempt.lock.onfullcache	true	Whether no more emails can be sent when the login cache is full.
password.reset.attempt.lock.maxentries	11000	The maximum number of entries stored in the cache. If the cache is full, no more emails can be send (unless this behavior is disabled via password.reset.attempt.lock.onfullcache). Set to 0 to disable the limit.
password.reset.attempt.cache.disk.size	102400	The number of cache entries stored on the hard disk. Set to 0 to disable the limit. When disabled, the cache uses up as much disk space as required. If less than 0, it is set to 1000.
password.reset.attempt.cache.heap.count	10000	The number of cache entries kept in memory. If less than or equal to 0, it is set to 1000.
password.reset.attempt.time.expire	3600	Time in seconds the until the cache removes entries. This value should be equal to or greater than password.reset.attempt.lock.timeout.

System

Property	Default value	Explanation
bot.field.name	x-i-m-a-5536-required	Name of the hidden input field for detecting bots. Since V7, the field name is automatically renewed when the form is opened.
7.1.0+ bot.field.autocomplete	new-password	Value for the autocomplete attribute of the bot field. When this property is not present, it defaults to new-password. When the value is empty, the autocomplete attribute is not set. Any other value is used for the autocomplete attribute.
defaults.systemeinstellung.loginName	sadmin	Login name for the super administrator of the system.
defaults.systemeinstellung.passwort	hash(admin)	Login name for the super administrator of the system. Should be changed after installing the application. The password is stored hashed, it should not be set manually in the configuration file, but only via the user interface.
cluster.implementation	jgroups	The implementation used for clustering. Allowed options are jgroups and shoal.
system.server.id	(generated)	Unique ID of the server which can be included in the HTTP header and attached to the submit URL of a form for the use of load balancers. See HTTP.
7.1.0+ monitoring.enabled	false	Whether the frontend server monitoring URL is enabled.
7.1.0+ monitoring.allowed.hosts	(empty)	List of host, that are allowd to access the frontend server monitoring URL . localhost (loopback) is always granted access.
defaults.http.use_system_properties 7.2.0+	true	When true, uses settings from JVM system properties to configure HTTP requests. The following system properties are read: https.protocols, https.cipherSuites, http.keepAlive, http.maxConnections, http.agent. In addition, when a proxy was configured for the JVM, that proxy is used unless an explicit proxy server was configured within formcycle. Finally, when attempting to access protected resources, the default system credentials provider is also queried for credentials.
plugin.unpack.jar.file	true	Whether to unpack uploaded JAR files. The default value is true, which works with all Java versions. Before formcycle version 8, JAR file were not unpacked, which may or may not work, depending on the Java version. This setting exists as a fallback when the new behavior does not work properly. Do not change this setting unless absolutely necessary.

Limits

Property	Default value	Explanation
defaults.upload.max_size	-1	Maximum size in bytes for file uploads within forms. Applies to each file individually. Set to -1 to disable.
defaults.query.database.max_rowcount	5000	Maximum number of returned rows for a query to the database. Set to 0 to disable.
defaults.upload.max_fieldsize	0	Maximum size in bytes when retrieving columns of type character (eg. char or varchar) or binary. Set to 0 to disable.

Frontend server

These settings control the connection to the frontend server. They should be edited via the user interface.

Property	Default value	Explanation
fs.settings.interface	0.0.0.0	The network interface the frontend server uses for listening to connections from the master server.
fs.settings.port	4753	The port for the connection to the master server.
fs.settings.ssl.use	false	Whether the connection between the master serverand frontend server is encrypted via SSL.
fs.settings.authKey	(empty string)	The token of this frontend server. Used to check if the master server is authorized to establish a connection to this frontend server.
fs.settings.ssl.keystore.path	(empty string)	The path to the keystore file (on the file system) for the connection. Required if SSL is used.
fs.settings.ssl.keystore.pass	(empty string)	The password needed to access the keystore. Required if SSL is used.
fs.settings.statuspage.type	all	Controls what is shown on the status page of the frontend server. The following values are supported: all - Shows all details about the frontend server. This is the previous behavior. status-code-only - Only returns an HTTP status code, but no HTML content with further details. The status code indicates whether the frontend server is connnected. none - Returns no information. All attempts to access the status page are rejected with a 404 HTTP status code.

LDAP

Property	Default value	Explanation
ldap.override.filter.user	(\|(objectclass=user)(objectclass=person)(objectclass=inetOrgPerson)(objectclass=organizationalPerson))	LDAP filter for searching for available LDAP users. By default, finds all objects with the object class user, person, inetOrgPerson, or organinsationalPerson.
ldap.override.filter.user.login	(\|(sAMAccountName={0})(userPrincipalName={0})(uid={0}))	LDAP-Filter for locating a user with a given login name. Specify the login name with the placeholder {0}. By default, finds all users if the attribute sAMAccountName, userPrincipalName or uid matches the login name.
ldap.override.filter.kerberos.user	Value of the user query see above.	LDAP filter for searching a user after Kerberos authentication. The available login corresponds to the pattern <username>(/<instance>)@<REALM> where the /<instance> part is optional. Using the example test/admin@EXAMPLE.COM, the individual components are available in the corresponding filter as follows: {0}=test/admin@EXAMPLE.COM, {1}=test/admin, {2}=test,{3}=admin,{4}=EXAMPLE.COM. For example, to perform a user search within a single-domain environment with a non-standard userPrincipalName, the query could be defined as follows: (sAMAccountName={2})
ldap.override.filter.group	(\|(objectclass=group)(objectclass=groupofnames)(objectclass=groupofuniquenames))	LDAP filter for searching for LDAP groups. By default, searches for all objects with the object class group, groupofnames, or groupofuniquenames.

HTTP

Property	Default value	Explanation
http.header.referer	same-origin	The referre policy for HTTP responses. You can also change this setting in the system settings menu .
http.header.hsts.max	(empty)	The value for the max-age of the HTTP Strict Transport Security. You can also change this setting in the system settings menu .
http.header.hsts.sub	false	Whether the HTTP Strict Transport Security should be applied to sub domains as well. You can also change this setting in the system settings menu .
http.header.serverid.name	(not available)	Specifies the header name with which the system.server.id is written to all requests. If this entry exists but is empty the corresponding header will not be set. If the entry does not exist the default XFC-Server-Id is used.
http.param.serverid.name	(not available)	Specifies the name of the URL parameter used to append the system.server.id to the form submission URL. If the value is empty or not available, no parameter will be appended.
http.header.csp.backend 7.2.1+	(empty)	Sets the value for the HTTP headder Content-Security-Policy in the backend (configuration UI). You can also edit this value in the backend via the menu System, General.
http.header.csp.frontend 7.2.1+	(empty)	Sets the value for the HTTP headder Content-Security-Policy in the frontend (web form). You can also edit this value in the backend via the menu System, General.
http.header.csp.reportonly.backend 7.2.1+	(empty)	Sets the value for the HTTP headder Content-Security-Policy-Report-Only in the backend (configuration UI). You can also edit this value in the backend via the menu System, General.
http.header.csp.reportonly.frontend 7.2.1+	(empty)	Sets the value for the HTTP headder Content-Security-Policy-Report-Only in the frontend (web forms). You can also edit this value in the backend via the menu System, General.

Debug

Property	Default value	Explanation
debug.show_sql	false	Sets the Hibernate properties hibernate.show_sql and hibernate.format_sql to true. Write all executed SQL statements to the console.

Quartz jobs

Property	Default value	Explanation
cleanup.worker.active	true	Whether the system cleanup job is active and run periodically. The system clean up jobs, for example, checks for unconfirmed form records waitning for a double opt-in confirmation, and deletes them when they are expired.
cleanup.worker.cronexpression	0 0,15,30,45 * ? * *	The cron expression for the system clean up job that indicates when and how often that job is run. The system clean up jobs, for example, checks for unconfirmed form records waitning for a double opt-in confirmation, and deletes them when they are expired.
quartz.threadpool.thread.count 7.0.10+	10	The number of threads for the scheduler. Default value is 10. When set to 0, new jobs are created, but no jobs are executed. This is useful in scenarios when the jobs should be run by another server.
quartz.scheduler.check.interval 7.0.10+	30000	Is the amount of time in milliseconds that the scheduler will wait before re-queries for available triggers when the scheduler is otherwise idle. Normally you should not have to 'tune' this parameter, unless you’re using XA transactions, and are having problems with delayed firings of triggers that should fire immediately. Values less than 5000 ms are not recommended as it will cause excessive database querying. Values less than 1000 are not legal.
quartz.jobstore.misfire.threshold 7.0.10+	60000	The number of milliseconds the scheduler will 'tolerate' a trigger to pass its next-fire-time by, before being considered "misfired". The default value (if you don’t make an entry of this property in your configuration) is 60000 (60 seconds).

Sending of emails

The following properties must be stored in the system-mail.properties file in order to be used.

Property	Default value	Explanation
mail.smtp.connectiontimeout 7.0.4+	300000	SMTP Socket connection timeout value in milliseconds.
mail.smtp.timeout 7.0.4+	300000	SMTP Socket I/O timeout value in milliseconds.

Property	Default value	Explanation
validity.period.credentials.reset.days	1	Specifies the validity period of the link for setting a (new) password for the user profile in days.
validity.period.email.verification.days	1	Specifies the validity period of the link for verifying an email address in the user profile in days.
validity.period.primary.email.change.days	1	Specifies the validity period in days of the link for changing the primary email address of a user profile.
validity.period.user.identity.removal.days	1	Specifies the validity period in days of the link to remove an account link from the user profile.
validity.period.user.profile.merge.days	1	Specifies the validity period of the link for connecting user profiles in days.
validity.period.user.profile.delete.days	1	Specifies the validity period of the link to delete the user profile in days.
validity.period.user.invitation.days	1	Specifies the validity period of the link to a client invitation in days.
validity.period.mfa.registration.minutes	60	Specifies the validity period of the link for registering two-factor authentication using the Authenticator app in minutes.
validity.period.mfa.removal.minutes	60	Specifies the validity period of the link to disable two-factor authentication in minutes.
validity.period.mfa.code.minutes	10	Specifies the validity period of the two-factor authentication email authentication code in minutes.

Workflow

The following properties can be used to selectively enable or disable certain events or actions of the new workflow.

The properties for events share the following pattern:

trigger.<technischer_name_des_ereignisses>.enable=false

The properties for actions share the following pattern:

processing.<technischer_name_der_aktion>.enable=false

The technical event names are as follows:

fc_catch_error: Workflow error
fc_doi_verified: Double opt-in confirmed
fc_form_submit_button: Technical name
fc_invitation_error: Invitation failed
fc_invitation_sent: Invitation sent
fc_manual: Custom
fc_qualified_form_submit_button: Submit button
fc_state_timer: After state change
fc_time_point: Date and time

The technical action names are as follows:

fc_change_form_availability: Change availability
fc_change_form_value: Change form values
fc_change_state: Set state
fc_compress_as_zip: Compress files
fc_copy_form_record: Copy form record
fc_counter: Change counter
fc_create_text_file: Create text file
fc_decode_base64: Decode a base64 string into a file.
fc_delete_form_record: Delete form record
fc_doi_init: Send double opt-in email
fc_email: Email
fc_empty: Empty statement
fc_encode_base64: Convert a file into a base64 string
fc_experiment: Handle errors
fc_export_to_persistence: Export to persistence file
fc_export_to_xml: Export as XML
fc_fill_pdf: Fill PDF document
fc_fill_word: Fill word document
fc_import_form_value_from_xml: Import from XML
fc_ldap_query: LDAP query
fc_log_entry: Create a protocol entry.
fc_move_form_record_to_inbox: Move to inbox
fc_multiple_condition: Condition (Check value)
fc_post_request: HTTP request
fc_process_log_pdf: Create a PDF document with the history of a form record
fc_provide_resource: Provide file
fc_queue_task: Queue custom event
fc_redirect: Redirect
fc_renew_process_id: Create new process ID
fc_return: Stop processing chain
fc_return_file: File download
fc_save_to_file_system: Save to file system
fc_set_saved_flag: Save
fc_show_template: HTML response page
fc_sql_statement: Database query
fc_switch: Switch action
fc_switch_case Switch case
fc_switch_default Switch default case
fc_throw_exception: Throw error
fc_write_form_record_attributes: Set server attribute
sequence: Block statement

fs.settings.statuspage.type