References
Settings
The following table lists all configuration settings available in Structr. You can view and modify these settings in the Configuration Interface, which opens in a separate browser tab when you click the wrench icon in the Admin UI header bar. The Configuration Interface requires authentication with the superuser password from structr.conf. Alternatively, you can edit the structr.conf file directly and restart the server.
Advanced Settings
| Name | Description |
|---|---|
| json.redundancyreduction | If enabled, nested nodes (which were already rendered in the current output) are rendered with a limited set of attributes (id, type, name). |
| json.lenient | Whether to use lenient serialization, e.g. allow NaN, -Infinity and Infinity to be serialized instead of just returning null. Note: as long as JavaScript doesn’t support NaN etc., most of the UI will be broken. |
| json.output.forcearrays | If enabled, collections with a single element are always represented as a collection. |
| json.reductiondepth | For restricted views (ui, custom, all), only a limited set of attributes (id, type, name) is rendered for nested objects after this depth. The default is 0, meaning that on the root depth (0), all attributes are rendered and reduction starts at depth 1. Can be overridden on a per-request basis by using the request parameter _outputReductionDepth. |
| json.output.dateformat | Output format pattern for date objects in JSON |
| geocoding.provider | Geocoding configuration |
| geocoding.language | Geocoding configuration |
| geocoding.apikey | Geocoding configuration |
| dateproperty.defaultformat | Default ISO8601 date format pattern |
| zoneddatetimeproperty.defaultformat | Default zoneddatetime format pattern |
Application Configuration Settings
| Name | Description |
|---|---|
| application.changelog.enabled | Turns on logging of changes to nodes and relationships |
| application.changelog.user_centric.enabled | Turns on user-centric logging of what a user changed/created/deleted |
| application.filesystem.enabled | If enabled, Structr will create a separate home directory for each user. The home directory of authenticated users will override the default upload folder setting. See Filesystem for more information. |
| application.filesystem.unique.paths | If enabled, Structr will not allow files/folders of the same name in the same folder and automatically rename the file. |
| application.filesystem.unique.insertionposition | Defines the insertion position of the uniqueness criterion (currently a timestamp). |
| application.filesystem.checksums.default | List of additional checksums to be calculated on file creation by default. (File.checksum is always populated with an xxHash) |
| application.filesystem.indexing.enabled | Whether indexing is enabled globally (can be controlled separately for each file) |
| application.filesystem.indexing.maxsize | Maximum size (MB) of a file to be indexed |
| application.uploads.folder | The default upload folder for files uploaded via the UploadServlet. This must be a valid folder path and cannot be empty (uploads to the root directory are not allowed). |
| application.feeditem.indexing.remote | Whether indexing for type FeedItem will index the target URL of the FeedItem or the description |
| application.feeditemcontent.indexing.enabled | Whether indexing is enabled for type FeedItemContent |
| application.feeditemcontent.indexing.limit | Maximum number of words to be indexed per FeedItemContent. |
| application.feeditemcontent.indexing.minlength | Minimum length of words to be indexed for FeedItemContent |
| application.feeditemcontent.indexing.maxlength | Maximum length of words to be indexed for FeedItemContent |
| application.remotedocument.indexing.enabled | Whether indexing is enabled for type RemoteDocument |
| application.remotedocument.indexing.limit | Maximum number of words to be indexed per RemoteDocument. |
| application.remotedocument.indexing.minlength | Minimum length of words to be indexed for RemoteDocument |
| application.remotedocument.indexing.maxlength | Maximum length of words to be indexed for RemoteDocument |
| application.proxy.mode | Sets the mode of the proxy servlet. Possible values are ‘disabled’ (off, servlet responds with 503 error code), ‘protected’ (only authenticated requests allowed) and ‘public’ (anonymous requests allowed). Default is disabled. |
| application.httphelper.timeouts.connectionrequest | Timeout for outbound connections in seconds to wait when requesting a connection from the connection manager. A timeout value of zero is interpreted as an infinite timeout. |
| application.httphelper.timeouts.connect | Timeout for outbound connections in seconds to wait until a connection is established. A timeout value of zero is interpreted as an infinite timeout. |
| application.httphelper.timeouts.socket | Socket timeout for outbound connections in seconds to wait for data or, put differently, a maximum inactivity period between two consecutive data packets. A timeout value of zero is interpreted as an infinite timeout. |
| application.httphelper.useragent | User agent string for outbound connections |
| application.httphelper.charset | Default charset for outbound connections |
| application.httphelper.urlwhitelist | A comma-separated list of URL patterns that can be used in HTTP request scripting functions (GET, PUT, POST etc.). If this value is anything other than *, whitelisting is applied to all outgoing requests. |
| application.schema.automigration | Enable automatic migration of schema information between versions (if possible – may delete schema nodes) |
| application.schema.allowunknownkeys | Enables get() and set() built-in functions to use property keys that are not defined in the schema. |
| application.localization.logmissing | Turns on logging for requested but non-existing localizations. |
| application.localization.usefallbacklocale | Turns on usage of the fallback locale if no localization is found for the current locale |
| application.localization.fallbacklocale | The default locale used if no localization is found and using a fallback is active. |
| deployment.schema.format | Configures how the schema is exported in a deployment export. ‘file’ exports the schema as a single file. ‘tree’ exports the schema as a tree where methods/function properties are written to single files in a tree structure. |
| deployment.data.import.nodes.batchsize | Sets the batch size for data deployment when importing nodes. |
| deployment.data.import.relationships.batchsize | Sets the batch size for data deployment when importing relationships. |
| deployment.data.export.nodes.batchsize | Sets the batch size for data deployment when exporting nodes. The relationships for each node are collected and exported while the node itself is exported. It can make sense to reduce this number if all/most nodes have a very high number of relationships. |
| application.encryption.secret | Sets the global secret for encrypted string properties. Using this configuration setting is one of several possible ways to set the secret. Using the set_encryption_key() function is a way to set the encryption key without persisting it on disk. |
| callbacks.logout.onsave | Setting this to true enables the execution of the User.onSave method when a user logs out. Disabled by default because the global login handler onStructrLogout would be the right place for such functionality. |
| callbacks.login.onsave | Setting this to true enables the execution of the User.onSave method for login actions. This will also trigger for failed login attempts and for two-factor authentication intermediate steps. Disabled by default because the global login handler onStructrLogin would be the right place for such functionality. |
| application.xml.parser.security | Enables various security measures for XML parsing to prevent exploits. |
Cron Jobs Settings
| Name | Description |
|---|---|
| cronservice.tasks | List with cron task configurations or method names. This only configures the list of tasks. For each task, there needs to be another configuration entry named ‘ |
| cronservice.allowparallelexecution | Enables the parallel execution of the same cron job. This can happen if the method runs longer than the defined cron interval. Since this could lead to problems, the default is false. |
Database Configuration Settings
| Name | Description |
|---|---|
| database.cache.uuid.size | Size of the database driver relationship cache |
| database.result.lazy | Forces Structr to use lazy evaluation for relationship queries |
| log.cypher.debug | Turns on debug logging for the generated Cypher queries |
| log.cypher.debug.ping | Turns on debug logging for the generated Cypher queries of the websocket PING command. Can only be used in conjunction with log.cypher.debug |
| database.result.softlimit | Soft result count limit for a single query (can be overridden by setting the _pageSize request parameter or by setting the request parameter _disableSoftLimit to a non-null value) |
| database.result.fetchsize | Number of database records to fetch per batch when fetching large results |
| database.prefetching.threshold | How many identical queries must run in a transaction to activate prefetching for that query. |
| database.prefetching.maxduration | How long a prefetching query may take before prefetching will be deactivated for that query. |
| database.prefetching.maxcount | How many results a prefetching query may return before prefetching will be deactivated for that query. |
DoS Filter Settings
| Name | Description |
|---|---|
| httpservice.dosfilter.ratelimiting | Enables rate limiting using Jetty’s DoSFilter. |
| httpservice.dosfilter.maxrequestspersec | The maximum number of requests from a connection per second. Requests in excess of this are first delayed, then throttled. |
| httpservice.dosfilter.delayms | The delay given to all requests over the rate limit, before they are considered at all. -1 means just reject the request, 0 means no delay, otherwise it is the delay. |
| httpservice.dosfilter.maxwaitms | How long to wait (blocking) for the throttle semaphore, in milliseconds. |
| httpservice.dosfilter.throttledrequests | The number of requests over the rate limit able to be considered at once. |
| httpservice.dosfilter.throttlems | How long to wait (async) for the semaphore, in milliseconds. |
| httpservice.dosfilter.maxrequestms | How long to allow a request to run, in milliseconds. |
| httpservice.dosfilter.maxidletrackerms | How long to keep track of request rates for a connection before deciding that the user has gone away and discarding it, in milliseconds. |
| httpservice.dosfilter.insertheaders | If true, insert the DoSFilter headers into the response. |
| httpservice.dosfilter.remoteport | If true, the rate is tracked by IP+port (effectively connection). If false, the rate is tracked by IP address only. |
| httpservice.dosfilter.ipwhitelist | A comma-separated list of IP addresses that will not be rate limited. Defaults to localhost. |
| httpservice.dosfilter.managedattr | If set to true, this servlet is set as a ServletContext attribute with the filter name as the attribute name. This allows context external mechanisms (e.g. JMX via ContextHandler managed attribute) to manage the configuration of the filter. |
| httpservice.dosfilter.toomanycode | The HTTP status code to send if there are too many requests. The default is 429 (too many requests), but 503 (service unavailable) is another option. |
General Settings
| Name | Description |
|---|---|
| application.title | The title of the application as shown in the log file. This entry exists for historical reasons and has no functional impact other than appearing in the log file. |
| application.instance.name | The name of the Structr instance (displayed in the top right corner of structr-ui) |
| application.instance.stage | The stage of the Structr instance (displayed in the top right corner of structr-ui) |
| application.console.cypher.maxresults | The maximum number of results returned by a cypher query in the admin console. If a query yields more results, an error message is shown. |
| application.runtime.enforce.recommended | Enforces version check for Java runtime. |
| application.systeminfo.disabled | Disables transmission of telemetry information. This information is used to improve the software and to better adapt to different hardware configurations. |
| application.legacy.requestparameters.enabled | Enables pre-4.0 request parameter names (sort, page, pageSize, etc. instead of _sort, _page, _pageSize, …) |
| application.heap.min_size | Minimum Java heap size (-Xms). Examples: 512m, 1g, 2g. Note: Changes require a restart of Structr. |
| application.heap.max_size | Maximum Java heap size (-Xmx). Examples: 2g, 4g, 8g. Note: Changes require a restart of Structr. |
| application.timezone | Application timezone (e.g. UTC, Europe/Berlin). If not set, falls back to system timezone or UTC. Note: Changes require a restart of Structr. |
| application.uuid.allowedformats | Configures which UUIDv4 types are allowed: With dashes, without dashes or both. |
| application.uuid.createcompact | Determines if UUIDs are created with or without dashes. This setting is only used if application.uuid.allowedformats is set to both. WARNING: Requires a restart to take effect. |
| application.email.validation.regex | Regular expression used to validate email addresses for User.eMail and is_valid_email() function. |
| application.scripting.debugger | Enables Chrome debugger initialization in scripting engine. The current debugger URL will be shown in the server log and also made available on the dashboard. |
| application.scripting.js.wrapinmainfunction | Forces js scripts to be wrapped in a main function for legacy behaviour. |
| application.scripting.allowedhostclasses | Space-separated list of fully-qualified Java class names that you can load dynamically in a scripting environment. |
| application.cluster.enabled | Enables cluster mode (experimental) |
| application.cluster.name | The name of the Structr cluster |
| application.cluster.log.enabled | Enables debug logging for cluster mode communication |
| application.stats.aggreation.interval | Minimum aggregation interval for HTTP request stats. |
| base.path | Path of the Structr working directory. All files will be located relative to this directory. |
| tmp.path | Path to the temporary directory. Uses java.io.tmpdir by default |
| files.path | Path to the Structr file storage folder |
| changelog.path | Path to the Structr changelog storage folder |
| data.exchange.path | IMPORTANT: Path is relative to base.path |
| scripts.path | Path to the Structr scripts folder. IMPORTANT: Path is relative to base.path |
| scripts.path.allowsymboliclinks | Setting to true disables an additional check that disallows symbolic links in script paths. |
| scripts.path.allowpathtraversal | Setting to true disables an additional check that disallows path traversals (.. in path). |
| log.level | Configures the default log level. Takes effect immediately. |
| log.querytime.threshold | Milliseconds after which a long-running query will be logged. |
| log.callback.threshold | Number of callbacks after which a transaction will be logged. |
| log.functions.stacktrace | If true, the full stacktrace is logged for exceptions in system functions. |
| log.scriptprocess.commandline | Configures the default logging behaviour for the command line generated for script processes. This applies to the exec() and exec_binary() functions, as well as some processes handling media conversion or processing. For the exec() and exec_binary() functions, this can be overridden for each call of the function. |
| log.directorywatchservice.scanquietly | Prevents logging of each scan process for every folder processed by the directory watch service |
| configuration.provider | Fully-qualified class name of a Java class in the current class path that implements the org.structr.schema.ConfigurationProvider interface. |
| configured.services | Services that are listed in this configuration key will be started when Structr starts. |
Licensing Settings
| Name | Description |
|---|---|
| license.key | Base64-encoded string that contains the complete license data, typically saved as ‘license.key’ in the main directory. |
| license.validation.timeout | Timeout in seconds for license validation requests. |
| license.allow.fallback | Allow Structr to fall back to the Community License if no valid license exists (or license cannot be validated). Set this to false in production environments to prevent Structr from starting without a license. |
Miscellaneous Settings
| Name | Description |
|---|---|
| translation.google.apikey | Google Cloud Translation API Key |
| translation.deepl.apikey | DeepL API Key |
OAuth Settings
| Name | Description |
|---|---|
| oauth.servers | Space-separated list of available OAuth services. Defaults to a list of all available services. |
| oauth.logging.verbose | Optional. Enables verbose logging for OAuth login. Useful for debugging. |
| oauth.github.authorization_location | Optional. URL of the authorization endpoint. Uses default GitHub endpoint if not set. |
| oauth.github.token_location | Optional. URL of the token endpoint. Uses default GitHub endpoint if not set. |
| oauth.github.client_id | Required. Client ID from your GitHub OAuth application. |
| oauth.github.client_secret | Required. Client secret from your GitHub OAuth application. |
| oauth.github.redirect_uri | Optional. Structr endpoint for the OAuth authorization callback. Defaults to ‘/oauth/github/auth’. |
| oauth.github.user_details_resource_uri | Optional. User details endpoint. Defaults to ‘https://api.github.com/user’. |
| oauth.github.error_uri | Optional. Redirect URI on unsuccessful authentication. Defaults to ‘/login’. |
| oauth.github.return_uri | Optional. Redirect URI on successful authentication. Defaults to ‘/’. |
| oauth.github.logout_uri | Optional. Logout URI. Defaults to ‘/logout’. |
| oauth.github.scope | Optional. OAuth scope. Defaults to ‘user:email’. |
| oauth.linkedin.authorization_location | Optional. URL of the authorization endpoint. Uses default LinkedIn endpoint if not set. |
| oauth.linkedin.token_location | Optional. URL of the token endpoint. Uses default LinkedIn endpoint if not set. |
| oauth.linkedin.client_id | Required. Client ID from your LinkedIn OAuth application. |
| oauth.linkedin.client_secret | Required. Client secret from your LinkedIn OAuth application. |
| oauth.linkedin.redirect_uri | Optional. Structr endpoint for the OAuth authorization callback. Defaults to ‘/oauth/linkedin/auth’. |
| oauth.linkedin.user_details_resource_uri | Optional. User details endpoint. Defaults to ‘https://api.linkedin.com/v2/userinfo’. |
| oauth.linkedin.error_uri | Optional. Redirect URI on unsuccessful authentication. Defaults to ‘/login’. |
| oauth.linkedin.return_uri | Optional. Redirect URI on successful authentication. Defaults to ‘/’. |
| oauth.linkedin.logout_uri | Optional. Logout URI. Defaults to ‘/logout’. |
| oauth.linkedin.scope | Optional. OAuth scope. Defaults to ‘openid profile email’. |
| oauth.google.authorization_location | Optional. URL of the authorization endpoint. Uses default Google endpoint if not set. |
| oauth.google.token_location | Optional. URL of the token endpoint. Uses default Google endpoint if not set. |
| oauth.google.client_id | Required. Client ID from your Google Cloud Console OAuth credentials. |
| oauth.google.client_secret | Required. Client secret from your Google Cloud Console OAuth credentials. |
| oauth.google.redirect_uri | Optional. Structr endpoint for the OAuth authorization callback. Defaults to ‘/oauth/google/auth’. |
| oauth.google.user_details_resource_uri | Optional. User details endpoint. Defaults to ‘https://www.googleapis.com/oauth2/v3/userinfo’. |
| oauth.google.error_uri | Optional. Redirect URI on unsuccessful authentication. Defaults to ‘/login’. |
| oauth.google.return_uri | Optional. Redirect URI on successful authentication. Defaults to ‘/’. |
| oauth.google.logout_uri | Optional. Logout URI. Defaults to ‘/logout’. |
| oauth.google.scope | Optional. OAuth scope. Defaults to ‘email’. |
| oauth.facebook.authorization_location | Optional. URL of the authorization endpoint. Uses default Facebook endpoint if not set. |
| oauth.facebook.token_location | Optional. URL of the token endpoint. Uses default Facebook endpoint if not set. |
| oauth.facebook.client_id | Required. App ID from your Facebook Developer application. |
| oauth.facebook.client_secret | Required. App secret from your Facebook Developer application. |
| oauth.facebook.redirect_uri | Optional. Structr endpoint for the OAuth authorization callback. Defaults to ‘/oauth/facebook/auth’. |
| oauth.facebook.user_details_resource_uri | Optional. User details endpoint. Defaults to ‘https://graph.facebook.com/me’. |
| oauth.facebook.error_uri | Optional. Redirect URI on unsuccessful authentication. Defaults to ‘/login’. |
| oauth.facebook.return_uri | Optional. Redirect URI on successful authentication. Defaults to ‘/’. |
| oauth.facebook.logout_uri | Optional. Logout URI. Defaults to ‘/logout’. |
| oauth.facebook.scope | Optional. OAuth scope. Defaults to ‘email’. |
| oauth.auth0.tenant | Required (recommended). Auth0 tenant domain (e.g., ‘your-tenant.auth0.com’). When set, authorization_location and token_location are built automatically. |
| oauth.auth0.authorization_path | Optional. Path to authorization endpoint. Only used with tenant setting. Defaults to ‘/authorize’. |
| oauth.auth0.token_path | Optional. Path to token endpoint. Only used with tenant setting. Defaults to ‘/oauth/token’. |
| oauth.auth0.userinfo_path | Optional. Path to userinfo endpoint. Only used with tenant setting. Defaults to ‘/userinfo’. |
| oauth.auth0.authorization_location | Required if tenant not set. Full URL of the authorization endpoint. Ignored if tenant is configured. |
| oauth.auth0.token_location | Required if tenant not set. Full URL of the token endpoint. Ignored if tenant is configured. |
| oauth.auth0.client_id | Required. Client ID from your Auth0 application. |
| oauth.auth0.client_secret | Required. Client secret from your Auth0 application. |
| oauth.auth0.redirect_uri | Optional. Structr endpoint for the OAuth authorization callback. Defaults to ‘/oauth/auth0/auth’. |
| oauth.auth0.user_details_resource_uri | Optional. User details endpoint. Built from tenant if not set. |
| oauth.auth0.error_uri | Optional. Redirect URI on unsuccessful authentication. Defaults to ‘/login’. |
| oauth.auth0.return_uri | Optional. Redirect URI on successful authentication. Defaults to ‘/’. |
| oauth.auth0.logout_uri | Optional. Logout URI. Defaults to ‘/logout’. |
| oauth.auth0.scope | Optional. OAuth scope. Defaults to ‘openid profile email’. |
| oauth.auth0.audience | Optional. The API audience (identifier) of your Auth0 API. Required for API access tokens. |
| oauth.azure.tenant_id | Required. Azure AD tenant ID, or ‘common’ for multi-tenant apps, or ‘organizations’ for work accounts only. |
| oauth.azure.authorization_location | Optional. URL of the authorization endpoint. Built automatically from tenant_id if not set. |
| oauth.azure.token_location | Optional. URL of the token endpoint. Built automatically from tenant_id if not set. |
| oauth.azure.client_id | Required. Application (client) ID from Azure AD app registration. |
| oauth.azure.client_secret | Required. Client secret from Azure AD app registration. |
| oauth.azure.redirect_uri | Optional. Structr endpoint for the OAuth authorization callback. Defaults to ‘/oauth/azure/auth’. |
| oauth.azure.user_details_resource_uri | Optional. User details endpoint. Defaults to ‘https://graph.microsoft.com/v1.0/me’. |
| oauth.azure.error_uri | Optional. Redirect URI on unsuccessful authentication. Defaults to ‘/login’. |
| oauth.azure.return_uri | Optional. Redirect URI on successful authentication. Defaults to ‘/’. |
| oauth.azure.logout_uri | Optional. Logout URI. Defaults to ‘/logout’. |
| oauth.azure.scope | Optional. OAuth scope. Defaults to ‘openid profile email’. |
| oauth.keycloak.server_url | Required. Keycloak server URL (e.g., ‘https://keycloak.example.com’). |
| oauth.keycloak.realm | Required. Keycloak realm name. Defaults to ‘master’. |
| oauth.keycloak.authorization_location | Optional. URL of the authorization endpoint. Built automatically from server_url and realm if not set. |
| oauth.keycloak.token_location | Optional. URL of the token endpoint. Built automatically from server_url and realm if not set. |
| oauth.keycloak.client_id | Required. Client ID from your Keycloak client configuration. |
| oauth.keycloak.client_secret | Required. Client secret from your Keycloak client configuration. |
| oauth.keycloak.redirect_uri | Optional. Structr endpoint for the OAuth authorization callback. Defaults to ‘/oauth/keycloak/auth’. |
| oauth.keycloak.user_details_resource_uri | Optional. User details endpoint. Built automatically from server_url and realm if not set. |
| oauth.keycloak.error_uri | Optional. Redirect URI on unsuccessful authentication. Defaults to ‘/login’. |
| oauth.keycloak.return_uri | Optional. Redirect URI on successful authentication. Defaults to ‘/’. |
| oauth.keycloak.logout_uri | Optional. Logout URI. Defaults to ‘/logout’. |
| oauth.keycloak.scope | Optional. OAuth scope. Defaults to ‘openid profile email’. |
Security Settings
| Name | Description |
|---|---|
superuser.username |
Name of the superuser |
superuser.password |
Password of the superuser |
security.authentication.propertykeys |
List of property keys separated by space in the form of |
initialuser.create |
Enables or disables the creation of an initial admin user when connecting to a database that has never been used with structr. |
initialuser.name |
Name of the initial admin user. This will only be set if the user is created. |
initialuser.password |
Password of the initial admin user. This will only be set if the user is created. |
security.twofactorauthentication.issuer |
Must be URL-compliant in order to scan the created QR code |
security.twofactorauthentication.algorithm |
Respected by the most recent Google Authenticator implementations. Warning: Changing this setting after users are already confirmed will effectively lock them out. Set [User].twoFactorConfirmed to false to show them a new QR code. |
security.twofactorauthentication.digits |
Respected by the most recent Google Authenticator implementations. Warning: Changing this setting after users are already confirmed may lock them out. Set [User].twoFactorConfirmed to false to show them a new QR code. |
security.twofactorauthentication.period |
Defines the period that a TOTP code will be valid for, in seconds. Respected by the most recent Google Authenticator implementations. Warning: Changing this setting after users are already confirmed will effectively lock them out. Set [User].twoFactorConfirmed to false to show them a new QR code. |
security.twofactorauthentication.logintimeout |
Defines how long the two-factor login time window in seconds is. After entering the username and password the user has this amount of time to enter a two factor token before he has to re-authenticate via password |
security.twofactorauthentication.loginpage |
The application page where the user enters the current two factor token |
security.twofactorauthentication.whitelistedips |
A comma-separated (,) list of IPs for which two factor authentication is disabled. Both IPv4 and IPv6 are supported. CIDR notation is also supported. (e.g. 192.168.0.1/24 or 2A01:598:FF30:C500::/64) |
security.jwt.secrettype |
Selects the secret type that will be used to sign or verify a given access or refresh token |
security.jwt.secret |
Used if ‘security.jwt.secrettype’=secret. The secret that will be used to sign and verify all tokens issued and sent to Structr. Must have a min. length of 32 characters. |
security.jwt.jwtissuer |
The issuer for the JWTs created by this Structr instance. |
security.jwt.expirationtime |
Access token timeout in minutes. |
security.jwt.refreshtoken.expirationtime |
Refresh token timeout in minutes. |
security.jwt.keystore |
Used if ‘security.jwt.secrettype’=keypair. A valid keystore file containing a private/public keypair that can be used to sign and verify JWTs |
security.jwt.keystore.password |
The password for the given ‘security.jwt.keystore’ |
security.jwt.key.alias |
The alias of the private key of the given ‘security.jwt.keystore’ |
security.jwks.provider |
URL of the JWKS provider |
security.jwks.group.claim.key |
The name of the key in the JWKS response claims whose value(s) will be used to look for Group nodes with a matching jwksReferenceId. |
security.jwks.id.claim.key |
The name of the key in the JWKS response claims whose value will be used as the ID of the temporary principal object. |
security.jwks.name.claim.key |
The name of the key in the JWKS response claims whose value will be used as the name of the temporary principal object. |
security.jwks.admin.claim.key |
The name of the key in the JWKS response claims in whose values is searched for a value matching the value of security.jwks.admin.claim.value. |
security.jwks.admin.claim.value |
The value that must be present in the JWKS response claims object with the key given in security.jwks.admin.claim.key in order to give the requesting user admin privileges. |
security.passwordpolicy.forcechange |
Indicates if a forced password change is active |
security.passwordpolicy.onchange.clearsessions |
Clear all sessions of a user on password change. |
security.passwordpolicy.maxage |
The number of days after which a user has to change his password |
security.passwordpolicy.remindtime |
The number of days (before the user must change the password) where a warning should be issued. (Has to be handled in application code) |
security.passwordpolicy.maxfailedattempts |
The maximum number of failed login attempts before a user is blocked. (Can be disabled by setting to zero or a negative number) |
security.passwordpolicy.resetfailedattemptsonpasswordreset |
Configures if resetting the users password also resets the failed login attempts counter |
security.passwordpolicy.complexity.enforce |
Configures if password complexity is enforced for user passwords. If active, changes which violate the complexity rules, will result in an error and must be accounted for. |
security.passwordpolicy.complexity.minlength |
The minimum length for user passwords (only active if the enforce setting is active) |
security.passwordpolicy.complexity.requireuppercase |
Require at least one upper case character in user passwords (only active if the enforce setting is active) |
security.passwordpolicy.complexity.requirelowercase |
Require at least one lower case character in user passwords (only active if the enforce setting is active) |
security.passwordpolicy.complexity.requiredigits |
Require at least one digit in user passwords (only active if the enforce setting is active) |
security.passwordpolicy.complexity.requirenonalphanumeric |
Require at least one non-alphanumeric character in user passwords (only active if the enforce setting is active) |
application.ssh.forcepublickey |
Force use of public key authentication for SSH connections |
registration.allowloginbeforeconfirmation |
Enables self-registered users to log in without clicking the activation link in the registration email. |
registration.customuserattributes |
Attributes the registering user is allowed to provide. All other attributes are discarded. (eMail is always allowed) |
confirmationkey.passwordreset.validityperiod |
Validity period (in minutes) of the confirmation key generated when a user resets his password. Default is 30. |
confirmationkey.registration.validityperiod |
Validity period (in minutes) of the confirmation key generated during self registration. Default is 2 days (2880 minutes) |
confirmationkey.validwithouttimestamp |
How to interpret confirmation keys without a timestamp |
letsencrypt.wait |
Number of seconds to wait before trying to authorize the challenge. Default is 300 seconds (5 minutes). |
letsencrypt.challenge.type |
Challenge type for Let’s Encrypt authorization. Possible values are ‘http’ and ‘dns’. |
letsencrypt.domains |
Space-separated list of domains to fetch and update Let’s Encrypt certificates for |
letsencrypt.production.server.url |
URL of Let’s Encrypt server. Default is ‘acme://letsencrypt.org’ |
letsencrypt.staging.server.url |
URL of Let’s Encrypt staging server for testing only. Default is ‘acme://letsencrypt.org/staging’. |
letsencrypt.user.key.filename |
File name of the Let’s Encrypt user key. Default is ‘user.key’. |
letsencrypt.domain.key.filename |
File name of the Let’s Encrypt domain key. Default is ‘domain.key’. |
letsencrypt.domain.csr.filename |
File name of the Let’s Encrypt CSR. Default is ‘domain.csr’. |
letsencrypt.domain.chain.filename |
File name of the Let’s Encrypt domain chain. Default is ‘domain-chain.crt’. |
letsencrypt.key.size |
Encryption key length. Default is 2048. |
Server Settings
| Name | Description |
|---|---|
application.host |
The listen address of the Structr server. You can set this to your domain name if that name resolves to the IP of the server the instance is running on. |
application.http.port |
HTTP port the Structr server will listen on |
application.https.port |
HTTPS port the Structr server will listen on (if SSL is enabled) |
application.ssh.port |
SSH port the Structr server will listen on (if SSHService is enabled) |
application.ftp.port |
FTP port the Structr server will listen on (if FtpService is enabled) |
application.ftp.passiveportrange |
FTP port range for pasv mode. Needed if Structr is run in a docker container, so the port mapping can be done correctly. |
application.https.enabled |
Whether SSL is enabled |
application.keystore.path |
The path to the JKS keystore containing the SSL certificate. Default value is ‘domain.key.keystore’ which fits with the default value for letsencrypt.domain.key.filename which is ‘domain.key’. |
application.keystore.password |
The password for the JKS keystore |
application.rest.path |
Defines the URL path of the Structr REST server. Should not be changed because it is hard-coded in many parts of the application. |
application.baseurl.override |
Overrides the baseUrl that can be used to prefix links to local web resources. By default, the value is assembled from the protocol, hostname and port of the server instance Structr is running on |
application.root.path |
Root path of the application, e.g. in case Structr is being run behind a reverse proxy with additional path prefix in URI. If set, the value must start with a ‘/’ and have no trailing ‘/’. A valid value would be /xyz |
maintenance.application.http.port |
HTTP port the Structr server will listen on in maintenance mode |
maintenance.application.https.port |
HTTPS port the Structr server will listen on (if SSL is enabled) in maintenance mode |
maintenance.application.ssh.port |
SSH port the Structr server will listen on (if SSHService is enabled) in maintenance mode |
maintenance.application.ftp.port |
FTP port the Structr server will listen on (if FtpService is enabled) in maintenance mode |
maintenance.resource.path |
The local folder for static resources served in maintenance mode. If no path is provided, a default maintenance page with customizable text is shown in maintenance mode. |
maintenance.message |
Text for default maintenance page (HTML is allowed) |
maintenance.enabled |
Enables maintenance mode where all ports can be changed to prevent users from accessing the application during maintenance. |
httpservice.gzip.enabled |
Use GZIP compression for HTTP transfers |
httpservice.connection.ratelimit |
Defines the rate limit of HTTP/2 frames per connection for the HTTP Service. |
httpservice.async |
Whether the HttpService uses asynchronous request handling. Disable this option if you encounter problems with HTTP responses. |
httpservice.httpbasicauth.enabled |
Enables HTTP Basic Auth support for pages and files |
httpservice.sni.required |
Enables strict SNI check for the http service. |
httpservice.sni.hostcheck |
Enables SNI host check. |
json.indentation |
Whether JSON output should be indented (beautified) or compacted |
html.indentation |
Whether the page source should be indented (beautified) or compacted. Note: Does not work for template/content nodes which contain raw HTML |
ws.indentation |
Pretty-prints WebSocket responses if set to true. |
application.session.timeout |
The session timeout for inactive HTTP sessions in seconds. Default is 1800. Values lower than or equal to 0 indicate that sessions never time out. |
application.session.max.number |
The maximum number of active sessions per user. Default is -1 (unlimited). |
application.session.clear.onstartup |
Clear all sessions on startup if set to true. |
application.session.clear.onshutdown |
Clear all sessions on shutdown if set to true. |
httpservice.uricompliance |
Configures the URI compliance for the Jetty server. This is simply passed down and is Jetty’s own specification. |
httpservice.force.https |
Enables redirecting HTTP requests from the configured HTTP port to the configured HTTPS port (only works if HTTPS is active). |
httpservice.cookies.httponly |
Set HttpOnly to true for cookies. Please note that this will disable backend access! |
httpservice.cookies.samesite |
Sets the SameSite attribute for the JSESSIONID cookie. For SameSite=None the Secure flag must also be set, otherwise the cookie will be rejected by the browser! |
httpservice.cookies.secure |
Sets the secure flag for the JSESSIONID cookie. |
access.control.accepted.origins |
Comma-separated list of accepted origins, sets the Access-Control-Allow-Origin header. |
access.control.max.age |
Sets the value of the Access-Control-Max-Age header. Unit is seconds. |
access.control.allow.methods |
Sets the value of the Access-Control-Allow-Methods header. Comma-delimited list of the allowed HTTP request methods. |
access.control.allow.headers |
Sets the value of the Access-Control-Allow-Headers header. |
access.control.allow.credentials |
Sets the value of the Access-Control-Allow-Credentials header. |
access.control.expose.headers |
Sets the value of the Access-Control-Expose-Headers header. |
Servlet Settings
| Name | Description |
|---|---|
httpservice.servlets |
Servlets that are listed in this configuration key will be available in the HttpService. Changes to this setting require a restart of the HttpService in the ‘Services’ tab. |
configservlet.enabled |
Enables the config servlet (available under http(s)://<your-server>/structr/config) |
jsonrestservlet.path |
URL pattern for REST server. Do not change unless you know what you are doing. |
jsonrestservlet.class |
FQCN of servlet class to use in the REST server. Do not change unless you know what you are doing. |
jsonrestservlet.authenticator |
FQCN of authenticator class to use in the REST server. Do not change unless you know what you are doing. |
jsonrestservlet.defaultview |
Default view to use when no view is given in the URL |
jsonrestservlet.outputdepth |
Maximum nesting depth of JSON output |
jsonrestservlet.resourceprovider |
FQCN of resource provider class to use in the REST server. Do not change unless you know what you are doing. |
jsonrestservlet.user.class |
User class that is instantiated when new users are created via the servlet |
jsonrestservlet.user.autologin |
Only works in conjunction with the jsonrestservlet.user.autocreate key. Will log in user after self registration. |
jsonrestservlet.user.autocreate |
Enable this to support user self registration |
jsonrestservlet.unknowninput.validation.mode |
Controls how Structr reacts to unknown keys in JSON input. accept allows the unknown key to be written. ignore removes the key. reject rejects the complete request. The warn options behave identically but also log a warning. |
flowservlet.path |
The URI under which requests are accepted by the servlet. Needs to include a wildcard at the end. |
flowservlet.defaultview |
Default view to use when no view is given in the URL. |
flowservlet.outputdepth |
Maximum nesting depth of JSON output. |
htmlservlet.path |
URL pattern for HTTP server. Do not change unless you know what you are doing. |
htmlservlet.class |
FQCN of servlet class to use for HTTP requests. Do not change unless you know what you are doing. |
htmlservlet.authenticator |
FQCN of authenticator class to use for HTTP requests. Do not change unless you know what you are doing. |
htmlservlet.defaultview |
Not used for HtmlServlet |
htmlservlet.outputdepth |
Not used for HtmlServlet |
htmlservlet.resourceprovider |
FQCN of resource provider class to use in the HTTP server. Do not change unless you know what you are doing. |
htmlservlet.resolveproperties |
Specifies the list of properties that are used to resolve entities from URL paths. |
htmlservlet.customresponseheaders |
List of custom response headers that will be added to every HTTP response |
pdfservlet.path |
The URI under which requests are accepted by the servlet. Needs to include a wildcard at the end. |
pdfservlet.defaultview |
Default view to use when no view is given in the URL. |
pdfservlet.outputdepth |
Maximum nesting depth of JSON output. |
pdfservlet.resolveproperties |
Specifies the list of properties that are used to resolve entities from URL paths. |
pdfservlet.customresponseheaders |
List of custom response headers that will be added to every HTTP response |
websocketservlet.path |
URL pattern for WebSockets. Do not change unless you know what you are doing. |
websocketservlet.class |
FQCN of servlet class to use for WebSockets. Do not change unless you know what you are doing. |
websocketservlet.authenticator |
FQCN of authenticator class to use for WebSockets. Do not change unless you know what you are doing. |
websocketservlet.defaultview |
Unused |
websocketservlet.outputdepth |
Maximum nesting depth of JSON output |
websocketservlet.resourceprovider |
FQCN of resource provider class to use with WebSockets. Do not change unless you know what you are doing. |
websocketservlet.user.autologin |
Unused |
websocketservlet.user.autocreate |
Unused |
csvservlet.path |
URL pattern for CSV output. Do not change unless you know what you are doing. |
csvservlet.class |
Servlet class to use for CSV output. Do not change unless you know what you are doing. |
csvservlet.authenticator |
FQCN of Authenticator class to use for CSV output. Do not change unless you know what you are doing. |
csvservlet.defaultview |
Default view to use when no view is given in the URL |
csvservlet.outputdepth |
Maximum nesting depth of JSON output |
csvservlet.resourceprovider |
FQCN of resource provider class to use in the REST server. Do not change unless you know what you are doing. |
csvservlet.user.autologin |
Unused |
csvservlet.user.autocreate |
Unused |
csvservlet.frontendaccess |
Unused |
uploadservlet.path |
URL pattern for file upload. Do not change unless you know what you are doing. |
uploadservlet.class |
FQCN of servlet class to use for file upload. Do not change unless you know what you are doing. |
uploadservlet.authenticator |
FQCN of authenticator class to use for file upload. Do not change unless you know what you are doing. |
uploadservlet.defaultview |
Default view to use when no view is given in the URL |
uploadservlet.outputdepth |
Maximum nesting depth of JSON output |
uploadservlet.resourceprovider |
FQCN of resource provider class to use for file upload. Do not change unless you know what you are doing. |
uploadservlet.user.autologin |
Unused |
uploadservlet.user.autocreate |
Unused |
uploadservlet.allowanonymousuploads |
Allows anonymous users to upload files. |
uploadservlet.maxfilesize |
Maximum allowed file size for single file uploads. Unit is Megabytes |
uploadservlet.maxrequestsize |
Maximum allowed request size for single file uploads. Unit is Megabytes |
loginservlet.path |
The URI under which requests are accepted by the servlet. Needs to include a wildcard at the end. |
loginservlet.defaultview |
Default view to use when no view is given in the URL. |
loginservlet.outputdepth |
Maximum nesting depth of JSON output. |
logoutservlet.path |
The URI under which requests are accepted by the servlet. Needs to include a wildcard at the end. |
logoutservlet.defaultview |
Default view to use when no view is given in the URL. |
logoutservlet.outputdepth |
Maximum nesting depth of JSON output. |
tokenservlet.path |
The URI under which requests are accepted by the servlet. Needs to include a wildcard at the end. |
tokenservlet.defaultview |
Default view to use when no view is given in the URL. |
tokenservlet.outputdepth |
Maximum nesting depth of JSON output. |
deploymentservlet.filegroup.name |
For Unix-based file systems only. Adds the group ownership to the created deployment files. |
healthcheckservlet.whitelist |
IP addresses in this list are allowed to access the health check endpoint at /structr/health. |
histogramservlet.whitelist |
IP addresses in this list are allowed to access the query histogram endpoint at /structr/histogram. |
openapiservlet.server.title |
The main title of the OpenAPI server definition. |
openapiservlet.server.version |
The version number of the OpenAPI definition |
metricsservlet.whitelist |
IP addresses in this list are allowed to access the health check endpoint at /structr/metrics. |
Mail Configuration Settings
| Name | Description |
|---|---|
smtp.host |
Address of the SMTP server used to send e-mails |
smtp.port |
SMTP server port to use when sending e-mails |
smtp.tls.enabled |
Whether to use TLS when sending e-mails |
smtp.tls.required |
Whether TLS is required when sending e-mails |
mail.maxemails |
The number of mails which are checked |
mail.updateinterval |
The interval in which the mailbox is checked. Unit is milliseconds |
mail.attachmentbasepath |
The |