References

Settings

The following table lists all configuration settings available in Structr. You can view and modify these settings in the Configuration Interface, which opens in a separate browser tab when you click the wrench icon in the Admin UI header bar. The Configuration Interface requires authentication with the superuser password from structr.conf. Alternatively, you can edit the structr.conf file directly and restart the server.

Advanced Settings

Name Description
dateproperty.defaultformat Default ISO8601 date format pattern
geocoding.apikey Geocoding configuration
geocoding.language Geocoding configuration
geocoding.provider Geocoding configuration
json.lenient Whether to use lenient serialization, e.g. allow NaN, -Infinity and Infinity to be serialized instead of just returning null. Note: as long as JavaScript doesn’t support NaN etc., most of the UI will be broken
json.output.dateformat Output format pattern for date objects in JSON
json.reductiondepth For restricted views (ui, custom, all), only a limited amount of attributes (id, type, name) are rendered for nested objects after this depth. The default is 0, meaning that on the root depth (0), all attributes are rendered and reduction starts at depth 1.

Can be overridden on a per-request basis by using the request parameter _outputReductionDepth
json.redundancyreduction If enabled, nested nodes (which were already rendered in the current output) are rendered with a limited set of attributes (id, type, name).
zoneddatetimeproperty.defaultformat Default zoneddatetime format pattern

Application Configuration Settings

Name Description
application.changelog.enabled Turns on logging of changes to nodes and relationships
application.changelog.user_centric.enabled Turns on user-centric logging of what a user changed/created/deleted
application.encryption.secret Sets the global secret for encrypted string properties. Using this configuration setting is one of several possible ways to set the secret. Using the set_encryption_key() function is a way to set the encryption key without persisting it on disk.
application.feeditem.indexing.remote Whether indexing for type FeedItem will index the target URL of the FeedItem or the description
application.feeditemcontent.indexing.enabled Whether indexing is enabled for type FeedItemContent
application.feeditemcontent.indexing.limit Maximum number of words to be indexed per FeedItemContent.
application.feeditemcontent.indexing.maxlength Maximum length of words to be indexed for FeedItemContent
application.feeditemcontent.indexing.minlength Minimum length of words to be indexed for FeedItemContent
application.filesystem.checksums.default List of additional checksums to be calculated on file creation by default. (File.checksum is always populated with an xxHash)
  crc32: Cyclic Redundancy Check - long value
  md5: md5 algorithm - 32 character hex string
  sha1: SHA-1 algorithm - 40 character hex string
  sha512: SHA-512 algorithm - 128 character hex string
application.filesystem.enabled If enabled, Structr will create a separate home directory for each user. The home directory of authenticated users will override the default upload folder setting. See Filesystem for more information.
application.filesystem.indexing.enabled Whether indexing is enabled globally (can be controlled separately for each file)
application.filesystem.indexing.maxsize Maximum size (MB) of a file to be indexed
application.filesystem.unique.insertionposition Defines the insertion position of the uniqueness criterion (currently a timestamp).
  start: prefixes the name with a timestamp
  beforeextension: puts the timestamp before the last dot (or at the end if the name does not contain a dot)
  end: appends the timestamp after the complete name
application.filesystem.unique.paths If enabled, Structr will not allow files/folders of the same name in the same folder and automatically rename the file.
application.httphelper.charset Default charset for outbound connections
application.httphelper.timeouts.connect Timeout for outbound connections in seconds to wait until a connection is established. A timeout value of zero is interpreted as an infinite timeout.
application.httphelper.timeouts.connectionrequest Timeout for outbound connections in seconds to wait when requesting a connection from the connection manager. A timeout value of zero is interpreted as an infinite timeout.
application.httphelper.timeouts.socket Socket timeout for outbound connections in seconds to wait for data or, put differently, a maximum inactivity period between two consecutive data packets. A timeout value of zero is interpreted as an infinite timeout.
application.httphelper.urlwhitelist A comma-separated list of URL patterns that can be used in HTTP request scripting functions (GET, PUT, POST etc.). If this value is anything other than *, whitelisting is applied to all outgoing requests.
application.httphelper.useragent User agent string for outbound connections
application.localization.fallbacklocale The default locale used if no localization is found and use of a fallback is active.
application.localization.logmissing Turns on logging for requested but non-existing localizations.
application.localization.usefallbacklocale Turns on usage of the fallback locale if no localization is found for the current locale
application.proxy.mode Sets the mode of the proxy servlet. Possible values are ‘disabled’ (off, servlet responds with 503 error code), ‘protected’ (only authenticated requests allowed) and ‘public’ (anonymous requests allowed). Default is disabled.
application.remotedocument.indexing.enabled Whether indexing is enabled for type RemoteDocument
application.remotedocument.indexing.limit Maximum number of words to be indexed per RemoteDocument.
application.remotedocument.indexing.maxlength Maximum length of words to be indexed for RemoteDocument
application.remotedocument.indexing.minlength Minimum length of words to be indexed for RemoteDocument
application.schema.allowunknownkeys Enables get() and set() built-in functions to use property keys that are not defined in the schema.
application.schema.automigration Enable automatic migration of schema information between versions (if possible – may delete schema nodes)
application.security.ssrf.protection Enables SSRF protection for outbound HTTP requests. When enabled, requests to private/internal IP ranges (loopback, link-local, site-local) are blocked. Disable only for testing or when internal network access is explicitly required.
application.uploads.folder The default upload folder for files uploaded via the UploadServlet. This must be a valid folder path and cannot be empty. Final slashes are automatically removed. Uploads to the root directory are not allowed.
application.xml.parser.security Enables various security measures for XML parsing to prevent exploits.
callbacks.login.onsave Setting this to true enables the execution of the User.onSave method for login actions. This will also trigger for failed login attempts and for two-factor authentication intermediate steps. Disabled by default because the global login handler onStructrLogin would be the right place for such functionality.
callbacks.logout.onsave Setting this to true enables the execution of the User.onSave method when a user logs out. Disabled by default because the global login handler onStructrLogout would be the right place for such functionality.
deployment.data.export.nodes.batchsize Sets the batch size for data deployment when exporting nodes.

The relationships for each node are collected and exported while the node itself is exported. It can make sense to reduce this number if all or most nodes have a very high number of relationships.
deployment.data.import.nodes.batchsize Sets the batch size for data deployment when importing nodes.
deployment.data.import.relationships.batchsize Sets the batch size for data deployment when importing relationships.
deployment.schema.format Configures how the schema is exported in a deployment export. file exports the schema as a single file. tree exports the schema as a tree where methods/function properties are written to single files in a tree structure.

Cron Jobs Settings

Name Description
cronservice.allowparallelexecution Enables the parallel execution of the same cron job. This can happen if the method runs longer than the defined cron interval. Since this could lead to problems, the default is false.
cronservice.tasks List of cron task configurations or method names separated by space. This only configures the list of tasks. For each task, there needs to be another configuration entry named ‘.cronExpression’ with the appropriate cron schedule configuration. Restart of CronService required.

Database Configuration Settings

Name Description
database.cache.uuid.size Size of the database driver relationship cache
database.prefetching.maxcount How many results a prefetching query may return before prefetching will be deactivated for that query.
database.prefetching.maxduration How long a prefetching query may take before prefetching will be deactivated for that query.
database.prefetching.threshold How many identical queries must run in a transaction to activate prefetching for that query.
database.result.fetchsize Number of database records to fetch per batch when fetching large results
database.result.lazy Forces Structr to use lazy evaluation for relationship queries
database.result.softlimit Soft result count limit for a single query (can be overridden by setting the _pageSize request parameter or by adding the request parameter _disableSoftLimit to a non-null value)
log.cypher.debug Turns on debug logging for the generated Cypher queries
log.cypher.debug.ping Turns on debug logging for the generated Cypher queries of the websocket PING command. Can only be used in conjunction with log.cypher.debug

DoS Filter Settings

Name Description
httpservice.dosfilter.delayms The delay given to all requests over the rate limit, before they are considered at all. -1 means just reject request, 0 means no delay, otherwise it is the delay.
httpservice.dosfilter.insertheaders If true, insert the DoSFilter headers into the response.
httpservice.dosfilter.ipwhitelist A comma-separated list of IP addresses that will not be rate limited. Defaults to localhost.
httpservice.dosfilter.managedattr If set to true, this servlet is set as a ServletContext attribute with the filter name as the attribute name. This allows context external mechanisms (e.g. JMX via ContextHandler managed attribute) to manage the configuration of the filter.
httpservice.dosfilter.maxidletrackerms How long to keep track of request rates for a connection before deciding that the user has gone away and discarding it, in milliseconds.
httpservice.dosfilter.maxrequestms How long to allow a request to run in milliseconds.
httpservice.dosfilter.maxrequestspersec The maximum number of requests from a connection per second. Requests in excess of this are first delayed, then throttled.
httpservice.dosfilter.maxwaitms How long to block while waiting for the throttle semaphore, in milliseconds.
httpservice.dosfilter.ratelimiting Enables rate limiting using Jetty’s DoSFilter.
httpservice.dosfilter.remoteport If true then rate is tracked by IP+port (effectively connection). If false, rate is tracked by IP address only.
httpservice.dosfilter.throttledrequests The number of requests over the rate limit able to be considered at once.
httpservice.dosfilter.throttlems How long to async wait for semaphore in milliseconds.
httpservice.dosfilter.toomanycode The HTTP status code to send if there are too many requests. The default is 429 (too many requests), but 503 (service unavailable) is another option.

General Settings

Name Description
application.cluster.enabled Enables cluster mode (experimental)
application.cluster.log.enabled Enables debug logging for cluster mode communication
application.cluster.name The name of the Structr cluster
application.console.cypher.maxresults The maximum number of results returned by a cypher query in the admin console. If a query yields more results, an error message is shown.
application.email.validation.regex Regular expression used to validate email addresses for User.eMail and is_valid_email() function.
application.heap.max_size Maximum Java heap size (-Xmx). Examples: 2g, 4g, 8g. Note: Changes require a restart of Structr.
application.heap.min_size Minimum Java heap size (-Xms). Examples: 512m, 1g, 2g. Note: Changes require a restart of Structr.
application.instance.name The name of the Structr instance (displayed in the top right corner of structr-ui)
application.instance.stage The stage of the Structr instance (displayed in the top right corner of structr-ui)
application.legacy.requestparameters.enabled Enables pre-4.0 request parameter names (sort, page, pageSize, etc. instead of _sort, _page, _pageSize, …)
application.runtime.enforce.recommended Enforces version check for Java runtime.
application.scripting.allowedhostclasses Space-separated list of fully-qualified Java class names that you can load dynamically in a scripting environment.
application.scripting.debugger Enables Chrome debugger initialization in scripting engine. The current debugger URL will be shown in the server log and also made available on the dashboard.
application.scripting.js.wrapinmainfunction Forces js scripts to be wrapped in a main function for legacy behaviour.
application.stats.aggregation.interval Minimum aggregation interval for HTTP request stats.
application.systeminfo.disabled Disables transmission of telemetry information. This information is used to improve the software and to better adapt to different hardware configurations.
application.timezone Application timezone (e.g. UTC, Europe/Berlin). If not set, falls back to system timezone or UTC. Note: Changes require a restart of Structr.
application.title The title of the application as shown in the log file. This entry exists for historical reasons and has no functional impact other than appearing in the log file.
application.uuid.allowedformats Configures which UUIDv4 types are allowed: With dashes, without dashes or both.
application.uuid.createcompact Determines if UUIDs are created with or without dashes. This setting is only used if application.uuid.allowedformats is set to both.

WARNING: Requires a restart to take effect.
base.path Path of the Structr working directory. All files will be located relative to this directory.
changelog.path Path to the Structr changelog storage folder
configuration.provider Fully-qualified class name of a Java class in the current class path that implements the org.structr.schema.ConfigurationProvider interface.
configured.services Services that are listed in this configuration key will be started when Structr starts.
data.exchange.path IMPORTANT: Path is relative to base.path
files.path Path to the Structr file storage folder
log.callback.threshold Number of callbacks after which a transaction will be logged.
log.directorywatchservice.scanquietly Prevents logging of each scan process for every folder processed by the directory watch service
log.functions.stacktrace If true, the full stacktrace is logged for exceptions in system functions.
log.level Configures the default log level. Takes effect immediately.
log.querytime.threshold Milliseconds after which a long-running query will be logged.
log.scriptprocess.commandline Configures the default logging behaviour for the command line generated for script processes. This applies to the exec() and exec_binary() functions, as well as some processes handling media conversion or processing. For the exec() and exec_binary() functions, this can be overridden for each call of the function.
scripts.path Path to the Structr scripts folder. IMPORTANT: Path is relative to base.path
scripts.path.allowpathtraversal Setting to true disables an additional check that disallows path traversals (.. in path).
scripts.path.allowsymboliclinks Setting to true disables an additional check that disallows symbolic links in script paths.
tmp.path Path to the temporary directory. Uses java.io.tmpdir by default

Licensing Settings

Name Description
license.allow.fallback Allow Structr to fall back to the Community License if no valid license exists (or license cannot be validated). Set this to false in production environments to prevent Structr from starting without a license.
license.key Base64-encoded string that contains the complete license data, typically saved as ‘license.key’ in the main directory.
license.validation.timeout Timeout in seconds for license validation requests.

Miscellaneous Settings

Name Description
translation.deepl.apikey DeepL API Key
translation.google.apikey Google Cloud Translation API Key

OAuth Settings

Name Description
oauth.auth0.audience Optional. The API audience (identifier) of your Auth0 API. Required for API access tokens.
oauth.auth0.authorization_location Required if tenant not set. Full URL of the authorization endpoint. Ignored if tenant is configured.
oauth.auth0.authorization_path Optional. Path to authorization endpoint. Only used with tenant setting. Defaults to ‘/authorize’.
oauth.auth0.client_id Required. Client ID from your Auth0 application.
oauth.auth0.client_secret Required. Client secret from your Auth0 application.
oauth.auth0.error_uri Optional. Redirect URI on unsuccessful authentication. Defaults to ‘/login’.
oauth.auth0.logout_uri Optional. Logout URI. Defaults to ‘/logout’.
oauth.auth0.redirect_uri Optional. Structr endpoint for the OAuth authorization callback. Defaults to ‘/oauth/auth0/auth’.
oauth.auth0.return_uri Optional. Redirect URI on successful authentication. Defaults to ‘/’.
oauth.auth0.scope Optional. OAuth scope. Defaults to ‘openid profile email’.
oauth.auth0.tenant Required (recommended). Auth0 tenant domain (e.g., ‘your-tenant.auth0.com’). When set, authorization_location and token_location are built automatically.
oauth.auth0.token_location Required if tenant not set. Full URL of the token endpoint. Ignored if tenant is configured.
oauth.auth0.token_path Optional. Path to token endpoint. Only used with tenant setting. Defaults to ‘/oauth/token’.
oauth.auth0.user_details_resource_uri Optional. User details endpoint. Built from tenant if not set.
oauth.auth0.userinfo_path Optional. Path to userinfo endpoint. Only used with tenant setting. Defaults to ‘/userinfo’.
oauth.azure.authorization_location Optional. URL of the authorization endpoint. Built automatically from tenant_id if not set.
oauth.azure.client_id Required. Application (client) ID from Azure AD app registration.
oauth.azure.client_secret Required. Client secret from Azure AD app registration.
oauth.azure.error_uri Optional. Redirect URI on unsuccessful authentication. Defaults to ‘/login’.
oauth.azure.logout_uri Optional. Logout URI. Defaults to ‘/logout’.
oauth.azure.redirect_uri Optional. Structr endpoint for the OAuth authorization callback. Defaults to ‘/oauth/azure/auth’.
oauth.azure.return_uri Optional. Redirect URI on successful authentication. Defaults to ‘/’.
oauth.azure.scope Optional. OAuth scope. Defaults to ‘openid profile email’.
oauth.azure.tenant_id Required. Azure AD tenant ID, or ‘common’ for multi-tenant apps, or ‘organizations’ for work accounts only.
oauth.azure.token_location Optional. URL of the token endpoint. Built automatically from tenant_id if not set.
oauth.azure.user_details_resource_uri Optional. User details endpoint. Defaults to ‘https://graph.microsoft.com/v1.0/me’.
oauth.facebook.authorization_location Optional. URL of the authorization endpoint. Uses default Facebook endpoint if not set.
oauth.facebook.client_id Required. App ID from your Facebook Developer application.
oauth.facebook.client_secret Required. App secret from your Facebook Developer application.
oauth.facebook.error_uri Optional. Redirect URI on unsuccessful authentication. Defaults to ‘/login’.
oauth.facebook.logout_uri Optional. Logout URI. Defaults to ‘/logout’.
oauth.facebook.redirect_uri Optional. Structr endpoint for the OAuth authorization callback. Defaults to ‘/oauth/facebook/auth’.
oauth.facebook.return_uri Optional. Redirect URI on successful authentication. Defaults to ‘/’.
oauth.facebook.scope Optional. OAuth scope. Defaults to ‘email’.
oauth.facebook.token_location Optional. URL of the token endpoint. Uses default Facebook endpoint if not set.
oauth.facebook.user_details_resource_uri Optional. User details endpoint. Defaults to ‘https://graph.facebook.com/me’.
oauth.github.authorization_location Optional. URL of the authorization endpoint. Uses default GitHub endpoint if not set.
oauth.github.client_id Required. Client ID from your GitHub OAuth application.
oauth.github.client_secret Required. Client secret from your GitHub OAuth application.
oauth.github.error_uri Optional. Redirect URI on unsuccessful authentication. Defaults to ‘/login’.
oauth.github.logout_uri Optional. Logout URI. Defaults to ‘/logout’.
oauth.github.redirect_uri Optional. Structr endpoint for the OAuth authorization callback. Defaults to ‘/oauth/github/auth’.
oauth.github.return_uri Optional. Redirect URI on successful authentication. Defaults to ‘/’.
oauth.github.scope Optional. OAuth scope. Defaults to ‘user:email’.
oauth.github.token_location Optional. URL of the token endpoint. Uses default GitHub endpoint if not set.
oauth.github.user_details_resource_uri Optional. User details endpoint. Defaults to ‘https://api.github.com/user’.
oauth.google.authorization_location Optional. URL of the authorization endpoint. Uses default Google endpoint if not set.
oauth.google.client_id Required. Client ID from your Google Cloud Console OAuth credentials.
oauth.google.client_secret Required. Client secret from your Google Cloud Console OAuth credentials.
oauth.google.error_uri Optional. Redirect URI on unsuccessful authentication. Defaults to ‘/login’.
oauth.google.logout_uri Optional. Logout URI. Defaults to ‘/logout’.
oauth.google.redirect_uri Optional. Structr endpoint for the OAuth authorization callback. Defaults to ‘/oauth/google/auth’.
oauth.google.return_uri Optional. Redirect URI on successful authentication. Defaults to ‘/’.
oauth.google.scope Optional. OAuth scope. Defaults to ‘email’.
oauth.google.token_location Optional. URL of the token endpoint. Uses default Google endpoint if not set.
oauth.google.user_details_resource_uri Optional. User details endpoint. Defaults to ‘https://www.googleapis.com/oauth2/v3/userinfo’.
oauth.keycloak.authorization_location Optional. URL of the authorization endpoint. Built automatically from server_url and realm if not set.
oauth.keycloak.client_id Required. Client ID from your Keycloak client configuration.
oauth.keycloak.client_secret Required. Client secret from your Keycloak client configuration.
oauth.keycloak.error_uri Optional. Redirect URI on unsuccessful authentication. Defaults to ‘/login’.
oauth.keycloak.logout_uri Optional. Logout URI. Defaults to ‘/logout’.
oauth.keycloak.realm Required. Keycloak realm name. Defaults to ‘master’.
oauth.keycloak.redirect_uri Optional. Structr endpoint for the OAuth authorization callback. Defaults to ‘/oauth/keycloak/auth’.
oauth.keycloak.return_uri Optional. Redirect URI on successful authentication. Defaults to ‘/’.
oauth.keycloak.scope Optional. OAuth scope. Defaults to ‘openid profile email’.
oauth.keycloak.server_url Required. Keycloak server URL (e.g., ‘https://keycloak.example.com’).
oauth.keycloak.token_location Optional. URL of the token endpoint. Built automatically from server_url and realm if not set.
oauth.keycloak.user_details_resource_uri Optional. User details endpoint. Built automatically from server_url and realm if not set.
oauth.linkedin.authorization_location Optional. URL of the authorization endpoint. Uses default LinkedIn endpoint if not set.
oauth.linkedin.client_id Required. Client ID from your LinkedIn OAuth application.
oauth.linkedin.client_secret Required. Client secret from your LinkedIn OAuth application.
oauth.linkedin.error_uri Optional. Redirect URI on unsuccessful authentication. Defaults to ‘/login’.
oauth.linkedin.logout_uri Optional. Logout URI. Defaults to ‘/logout’.
oauth.linkedin.redirect_uri Optional. Structr endpoint for the OAuth authorization callback. Defaults to ‘/oauth/linkedin/auth’.
oauth.linkedin.return_uri Optional. Redirect URI on successful authentication. Defaults to ‘/’.
oauth.linkedin.scope Optional. OAuth scope. Defaults to ‘openid profile email’.
oauth.linkedin.token_location Optional. URL of the token endpoint. Uses default LinkedIn endpoint if not set.
oauth.linkedin.user_details_resource_uri Optional. User details endpoint. Defaults to ‘https://api.linkedin.com/v2/userinfo’.
oauth.logging.verbose Optional. Enables verbose logging for OAuth login. Useful for debugging.
oauth.servers List of available OAuth services separated by space. Defaults to a list of all available services.

Security Settings

Name Description
application.ssh.forcepublickey Force use of public key authentication for SSH connections
confirmationkey.passwordreset.validityperiod Validity period (in minutes) of the confirmation key generated when a user resets his password. Default is 30.
confirmationkey.registration.validityperiod Validity period (in minutes) of the confirmation key generated during self registration. Default is 2 days (2880 minutes)
confirmationkey.validwithouttimestamp How to interpret confirmation keys without a timestamp
initialuser.create Enables or disables the creation of an initial admin user when connecting to a database that has never been used with Structr.
initialuser.name Name of the initial admin user. This will only be set if the user is created.
initialuser.password Password of the initial admin user. This will only be set if the user is created.
letsencrypt.challenge.type Challenge type for Let’s Encrypt authorization. Possible values are ‘http’ and ‘dns’.
letsencrypt.domain.chain.filename File name of the Let’s Encrypt domain chain. Default is ‘domain-chain.crt’.
letsencrypt.domain.csr.filename File name of the Let’s Encrypt CSR. Default is ‘domain.csr’.
letsencrypt.domain.key.filename File name of the Let’s Encrypt domain key. Default is ‘domain.key’.
letsencrypt.domains List of domains separated by space to fetch and update Let’s Encrypt certificates for
letsencrypt.key.size Encryption key length. Default is 2048.
letsencrypt.production.server.url URL of Let’s Encrypt server. Default is ‘acme://letsencrypt.org’.
letsencrypt.staging.server.url URL of Let’s Encrypt staging server for testing only. Default is ‘acme://letsencrypt.org/staging’.
letsencrypt.user.key.filename File name of the Let’s Encrypt user key. Default is ‘user.key’.
letsencrypt.wait Wait for this amount of seconds before trying to authorize challenge. Default is 300 seconds (5 minutes).
registration.allowloginbeforeconfirmation Enables self-registered users to login without clicking the activation link in the registration email.
registration.customuserattributes Attributes the registering user is allowed to provide. All other attributes are discarded. (eMail is always allowed)
security.authentication.propertykeys List of property keys separated by space in the form of . (example: ‘Member.memberId’) to be used in addition to the default ‘Principal.name Principal.eMail’
security.jwks.admin.claim.key The name of the key in the JWKS response claims whose values are searched for a value matching the value of security.jwks.admin.claim.value.
security.jwks.admin.claim.value The value that must be present in the JWKS response claims object with the key given in security.jwks.admin.claim.key in order to give the requesting user admin privileges.
security.jwks.group.claim.key The name of the key in the JWKS response claims whose value(s) will be used to look for Group nodes with a matching jwksReferenceId.
security.jwks.id.claim.key The name of the key in the JWKS response claims whose value will be used as the ID of the temporary principal object.
security.jwks.name.claim.key The name of the key in the JWKS response claims whose value will be used as the name of the temporary principal object.
security.jwks.provider URL of the JWKS provider
security.jwt.expirationtime Access token timeout in minutes.
security.jwt.jwtissuer The issuer for the JWTs created by this Structr instance.
security.jwt.key.alias The alias of the private key of the given ‘security.jwt.keystore’
security.jwt.keystore Used if ‘security.jwt.secrettype’=keypair. A valid keystore file containing a private/public keypair that can be used to sign and verify JWTs
security.jwt.keystore.password The password for the given ‘security.jwt.keystore’
security.jwt.refreshtoken.expirationtime Refresh token timeout in minutes.
security.jwt.secret Used if ‘security.jwt.secrettype’=secret. The secret that will be used to sign and verify all tokens issued and sent to Structr. Must have a min. length of 32 characters.
security.jwt.secrettype Selects the secret type that will be used to sign or verify a given access or refresh token
security.passwordpolicy.complexity.enforce Configures whether password complexity is enforced for user passwords. If active, changes which violate the complexity rules will result in an error and must be accounted for.
security.passwordpolicy.complexity.minlength The minimum length for user passwords (only active if the enforce setting is active)
security.passwordpolicy.complexity.requiredigits Require at least one digit in user passwords (only active if the enforce setting is active)
security.passwordpolicy.complexity.requirelowercase Require at least one lower case character in user passwords (only active if the enforce setting is active)
security.passwordpolicy.complexity.requirenonalphanumeric Require at least one non alpha-numeric character in user passwords (only active if the enforce setting is active)
security.passwordpolicy.complexity.requireuppercase Require at least one upper case character in user passwords (only active if the enforce setting is active)
security.passwordpolicy.forcechange Indicates if a forced password change is active
security.passwordpolicy.maxage The number of days after which a user has to change his password
security.passwordpolicy.maxfailedattempts The maximum number of failed login attempts before a user is blocked. (Can be disabled by setting to zero or a negative number)
security.passwordpolicy.onchange.clearsessions Clear all sessions of a user on password change.
security.passwordpolicy.remindtime The number of days (before the user must change the password) where a warning should be issued. (Has to be handled in application code)
security.passwordpolicy.resetfailedattemptsonpasswordreset Configures whether resetting the user's password also resets the failed login attempts counter
security.twofactorauthentication.algorithm Respected by the most recent Google Authenticator implementations. Warning: Changing this setting after users are already confirmed will effectively lock them out. Set [User].twoFactorConfirmed to false to show them a new QR code.
security.twofactorauthentication.digits Respected by the most recent Google Authenticator implementations. Warning: Changing this setting after users are already confirmed may lock them out. Set [User].twoFactorConfirmed to false to show them a new QR code.
security.twofactorauthentication.issuer Must be URL-compliant in order to scan the created QR code
security.twofactorauthentication.loginpage The application page where the user enters the current two factor token
security.twofactorauthentication.logintimeout Defines the length of the two-factor login time window in seconds. After entering the username and password, the user has this amount of time to enter a two-factor token before having to re-authenticate via password
security.twofactorauthentication.period Defines the period that a TOTP code will be valid for, in seconds. Respected by the most recent Google Authenticator implementations. Warning: Changing this setting after users are already confirmed will effectively lock them out. Set [User].twoFactorConfirmed to false to show them a new QR code.
security.twofactorauthentication.whitelistedips Comma-separated list of IPs for which two factor authentication is disabled. Both IPv4 and IPv6 are supported. CIDR notation is also supported. (e.g. 192.168.0.1/24 or 2A01:598:FF30:C500::/64)
superuser.password Password of the superuser
superuser.username Name of the superuser


Server Settings

Name Description
access.control.accepted.origins Comma-separated list of accepted origins, sets the Access-Control-Allow-Origin header.
access.control.allow.credentials Sets the value of the Access-Control-Allow-Credentials header.
access.control.allow.headers Sets the value of the Access-Control-Allow-Headers header.
access.control.allow.methods Sets the value of the Access-Control-Allow-Methods header. Comma-delimited list of the allowed HTTP request methods.
access.control.expose.headers Sets the value of the Access-Control-Expose-Headers header.
access.control.max.age Sets the value of the Access-Control-Max-Age header. Unit is seconds.
application.baseurl.override Overrides the baseUrl that can be used to prefix links to local web resources. By default, the value is assembled from the protocol, hostname and port of the server instance Structr is running on
application.ftp.passiveportrange FTP port range for pasv mode. Needed if Structr is run in a docker container, so the port mapping can be done correctly.
application.ftp.port FTP port the Structr server will listen on (if FtpService is enabled)
application.host The listen address of the Structr server. You can set this to your domain name if that name resolves to the IP of the server the instance is running on.
application.http.port HTTP port the Structr server will listen on
application.https.enabled Whether SSL is enabled
application.https.port HTTPS port the Structr server will listen on (if SSL is enabled)
application.keystore.password The password for the JKS keystore
application.keystore.path The path to the JKS keystore containing the SSL certificate. Default value is ‘domain.key.keystore’ which fits with the default value for letsencrypt.domain.key.filename which is ‘domain.key’.
application.rest.path Defines the URL path of the Structr REST server. Should not be changed because it is hard-coded in many parts of the application.
application.root.path Root path of the application, e.g. in case Structr is being run behind a reverse proxy with additional path prefix in URI. If set, the value must start with a ‘/’ and have no trailing ‘/’. A valid value would be /xyz
application.session.clear.onshutdown Clear all sessions on shutdown if set to true.
application.session.clear.onstartup Clear all sessions on startup if set to true.
application.session.max.number The maximum number of active sessions per user. Default is -1 (unlimited).
application.session.timeout The session timeout for inactive HTTP sessions in seconds. Default is 1800. Values less than or equal to 0 indicate that sessions never time out.
application.ssh.port SSH port the Structr server will listen on (if SSHService is enabled)
html.indentation Whether the page source should be indented (beautified) or compacted. Note: Does not work for template/content nodes which contain raw HTML
httpservice.async Whether the HttpServices uses asynchronous request handling. Disable this option if you encounter problems with HTTP responses.
httpservice.connection.ratelimit Defines the rate limit of HTTP/2 frames per connection for the HTTP Service.
httpservice.cookies.httponly Set HttpOnly to true for cookies. Please note that this will disable backend access!
httpservice.cookies.samesite Sets the SameSite attribute for the JSESSIONID cookie. For SameSite=None the Secure flag must also be set, otherwise the cookie will be rejected by the browser!
httpservice.cookies.secure Sets the secure flag for the JSESSIONID cookie.
httpservice.force.https Enables redirecting HTTP requests from the configured HTTP port to the configured HTTPS port (only works if HTTPS is active).
httpservice.gzip.enabled Use GZIP compression for HTTP transfers
httpservice.httpbasicauth.enabled Enables HTTP Basic Auth support for pages and files
httpservice.sni.hostcheck Enables SNI host check.
httpservice.sni.required Enables strict SNI check for the http service.
httpservice.uricompliance Configures the URI compliance for the Jetty server. This is simply passed down and is Jetty’s own specification.
json.indentation Whether JSON output should be indented (beautified) or compacted
maintenance.application.ftp.port FTP port the Structr server will listen on (if FtpService is enabled) in maintenance mode
maintenance.application.http.port HTTP port the Structr server will listen on in maintenance mode
maintenance.application.https.port HTTPS port the Structr server will listen on (if SSL is enabled) in maintenance mode
maintenance.application.ssh.port SSH port the Structr server will listen on (if SSHService is enabled) in maintenance mode
maintenance.enabled Enables maintenance mode where all ports can be changed to prevent users from accessing the application during maintenance.
maintenance.message Text for default maintenance page (HTML is allowed)
maintenance.resource.path The local folder for static resources served in maintenance mode. If no path is provided, a default maintenance page with customizable text is shown in maintenance mode.
ws.indentation Prettyprints websocket responses if set to true.


Servlet Settings

Name Description
configservlet.enabled Enables the config servlet (available under http(s)://<your-server>/structr/config)
configservlet.sessionfixation.protection Regenerates the HTTP session ID on successful login to the ConfigServlet to prevent session fixation attacks. Disabled by default because it can cause issues with certain reverse proxy or load balancer configurations.
csvservlet.authenticator FQCN of Authenticator class to use for CSV output. Do not change unless you know what you are doing.
csvservlet.class Servlet class to use for CSV output. Do not change unless you know what you are doing.
csvservlet.defaultview Default view to use when no view is given in the URL
csvservlet.frontendaccess Unused
csvservlet.outputdepth Maximum nesting depth of JSON output
csvservlet.path URL pattern for CSV output. Do not change unless you know what you are doing.
csvservlet.resourceprovider FQCN of resource provider class to use in the REST server. Do not change unless you know what you are doing.
csvservlet.user.autocreate Unused
csvservlet.user.autologin Unused
deploymentservlet.filegroup.name For unix based file systems only. Adds the group ownership to the created deployment files.
flowservlet.defaultview Default view to use when no view is given in the URL.
flowservlet.outputdepth Maximum nesting depth of JSON output.
flowservlet.path The URI under which requests are accepted by the servlet. Needs to include a wildcard at the end.
healthcheckservlet.whitelist IP addresses in this list are allowed to access the health check endpoint at /structr/health.
histogramservlet.whitelist IP addresses in this list are allowed to access the query histogram endpoint at /structr/histogram.
htmlservlet.authenticator FQCN of authenticator class to use for HTTP requests. Do not change unless you know what you are doing.
htmlservlet.class FQCN of servlet class to use for HTTP requests. Do not change unless you know what you are doing.
htmlservlet.customresponseheaders List of custom response headers that will be added to every HTTP response
htmlservlet.defaultview Not used for HtmlServlet
htmlservlet.outputdepth Not used for HtmlServlet
htmlservlet.path URL pattern for HTTP server. Do not change unless you know what you are doing.
htmlservlet.resolveproperties Space-separated list of properties that are tried to find the ‘current’ object (restart of HttpService required).
htmlservlet.resourceprovider FQCN of resource provider class to use in the HTTP server. Do not change unless you know what you are doing.
httpservice.servlets Servlets that are listed in this configuration key will be available in the HttpService. Changes to this setting require a restart of the HttpService in the ‘Services’ tab.
jsonrestservlet.authenticator FQCN of authenticator class to use in the REST server. Do not change unless you know what you are doing.
jsonrestservlet.class FQCN of servlet class to use in the REST server. Do not change unless you know what you are doing.
jsonrestservlet.defaultview Default view to use when no view is given in the URL
jsonrestservlet.outputdepth Maximum nesting depth of JSON output
jsonrestservlet.path URL pattern for REST server. Do not change unless you know what you are doing.
jsonrestservlet.resourceprovider FQCN of resource provider class to use in the REST server. Do not change unless you know what you are doing.
jsonrestservlet.unknowninput.validation.mode Controls how Structr reacts to unknown keys in JSON input. accept allows the unknown key to be written. ignore removes the key. reject rejects the complete request. The warn options behave identically but also log a warning.
jsonrestservlet.user.autocreate Enable this to support user self registration
jsonrestservlet.user.autologin Only works in conjunction with the jsonrestservlet.user.autocreate key. Will log in user after self registration.
jsonrestservlet.user.class User class that is instantiated when new users are created via the servlet
loginservlet.defaultview Default view to use when no view is given in the URL.
loginservlet.outputdepth Maximum nesting depth of JSON output.
loginservlet.path The URI under which requests are accepted by the servlet. Needs to include a wildcard at the end.
logoutservlet.defaultview Default view to use when no view is given in the URL.
logoutservlet.outputdepth Maximum nesting depth of JSON output.
logoutservlet.path The URI under which requests are accepted by the servlet. Needs to include a wildcard at the end.
metricsservlet.whitelist Comma-separated list of IP addresses that are allowed to access the metrics endpoint at /structr/metrics.
openapiservlet.server.title The main title of the OpenAPI server definition.
openapiservlet.server.version The version number of the OpenAPI definition
pdfservlet.customresponseheaders List of custom response headers that will be added to every HTTP response
pdfservlet.defaultview Default view to use when no view is given in the URL.
pdfservlet.outputdepth Maximum nesting depth of JSON output.
pdfservlet.path The URI under which requests are accepted by the servlet. Needs to include a wildcard at the end.
pdfservlet.resolveproperties Space-separated list of properties that are tried to find the ‘current’ object (restart of HttpService required).
tokenservlet.defaultview Default view to use when no view is given in the URL.
tokenservlet.outputdepth Maximum nesting depth of JSON output.
tokenservlet.path The URI under which requests are accepted by the servlet. Needs to include a wildcard at the end.
uploadservlet.allowanonymousuploads Allows anonymous users to upload files.
uploadservlet.authenticator FQCN of authenticator class to use for file upload. Do not change unless you know what you are doing.
uploadservlet.class FQCN of servlet class to use for file upload. Do not change unless you know what you are doing.
uploadservlet.defaultview Default view to use when no view is given in the URL
uploadservlet.maxfilesize Maximum allowed file size for single file uploads. Unit is Megabytes
uploadservlet.maxrequestsize Maximum allowed request size for single file uploads. Unit is Megabytes
uploadservlet.outputdepth Maximum nesting depth of JSON output
uploadservlet.path URL pattern for file upload. Do not change unless you know what you are doing.
uploadservlet.resourceprovider FQCN of resource provider class to use for file upload. Do not change unless you know what you are doing.
uploadservlet.user.autocreate Unused
uploadservlet.user.autologin Unused
websocketservlet.authenticator FQCN of authenticator class to use for WebSockets. Do not change unless you know what you are doing.
websocketservlet.class FQCN of servlet class to use for WebSockets. Do not change unless you know what you are doing.
websocketservlet.defaultview Unused
websocketservlet.outputdepth Maximum nesting depth of JSON output
websocketservlet.path URL pattern for WebSockets. Do not change unless you know what you are doing.
websocketservlet.resourceprovider FQCN of resource provider class to use with WebSockets. Do not change unless you know what you are doing.
websocketservlet.user.autocreate Unused
websocketservlet.user.autologin Unused


Mail Configuration Settings

Name Description
mail.attachmentbasepath The
mail.maxemails The number of mails which are checked
mail.updateinterval The interval in which the mailbox is checked. Unit is milliseconds
smtp.host Address of the SMTP server used to send e-mails
smtp.port SMTP server port to use when sending e-mails
smtp.tls.enabled Whether to use TLS when sending e-mails
smtp.tls.required Whether TLS is required when sending e-mails
