2016/04/10 - Apache Wookie has been retired.

For more information, please explore the Attic.

This is the admin documentation for Wookie 0.9.x. For information on later versions of Wookie see the current Server Administration Guide.

NOTE: This documentation is still in the process of being written. If you have an questions about the Wookie administration interface, please ask on the mailing list.

Downloading and installing Wookie

See Downloading and Installing Wookie

Using the Administration web interface

To access the administrators interface in the development server, go to

[http://]{your server}/wookie/admin

By default, and when Wookie is running in "standalone" mode, the Wookie server admin username and password are both "java".

Adding and removing widgets

Adding widgets using the admin interface

On the admin page, click "add new widget". A page containing an upload form will be displayed. Select the widget file you wish to deploy and click the "publish" button to upload it.

Adding widgets using a watched folder

Wookie supports the "hot deployment" of widgets by adding .wgt files to a watched folder. The location of the folder is determined by the widget.deployfolder property. Hot-deploy functionality is enabled by default; you can disable it if desired by setting widget.hot_deploy=false. Note that only widgets that have a .wgt file extension will be deployed automatically.

Removing widgets

To remove a widget, from the admin page click "Remove widget from system". This will show a list of all widgets currently deployed with a link to delete widgets.

Note that deleting a widget also deletes all instances and data associated with the widget by all users.

Widget services (categories)

Services are deprecated.

Whitelist and Access Policies

When a Widget tries to access a third-party website or service, this is usually prevented by the browser's same-origin policy. This is to prevent cross-site scripting hacks and unauthorized sharing of personal data. However, there are many instances where a Widget may legitimately want to make a call to a third party service or site using AJAX, and to support this Wookie provides a server-side proxy that the Widget can use to tunnel requests through Wookie.

To use the proxy, the widget author simply needs to call "widget.proxify(myurl)" to change their service URL to one that makes use of the proxy. However, Wookie will not make the HTTP request to take place unless the requested URL is permitted using either the global whitelist or by an enabled Widget Access Request Policy.

Global Whitelist

The global whitelist is accessed from the White list section of the Administrator Menu page. From here you can view the white list, and add and remove entries. Each whitelist entry allows ANY widget to invoke the URL you've added.

Widget Access Request Policies

Widget Access Request Policies (also known as W3C WARP; see http://www.w3.org/TR/widgets-access/) is a W3C specification that allows Widgets to specify origins they wish to access in the Widget's config.xml file.

When you add a Widget to Wookie, any <access> elements are turned into access policies that can be viewed in the Admininstrator interface.

To manage WARPs, go to the White list section of the Administrator Menu page, and select Manage widget access request policies. From this page you can view a table of policies that have been created; the format of the table is (from left to right): the name of the widget the policy applies to, the origin to allow, and whether the policy is granted or not granted. Finally, there is a button to toggle the state of the policy.

By default, Wookie automatically grants WARPs when installing a new Widget, and notifies the Administrator with a message in the Admin interface and in the Wookie log file.

Server configuration

User management

The Wookie server comes with a built-in user called "java" linked to the "widgetadmin" role. These are defined in the roles.properties and users.properties files located in WEB-INF/classes. These can be removed in a standard application server environment, and another user added to "widgetadmin" role, for example in tomcat-users.xml in a Tomcat installation.

Login configuration settings can be found in the web.xml file located in wookie/WEB-INF.

Integration with Shindig

See Integrating Wookie With Shindig

Proxy configuration

In order for widgets running in Wookie to communicate with external web services using Ajax, requests must be redirected through a server-side proxy. The proxy configuration is located in WEB-INF/classes/widgetserver.properties.

The following parameters can be set:


Set this to true to enable a whitelist; this only works with the Wookie built-in proxy service.


If this is set to true, the Wookie built-in proxy will only handle requests where the requesting domain is the same as the proxy server domain.


These allow you to set a custom proxy server location. To use the Wookie built-in proxy service, you only need to set widget.proxy.path=/wookie/proxy. To use instead the proxy service bundled with Apache Shindig, you need to set widget.proxy.path=/gadgets/proxy


Use these settings to configure access control for the proxy. By default no authentication is set.

Mail setup

Wookie enables users to request API keys for their applications; these are then sent to their email address. The email service is configured as follows:


Username and password are optional. You can use localhost if your server is set up to send email, e.g. using PostFix.

Virtual host configuration

See Running Wookie