diff --git a/modules/core/distribution/src/assembly/bin.xml b/modules/core/distribution/src/assembly/bin.xml
index a1851be3..7c006567 100644
--- a/modules/core/distribution/src/assembly/bin.xml
+++ b/modules/core/distribution/src/assembly/bin.xml
@@ -113,6 +113,7 @@
**/conf/log4j.properties
**/repository/conf/security/Owasp.CsrfGuard.Carbon.properties
**/repository/components/plugins/httpclient_4.3.2.wso2v1.jar
+ **/conf/tomcat/carbon/WEB-INF/web.xml
@@ -701,6 +702,11 @@
+
+
+ ${pom.artifactId}-${pom.version}/repository/conf/tomcat/carbon/WEB-INF
+ 755
+
${pom.artifactId}-${pom.version}/bin
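Review bot: The `755` added for the new `repository/conf/tomcat/carbon/WEB-INF` entry, together with `new file mode 100755` on the web.xml this commit introduces, marks a plain configuration file as executable. The element names are not visible in this hunk, so I am assuming the value is the file mode of the new file set. If so, `<fileMode>644</fileMode>` is enough for web.xml; 755 is only needed for directories and for scripts such as those under `bin`.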
diff --git a/modules/core/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties b/modules/core/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties
index 4daf5c71..2b65f620 100644
--- a/modules/core/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties
+++ b/modules/core/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties
@@ -450,15 +450,15 @@ org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60
org.owasp.csrfguard.unprotected.Services=%servletContext%/services/*
org.owasp.csrfguard.unprotected.oauth=%servletContext%/commonauth/*
org.owasp.csrfguard.unprotected.samlsso=%servletContext%/samlsso/*
-org.owasp.csrfguard.unprotected.authenticationendpoint=%servletContext%/authenticationendpoint/*
+org.owasp.csrfguard.unprotected.authenticationEndpoint=%servletContext%/authenticationendpoint/*
org.owasp.csrfguard.unprotected.wso2=%servletContext%/wso2/*
org.owasp.csrfguard.unprotected.oauth2=%servletContext%/oauth2/*
-org.owasp.csrfguard.unprotected.openid=%servletContext%/openid/*
-org.owasp.csrfguard.unprotected.openidserver=%servletContext%/openidserver/*
+org.owasp.csrfguard.unprotected.openId=%servletContext%/openid/*
+org.owasp.csrfguard.unprotected.openIdServer=%servletContext%/openidserver/*
org.owasp.csrfguard.unprotected.passivests=%servletContext%/passivests/*
org.owasp.csrfguard.unprotected.thrift=%servletContext%/thriftAuthenticator/*
-org.owasp.csrfguard.unprotected.publisher.rest.api=%servletContext%/api/appm/publisher/*
-org.owasp.csrfguard.unprotected.store.rest.api=%servletContext%/api/appm/store/*
-org.owasp.csrfguard.unprotected.certificate.mgt.rest.api=%servletContext%/api/certificate-mgt/*
-org.owasp.csrfguard.unprotected.device.mgt.rest.api=%servletContext%/api/device-mgt/*
-org.owasp.csrfguard.unprotected.dcr.rest.api=%servletContext%/dynamic-client-web/*
\ No newline at end of file
+org.owasp.csrfguard.unprotected.publisherRestApi=%servletContext%/api/appm/publisher/*
+org.owasp.csrfguard.unprotected.storeRestApi=%servletContext%/api/appm/store/*
+org.owasp.csrfguard.unprotected.certificateMgtRestApi=%servletContext%/api/certificate-mgt/*
+org.owasp.csrfguard.unprotected.deviceMgtRestApi=%servletContext%/api/device-mgt/*
+org.owasp.csrfguard.unprotected.dcrRestApi=%servletContext%/dynamic-client-web/*
\ No newline at end of file
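Review bot: The five REST API exemptions at the end of this hunk (`publisherRestApi`, `storeRestApi`, `certificateMgtRestApi`, `deviceMgtRestApi`, `dcrRestApi`) have no comment recording why these paths may skip CSRF token validation. As far as I know, CsrfGuard's properties loader ignores `unprotected.*` keys whose suffix contains a further dot, so the old dotted names probably had no effect and this rename is what makes the wildcard exemptions take effect. The `authenticationEndpoint`, `openId` and `openIdServer` renames look cosmetic by comparison. I would add a line such as `# Token-authenticated REST APIs (no cookie session) - exempt from CSRF token check` above the block, and confirm that none of these paths accept a cookie-based session. The file also still ends without a trailing newline.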
diff --git a/modules/core/distribution/src/repository/conf/tomcat/carbon/WEB-INF/web.xml b/modules/core/distribution/src/repository/conf/tomcat/carbon/WEB-INF/web.xml
new file mode 100755
index 00000000..fffa6b5c
--- /dev/null
+++ b/modules/core/distribution/src/repository/conf/tomcat/carbon/WEB-INF/web.xml
@@ -0,0 +1,185 @@
+
+
+
+
+
+
+
+ Owasp.CsrfGuard.Config
+ repository/conf/security/Owasp.CsrfGuard.Carbon.properties
+
+
+ bridgeservlet
+ Carbon Bridge Servlet
+ Carbon Bridge Servlet
+ org.wso2.carbon.tomcat.ext.servlet.DelegationServlet
+ 1
+
+
+
+ JavaScriptServlet
+ org.owasp.csrfguard.servlet.JavaScriptServlet
+
+
+ bridgeservlet
+ /*
+
+
+
+ bridgeservlet
+ *.jsp
+
+
+ JavaScriptServlet
+ /carbon/admin/js/csrfPrevention.js
+
+
+
+ CharsetFilter
+ org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter
+
+ requestEncoding
+ UTF-8
+
+
+
+
+ CSRFGuard
+ org.owasp.csrfguard.CsrfGuardFilter
+
+
+
+ HttpHeaderSecurityFilter
+ org.apache.catalina.filters.HttpHeaderSecurityFilter
+
+ hstsEnabled
+ false
+
+
+
+ HttpHeaderSecurityFilter
+ *
+
+
+ HttpHeaderSecurityFilter_AntiClickJacking_SpecialURL
+ org.apache.catalina.filters.HttpHeaderSecurityFilter
+
+
+ hstsEnabled
+ false
+
+
+ blockContentTypeSniffingEnabled
+ false
+
+
+ xssProtectionEnabled
+ false
+
+
+ antiClickJackingOption
+ SAMEORIGIN
+
+
+
+ URLBasedCachePreventionFilter
+ org.wso2.carbon.ui.filters.cache.URLBasedCachePreventionFilter
+
+
+ HttpHeaderSecurityFilter_AntiClickJacking_SpecialURL
+ /samlsso
+
+
+ CharsetFilter
+ /*
+
+
+ CSRFGuard
+ /*
+
+
+ URLBasedCachePreventionFilter
+ *.jsp
+
+
+
+ org.owasp.csrfguard.CsrfGuardServletContextListener
+
+
+
+ org.owasp.csrfguard.CsrfGuardHttpSessionListener
+
+
+ 15
+
+ true
+
+
+
+
+ 400
+ /carbon/errors/error_400.html
+
+
+ 401
+ /carbon/errors/error_401.html
+
+
+ 403
+ /carbon/errors/error_403.html
+
+
+ 404
+ /carbon/errors/error_404.html
+
+
+ 405
+ /carbon/errors/error_405.html
+
+
+ 408
+ /carbon/errors/error_408.html
+
+
+ 410
+ /carbon/errors/error_410.html
+
+
+ 500
+ /carbon/errors/error_500.html
+
+
+ 502
+ /carbon/errors/error_502.html
+
+
+ 503
+ /carbon/errors/error_503.html
+
+
+ 504
+ /carbon/errors/error_504.html
+
+
+ /carbon/errors/error.html
+
+
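Review bot: Both `HttpHeaderSecurityFilter` definitions set `hstsEnabled` to `false` (the general filter mapped to `*` and the `/samlsso` variant), so the console never sends a Strict-Transport-Security header, and nothing in the file says why. The lone `true` after the session timeout of 15 looks like a secure-cookie flag, which suggests HTTPS-only use, though the element names are not visible here. If so, consider setting `hstsEnabled` to `true` with an explicit `hstsMaxAgeSeconds`. Otherwise add an XML comment above the filter, e.g. `<!-- HSTS left off: TLS is terminated upstream / header set by the proxy -->`. The `*` mapping is matched as "all URLs" by Tomcat but is not a portable servlet pattern; `/*` would be consistent with the `CharsetFilter` and `CSRFGuard` mappings.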