diff --git a/modules/core/distribution/pom.xml b/modules/core/distribution/pom.xml
index 18aebbd8..4e5ada12 100644
--- a/modules/core/distribution/pom.xml
+++ b/modules/core/distribution/pom.xml
@@ -527,6 +527,9 @@
 							<goal>run</goal>
 						</goals>
 					</execution>
+
+
+
 					<execution>
 						<id>clean_target</id>
 						<phase>install</phase>
@@ -566,6 +569,120 @@
                             <goal>run</goal>
                         </goals>
                     </execution>
+
+
+					<execution>
+						<id>replace-web-xmls-in-war-files</id>
+						<phase>prepare-package</phase>
+						<goals>
+							<goal>run</goal>
+						</goals>
+						<configuration>
+							<tasks>
+								<property name="tempdir" value="target/webapp-temp" />
+								<property name="xmldir" value="src/repository/resources/web-apps/web-xml" />
+								<property name="srcdir" value="${basedir}/../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/deployment/server/webapps" />
+
+								<mkdir dir="${tempdir}" />
+								<mkdir dir="${tempdir}/api-application-registration" />
+								<mkdir dir="${tempdir}/api#certificate-mgt#v1.0" />
+								<mkdir dir="${tempdir}/api#identity#entitlement" />
+								<mkdir dir="${tempdir}/api#scep-mgt#v1.0" />
+								<mkdir dir="${tempdir}/authenticationendpoint" />
+								<mkdir dir="${tempdir}/client-registration#v0.11" />
+								<mkdir dir="${tempdir}/oauth2" />
+								<mkdir dir="${tempdir}/secured-websocket" />
+								<mkdir dir="${tempdir}/shindig" />
+
+								<unzip dest="${tempdir}/api-application-registration">
+									<fileset dir="${srcdir}">
+										<include name="api-application-registration.war" />
+									</fileset>
+								</unzip>
+								<unzip dest="${tempdir}/api#certificate-mgt#v1.0">
+									<fileset dir="${srcdir}">
+										<include name="api#certificate-mgt#v1.0.war" />
+									</fileset>
+								</unzip>
+								<unzip dest="${tempdir}/api#identity#entitlement">
+									<fileset dir="${srcdir}">
+										<include name="api#identity#entitlement.war" />
+									</fileset>
+								</unzip>
+								<unzip dest="${tempdir}/api#scep-mgt#v1.0">
+									<fileset dir="${srcdir}">
+										<include name="api#scep-mgt#v1.0.war" />
+									</fileset>
+								</unzip>
+								<unzip dest="${tempdir}/authenticationendpoint">
+									<fileset dir="${srcdir}">
+										<include name="authenticationendpoint.war" />
+									</fileset>
+								</unzip>
+								<unzip dest="${tempdir}/client-registration#v0.11">
+									<fileset dir="${srcdir}">
+										<include name="client-registration#v0.11.war" />
+									</fileset>
+								</unzip>
+								<unzip dest="${tempdir}/oauth2">
+									<fileset dir="${srcdir}">
+										<include name="oauth2.war" />
+									</fileset>
+								</unzip>
+								<unzip dest="${tempdir}/secured-websocket">
+									<fileset dir="${srcdir}">
+										<include name="secured-websocket.war" />
+									</fileset>
+								</unzip>
+								<unzip dest="${tempdir}/shindig">
+									<fileset dir="${srcdir}">
+										<include name="shindig.war" />
+									</fileset>
+								</unzip>
+
+								<delete file="${tempdir}/api-application-registration/WEB-INF/web.xml" />
+								<delete file="${tempdir}/api#certificate-mgt#v1.0/WEB-INF/web.xml" />
+								<delete file="${tempdir}/api#identity#entitlement/WEB-INF/web.xml" />
+								<delete file="${tempdir}/api#scep-mgt#v1.0/WEB-INF/web.xml" />
+								<delete file="${tempdir}/authenticationendpoint/WEB-INF/web.xml" />
+								<delete file="${tempdir}/client-registration#v0.11/WEB-INF/web.xml" />
+								<delete file="${tempdir}/oauth2/WEB-INF/web.xml" />
+								<delete file="${tempdir}/secured-websocket/WEB-INF/web.xml" />
+								<delete file="${tempdir}/shindig/WEB-INF/web.xml" />
+
+								<copy file="src/repository/resources/web-apps/web-xml/api-application-registration/web.xml"
+									  tofile="${tempdir}/api-application-registration/WEB-INF/web.xml"/>
+								<copy file="src/repository/resources/web-apps/web-xml/api#certificate-mgt#v1.0/web.xml"
+									  tofile="${tempdir}/api#certificate-mgt#v1.0/WEB-INF/web.xml"/>
+								<copy file="src/repository/resources/web-apps/web-xml/api#identity#entitlement/web.xml"
+									  tofile="${tempdir}/api#identity#entitlement/WEB-INF/web.xml"/>
+								<copy file="src/repository/resources/web-apps/web-xml/api#scep-mgt#v1.0/web.xml"
+									  tofile="${tempdir}/api#scep-mgt#v1.0/WEB-INF/web.xml"/>
+								<copy file="src/repository/resources/web-apps/web-xml/authenticationendpoint/web.xml"
+									  tofile="${tempdir}/authenticationendpoint/WEB-INF/web.xml"/>
+								<copy file="src/repository/resources/web-apps/web-xml/client-registration#v0.11/web.xml"
+									  tofile="${tempdir}/client-registration#v0.11/WEB-INF/web.xml"/>
+								<copy file="src/repository/resources/web-apps/web-xml/oauth2/web.xml"
+									  tofile="${tempdir}/oauth2/WEB-INF/web.xml"/>
+								<copy file="src/repository/resources/web-apps/web-xml/secured-websocket/web.xml"
+									  tofile="${tempdir}/secured-websocket/WEB-INF/web.xml"/>
+								<copy file="src/repository/resources/web-apps/web-xml/shindig/web.xml"
+									  tofile="${tempdir}/shindig/WEB-INF/web.xml"/>
+
+								<zip destfile="${tempdir}/api-application-registration.war" basedir="${tempdir}/api-application-registration"/>
+								<zip destfile="${tempdir}/api#certificate-mgt#v1.0.war" basedir="${tempdir}/api#certificate-mgt#v1.0"/>
+								<zip destfile="${tempdir}/api#identity#entitlement.war" basedir="${tempdir}/api#identity#entitlement"/>
+								<zip destfile="${tempdir}/api#scep-mgt#v1.0.war" basedir="${tempdir}/api#scep-mgt#v1.0"/>
+								<zip destfile="${tempdir}/authenticationendpoint.war" basedir="${tempdir}/authenticationendpoint"/>
+								<zip destfile="${tempdir}/client-registration#v0.11.war" basedir="${tempdir}/client-registration#v0.11"/>
+								<zip destfile="${tempdir}/oauth2.war" basedir="${tempdir}/oauth2"/>
+								<zip destfile="${tempdir}/secured-websocket.war" basedir="${tempdir}/secured-websocket"/>
+								<zip destfile="${tempdir}/shindig.war" basedir="${tempdir}/shindig"/>
+
+							</tasks>
+						</configuration>
+					</execution>
+
 				</executions>
 			</plugin>
 
diff --git a/modules/core/distribution/src/assembly/bin.xml b/modules/core/distribution/src/assembly/bin.xml
index 989a06b8..2b382f33 100644
--- a/modules/core/distribution/src/assembly/bin.xml
+++ b/modules/core/distribution/src/assembly/bin.xml
@@ -1348,75 +1348,68 @@
             <fileMode>755</fileMode>
         </file>
 
-<!--        <file>
-            <source>src/repository/resources/web-apps/api-application-registration.war</source>
-            <outputDirectory>
-                ${pom.artifactId}-${pom.version}/repository/deployment/server/webapps
-            </outputDirectory>
-            <fileMode>755</fileMode>
-        </file>
         <file>
-            <source>src/repository/resources/web-apps/api#device-mgt#v1.0.war</source>
+            <source>target/webapp-temp/api-application-registration.war</source>
             <outputDirectory>
                 ${pom.artifactId}-${pom.version}/repository/deployment/server/webapps
             </outputDirectory>
             <fileMode>755</fileMode>
         </file>
         <file>
-            <source>src/repository/resources/web-apps/api#scep-mgt#v1.0.war</source>
+            <source>target/webapp-temp/api#scep-mgt#v1.0.war</source>
             <outputDirectory>
                 ${pom.artifactId}-${pom.version}/repository/deployment/server/webapps
             </outputDirectory>
             <fileMode>755</fileMode>
         </file>
         <file>
-            <source>src/repository/resources/web-apps/client-registration#v0.11.war</source>
+            <source>target/webapp-temp/client-registration#v0.11.war</source>
             <outputDirectory>
                 ${pom.artifactId}-${pom.version}/repository/deployment/server/webapps
             </outputDirectory>
             <fileMode>755</fileMode>
         </file>
         <file>
-            <source>src/repository/resources/web-apps/secured-websocket.war</source>
+            <source>target/webapp-temp/secured-websocket.war</source>
             <outputDirectory>
                 ${pom.artifactId}-${pom.version}/repository/deployment/server/webapps
             </outputDirectory>
             <fileMode>755</fileMode>
         </file>
         <file>
-            <source>src/repository/resources/web-apps/api#certificate-mgt#v1.0.war</source>
+            <source>target/webapp-temp/api#certificate-mgt#v1.0.war</source>
             <outputDirectory>
                 ${pom.artifactId}-${pom.version}/repository/deployment/server/webapps
             </outputDirectory>
             <fileMode>755</fileMode>
         </file>
         <file>
-            <source>src/repository/resources/web-apps/api#identity#entitlement.war</source>
+            <source>target/webapp-temp/api#identity#entitlement.war</source>
             <outputDirectory>
                 ${pom.artifactId}-${pom.version}/repository/deployment/server/webapps
             </outputDirectory>
             <fileMode>755</fileMode>
         </file>
         <file>
-            <source>src/repository/resources/web-apps/authenticationendpoint.war</source>
+            <source>target/webapp-temp/authenticationendpoint.war</source>
             <outputDirectory>
                 ${pom.artifactId}-${pom.version}/repository/deployment/server/webapps
             </outputDirectory>
             <fileMode>755</fileMode>
         </file>
         <file>
-            <source>src/repository/resources/web-apps/oauth2.war</source>
+            <source>target/webapp-temp/oauth2.war</source>
             <outputDirectory>
                 ${pom.artifactId}-${pom.version}/repository/deployment/server/webapps
             </outputDirectory>
             <fileMode>755</fileMode>
         </file>
         <file>
-            <source>src/repository/resources/web-apps/shindig.war</source>
+            <source>target/webapp-temp/shindig.war</source>
             <outputDirectory>
                 ${pom.artifactId}-${pom.version}/repository/deployment/server/webapps
             </outputDirectory>
             <fileMode>755</fileMode>
-        </file>-->
+        </file>
     </files>
 </assembly>
diff --git a/modules/core/distribution/src/repository/resources/web-apps/web-xml/api#certificate-mgt#v1.0/web.xml b/modules/core/distribution/src/repository/resources/web-apps/web-xml/api#certificate-mgt#v1.0/web.xml
new file mode 100644
index 00000000..7a8a130a
--- /dev/null
+++ b/modules/core/distribution/src/repository/resources/web-apps/web-xml/api#certificate-mgt#v1.0/web.xml
@@ -0,0 +1,118 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+  ~
+  ~ WSO2 Inc. licenses this file to you under the Apache License,
+  ~ Version 2.0 (the "License"); you may not use this file except
+  ~ in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~ http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing,
+  ~ software distributed under the License is distributed on an
+  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  ~ KIND, either express or implied. See the License for the
+  ~ specific language governing permissions and limitations
+  ~ under the License.
+  -->
+<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">
+    <display-name>Certificate-Webapp</display-name>
+    <servlet>
+        <description>JAX-WS/JAX-RS Certificate Management Endpoint</description>
+        <display-name>JAX-WS/JAX-RS Servlet</display-name>
+        <servlet-name>CXFServlet</servlet-name>
+        <servlet-class>
+            org.apache.cxf.transport.servlet.CXFServlet
+        </servlet-class>
+        <init-param>
+            <param-name>swagger.security.filter</param-name>
+            <param-value>ApiAuthorizationFilterImpl</param-value>
+        </init-param>
+        <load-on-startup>1</load-on-startup>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>CXFServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+    <session-config>
+        <session-timeout>60</session-timeout>
+    </session-config>
+
+    <context-param>
+        <param-name>isAdminService</param-name>
+        <param-value>false</param-value>
+    </context-param>
+    <context-param>
+        <param-name>doAuthentication</param-name>
+        <param-value>true</param-value>
+    </context-param>
+
+    <!--publish to apim-->
+    <context-param>
+        <param-name>managed-api-enabled</param-name>
+        <param-value>true</param-value>
+    </context-param>
+    <context-param>
+        <param-name>managed-api-owner</param-name>
+        <param-value>admin</param-value>
+    </context-param>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>CertificateMgt-Admin</web-resource-name>
+            <url-pattern>/*</url-pattern>
+        </web-resource-collection>
+        <user-data-constraint>
+            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+        </user-data-constraint>
+    </security-constraint>
+
+    <filter>
+        <filter-name>ApiOriginFilter</filter-name>
+        <filter-class>org.wso2.carbon.certificate.mgt.cert.jaxrs.api.util.ApiOriginFilter</filter-class>
+    </filter>
+
+    <filter>
+        <filter-name>HttpHeaderSecurityFilter</filter-name>
+        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+        <init-param>
+            <param-name>hstsEnabled</param-name>
+            <param-value>false</param-value>
+        </init-param>
+    </filter>
+
+    <filter>
+        <filter-name>ContentTypeBasedCachePreventionFilter</filter-name>
+        <filter-class>org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter</filter-class>
+        <init-param>
+            <param-name>patterns</param-name>
+            <param-value>"text/html*","application/json*","text/plain*"</param-value>
+        </init-param>
+        <init-param>
+            <param-name>filterAction</param-name>
+            <param-value>enforce</param-value>
+        </init-param>
+        <init-param>
+            <param-name>httpHeaders</param-name>
+            <param-value>Cache-Control: no-store, no-cache, must-revalidate, private</param-value>
+        </init-param>
+    </filter>
+
+    <filter-mapping>
+        <filter-name>HttpHeaderSecurityFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+    <filter-mapping>
+        <filter-name>ContentTypeBasedCachePreventionFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+    <filter-mapping>
+        <filter-name>ApiOriginFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+
+</web-app>
diff --git a/modules/core/distribution/src/repository/resources/web-apps/web-xml/api#identity#entitlement/web.xml b/modules/core/distribution/src/repository/resources/web-apps/web-xml/api#identity#entitlement/web.xml
new file mode 100644
index 00000000..86c22b52
--- /dev/null
+++ b/modules/core/distribution/src/repository/resources/web-apps/web-xml/api#identity#entitlement/web.xml
@@ -0,0 +1,127 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ ~ Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ ~
+ ~ WSO2 Inc. licenses this file to you under the Apache License,
+ ~ Version 2.0 (the "License"); you may not use this file except
+ ~ in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~      http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+
+<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
+         http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
+
+    <display-name>Entitlement-Service-Provider</display-name>
+
+    <!-- SWAGGER FILTER -->
+    <filter>
+        <filter-name>ApiOriginFilter</filter-name>
+        <filter-class>org.wso2.carbon.identity.entitlement.endpoint.filter.ApiOriginFilter</filter-class>
+    </filter>
+
+    <filter>
+        <filter-name>HttpHeaderSecurityFilter</filter-name>
+        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+        <init-param>
+            <param-name>hstsEnabled</param-name>
+            <param-value>false</param-value>
+        </init-param>
+    </filter>
+
+    <filter>
+        <filter-name>ContentTypeBasedCachePreventionFilter</filter-name>
+        <filter-class>org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter</filter-class>
+        <init-param>
+            <param-name>patterns</param-name>
+            <param-value>"text/html*","application/json*","text/plain*"</param-value>
+        </init-param>
+        <init-param>
+            <param-name>filterAction</param-name>
+            <param-value>enforce</param-value>
+        </init-param>
+        <init-param>
+            <param-name>httpHeaders</param-name>
+            <param-value>Cache-Control: no-store, no-cache, must-revalidate, private</param-value>
+        </init-param>
+    </filter>
+
+    <filter-mapping>
+        <filter-name>HttpHeaderSecurityFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+    <filter-mapping>
+        <filter-name>ContentTypeBasedCachePreventionFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+    <filter-mapping>
+        <filter-name>ApiOriginFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+    <servlet>
+        <servlet-name>EntitlementServlet</servlet-name>
+        <display-name>EntitlementServlet</display-name>
+        <description>Entitlement Endpoints</description>
+        <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
+        <load-on-startup>1</load-on-startup>
+
+        <!-- set the base path for the swagger application -->
+        <init-param>
+            <param-name>swagger.api.basepath</param-name>
+            <param-value>https://localhost:9443/entitlement</param-value>
+        </init-param>
+    </servlet>
+
+    <servlet-mapping>
+        <servlet-name>EntitlementServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <session-config>
+        <session-timeout>60</session-timeout>
+        <cookie-config>
+            <secure>true</secure>
+        </cookie-config>
+    </session-config>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>secured services</web-resource-name>
+            <url-pattern>/decision/*</url-pattern>
+        </web-resource-collection>
+        <!--we take default name for everyone role.If it is changed in user-mgt.xml,this needs to be changed as well.-->
+        <!--<auth-constraint>
+            <role-name>Internal/everyone</role-name>
+        </auth-constraint>-->
+        <user-data-constraint>
+            <!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->
+            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+        </user-data-constraint>
+    </security-constraint>
+
+    <listener>
+        <listener-class>org.wso2.carbon.identity.entitlement.endpoint.impl.ApplicationInitializer</listener-class>
+    </listener>
+
+    <!--login-config>
+        <auth-method>BASIC</auth-method>
+    </login-config>
+    <context-param>
+        <param-name>carbon.enable.saas</param-name>
+        <param-value>*</param-value>
+    </context-param-->
+
+</web-app>
+
diff --git a/modules/core/distribution/src/repository/resources/web-apps/web-xml/api#scep-mgt#v1.0/web.xml b/modules/core/distribution/src/repository/resources/web-apps/web-xml/api#scep-mgt#v1.0/web.xml
new file mode 100644
index 00000000..36b8b98e
--- /dev/null
+++ b/modules/core/distribution/src/repository/resources/web-apps/web-xml/api#scep-mgt#v1.0/web.xml
@@ -0,0 +1,92 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+  ~
+  ~ WSO2 Inc. licenses this file to you under the Apache License,
+  ~ Version 2.0 (the "License"); you may not use this file except
+  ~ in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~ http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing,
+  ~ software distributed under the License is distributed on an
+  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  ~ KIND, either express or implied. See the License for the
+  ~ specific language governing permissions and limitations
+  ~ under the License.
+  -->
+<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">
+    <display-name>Certificate-Webapp</display-name>
+    <servlet>
+        <description>JAX-WS/JAX-RS Certificate Management Endpoint</description>
+        <display-name>JAX-WS/JAX-RS Servlet</display-name>
+        <servlet-name>CXFServlet</servlet-name>
+        <servlet-class>
+            org.apache.cxf.transport.servlet.CXFServlet
+        </servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>CXFServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+    <session-config>
+        <session-timeout>60</session-timeout>
+    </session-config>
+
+    <context-param>
+        <param-name>isAdminService</param-name>
+        <param-value>false</param-value>
+    </context-param>
+    <context-param>
+        <param-name>doAuthentication</param-name>
+        <param-value>true</param-value>
+    </context-param>
+
+    <!--publish to apim-->
+    <context-param>
+        <param-name>managed-api-enabled</param-name>
+        <param-value>true</param-value>
+    </context-param>
+    <context-param>
+        <param-name>managed-api-owner</param-name>
+        <param-value>admin</param-value>
+    </context-param>
+
+    <filter>
+        <filter-name>HttpHeaderSecurityFilter</filter-name>
+        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+        <init-param>
+            <param-name>hstsEnabled</param-name>
+            <param-value>false</param-value>
+        </init-param>
+    </filter>
+
+    <filter>
+        <filter-name>ContentTypeBasedCachePreventionFilter</filter-name>
+        <filter-class>org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter</filter-class>
+        <init-param>
+            <param-name>patterns</param-name>
+            <param-value>"text/html*","application/json*","text/plain*"</param-value>
+        </init-param>
+        <init-param>
+            <param-name>filterAction</param-name>
+            <param-value>enforce</param-value>
+        </init-param>
+        <init-param>
+            <param-name>httpHeaders</param-name>
+            <param-value>Cache-Control: no-store, no-cache, must-revalidate, private</param-value>
+        </init-param>
+    </filter>
+
+    <filter-mapping>
+        <filter-name>HttpHeaderSecurityFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+    <filter-mapping>
+        <filter-name>ContentTypeBasedCachePreventionFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+</web-app>
diff --git a/modules/core/distribution/src/repository/resources/web-apps/web-xml/api-application-registration/web.xml b/modules/core/distribution/src/repository/resources/web-apps/web-xml/api-application-registration/web.xml
new file mode 100644
index 00000000..c4a51a4a
--- /dev/null
+++ b/modules/core/distribution/src/repository/resources/web-apps/web-xml/api-application-registration/web.xml
@@ -0,0 +1,103 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  ~ Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+  ~
+  ~ WSO2 Inc. licenses this file to you under the Apache License,
+  ~ Version 2.0 (the "License"); you may not use this file except
+  ~ in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~ http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing,
+  ~ software distributed under the License is distributed on an
+  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  ~ KIND, either express or implied. See the License for the
+  ~ specific language governing permissions and limitations
+  ~ under the License.
+  -->
+
+<web-app version="2.5"
+         xmlns="http://java.sun.com/xml/ns/javaee"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
+         metadata-complete="true">
+    <display-name>WSO2 IoT Server</display-name>
+    <description>WSO2 IoT Server</description>
+
+    <servlet>
+        <servlet-name>CXFServlet</servlet-name>
+        <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
+        <load-on-startup>1</load-on-startup>
+    </servlet>
+
+    <servlet-mapping>
+        <servlet-name>CXFServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+    <context-param>
+        <param-name>isAdminService</param-name>
+        <param-value>false</param-value>
+    </context-param>
+    <context-param>
+        <param-name>doAuthentication</param-name>
+        <param-value>true</param-value>
+    </context-param>
+
+    <!--publish to apim-->
+    <context-param>
+        <param-name>managed-api-enabled</param-name>
+        <param-value>true</param-value>
+    </context-param>
+    <context-param>
+        <param-name>managed-api-owner</param-name>
+        <param-value>admin</param-value>
+    </context-param>
+
+    <filter>
+        <filter-name>ApiPermissionFilter</filter-name>
+        <filter-class>org.wso2.carbon.apimgt.application.extension.api.filter.ApiPermissionFilter</filter-class>
+    </filter>
+
+    <filter>
+        <filter-name>HttpHeaderSecurityFilter</filter-name>
+        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+        <init-param>
+            <param-name>hstsEnabled</param-name>
+            <param-value>false</param-value>
+        </init-param>
+    </filter>
+
+    <filter>
+        <filter-name>ContentTypeBasedCachePreventionFilter</filter-name>
+        <filter-class>org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter</filter-class>
+        <init-param>
+            <param-name>patterns</param-name>
+            <param-value>"text/html*","application/json*","text/plain*"</param-value>
+        </init-param>
+        <init-param>
+            <param-name>filterAction</param-name>
+            <param-value>enforce</param-value>
+        </init-param>
+        <init-param>
+            <param-name>httpHeaders</param-name>
+            <param-value>Cache-Control: no-store, no-cache, must-revalidate, private</param-value>
+        </init-param>
+    </filter>
+
+    <filter-mapping>
+        <filter-name>HttpHeaderSecurityFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+    <filter-mapping>
+        <filter-name>ContentTypeBasedCachePreventionFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+    <filter-mapping>
+        <filter-name>ApiPermissionFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+</web-app>
diff --git a/modules/core/distribution/src/repository/resources/web-apps/web-xml/authenticationendpoint/web.xml b/modules/core/distribution/src/repository/resources/web-apps/web-xml/authenticationendpoint/web.xml
new file mode 100644
index 00000000..466e8313
--- /dev/null
+++ b/modules/core/distribution/src/repository/resources/web-apps/web-xml/authenticationendpoint/web.xml
@@ -0,0 +1,280 @@
+<?xml version="1.0" encoding="UTF-8"?><!--
+  ~ Copyright (c) 2014, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+  ~
+  ~ WSO2 Inc. licenses this file to you under the Apache License,
+  ~ Version 2.0 (the "License"); you may not use this file except
+  ~ in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~ http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing,
+  ~ software distributed under the License is distributed on an
+  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  ~ KIND, either express or implied.  See the License for the
+  ~ specific language governing permissions and limitations
+  ~ under the License.
+  -->
+
+<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
+        "http://java.sun.com/dtd/web-app_2_3.dtd" >
+
+<web-app>
+    <!--  Custom Page configurations -->
+    <!-- *************** Application specific configurations ********************** -->
+    <!--context-param>
+        <param-name>ServiceProviderApp-/samlsso_login.do</param-name>
+        <param-value>http://localhost:8080/customauthenticationendpoint/login.do</param-value>
+    </context-param-->
+    <!--context-param>
+        <param-name>ServiceProviderApp-/oauth2_authz.do</param-name>
+        <param-value>http://localhost:8080/authenticationendpoint/oauth2_authz.do</param-value>
+    </context-param-->
+    <!--context-param>
+        <param-name>ServiceProviderApp-/oauth2_error.do</param-name>
+        <param-value>http://localhost:8080/authenticationendpoint/oauth2_error.do</param-value>
+    </context-param-->
+    <!--context-param>
+        <param-name>ServiceProviderApp-/oauth2_consent.do</param-name>
+        <param-value>http://localhost:8080/authenticationendpoint/oauth2_consent.do</param-value>
+    </context-param-->
+    <!-- **************** End of Application specific configurations ************************* -->
+
+    <!-- *************** Global configurations ********************** -->
+    <!--context-param>
+        <param-name>/retry.do</param-name>
+        <param-value>http://localhost:8080/customauthenticationendpoint/retry.do?type=retry.do</param-value>
+    </context-param-->
+    <!-- *************** End of Global configurations ********************** -->
+
+    <!-- *************** Account Recovery Endpoint Context URL Configuration ********************** -->
+    <!--context-param>
+       <param-name>IdentityManagementEndpointContextURL</param-name>
+       <param-value>https://localhost:9443/accountrecoveryendpoint</param-value>
+   </context-param-->
+    <context-param>
+       <param-name>AccountRecoveryRESTEndpointURL</param-name>
+       <param-value>https://localhost:9443/t/tenant-domain/api/identity/user/v0.9/</param-value>
+   </context-param>
+    <!-- *************** End of Account Recovery Endpoint Context URL Configuration ********************** -->
+
+    <!--Display scopes in the consent page.-->
+    <context-param>
+        <param-name>displayScopes</param-name>
+        <param-value>true</param-value>
+    </context-param>
+
+    <filter>
+        <filter-name>HttpHeaderSecurityFilter</filter-name>
+        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+        <init-param>
+            <param-name>hstsEnabled</param-name>
+            <param-value>false</param-value>
+        </init-param>
+    </filter>
+
+    <filter-mapping>
+        <filter-name>HttpHeaderSecurityFilter</filter-name>
+        <url-pattern>*</url-pattern>
+    </filter-mapping>
+
+    <filter>
+        <filter-name>AuthenticationEndpointFilter</filter-name>
+        <filter-class>
+            org.wso2.carbon.identity.application.authentication.endpoint.util.filter.AuthenticationEndpointFilter
+        </filter-class>
+    </filter>
+
+    <filter-mapping>
+        <filter-name>AuthenticationEndpointFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+    <listener>
+        <listener-class>
+            org.wso2.carbon.identity.application.authentication.endpoint.util.listener.AuthenticationEndpointContextListener
+        </listener-class>
+    </listener>
+
+    <servlet>
+        <servlet-name>retry.do</servlet-name>
+        <jsp-file>/retry.jsp</jsp-file>
+    </servlet>
+
+    <servlet>
+        <servlet-name>claims.do</servlet-name>
+        <jsp-file>/requested-claims.jsp</jsp-file>
+    </servlet>
+
+    <servlet>
+        <servlet-name>oauth2_login.do</servlet-name>
+        <jsp-file>/login.jsp</jsp-file>
+    </servlet>
+
+    <servlet>
+        <servlet-name>oauth2_authz.do</servlet-name>
+        <jsp-file>/oauth2_authz.jsp</jsp-file>
+    </servlet>
+
+    <servlet>
+        <servlet-name>oauth2_consent.do</servlet-name>
+        <jsp-file>/oauth2_consent.jsp</jsp-file>
+    </servlet>
+
+    <servlet>
+        <servlet-name>oauth2_logout_consent.do</servlet-name>
+        <jsp-file>/oauth2_logout_consent.jsp</jsp-file>
+    </servlet>
+
+    <servlet>
+        <servlet-name>oauth2_logout.do</servlet-name>
+        <jsp-file>/logout.jsp</jsp-file>
+    </servlet>
+
+    <servlet>
+        <servlet-name>oauth2_error.do</servlet-name>
+        <jsp-file>/oauth2_error.jsp</jsp-file>
+    </servlet>
+
+    <servlet>
+        <servlet-name>samlsso_login.do</servlet-name>
+        <jsp-file>/login.jsp</jsp-file>
+    </servlet>
+
+    <servlet>
+        <servlet-name>samlsso_logout.do</servlet-name>
+        <jsp-file>/logout.jsp</jsp-file>
+    </servlet>
+
+    <servlet>
+        <servlet-name>samlsso_redirect.do</servlet-name>
+        <jsp-file>/login.jsp</jsp-file>
+    </servlet>
+
+    <servlet>
+        <servlet-name>samlsso_notification.do</servlet-name>
+        <jsp-file>/samlsso_notification.jsp</jsp-file>
+    </servlet>
+
+    <servlet>
+        <servlet-name>openid_login.do</servlet-name>
+        <jsp-file>/login.jsp</jsp-file>
+    </servlet>
+
+    <servlet>
+        <servlet-name>openid_profile.do</servlet-name>
+        <jsp-file>/openid_profile.jsp</jsp-file>
+    </servlet>
+
+    <servlet>
+        <servlet-name>passivests_login.do</servlet-name>
+        <jsp-file>/login.jsp</jsp-file>
+    </servlet>
+
+    <servlet>
+        <servlet-name>tenantlistrefresher.do</servlet-name>
+        <jsp-file>/tenant_refresh_endpoint.jsp</jsp-file>
+    </servlet>
+
+    <servlet>
+        <servlet-name>registration.do</servlet-name>
+        <jsp-file>/registration.jsp</jsp-file>
+    </servlet>
+
+    <servlet-mapping>
+        <servlet-name>retry.do</servlet-name>
+        <url-pattern>/retry.do</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>oauth2_login.do</servlet-name>
+        <url-pattern>/oauth2_login.do</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>oauth2_authz.do</servlet-name>
+        <url-pattern>/oauth2_authz.do</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>oauth2_consent.do</servlet-name>
+        <url-pattern>/oauth2_consent.do</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>oauth2_logout_consent.do</servlet-name>
+        <url-pattern>/oauth2_logout_consent.do</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>oauth2_logout.do</servlet-name>
+        <url-pattern>/oauth2_logout.do</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>oauth2_error.do</servlet-name>
+        <url-pattern>/oauth2_error.do</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>samlsso_login.do</servlet-name>
+        <url-pattern>/samlsso_login.do</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>samlsso_logout.do</servlet-name>
+        <url-pattern>/samlsso_logout.do</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>samlsso_redirect.do</servlet-name>
+        <url-pattern>/samlsso_redirect.do</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>samlsso_notification.do</servlet-name>
+        <url-pattern>/samlsso_notification.do</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>openid_login.do</servlet-name>
+        <url-pattern>/openid_login.do</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>openid_profile.do</servlet-name>
+        <url-pattern>/openid_profile.do</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>passivests_login.do</servlet-name>
+        <url-pattern>/passivests_login.do</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>tenantlistrefresher.do</servlet-name>
+        <url-pattern>/tenantlistrefresher.do</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>registration.do</servlet-name>
+        <url-pattern>/registration.do</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>claims.do</servlet-name>
+        <url-pattern>/claims.do</url-pattern>
+    </servlet-mapping>
+
+    <error-page>
+        <exception-type>java.lang.Throwable</exception-type>
+        <location>/generic-exception-response.jsp</location>
+    </error-page>
+
+    <session-config>
+        <cookie-config>
+            <secure>true</secure>
+        </cookie-config>
+    </session-config>
+
+</web-app>
diff --git a/modules/core/distribution/src/repository/resources/web-apps/web-xml/client-registration#v0.11/web.xml b/modules/core/distribution/src/repository/resources/web-apps/web-xml/client-registration#v0.11/web.xml
new file mode 100644
index 00000000..0befeb9c
--- /dev/null
+++ b/modules/core/distribution/src/repository/resources/web-apps/web-xml/client-registration#v0.11/web.xml
@@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ /*
+  ~  * Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+  ~  *
+  ~  * WSO2 Inc. licenses this file to you under the Apache License,
+  ~  * Version 2.0 (the "License"); you may not use this file except
+  ~  * in compliance with the License.
+  ~  * You may obtain a copy of the License at
+  ~  *
+  ~  * http://www.apache.org/licenses/LICENSE-2.0
+  ~  *
+  ~  * Unless required by applicable law or agreed to in writing,
+  ~  * software distributed under the License is distributed on an
+  ~  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  ~  * KIND, either express or implied. See the License for the
+  ~  * specific language governing permissions and limitations
+  ~  * under the License.
+  ~  */
+  -->
+<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
+         version="2.4">
+
+<description>JAX-WS/JAX-RS Device Registration Agent Endpoint</description>
+<display-name>JAX-WS/JAX-RS Servlet</display-name>
+<context-param>
+    <param-name>contextConfigLocation</param-name>
+    <param-value>WEB-INF/beans.xml</param-value>
+</context-param>
+<listener>
+    <listener-class>
+        org.springframework.web.context.ContextLoaderListener
+    </listener-class>
+</listener>
+<servlet>
+    <description>JAX-WS/JAX-RS Device Registration Agent Endpoint</description>
+    <display-name>JAX-WS/JAX-RS Servlet</display-name>
+    <servlet-name>CXFServlet</servlet-name>
+    <servlet-class>
+        org.apache.cxf.transport.servlet.CXFServlet
+    </servlet-class>
+    <load-on-startup>1</load-on-startup>
+</servlet>
+<servlet-mapping>
+    <servlet-name>CXFServlet</servlet-name>
+    <url-pattern>/*</url-pattern>
+</servlet-mapping>
+
+    <filter>
+        <filter-name>HttpHeaderSecurityFilter</filter-name>
+        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+        <init-param>
+            <param-name>hstsEnabled</param-name>
+            <param-value>false</param-value>
+        </init-param>
+    </filter>
+
+    <filter>
+        <filter-name>ContentTypeBasedCachePreventionFilter</filter-name>
+        <filter-class>org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter</filter-class>
+        <init-param>
+            <param-name>patterns</param-name>
+            <param-value>"text/html*","application/json*","text/plain*"</param-value>
+        </init-param>
+        <init-param>
+            <param-name>filterAction</param-name>
+            <param-value>enforce</param-value>
+        </init-param>
+        <init-param>
+            <param-name>httpHeaders</param-name>
+            <param-value>Cache-Control: no-store, no-cache, must-revalidate, private</param-value>
+        </init-param>
+    </filter>
+
+    <filter-mapping>
+        <filter-name>HttpHeaderSecurityFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+    <filter-mapping>
+        <filter-name>ContentTypeBasedCachePreventionFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+</web-app>
diff --git a/modules/core/distribution/src/repository/resources/web-apps/web-xml/oauth2/web.xml b/modules/core/distribution/src/repository/resources/web-apps/web-xml/oauth2/web.xml
new file mode 100644
index 00000000..d7d02a3d
--- /dev/null
+++ b/modules/core/distribution/src/repository/resources/web-apps/web-xml/oauth2/web.xml
@@ -0,0 +1,100 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2011 WSO2, Inc. (http://wso2.com)
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~ http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
+         http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
+
+    <display-name>OAuth2 Endpoints</display-name>
+
+    <filter>
+        <filter-name>HttpHeaderSecurityFilter</filter-name>
+        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+        <init-param>
+            <param-name>hstsEnabled</param-name>
+            <param-value>false</param-value>
+        </init-param>
+    </filter>
+
+    <filter>
+        <filter-name>ContentTypeBasedCachePreventionFilter</filter-name>
+        <filter-class>org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter</filter-class>
+        <init-param>
+            <param-name>patterns</param-name>
+            <param-value>"text/html*","application/json*","text/plain*"</param-value>
+        </init-param>
+        <init-param>
+            <param-name>filterAction</param-name>
+            <param-value>enforce</param-value>
+        </init-param>
+        <init-param>
+            <param-name>httpHeaders</param-name>
+            <param-value>Cache-Control: no-store, no-cache, must-revalidate, private</param-value>
+        </init-param>
+    </filter>
+
+    <filter-mapping>
+        <filter-name>HttpHeaderSecurityFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+    <filter-mapping>
+        <filter-name>ContentTypeBasedCachePreventionFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+
+    <servlet>
+        <servlet-name>OAuth2Endpoints</servlet-name>
+        <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
+        <load-on-startup>1</load-on-startup>
+
+        <!-- Application based page loading configs -->
+
+        <!-- *********** Pages for the SampleApp *************** -->
+        <!--init-param> 
+              <description>Login page for the application SampleApp</description> 
+              <param-name>SampleApp-LoginPage</param-name> 
+              <param-value>https://localhost:9443/mypages/sampleapp-login</param-value> 
+        </init-param>
+        <init-param>
+              <description>Error page for the application SampleApp</description>
+              <param-name>SampleApp-ErrorPage</param-name>
+              <param-value>https://localhost:9443/mypages/sampleapp-error</param-value>
+        </init-param>
+        <init-param>
+              <description>Consent page for the application SampleApp</description>
+              <param-name>SampleApp-ConsentPage</param-name>
+              <param-value>https://localhost:9443/mypages/sampleapp-consent</param-value>
+        </init-param-->
+        <!-- ******************* End of SampleApp configs ***************** -->
+
+    </servlet>
+
+    <servlet-mapping>
+        <servlet-name>OAuth2Endpoints</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <session-config>
+        <cookie-config>
+            <secure>true</secure>
+        </cookie-config>
+    </session-config>
+
+</web-app>
diff --git a/modules/core/distribution/src/repository/resources/web-apps/web-xml/secured-websocket/web.xml b/modules/core/distribution/src/repository/resources/web-apps/web-xml/secured-websocket/web.xml
new file mode 100644
index 00000000..4e114231
--- /dev/null
+++ b/modules/core/distribution/src/repository/resources/web-apps/web-xml/secured-websocket/web.xml
@@ -0,0 +1,61 @@
+<!--
+  ~ Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+  ~
+  ~ WSO2 Inc. licenses this file to you under the Apache License,
+  ~ Version 2.0 (the "License"); you may not use this file except
+  ~ in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~ http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing,
+  ~ software distributed under the License is distributed on an
+  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  ~ KIND, either express or implied.  See the License for the
+  ~ specific language governing permissions and limitations
+  ~ under the License.
+  -->
+<!DOCTYPE web-app PUBLIC
+        "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
+        "http://java.sun.com/dtd/web-app_2_3.dtd" >
+
+<web-app>
+    <display-name>Output WebSocket</display-name>
+
+    <filter>
+        <filter-name>HttpHeaderSecurityFilter</filter-name>
+        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+        <init-param>
+            <param-name>hstsEnabled</param-name>
+            <param-value>false</param-value>
+        </init-param>
+    </filter>
+
+    <filter>
+        <filter-name>ContentTypeBasedCachePreventionFilter</filter-name>
+        <filter-class>org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter</filter-class>
+        <init-param>
+            <param-name>patterns</param-name>
+            <param-value>"text/html*","application/json*","text/plain*"</param-value>
+        </init-param>
+        <init-param>
+            <param-name>filterAction</param-name>
+            <param-value>enforce</param-value>
+        </init-param>
+        <init-param>
+            <param-name>httpHeaders</param-name>
+            <param-value>Cache-Control: no-store, no-cache, must-revalidate, private</param-value>
+        </init-param>
+    </filter>
+
+    <filter-mapping>
+        <filter-name>HttpHeaderSecurityFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+    <filter-mapping>
+        <filter-name>ContentTypeBasedCachePreventionFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+</web-app>
diff --git a/modules/core/distribution/src/repository/resources/web-apps/web-xml/shindig/web.xml b/modules/core/distribution/src/repository/resources/web-apps/web-xml/shindig/web.xml
new file mode 100644
index 00000000..ead0c0d4
--- /dev/null
+++ b/modules/core/distribution/src/repository/resources/web-apps/web-xml/shindig/web.xml
@@ -0,0 +1,423 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ ~ Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ ~
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~      http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+-->
+<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xmlns="http://java.sun.com/xml/ns/javaee"
+         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
+         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
+         id="Shindig"
+         version="2.5">
+    <display-name>Shindig</display-name>
+    <!-- configuration -->
+    <!-- If you have your own Guice module(s), put them here as a colon-separated list. -->
+    <!-- Note that any extras modules are optional -->
+    <context-param>
+        <param-name>guice-modules</param-name>
+        <param-value>
+            org.apache.shindig.common.PropertiesModule:
+            org.apache.shindig.gadgets.DefaultGuiceModule:
+            org.apache.shindig.social.core.config.SocialApiGuiceModule:
+            org.apache.shindig.social.sample.SampleModule:
+            org.apache.shindig.gadgets.oauth.OAuthModule:
+            org.apache.shindig.gadgets.oauth2.OAuth2Module:
+            org.apache.shindig.gadgets.oauth2.OAuth2MessageModule:
+            org.apache.shindig.gadgets.oauth2.handler.OAuth2HandlerModule:
+            org.apache.shindig.gadgets.oauth2.persistence.sample.OAuth2PersistenceModule:
+            org.apache.shindig.common.cache.ehcache.EhCacheModule:
+            org.apache.shindig.sample.shiro.ShiroGuiceModule:
+            org.apache.shindig.sample.container.SampleContainerGuiceModule:
+            org.apache.shindig.extras.ShindigExtrasGuiceModule:
+            org.apache.shindig.gadgets.admin.GadgetAdminModule:
+            org.wso2.carbon.dashboard.shindig.features.WSO2ShindigFeaturesModule
+        </param-value>
+    </context-param>
+
+    <!--
+    Syntax: <key>=<value> separated by a newline
+
+    system.properties specifies the environmental variables that will be set to the JVM System Properties at server startup time.
+    Alternatively, you may add these values in your app server (ex: Tomcat) as
+    VM arguments like this: -Dshindig.host="my.production.shindig.server.com".
+
+    Here are a few properties that can be set for Shindig:
+    shindig.host: the server name that Shindig is deployed and running on
+    shindig.port: the port number of shindig.host server
+
+    Make sure you escape all HTML values for the web.xml to be parsed correctly.
+    -->
+    <context-param>
+        <param-name>system.properties</param-name>
+        <param-value>
+            <![CDATA[
+        shindig.host=
+        shindig.port=
+        aKey=/shindig/gadgets/proxy?container=default&url=
+     ]]>
+        </param-value>
+    </context-param>
+
+    <filter>
+        <filter-name>HttpHeaderSecurityFilter</filter-name>
+        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+        <init-param>
+            <param-name>hstsEnabled</param-name>
+            <param-value>false</param-value>
+        </init-param>
+        <init-param>
+            <param-name>antiClickJackingOption</param-name>
+            <param-value>SAMEORIGIN</param-value>
+        </init-param>
+    </filter>
+
+
+    <filter>
+        <filter-name>ContentTypeBasedCachePreventionFilter</filter-name>
+        <filter-class>org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter</filter-class>
+        <init-param>
+            <param-name>patterns</param-name>
+            <param-value>"text/html*","application/json*","text/plain*"</param-value>
+        </init-param>
+        <init-param>
+            <param-name>filterAction</param-name>
+            <param-value>enforce</param-value>
+        </init-param>
+        <init-param>
+            <param-name>httpHeaders</param-name>
+            <param-value>Cache-Control: no-store, no-cache, must-revalidate, private</param-value>
+        </init-param>
+    </filter>
+
+    <filter-mapping>
+        <filter-name>HttpHeaderSecurityFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+    <filter-mapping>
+        <filter-name>ContentTypeBasedCachePreventionFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+    <filter-mapping>
+        <filter-name>HttpHeaderSecurityFilter</filter-name>
+        <url-pattern>*</url-pattern>
+    </filter-mapping>
+
+    <filter>
+        <filter-name>hostFilter</filter-name>
+        <filter-class>org.apache.shindig.common.servlet.HostFilter</filter-class>
+    </filter>
+    <filter-mapping>
+        <filter-name>hostFilter</filter-name>
+        <url-pattern>/gadgets/ifr</url-pattern>
+        <url-pattern>/gadgets/js/*</url-pattern>
+        <url-pattern>/gadgets/proxy/*</url-pattern>
+        <url-pattern>/gadgets/concat</url-pattern>
+        <url-pattern>/gadgets/makeRequest</url-pattern>
+        <url-pattern>/rpc/*</url-pattern>
+        <url-pattern>/rest/*</url-pattern>
+    </filter-mapping>
+
+    <filter>
+        <filter-name>ShiroFilter</filter-name>
+        <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
+        <init-param>
+            <param-name>config</param-name>
+            <param-value>
+                <![CDATA[
+                # The ShiroFilter configuration is very powerful and flexible, while still remaining succinct.
+                # Please read the comprehensive example, with full comments and explanations, in the JavaDoc:
+                #
+                # http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html
+                [main]
+                shindigSampleRealm = org.apache.shindig.sample.shiro.SampleShiroRealm
+                securityManager.realm = $shindigSampleRealm
+                authc.loginUrl = /login.jsp
+
+                [urls]
+                # The /login.jsp is not restricted to authenticated users (otherwise no one could log in!), but
+                # the 'authc' filter must still be specified for it so it can process that url's
+                # login submissions. It is 'smart' enough to allow those requests through as specified by the
+                # shiro.loginUrl above.
+                /login.jsp = authc
+
+                /oauth/authorize/** = authc
+                /oauth2/authorize/** = authc
+            ]]>
+            </param-value>
+        </init-param>
+    </filter>
+
+    <filter>
+        <filter-name>authFilter</filter-name>
+        <filter-class>org.apache.shindig.auth.AuthenticationServletFilter</filter-class>
+    </filter>
+
+    <filter>
+        <filter-name>etagFilter</filter-name>
+        <filter-class>org.apache.shindig.gadgets.servlet.ETagFilter</filter-class>
+    </filter>
+
+
+    <filter-mapping>
+        <filter-name>ShiroFilter</filter-name>
+        <url-pattern>/oauth/authorize</url-pattern>
+    </filter-mapping>
+
+    <filter-mapping>
+        <filter-name>ShiroFilter</filter-name>
+        <url-pattern>/oauth2/authorize</url-pattern>
+    </filter-mapping>
+
+    <filter-mapping>
+        <filter-name>ShiroFilter</filter-name>
+        <url-pattern>*.jsp</url-pattern>
+    </filter-mapping>
+
+    <filter-mapping>
+        <filter-name>authFilter</filter-name>
+        <url-pattern>/social/*</url-pattern>
+        <url-pattern>/gadgets/ifr</url-pattern>
+        <url-pattern>/gadgets/makeRequest</url-pattern>
+        <url-pattern>/gadgets/proxy</url-pattern>
+        <url-pattern>/gadgets/api/rpc/*</url-pattern>
+        <url-pattern>/gadgets/api/rest/*</url-pattern>
+        <url-pattern>/rpc/*</url-pattern>
+        <url-pattern>/rest/*</url-pattern>
+    </filter-mapping>
+
+    <filter-mapping>
+        <filter-name>etagFilter</filter-name>
+        <url-pattern>*</url-pattern>
+    </filter-mapping>
+
+    <listener>
+        <listener-class>org.apache.shindig.common.servlet.GuiceServletContextListener</listener-class>
+    </listener>
+
+    <!-- Render a Gadget -->
+    <servlet>
+        <servlet-name>xml-to-html</servlet-name>
+        <servlet-class>
+            org.wso2.carbon.dashboard.shindig.extensions.WSO2GadgetRenderingServlet
+        </servlet-class>
+    </servlet>
+
+    <servlet>
+        <servlet-name>accel</servlet-name>
+        <servlet-class>
+            org.apache.shindig.gadgets.servlet.HtmlAccelServlet
+        </servlet-class>
+    </servlet>
+
+    <!-- Proxy -->
+    <servlet>
+        <servlet-name>proxy</servlet-name>
+        <servlet-class>
+            org.apache.shindig.gadgets.servlet.ProxyServlet
+        </servlet-class>
+    </servlet>
+
+    <!-- makeRequest -->
+    <servlet>
+        <servlet-name>makeRequest</servlet-name>
+        <servlet-class>
+            org.apache.shindig.gadgets.servlet.MakeRequestServlet
+        </servlet-class>
+    </servlet>
+
+    <!-- Concat -->
+    <servlet>
+        <servlet-name>concat</servlet-name>
+        <servlet-class>
+            org.apache.shindig.gadgets.servlet.ConcatProxyServlet
+        </servlet-class>
+    </servlet>
+
+    <!-- OAuth callback -->
+    <servlet>
+        <servlet-name>oauthCallback</servlet-name>
+        <servlet-class>
+            org.apache.shindig.gadgets.servlet.OAuthCallbackServlet
+        </servlet-class>
+    </servlet>
+
+    <!-- OAuth2 callback -->
+    <servlet>
+        <servlet-name>oauth2callback</servlet-name>
+        <servlet-class>
+            org.apache.shindig.gadgets.servlet.OAuth2CallbackServlet
+        </servlet-class>
+    </servlet>
+
+    <!-- Metadata RPC -->
+    <servlet>
+        <servlet-name>metadata</servlet-name>
+        <servlet-class>
+            org.apache.shindig.gadgets.servlet.RpcServlet
+        </servlet-class>
+    </servlet>
+
+    <!-- javascript serving -->
+    <servlet>
+        <servlet-name>js</servlet-name>
+        <servlet-class>org.apache.shindig.gadgets.servlet.JsServlet</servlet-class>
+    </servlet>
+
+    <servlet>
+        <servlet-name>restapiServlet</servlet-name>
+        <servlet-class>
+            org.apache.shindig.protocol.DataServiceServlet
+        </servlet-class>
+        <init-param>
+            <param-name>handlers</param-name>
+            <param-value>org.apache.shindig.handlers</param-value>
+        </init-param>
+    </servlet>
+
+    <!-- Serve social RPC api -->
+    <servlet>
+        <servlet-name>jsonRpcServlet</servlet-name>
+        <servlet-class>
+            org.apache.shindig.protocol.JsonRpcServlet
+        </servlet-class>
+        <init-param>
+            <param-name>handlers</param-name>
+            <param-value>org.apache.shindig.handlers</param-value>
+        </init-param>
+    </servlet>
+
+    <!-- Serve sample OAuth apis -->
+    <servlet>
+        <servlet-name>sampleOAuth</servlet-name>
+        <servlet-class>
+            org.apache.shindig.social.sample.oauth.SampleOAuthServlet
+        </servlet-class>
+    </servlet>
+
+    <!-- Serve OAuth 2 APIs -->
+    <servlet>
+        <servlet-name>OAuth2Servlet</servlet-name>
+        <servlet-class>
+            org.apache.shindig.social.core.oauth2.OAuth2Servlet
+        </servlet-class>
+    </servlet>
+
+    <servlet>
+        <servlet-name>rpcSwf</servlet-name>
+        <servlet-class>
+            org.apache.shindig.gadgets.servlet.RpcSwfServlet
+        </servlet-class>
+    </servlet>
+
+    <servlet-mapping>
+        <servlet-name>js</servlet-name>
+        <url-pattern>/gadgets/js/*</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>proxy</servlet-name>
+        <url-pattern>/gadgets/proxy/*</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>makeRequest</servlet-name>
+        <url-pattern>/gadgets/makeRequest</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>jsonRpcServlet</servlet-name>
+        <url-pattern>/rpc/*</url-pattern>
+        <url-pattern>/gadgets/api/rpc/*</url-pattern>
+        <url-pattern>/social/rpc/*</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>restapiServlet</servlet-name>
+        <url-pattern>/rest/*</url-pattern>
+        <url-pattern>/gadgets/api/rest/*</url-pattern>
+        <url-pattern>/social/rest/*</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>concat</servlet-name>
+        <url-pattern>/gadgets/concat</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>oauthCallback</servlet-name>
+        <url-pattern>/gadgets/oauthcallback</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>oauth2callback</servlet-name>
+        <url-pattern>/gadgets/oauth2callback</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>xml-to-html</servlet-name>
+        <url-pattern>/gadgets/ifr</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>accel</servlet-name>
+        <url-pattern>/gadgets/accel</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>metadata</servlet-name>
+        <url-pattern>/gadgets/metadata</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>sampleOAuth</servlet-name>
+        <url-pattern>/oauth/*</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>OAuth2Servlet</servlet-name>
+        <url-pattern>/oauth2/*</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+        <servlet-name>rpcSwf</servlet-name>
+        <url-pattern>/xpc*</url-pattern>
+    </servlet-mapping>
+
+    <error-page>
+        <error-code>404</error-code>
+        <location>/error-pages/error404.html</location>
+    </error-page>
+
+    <error-page>
+        <error-code>401</error-code>
+        <location>/error-pages/error401.html</location>
+    </error-page>
+
+    <error-page>
+        <error-code>403</error-code>
+        <location>/error-pages/error403.html</location>
+    </error-page>
+
+    <error-page>
+        <error-code>405</error-code>
+        <location>/error-pages/error405.html</location>
+    </error-page>
+
+    <error-page>
+        <error-code>500</error-code>
+        <location>/error-pages/error500.html</location>
+    </error-page>
+</web-app>