public interface SecurityConfiguration

The SecurityConfiguration interface stores all configuration information that directs the behavior of the ESAPI implementation.

Protection of this configuration information is critical to the secure operation of the application using the ESAPI. You should use operating system access controls to limit access to wherever the configuration information is stored.

Please note that adding another layer of encryption does not make the attacker's job much more difficult. Somewhere there must be a master "secret" that is stored unencrypted on the application platform (unless you are willing to prompt for some passphrase when your application starts or insert a USB thumb drive or an HSM card, etc., in which case this master "secret" would only be in memory). Creating another layer of indirection provides additional obfuscation, but doesn't provide any real additional security. It's up to the reference implementation to decide whether this file should be encrypted or not.

The ESAPI reference implementation (DefaultSecurityConfiguration.java) does not encrypt its properties file.
Nested Class Summary
---

| Modifier and Type | Class | Description |
|---|---|---|
| static class | SecurityConfiguration.Threshold | Models a simple threshold as a count and an interval, along with a set of actions to take if the threshold is exceeded. |

Method Summary
---

| Modifier and Type | Method | Description |
|---|---|---|
| java.lang.String | getAccessControlImplementation() | Returns the fully qualified classname of the ESAPI Access Control implementation. |
| java.util.List<java.lang.String> | getAdditionalAllowedCipherModes() | Return a List of strings of additional cipher modes that are permitted (i.e., in addition to those returned by #getPreferredCipherModes()) to be used for encryption and decryption operations. |
| java.util.List<java.lang.String> | getAllowedExecutables() | Gets the allowed executables to run with the Executor. |
| java.util.List<java.lang.String> | getAllowedFileExtensions() | Gets the allowed file extensions for files that are uploaded to this application. |
| int | getAllowedFileUploadSize() | Gets the maximum allowed file upload size. |
| int | getAllowedLoginAttempts() | Gets the number of login attempts allowed before the user's account is locked. |
| boolean | getAllowMixedEncoding() | Return true if mixed encoding is allowed. |
| boolean | getAllowMultipleEncoding() | Return true if multiple encoding is allowed. |
| java.lang.String | getApplicationName() | Gets the application name, used for logging. |
| java.lang.String | getAuthenticationImplementation() | Returns the fully qualified classname of the ESAPI Authentication implementation. |
| java.lang.String | getCharacterEncoding() | Gets the character encoding scheme supported by this application. |
| java.lang.String | getCipherTransformation() | Retrieve the cipher transformation. |
| java.util.List<java.lang.String> | getCombinedCipherModes() | Return a List of strings of combined cipher modes that support both confidentiality and authenticity. |
| java.util.List<java.lang.String> | getDefaultCanonicalizationCodecs() | Returns the List of Codecs to use when canonicalizing data. |
| java.lang.String | getDigitalSignatureAlgorithm() | Gets the digital signature algorithm used by ESAPI to generate and verify signatures. |
| int | getDigitalSignatureKeyLength() | Gets the digital signature key length used by ESAPI to generate and verify signatures. |
| boolean | getDisableIntrusionDetection() | Allows for complete disabling of all intrusion detection mechanisms. |
| java.lang.String | getEncoderImplementation() | Returns the fully qualified classname of the ESAPI Encoder implementation. |
| java.lang.String | getEncryptionAlgorithm() | Gets the encryption algorithm used by ESAPI to protect data. |
| java.lang.String | getEncryptionImplementation() | Returns the fully qualified classname of the ESAPI Encryption implementation. |
| int | getEncryptionKeyLength() | Gets the key length to use in cryptographic operations declared in the ESAPI properties file. |
| java.lang.String | getExecutorImplementation() | Returns the fully qualified classname of the ESAPI OS Execution implementation. |
| java.lang.String | getFixedIV() | If a "fixed" (i.e., static) Initialization Vector (IV) is to be used, this will return the IV value as a hex-encoded string. |
| boolean | getForceHttpOnlyCookies() | Forces new cookies to have HttpOnly flag set. |
| boolean | getForceHttpOnlySession() | Forces new cookies to have HttpOnly flag set. |
| boolean | getForceSecureCookies() | Forces new cookies to have Secure flag set. |
| boolean | getForceSecureSession() | Forces session cookies to have Secure flag set. |
| java.lang.String | getHashAlgorithm() | Gets the hashing algorithm used by ESAPI to hash data. |
| int | getHashIterations() | Gets the hash iterations used by ESAPI to hash data. |
| java.lang.String | getHttpSessionIdName() | This method returns the configured name of the session identifier, likely "JSESSIONID" though this can be overridden. |
| java.lang.String | getHTTPUtilitiesImplementation() | Returns the fully qualified classname of the ESAPI HTTPUtilities implementation. |
| java.lang.String | getIntrusionDetectionImplementation() | Returns the fully qualified classname of the ESAPI Intrusion Detection implementation. |
| java.lang.String | getIVType() | Get a string indicating how to compute an Initialization Vector (IV). |
| java.lang.String | getKDFPseudoRandomFunction() | Retrieve the Pseudo Random Function (PRF) used by the ESAPI Key Derivation Function (KDF). |
| boolean | getLenientDatesAccepted() | Determines whether ESAPI will accept "lenient" dates when attempting to parse dates. |
| boolean | getLogApplicationName() | Returns whether ESAPI should log the application name. |
| boolean | getLogEncodingRequired() | Returns whether HTML entity encoding should be applied to log entries. |
| java.lang.String | getLogFileName() | Get the name of the log file specified in the ESAPI configuration properties file. |
| java.lang.String | getLogImplementation() | Returns the fully qualified classname of the ESAPI Logging implementation. |
| int | getLogLevel() | Returns the current log level. |
| boolean | getLogServerIP() | Returns whether ESAPI should log the server IP. |
| byte[] | getMasterKey() | Gets the master key. |
| byte[] | getMasterSalt() | Gets the master salt that is used to salt stored password hashes and any other location where a salt is needed. |
| int | getMaxHttpHeaderSize() | Returns the maximum allowable HTTP header size. |
| int | getMaxLogFileSize() | Get the maximum size of a single log file from the ESAPI configuration properties file. |
| int | getMaxOldPasswordHashes() | Gets the maximum number of old password hashes that should be retained. |
| java.lang.String | getPasswordParameterName() | Gets the name of the password parameter used during user authentication. |
| java.lang.String | getPreferredJCEProvider() | Retrieve the preferred JCE provider for ESAPI and your application. |
| SecurityConfiguration.Threshold | getQuota(java.lang.String eventName) | Gets the intrusion detection quota for the specified event. |
| java.lang.String | getRandomAlgorithm() | Gets the random number generation algorithm used to generate random numbers where needed. |
| java.lang.String | getRandomizerImplementation() | Returns the fully qualified classname of the ESAPI Randomizer implementation. |
| long | getRememberTokenDuration() | Gets the length of the time to live window for remember me tokens (in milliseconds). |
| java.io.File | getResourceFile(java.lang.String filename) | Gets a file from the resource directory. |
| java.io.InputStream | getResourceStream(java.lang.String filename) | Gets an InputStream to a file in the resource directory. |
| java.lang.String | getResponseContentType() | Gets the content type for responses used when setSafeContentType() is called. |
| int | getSessionAbsoluteTimeoutLength() | Gets the absolute timeout length for sessions (in milliseconds). |
| int | getSessionIdleTimeoutLength() | Gets the idle timeout length for sessions (in milliseconds). |
| java.io.File | getUploadDirectory() | Retrieves the upload directory as specified in the ESAPI.properties file. |
| java.io.File | getUploadTempDirectory() | Retrieves the temp directory to use when uploading files, as specified in ESAPI.properties. |
| java.lang.String | getUsernameParameterName() | Gets the name of the username parameter used during user authentication. |
| java.lang.String | getValidationImplementation() | Returns the fully qualified classname of the ESAPI Validation implementation. |
| java.util.regex.Pattern | getValidationPattern(java.lang.String typeName) | Returns the validation pattern for a particular type. |
| java.io.File | getWorkingDirectory() | Returns the default working directory for executing native processes with Runtime.exec(). |
| boolean | overwritePlainText() | Indicates whether the PlainText objects may be overwritten after they have been encrypted. |
| java.lang.String | setCipherTransformation(java.lang.String cipherXform) | Deprecated. To be replaced by new class in ESAPI 2.1, but here if you need it until then. Details of replacement forthcoming to ESAPI-Dev list. |
| void | setResourceDirectory(java.lang.String dir) | Sets the ESAPI resource directory. |
| boolean | useMACforCipherText() | Determines whether the CipherText should be used with a Message Authentication Code (MAC). |
Method Detail
---

java.lang.String getApplicationName()

java.lang.String getLogImplementation()

java.lang.String getAuthenticationImplementation()

java.lang.String getEncoderImplementation()

java.lang.String getAccessControlImplementation()

java.lang.String getIntrusionDetectionImplementation()

java.lang.String getRandomizerImplementation()

java.lang.String getEncryptionImplementation()

java.lang.String getValidationImplementation()

java.util.regex.Pattern getValidationPattern(java.lang.String typeName)
Parameters: typeName

boolean getLenientDatesAccepted()
Controlled by Validator.AcceptLenientDates, which defaults to false if unset.
See also: DateFormat.setLenient(boolean)

java.lang.String getExecutorImplementation()

java.lang.String getHTTPUtilitiesImplementation()

byte[] getMasterKey()

java.io.File getUploadDirectory()

java.io.File getUploadTempDirectory()

int getEncryptionKeyLength()

byte[] getMasterSalt()

java.util.List<java.lang.String> getAllowedExecutables()

java.util.List<java.lang.String> getAllowedFileExtensions()

int getAllowedFileUploadSize()

java.lang.String getPasswordParameterName()

java.lang.String getUsernameParameterName()

java.lang.String getEncryptionAlgorithm()

java.lang.String getCipherTransformation()
Retrieve the cipher transformation, a String that takes the following form:

    cipher_alg/cipher_mode[bits]/padding_scheme

where cipher_alg is the JCE cipher algorithm (e.g., "DESede"), cipher_mode is the cipher mode (e.g., "CBC", "CFB", "CTR", etc.), and padding_scheme is the cipher padding scheme (e.g., "NONE" for no padding, "PKCS5Padding" for PKCS#5 padding, etc.), and where [bits] is an optional bit size that applies to certain cipher modes such as CFB and OFB. Using modes such as CFB and OFB, block ciphers can encrypt data in units smaller than the cipher's actual block size. When requesting such a mode, you may optionally specify the number of bits to be processed at a time. This generally must be an integral multiple of 8 bits so that it specifies a whole number of octets.

Examples are:

    "AES/ECB/NoPadding"           // Default for ESAPI Java 1.4 (insecure)
    "AES/CBC/PKCS5Padding"        // Default for ESAPI Java 2.0
    "DESede/OFB32/PKCS5Padding"

NOTE: Occasionally, in cryptographic literature, you may also see the key size (in bits) specified after the cipher algorithm in the cipher transformation. Generally, this is done to account for cipher algorithms that have variable key sizes. The Blowfish cipher, for example, supports key sizes from 32 to 448 bits. So for Blowfish, you might see a cipher transformation something like this:

    "Blowfish-192/CFB8/PKCS5Padding"

in the cryptographic literature. It should be noted that the Java Cryptography Extensions (JCE) do not generally support this (at least not the reference JCE implementation, "SunJCE"), and therefore it should be avoided.
@Deprecated java.lang.String setCipherTransformation(java.lang.String cipherXform)
Sets a cipher transformation other than the one configured in the ESAPI.properties file. For instance, you may normally want to use AES/CBC/PKCS5Padding, but have some legacy encryption where you have ciphertext that was encrypted using 3DES.
Parameters: cipherXform - The new cipher transformation. See getCipherTransformation() for format. If null is passed as the parameter, the cipher transformation will be set to the default taken from the property Encryptor.CipherTransformation in the ESAPI.properties file. BEWARE: there is NO sanity checking here (other than the empty string, and then, only if Java assertions are enabled), so if you set this wrong, you will not get any errors until you later try to use it to encrypt or decrypt data.
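Because setCipherTransformation() performs no sanity checking of its own, a caller has to do it before handing the string over. The following class is an added example, not ESAPI code and not part of this Javadoc: it parses the cipher_alg/cipher_mode[bits]/padding_scheme form described under getCipherTransformation(), applies the rule that [bits] is only meaningful for modes such as CFB and OFB and must be a whole number of octets, rejects the "Blowfish-192" key-size form that SunJCE does not support, flags the insecure ECB default from ESAPI 1.4, and finally asks the installed JCE provider whether it can instantiate the transformation, which is the failure that would otherwise surface only at encrypt or decrypt time. The class name CipherTransformationCheck and its method problems() are names chosen for this example, not ESAPI API.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;

/**
 * Added example (not ESAPI code): checks a cipher transformation of the form
 * cipher_alg/cipher_mode[bits]/padding_scheme before it is passed to the deprecated
 * SecurityConfiguration.setCipherTransformation(), which does no checking itself.
 */
public final class CipherTransformationCheck {

    // Group 1: cipher_alg, group 2: cipher_mode, group 3: optional [bits], group 4: padding_scheme.
    // A key size glued to the algorithm ("Blowfish-192/...") deliberately fails to match.
    private static final Pattern FORM =
            Pattern.compile("^([A-Za-z0-9_]+)/([A-Za-z]+)(\\d{0,4})/([A-Za-z0-9]+)$");

    private CipherTransformationCheck() {}

    /** Returns the problems found; an empty list means the transformation looks sane. */
    public static List<String> problems(String xform) {
        List<String> out = new ArrayList<>();
        if (xform == null || xform.isEmpty()) {
            out.add("transformation is null or empty");
            return out;
        }
        Matcher m = FORM.matcher(xform);
        if (!m.matches()) {
            out.add("not of the form cipher_alg/cipher_mode[bits]/padding_scheme "
                    + "(key sizes such as \"Blowfish-192\" are not supported by SunJCE)");
            return out;
        }
        String mode = m.group(2).toUpperCase(Locale.ROOT);
        String bits = m.group(3);

        // [bits] only applies to CFB and OFB, and must specify a whole number of octets.
        if (!bits.isEmpty()) {
            int n = Integer.parseInt(bits);
            if (!mode.equals("CFB") && !mode.equals("OFB")) {
                out.add("bit size " + n + " is only meaningful for CFB/OFB, not " + mode);
            } else if (n == 0 || n % 8 != 0) {
                out.add("bit size " + n + " is not a positive multiple of 8");
            }
        }
        // ECB was the insecure ESAPI Java 1.4 default; flag it so it is not chosen by accident.
        if (mode.equals("ECB")) {
            out.add("ECB mode is insecure (it was the ESAPI Java 1.4 default)");
        }
        // Ask the installed JCE provider whether it can actually build this transformation.
        try {
            Cipher.getInstance(xform);
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            out.add("JCE cannot instantiate it: " + e.getMessage());
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed inputs: the three examples from the Javadoc, the unsupported
        // key-size form, and a bit size attached to a mode that does not take one.
        String[] candidates = {
            "AES/ECB/NoPadding",
            "AES/CBC/PKCS5Padding",
            "DESede/OFB32/PKCS5Padding",
            "Blowfish-192/CFB8/PKCS5Padding",
            "AES/CBC12/PKCS5Padding",
        };
        for (String c : candidates) {
            List<String> p = problems(c);
            System.out.println(c + " -> " + (p.isEmpty() ? "OK" : String.join("; ", p)));
        }
    }
}
```

Call problems(x) and proceed to setCipherTransformation(x) on the SecurityConfiguration your application obtains from ESAPI only when the returned list is empty; with the candidates above, only "AES/CBC/PKCS5Padding" and "DESede/OFB32/PKCS5Padding" pass under SunJCE. The Cipher.getInstance() probe is the step that catches a transformation the configured provider simply does not offer, which is exactly the error the Javadoc warns would otherwise appear only later.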
java.lang.String getPreferredJCEProvider()
Retrieve the preferred JCE provider for ESAPI and your application. The provider is named by the property Encryptor.PreferredJCEProvider in the ESAPI.properties file, which will cause the specified JCE provider to be automatically and dynamically loaded (assuming that SecurityManager permissions allow) as the preferred JCE provider. (Note this only happens if the JCE provider is not already loaded.) This method returns the property Encryptor.PreferredJCEProvider.
By default, the Encryptor.PreferredJCEProvider property is set to an empty string, which means that the preferred JCE provider is not changed.
Returns: the value of the property Encryptor.PreferredJCEProvider.
See also: org.owasp.esapi.crypto.SecurityProvider

boolean useMACforCipherText()
Determines whether the CipherText should be used with a Message Authentication Code (MAC). Generally this makes for a more robust cryptographic scheme, but there are some minor performance implications. Controlled by the ESAPI property Encryptor.CipherText.useMAC.
For further details, see the "Advanced Usage" section of "Why Is OWASP Changing ESAPI Encryption?".
Returns: true if you want a MAC to be used, otherwise false.

boolean overwritePlainText()
Indicates whether the PlainText objects may be overwritten after they have been encrypted. Generally this is a good idea, especially if your VM is shared by multiple applications (e.g., multiple applications running in the same J2EE container) or if there is a possibility that your VM may leave a core dump (say because it is running non-native Java code).
Controlled by the property Encryptor.PlainText.overwrite in the ESAPI.properties file.
Returns: true if PlainText objects may be overwritten after encrypting, false otherwise.

java.lang.String getIVType()
Get a string indicating how to compute an Initialization Vector (IV). When a "fixed" IV is used, its value comes from the property Encryptor.fixedIV and must be of the appropriate length.
See also: getFixedIV()

java.lang.String getFixedIV()
java.util.List<java.lang.String> getCombinedCipherModes()
Return a List of strings of combined cipher modes that support both confidentiality and authenticity. These would be preferred cipher modes to use if your JCE provider supports them. If such a cipher mode is used, no explicit separate MAC is calculated as part of the CipherText object upon encryption, nor is any attempt made to verify the same on decryption.
The list is taken from the comma-separated list of cipher modes specified by the ESAPI property Encryptor.cipher_modes.combined_modes.
Returns: the list of combined cipher modes if specified in ESAPI.properties; otherwise the empty list is returned.

java.util.List<java.lang.String> getAdditionalAllowedCipherModes()
Return a List of strings of additional cipher modes that are permitted (i.e., in addition to those returned by #getPreferredCipherModes()) to be used for encryption and decryption operations.
The list is taken from the comma-separated list of cipher modes specified by the ESAPI property Encryptor.cipher_modes.additional_allowed.
Returns: the list of additional allowed cipher modes if specified in ESAPI.properties; otherwise the empty list is returned.
See also: #getPreferredCipherModes()
java.lang.String getHashAlgorithm()

int getHashIterations()

java.lang.String getKDFPseudoRandomFunction()

java.lang.String getCharacterEncoding()

boolean getAllowMultipleEncoding()

boolean getAllowMixedEncoding()

java.util.List<java.lang.String> getDefaultCanonicalizationCodecs()

java.lang.String getDigitalSignatureAlgorithm()

int getDigitalSignatureKeyLength()

java.lang.String getRandomAlgorithm()

int getAllowedLoginAttempts()

int getMaxOldPasswordHashes()

boolean getDisableIntrusionDetection()

SecurityConfiguration.Threshold getQuota(java.lang.String eventName)
Parameters: eventName - the name of the event whose quota is desired.

java.io.File getResourceFile(java.lang.String filename)
Parameters: filename - The file name resource.
Returns: A File object representing the specified file name, or null if not found.

boolean getForceHttpOnlySession()

boolean getForceSecureSession()

boolean getForceHttpOnlyCookies()

boolean getForceSecureCookies()

int getMaxHttpHeaderSize()

java.io.InputStream getResourceStream(java.lang.String filename) throws java.io.IOException
Parameters: filename - A file name in the resource directory.
Returns: An InputStream to the specified file name in the resource directory.
Throws: java.io.IOException - If the specified file name cannot be found or opened for reading.

void setResourceDirectory(java.lang.String dir)
Parameters: dir - The location of the resource directory.

java.lang.String getResponseContentType()
java.lang.String getHttpSessionIdName()

long getRememberTokenDuration()

int getSessionIdleTimeoutLength()

int getSessionAbsoluteTimeoutLength()

boolean getLogEncodingRequired()

boolean getLogApplicationName()

boolean getLogServerIP()

int getLogLevel()

java.lang.String getLogFileName()

int getMaxLogFileSize()

java.io.File getWorkingDirectory()