|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object org.owasp.esapi.reference.DefaultSecurityConfiguration
public class DefaultSecurityConfiguration
The reference SecurityConfiguration
manages all the settings used by the ESAPI in a single place. In this reference
implementation, resources can be put in several locations, which are searched in the following order:
1) Inside a directory set with a call to SecurityConfiguration.setResourceDirectory( "C:\temp\resources" ).
2) Inside the System.getProperty( "org.owasp.esapi.resources" ) directory. You can set this on the java command line as follows (for example):
java -Dorg.owasp.esapi.resources="C:\temp\resources"You may have to add this to the start-up script that starts your web server. For example, for Tomcat, in the "catalina" script that starts Tomcat, you can set the JAVA_OPTS variable to the
-D
string above.
3) Inside the System.getProperty( "user.home" ) + "/.esapi" directory
4) The first ".esapi" directory on the classpath
Once the Configuration is initialized with a resource directory, you can edit it to set things like master keys and passwords, logging locations, error thresholds, and allowed file extensions.
WARNING: Do not forget to update ESAPI.properties to change the master key and other security critical settings.
Nested Class Summary |
---|
Nested classes/interfaces inherited from interface org.owasp.esapi.SecurityConfiguration |
---|
SecurityConfiguration.Threshold |
Field Summary | |
---|---|
static java.lang.String |
ABSOLUTE_TIMEOUT_DURATION
|
static java.lang.String |
ACCESS_CONTROL_IMPLEMENTATION
|
static java.lang.String |
ADDITIONAL_ALLOWED_CIPHER_MODES
|
static java.lang.String |
ALLOW_MULTIPLE_ENCODING
|
static java.lang.String |
ALLOWED_LOGIN_ATTEMPTS
|
static java.lang.String |
APPLICATION_NAME
|
static java.lang.String |
APPROVED_EXECUTABLES
|
static java.lang.String |
APPROVED_UPLOAD_EXTENSIONS
|
static java.lang.String |
AUTHENTICATION_IMPLEMENTATION
|
static java.lang.String |
CANONICALIZATION_CODECS
|
static java.lang.String |
CHARACTER_ENCODING
|
static java.lang.String |
CIPHER_TRANSFORMATION_IMPLEMENTATION
|
static java.lang.String |
CIPHERTEXT_USE_MAC
|
static java.lang.String |
COMBINED_CIPHER_MODES
|
static java.lang.String |
DEFAULT_ACCESS_CONTROL_IMPLEMENTATION
|
static java.lang.String |
DEFAULT_AUTHENTICATION_IMPLEMENTATION
|
static java.lang.String |
DEFAULT_ENCODER_IMPLEMENTATION
|
static java.lang.String |
DEFAULT_ENCRYPTION_IMPLEMENTATION
|
static java.lang.String |
DEFAULT_EXECUTOR_IMPLEMENTATION
|
static java.lang.String |
DEFAULT_HTTP_UTILITIES_IMPLEMENTATION
|
static java.lang.String |
DEFAULT_INTRUSION_DETECTION_IMPLEMENTATION
|
static java.lang.String |
DEFAULT_LOG_IMPLEMENTATION
|
static int |
DEFAULT_MAX_LOG_FILE_SIZE
The default max log file size is set to 10,000,000 bytes (10 Meg). |
static java.lang.String |
DEFAULT_RANDOMIZER_IMPLEMENTATION
|
static java.lang.String |
DEFAULT_VALIDATOR_IMPLEMENTATION
|
static java.lang.String |
DIGITAL_SIGNATURE_ALGORITHM
|
static java.lang.String |
DIGITAL_SIGNATURE_KEY_LENGTH
|
static java.lang.String |
DISABLE_INTRUSION_DETECTION
|
static java.lang.String |
ENCODER_IMPLEMENTATION
|
static java.lang.String |
ENCRYPTION_ALGORITHM
|
static java.lang.String |
ENCRYPTION_IMPLEMENTATION
|
static java.lang.String |
EXECUTOR_IMPLEMENTATION
|
static java.lang.String |
FIXED_IV
|
static java.lang.String |
FORCE_HTTPONLYCOOKIES
|
static java.lang.String |
FORCE_HTTPONLYSESSION
|
static java.lang.String |
FORCE_SECURECOOKIES
|
static java.lang.String |
FORCE_SECURESESSION
|
static java.lang.String |
HASH_ALGORITHM
|
static java.lang.String |
HASH_ITERATIONS
|
static java.lang.String |
HTTP_UTILITIES_IMPLEMENTATION
|
static java.lang.String |
IDLE_TIMEOUT_DURATION
|
static java.lang.String |
INTRUSION_DETECTION_IMPLEMENTATION
|
static java.lang.String |
IV_TYPE
|
static java.lang.String |
KEY_LENGTH
|
static java.lang.String |
LOG_APPLICATION_NAME
|
static java.lang.String |
LOG_ENCODING_REQUIRED
|
static java.lang.String |
LOG_FILE_NAME
|
static java.lang.String |
LOG_IMPLEMENTATION
|
static java.lang.String |
LOG_LEVEL
|
static java.lang.String |
LOG_SERVER_IP
|
static java.lang.String |
MASTER_KEY
|
static java.lang.String |
MASTER_SALT
|
protected int |
MAX_FILE_NAME_LENGTH
|
static java.lang.String |
MAX_HTTP_HEADER_SIZE
|
static java.lang.String |
MAX_LOG_FILE_SIZE
|
static java.lang.String |
MAX_OLD_PASSWORD_HASHES
|
protected int |
MAX_REDIRECT_LOCATION
|
static java.lang.String |
MAX_UPLOAD_FILE_BYTES
|
static java.lang.String |
PASSWORD_PARAMETER_NAME
|
static java.lang.String |
PLAINTEXT_OVERWRITE
|
static java.lang.String |
PREFERRED_JCE_PROVIDER
|
static java.lang.String |
PRINT_PROPERTIES_WHEN_LOADED
|
static java.lang.String |
RANDOM_ALGORITHM
|
static java.lang.String |
RANDOMIZER_IMPLEMENTATION
|
static java.lang.String |
REMEMBER_TOKEN_DURATION
|
static java.lang.String |
RESOURCE_FILE
The name of the ESAPI property file |
static java.lang.String |
RESPONSE_CONTENT_TYPE
|
static java.lang.String |
UPLOAD_DIRECTORY
|
static java.lang.String |
UPLOAD_TEMP_DIRECTORY
|
static java.lang.String |
USERNAME_PARAMETER_NAME
|
static java.lang.String |
VALIDATION_PROPERTIES
|
static java.lang.String |
VALIDATOR_IMPLEMENTATION
|
static java.lang.String |
WORKING_DIRECTORY
|
Constructor Summary | |
---|---|
DefaultSecurityConfiguration()
Instantiates a new configuration. |
|
DefaultSecurityConfiguration(java.util.Properties properties)
Instantiates a new configuration with the supplied properties. |
Method Summary | |
---|---|
java.lang.String |
getAccessControlImplementation()
Returns the fully qualified classname of the ESAPI Access Control implementation. |
java.util.List<java.lang.String> |
getAdditionalAllowedCipherModes()
Return List of strings of additional cipher modes that are
permitted (i.e., in addition to those returned by
#getPreferredCipherModes() ) to be used for encryption and
decryption operations. |
java.util.List<java.lang.String> |
getAllowedExecutables()
Gets the allowed executables to run with the Executor. |
java.util.List<java.lang.String> |
getAllowedFileExtensions()
Gets the allowed file extensions for files that are uploaded to this application. |
int |
getAllowedFileUploadSize()
Gets the maximum allowed file upload size. |
int |
getAllowedLoginAttempts()
Gets the number of login attempts allowed before the user's account is locked. |
boolean |
getAllowMultipleEncoding()
Return true if multiple encoding is allowed |
java.lang.String |
getApplicationName()
Gets the application name, used for logging |
java.lang.String |
getAuthenticationImplementation()
Returns the fully qualified classname of the ESAPI Authentication implementation. |
java.lang.String |
getCharacterEncoding()
Gets the character encoding scheme supported by this application. |
java.lang.String |
getCipherTransformation()
Retrieve the cipher transformation. |
java.util.List<java.lang.String> |
getCombinedCipherModes()
Return a List of strings of combined cipher modes that support
both confidentiality and authenticity. |
java.util.List<java.lang.String> |
getDefaultCanonicalizationCodecs()
Returns the List of Codecs to use when canonicalizing data |
java.lang.String |
getDigitalSignatureAlgorithm()
Gets the digital signature algorithm used by ESAPI to generate and verify signatures. |
int |
getDigitalSignatureKeyLength()
Gets the digital signature key length used by ESAPI to generate and verify signatures. |
boolean |
getDisableIntrusionDetection()
Allows for complete disabling of all intrusion detection mechanisms |
java.lang.String |
getEncoderImplementation()
Returns the fully qualified classname of the ESAPI Encoder implementation. |
java.lang.String |
getEncryptionAlgorithm()
Gets the encryption algorithm used by ESAPI to protect data. |
java.lang.String |
getEncryptionImplementation()
Returns the fully qualified classname of the ESAPI Encryption implementation. |
int |
getEncryptionKeyLength()
Gets the key length to use in cryptographic operations declared in the ESAPI properties file. |
protected java.util.Properties |
getESAPIProperties()
|
protected boolean |
getESAPIProperty(java.lang.String key,
boolean def)
|
protected int |
getESAPIProperty(java.lang.String key,
int def)
|
protected java.util.List<java.lang.String> |
getESAPIProperty(java.lang.String key,
java.util.List<java.lang.String> def)
Returns a List representing the parsed, comma-separated property. |
protected java.lang.String |
getESAPIProperty(java.lang.String key,
java.lang.String def)
|
protected byte[] |
getESAPIPropertyEncoded(java.lang.String key,
byte[] def)
|
java.lang.String |
getExecutorImplementation()
Returns the fully qualified classname of the ESAPI OS Execution implementation. |
java.lang.String |
getFixedIV()
If a "fixed" (i.e., static) Initialization Vector (IV) is to be used, this will return the IV value as a hex-encoded string. |
boolean |
getForceHttpOnlyCookies()
Forces new cookies to have HttpOnly flag set. |
boolean |
getForceHttpOnlySession()
Forces new cookies to have HttpOnly flag set. |
boolean |
getForceSecureCookies()
Forces new cookies to have Secure flag set. |
boolean |
getForceSecureSession()
Forces session cookies to have Secure flag set. |
java.lang.String |
getHashAlgorithm()
Gets the hashing algorithm used by ESAPI to hash data. |
int |
getHashIterations()
Gets the hash iterations used by ESAPI to hash data. |
java.lang.String |
getHTTPUtilitiesImplementation()
Returns the fully qualified classname of the ESAPI HTTPUtilities implementation. |
static SecurityConfiguration |
getInstance()
|
java.lang.String |
getIntrusionDetectionImplementation()
Returns the fully qualified classname of the ESAPI Intrusion Detection implementation. |
java.lang.String |
getIVType()
Get a string indicating how to compute an Initialization Vector (IV). |
boolean |
getLogApplicationName()
Returns whether ESAPI should log the application name. |
boolean |
getLogEncodingRequired()
Returns whether HTML entity encoding should be applied to log entries. |
java.lang.String |
getLogFileName()
Get the name of the log file specified in the ESAPI configuration properties file. |
java.lang.String |
getLogImplementation()
Returns the fully qualified classname of the ESAPI Logging implementation. |
int |
getLogLevel()
Returns the current log level. |
boolean |
getLogServerIP()
Returns whether ESAPI should log the server IP. |
byte[] |
getMasterKey()
Gets the master key. |
byte[] |
getMasterSalt()
Gets the master salt that is used to salt stored password hashes and any other location where a salt is needed. |
int |
getMaxHttpHeaderSize()
Returns the maximum allowable HTTP header size. |
int |
getMaxLogFileSize()
Get the maximum size of a single log file from the ESAPI configuration properties file. |
int |
getMaxOldPasswordHashes()
Gets the maximum number of old password hashes that should be retained. |
java.lang.String |
getPasswordParameterName()
Gets the name of the password parameter used during user authentication. |
java.lang.String |
getPreferredJCEProvider()
Retrieve the preferred JCE provider for ESAPI and your application. |
SecurityConfiguration.Threshold |
getQuota(java.lang.String eventName)
Gets the intrusion detection quota for the specified event. |
java.lang.String |
getRandomAlgorithm()
Gets the random number generation algorithm used to generate random numbers where needed. |
java.lang.String |
getRandomizerImplementation()
Returns the fully qualified classname of the ESAPI Randomizer implementation. |
long |
getRememberTokenDuration()
Gets the length of the time to live window for remember me tokens (in milliseconds). |
java.io.File |
getResourceFile(java.lang.String filename)
Gets a file from the resource directory |
java.io.InputStream |
getResourceStream(java.lang.String filename)
Gets an InputStream to a file in the resource directory |
java.lang.String |
getResponseContentType()
Gets the content type for responses used when setSafeContentType() is called. |
int |
getSessionAbsoluteTimeoutLength()
Gets the absolute timeout length for sessions (in milliseconds). |
int |
getSessionIdleTimeoutLength()
Gets the idle timeout length for sessions (in milliseconds). |
java.io.File |
getUploadDirectory()
Retrieves the upload directory as specified in the ESAPI.properties file. |
java.io.File |
getUploadTempDirectory()
Retrieves the temp directory to use when uploading files, as specified in ESAPI.properties. |
java.lang.String |
getUsernameParameterName()
Gets the name of the username parameter used during user authentication. |
java.lang.String |
getValidationImplementation()
Returns the fully qualified classname of the ESAPI Validation implementation. |
java.util.regex.Pattern |
getValidationPattern(java.lang.String key)
getValidationPattern returns a single pattern based upon key |
java.io.File |
getWorkingDirectory()
getWorkingDirectory returns the default directory where processes will be executed by the Executor. |
boolean |
overwritePlainText()
Indicates whether the PlainText objects may be overwritten after
they have been encrypted. |
java.lang.String |
setCipherTransformation(java.lang.String cipherXform)
Set the cipher transformation. |
void |
setResourceDirectory(java.lang.String dir)
Sets the ESAPI resource directory. |
protected boolean |
shouldPrintProperties()
|
boolean |
useMACforCipherText()
Determines whether the CipherText should be used with a Message
Authentication Code (MAC). |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Field Detail |
---|
public static final java.lang.String RESOURCE_FILE
public static final java.lang.String REMEMBER_TOKEN_DURATION
public static final java.lang.String IDLE_TIMEOUT_DURATION
public static final java.lang.String ABSOLUTE_TIMEOUT_DURATION
public static final java.lang.String ALLOWED_LOGIN_ATTEMPTS
public static final java.lang.String USERNAME_PARAMETER_NAME
public static final java.lang.String PASSWORD_PARAMETER_NAME
public static final java.lang.String MAX_OLD_PASSWORD_HASHES
public static final java.lang.String ALLOW_MULTIPLE_ENCODING
public static final java.lang.String CANONICALIZATION_CODECS
public static final java.lang.String DISABLE_INTRUSION_DETECTION
public static final java.lang.String MASTER_KEY
public static final java.lang.String MASTER_SALT
public static final java.lang.String KEY_LENGTH
public static final java.lang.String ENCRYPTION_ALGORITHM
public static final java.lang.String HASH_ALGORITHM
public static final java.lang.String HASH_ITERATIONS
public static final java.lang.String CHARACTER_ENCODING
public static final java.lang.String RANDOM_ALGORITHM
public static final java.lang.String DIGITAL_SIGNATURE_ALGORITHM
public static final java.lang.String DIGITAL_SIGNATURE_KEY_LENGTH
public static final java.lang.String PREFERRED_JCE_PROVIDER
public static final java.lang.String CIPHERTEXT_USE_MAC
public static final java.lang.String PLAINTEXT_OVERWRITE
public static final java.lang.String IV_TYPE
public static final java.lang.String FIXED_IV
public static final java.lang.String COMBINED_CIPHER_MODES
public static final java.lang.String ADDITIONAL_ALLOWED_CIPHER_MODES
public static final java.lang.String WORKING_DIRECTORY
public static final java.lang.String APPROVED_EXECUTABLES
public static final java.lang.String FORCE_HTTPONLYSESSION
public static final java.lang.String FORCE_SECURESESSION
public static final java.lang.String FORCE_HTTPONLYCOOKIES
public static final java.lang.String FORCE_SECURECOOKIES
public static final java.lang.String MAX_HTTP_HEADER_SIZE
public static final java.lang.String UPLOAD_DIRECTORY
public static final java.lang.String UPLOAD_TEMP_DIRECTORY
public static final java.lang.String APPROVED_UPLOAD_EXTENSIONS
public static final java.lang.String MAX_UPLOAD_FILE_BYTES
public static final java.lang.String RESPONSE_CONTENT_TYPE
public static final java.lang.String APPLICATION_NAME
public static final java.lang.String LOG_LEVEL
public static final java.lang.String LOG_FILE_NAME
public static final java.lang.String MAX_LOG_FILE_SIZE
public static final java.lang.String LOG_ENCODING_REQUIRED
public static final java.lang.String LOG_APPLICATION_NAME
public static final java.lang.String LOG_SERVER_IP
public static final java.lang.String VALIDATION_PROPERTIES
public static final int DEFAULT_MAX_LOG_FILE_SIZE
protected final int MAX_REDIRECT_LOCATION
protected final int MAX_FILE_NAME_LENGTH
public static final java.lang.String LOG_IMPLEMENTATION
public static final java.lang.String AUTHENTICATION_IMPLEMENTATION
public static final java.lang.String ENCODER_IMPLEMENTATION
public static final java.lang.String ACCESS_CONTROL_IMPLEMENTATION
public static final java.lang.String ENCRYPTION_IMPLEMENTATION
public static final java.lang.String INTRUSION_DETECTION_IMPLEMENTATION
public static final java.lang.String RANDOMIZER_IMPLEMENTATION
public static final java.lang.String EXECUTOR_IMPLEMENTATION
public static final java.lang.String VALIDATOR_IMPLEMENTATION
public static final java.lang.String HTTP_UTILITIES_IMPLEMENTATION
public static final java.lang.String PRINT_PROPERTIES_WHEN_LOADED
public static final java.lang.String CIPHER_TRANSFORMATION_IMPLEMENTATION
public static final java.lang.String DEFAULT_LOG_IMPLEMENTATION
public static final java.lang.String DEFAULT_AUTHENTICATION_IMPLEMENTATION
public static final java.lang.String DEFAULT_ENCODER_IMPLEMENTATION
public static final java.lang.String DEFAULT_ACCESS_CONTROL_IMPLEMENTATION
public static final java.lang.String DEFAULT_ENCRYPTION_IMPLEMENTATION
public static final java.lang.String DEFAULT_INTRUSION_DETECTION_IMPLEMENTATION
public static final java.lang.String DEFAULT_RANDOMIZER_IMPLEMENTATION
public static final java.lang.String DEFAULT_EXECUTOR_IMPLEMENTATION
public static final java.lang.String DEFAULT_HTTP_UTILITIES_IMPLEMENTATION
public static final java.lang.String DEFAULT_VALIDATOR_IMPLEMENTATION
Constructor Detail |
---|
public DefaultSecurityConfiguration()
public DefaultSecurityConfiguration(java.util.Properties properties)
properties
- Method Detail |
---|
public static SecurityConfiguration getInstance()
public java.lang.String getApplicationName()
getApplicationName
in interface SecurityConfiguration
public java.lang.String getLogImplementation()
getLogImplementation
in interface SecurityConfiguration
public java.lang.String getAuthenticationImplementation()
getAuthenticationImplementation
in interface SecurityConfiguration
public java.lang.String getEncoderImplementation()
getEncoderImplementation
in interface SecurityConfiguration
public java.lang.String getAccessControlImplementation()
getAccessControlImplementation
in interface SecurityConfiguration
public java.lang.String getEncryptionImplementation()
getEncryptionImplementation
in interface SecurityConfiguration
public java.lang.String getIntrusionDetectionImplementation()
getIntrusionDetectionImplementation
in interface SecurityConfiguration
public java.lang.String getRandomizerImplementation()
getRandomizerImplementation
in interface SecurityConfiguration
public java.lang.String getExecutorImplementation()
getExecutorImplementation
in interface SecurityConfiguration
public java.lang.String getHTTPUtilitiesImplementation()
getHTTPUtilitiesImplementation
in interface SecurityConfiguration
public java.lang.String getValidationImplementation()
getValidationImplementation
in interface SecurityConfiguration
public byte[] getMasterKey()
getMasterKey
in interface SecurityConfiguration
public void setResourceDirectory(java.lang.String dir)
setResourceDirectory
in interface SecurityConfiguration
dir
- The location of the resource directory.public int getEncryptionKeyLength()
SecurityConfiguration
getEncryptionKeyLength
in interface SecurityConfiguration
public byte[] getMasterSalt()
getMasterSalt
in interface SecurityConfiguration
public java.util.List<java.lang.String> getAllowedExecutables()
getAllowedExecutables
in interface SecurityConfiguration
public java.util.List<java.lang.String> getAllowedFileExtensions()
getAllowedFileExtensions
in interface SecurityConfiguration
public int getAllowedFileUploadSize()
getAllowedFileUploadSize
in interface SecurityConfiguration
public java.io.InputStream getResourceStream(java.lang.String filename) throws java.io.IOException
SecurityConfiguration
getResourceStream
in interface SecurityConfiguration
filename
-
InputStream
associated with the specified file name as
a resource stream.
java.io.IOException
- If the file cannot be found or opened for reading.public java.io.File getResourceFile(java.lang.String filename)
getResourceFile
in interface SecurityConfiguration
filename
- The file name resource.
File
object representing the specified file name or null if not found.public java.lang.String getPasswordParameterName()
getPasswordParameterName
in interface SecurityConfiguration
public java.lang.String getUsernameParameterName()
getUsernameParameterName
in interface SecurityConfiguration
public java.lang.String getEncryptionAlgorithm()
getEncryptionAlgorithm
in interface SecurityConfiguration
public java.lang.String getCipherTransformation()
String
that takes the following form:
cipher_alg/cipher_mode[bits]/padding_schemewhere cipher_alg is the JCE cipher algorithm (e.g., "DESede"), cipher_mode is the cipher mode (e.g., "CBC", "CFB", "CTR", etc.), and padding_scheme is the cipher padding scheme (e.g., "NONE" for no padding, "PKCS5Padding" for PKCS#5 padding, etc.) and where [bits] is an optional bit size that applies to certain cipher modes such as
CFB
and OFB
. Using modes such as CFB and
OFB, block ciphers can encrypt data in units smaller than the cipher's
actual block size. When requesting such a mode, you may optionally
specify the number of bits to be processed at a time. This generally must
be an integral multiple of 8-bits so that it can specify a whole number
of octets.
Examples are:
"AES/ECB/NoPadding" // Default for ESAPI Java 1.4 (insecure) "AES/CBC/PKCS5Padding" // Default for ESAPI Java 2.0 "DESede/OFB32/PKCS5Padding"NOTE: Occasionally, in cryptographic literature, you may also see the key size (in bits) specified after the cipher algorithm in the cipher transformation. Generally, this is done to account for cipher algorithms that have variable key sizes. The Blowfish cipher for example supports key sizes from 32 to 448 bits. So for Blowfish, you might see a cipher transformation something like this:
"Blowfish-192/CFB8/PKCS5Padding"in the cryptographic literature. It should be noted that the Java Cryptography Extensions (JCE) do not generally support this (at least not the reference JCE implementation of "SunJCE"), and therefore it should be avoided.
getCipherTransformation
in interface SecurityConfiguration
public java.lang.String setCipherTransformation(java.lang.String cipherXform)
ESAPI.properties
file. For instance
you may normally want to use AES/CBC/PKCS5Padding, but have some legacy
encryption where you have ciphertext that was encrypted using 3DES.
setCipherTransformation
in interface SecurityConfiguration
cipherXform
- The new cipher transformation. See
SecurityConfiguration.getCipherTransformation()
for format. If
null
is passed as the parameter, the cipher
transformation will be set to the the default taken
from the property Encryptor.CipherTransformation
in the ESAPI.properties
file. BEWARE:
there is NO sanity checking here (other than
the empty string, and then, only if Java assertions are
enabled), so if you set this wrong, you will not get
any errors until you later try to use it to encrypt
or decrypt data.
public boolean useMACforCipherText()
CipherText
should be used with a Message
Authentication Code (MAC). Generally this makes for a more robust cryptographic
scheme, but there are some minor performance implications. Controlled by
the ESAPI property Encryptor.CipherText.useMAC.
For further details, see the "Advanced Usage" section of "Why Is OWASP Changing ESAPI Encryption?".
useMACforCipherText
in interface SecurityConfiguration
true
if a you want a MAC to be used, otherwise false
.public boolean overwritePlainText()
PlainText
objects may be overwritten after
they have been encrypted. Generally this is a good idea, especially if
your VM is shared by multiple applications (e.g., multiple applications
running in the same J2EE container) or if there is a possibility that
your VM may leave a core dump (say because it is running non-native
Java code.
Controlled by the property Encryptor.PlainText.overwrite
in
the ESAPI.properties
file.
overwritePlainText
in interface SecurityConfiguration
PlainText
objects
after encrypting, false otherwise.public java.lang.String getIVType()
Encryptor.fixedIV
and be of the appropriate length.
getIVType
in interface SecurityConfiguration
SecurityConfiguration.getFixedIV()
public java.lang.String getFixedIV()
getFixedIV
in interface SecurityConfiguration
public java.lang.String getHashAlgorithm()
getHashAlgorithm
in interface SecurityConfiguration
public int getHashIterations()
getHashIterations
in interface SecurityConfiguration
public java.lang.String getCharacterEncoding()
getCharacterEncoding
in interface SecurityConfiguration
public boolean getAllowMultipleEncoding()
getAllowMultipleEncoding
in interface SecurityConfiguration
public java.util.List<java.lang.String> getDefaultCanonicalizationCodecs()
getDefaultCanonicalizationCodecs
in interface SecurityConfiguration
public java.lang.String getDigitalSignatureAlgorithm()
getDigitalSignatureAlgorithm
in interface SecurityConfiguration
public int getDigitalSignatureKeyLength()
getDigitalSignatureKeyLength
in interface SecurityConfiguration
public java.lang.String getRandomAlgorithm()
getRandomAlgorithm
in interface SecurityConfiguration
public int getAllowedLoginAttempts()
getAllowedLoginAttempts
in interface SecurityConfiguration
public int getMaxOldPasswordHashes()
getMaxOldPasswordHashes
in interface SecurityConfiguration
public java.io.File getUploadDirectory()
getUploadDirectory
in interface SecurityConfiguration
public java.io.File getUploadTempDirectory()
getUploadTempDirectory
in interface SecurityConfiguration
public boolean getDisableIntrusionDetection()
getDisableIntrusionDetection
in interface SecurityConfiguration
public SecurityConfiguration.Threshold getQuota(java.lang.String eventName)
getQuota
in interface SecurityConfiguration
eventName
- the name of the event whose quota is desired
public int getLogLevel()
getLogLevel
in interface SecurityConfiguration
public java.lang.String getLogFileName()
getLogFileName
in interface SecurityConfiguration
public int getMaxLogFileSize()
getMaxLogFileSize
in interface SecurityConfiguration
public boolean getLogEncodingRequired()
getLogEncodingRequired
in interface SecurityConfiguration
public boolean getLogApplicationName()
getLogApplicationName
in interface SecurityConfiguration
public boolean getLogServerIP()
getLogServerIP
in interface SecurityConfiguration
public boolean getForceHttpOnlySession()
getForceHttpOnlySession
in interface SecurityConfiguration
public boolean getForceSecureSession()
getForceSecureSession
in interface SecurityConfiguration
public boolean getForceHttpOnlyCookies()
getForceHttpOnlyCookies
in interface SecurityConfiguration
public boolean getForceSecureCookies()
getForceSecureCookies
in interface SecurityConfiguration
public int getMaxHttpHeaderSize()
getMaxHttpHeaderSize
in interface SecurityConfiguration
public java.lang.String getResponseContentType()
getResponseContentType
in interface SecurityConfiguration
public long getRememberTokenDuration()
getRememberTokenDuration
in interface SecurityConfiguration
public int getSessionIdleTimeoutLength()
getSessionIdleTimeoutLength
in interface SecurityConfiguration
public int getSessionAbsoluteTimeoutLength()
getSessionAbsoluteTimeoutLength
in interface SecurityConfiguration
public java.util.regex.Pattern getValidationPattern(java.lang.String key)
getValidationPattern
in interface SecurityConfiguration
key
- validation pattern name you'd like
public java.io.File getWorkingDirectory()
getWorkingDirectory
in interface SecurityConfiguration
public java.lang.String getPreferredJCEProvider()
Encryptor.PreferredJCEProvider
in the
ESAPI.properties
file, which will cause the specified JCE
provider to be automatically and dynamically loaded (assuming that
SecurityManager
permissions allow) as the Ii>preferred
JCE provider. (Note this only happens if the JCE provider is not already
loaded.) This method returns the property Encryptor.PreferredJCEProvider
.
By default, this Encryptor.PreferredJCEProvider
property is set
to an empty string, which means that the preferred JCE provider is not
changed.
getPreferredJCEProvider
in interface SecurityConfiguration
Encryptor.PreferredJCEProvider
is returned.org.owasp.esapi.crypto.SecurityProvider
public java.util.List<java.lang.String> getCombinedCipherModes()
List
of strings of combined cipher modes that support
both confidentiality and authenticity. These would be preferred
cipher modes to use if your JCE provider supports them. If such a
cipher mode is used, no explicit separate MAC is calculated as part of
the CipherText
object upon encryption nor is any attempt made
to verify the same on decryption.
The list is taken from the comma-separated list of cipher modes specified
by the ESAPI property
Encryptor.cipher_modes.combined_modes
.
getCombinedCipherModes
in interface SecurityConfiguration
ESAPI.properties
; otherwise the empty list is
returned.public java.util.List<java.lang.String> getAdditionalAllowedCipherModes()
List
of strings of additional cipher modes that are
permitted (i.e., in addition to those returned by
#getPreferredCipherModes()
) to be used for encryption and
decryption operations.
The list is taken from the comma-separated list of cipher modes specified
by the ESAPI property
Encryptor.cipher_modes.additional_allowed
.
getAdditionalAllowedCipherModes
in interface SecurityConfiguration
ESAPI.properties
; otherwise the empty list is
returned.#getPreferredCipherModes()
protected java.lang.String getESAPIProperty(java.lang.String key, java.lang.String def)
protected boolean getESAPIProperty(java.lang.String key, boolean def)
protected byte[] getESAPIPropertyEncoded(java.lang.String key, byte[] def)
protected int getESAPIProperty(java.lang.String key, int def)
protected java.util.List<java.lang.String> getESAPIProperty(java.lang.String key, java.util.List<java.lang.String> def)
List
representing the parsed, comma-separated property.
key
- The specified property namedef
- A default value for the property name to return if the property
is not set.
protected boolean shouldPrintProperties()
protected java.util.Properties getESAPIProperties()
|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |