public class DefaultSecurityConfiguration extends Object implements SecurityConfiguration
SecurityConfiguration manages all the settings used by the ESAPI in a single place. In this reference implementation, resources can be put in several locations, which are searched in the following order:
1) Inside a directory set with a call to SecurityConfiguration.setResourceDirectory( "C:\temp\resources" ).
2) Inside the System.getProperty( "org.owasp.esapi.resources" ) directory. You can set this on the java command line as follows (for example): java -Dorg.owasp.esapi.resources="C:\temp\resources" You may have to add this to the start-up script that starts your web server. For example, for Tomcat, in the "catalina" script that starts Tomcat, you can set the JAVA_OPTS variable to the -D string above.
3) Inside the System.getProperty( "user.home" ) + "/.esapi" directory (supported for backward compatibility) or inside the System.getProperty( "user.home" ) + "/esapi" directory.
4) The first ".esapi" or "esapi" directory on the classpath. (The former for backward compatibility.)
Once the Configuration is initialized with a resource directory, you can edit it to set things like master keys and passwords, logging locations, error thresholds, and allowed file extensions.
WARNING: Do not forget to update ESAPI.properties to change the master key and other security critical settings.
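The following is an added example and not code from the ESAPI project: a start-up audit that sets the documented org.owasp.esapi.resources property before ESAPI is first touched (search-order step 2 above) and then refuses to start while the settings this class exposes are still at unsafe values. It assumes the ESAPI library is on the classpath; the class name EsapiStartupAudit and the path /etc/myapp/esapi are constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.SecurityConfiguration;

/**
 * Added example (not ESAPI project code): fail fast at application start-up when
 * the security-critical settings exposed by DefaultSecurityConfiguration are unsafe.
 * Assumes the ESAPI library on the classpath; RESOURCE_DIR is a constructed path.
 */
public final class EsapiStartupAudit {

    /** Constructed path for this example; point it at your real resource directory. */
    private static final String RESOURCE_DIR = "/etc/myapp/esapi";

    public static void main(String[] args) {
        // Search-order step 2: org.owasp.esapi.resources is consulted before user.home and
        // the classpath, so it must be set before ESAPI loads its configuration.
        if (System.getProperty("org.owasp.esapi.resources") == null) {
            System.setProperty("org.owasp.esapi.resources", RESOURCE_DIR);
        }
        List<String> findings = audit(ESAPI.securityConfiguration());
        if (!findings.isEmpty()) {
            // Fail closed: do not serve traffic on an unreviewed ESAPI.properties.
            throw new IllegalStateException("Unsafe ESAPI configuration: " + findings);
        }
        System.out.println("ESAPI configuration passed start-up audit");
    }

    /** Returns one finding per failed check; an empty list means every check passed. */
    static List<String> audit(SecurityConfiguration cfg) {
        List<String> findings = new ArrayList<>();

        // Master key and salt must exist, and the key must cover the configured key
        // length (getEncryptionKeyLength() is expressed in bits, getMasterKey() in bytes).
        byte[] key = cfg.getMasterKey();
        int keyBits = cfg.getEncryptionKeyLength();
        if (key == null || key.length * 8 < keyBits) {
            findings.add("master key is missing or shorter than the configured "
                    + keyBits + "-bit key length");
        }
        byte[] salt = cfg.getMasterSalt();
        if (salt == null || salt.length == 0) {
            findings.add("master salt is missing");
        }

        // Authenticated ciphertext and plaintext hygiene
        // (Encryptor.CipherText.useMAC and Encryptor.PlainText.overwrite).
        if (!cfg.useMACforCipherText()) {
            findings.add("CipherText is not protected by a MAC");
        }
        if (!cfg.overwritePlainText()) {
            findings.add("PlainText buffers are not overwritten after encryption");
        }

        // Cookie hardening flags this configuration controls.
        if (!cfg.getForceSecureCookies() || !cfg.getForceSecureSession()) {
            findings.add("Secure flag is not enforced on new cookies or the session cookie");
        }
        if (!cfg.getForceHttpOnlyCookies() || !cfg.getForceHttpOnlySession()) {
            findings.add("HttpOnly flag is not enforced on new cookies or the session cookie");
        }

        // Intrusion detection must not have been switched off globally.
        if (cfg.getDisableIntrusionDetection()) {
            findings.add("intrusion detection is disabled");
        }
        return findings;
    }
}
```

Run it as the first thing in the application's start-up path (or as a deployment smoke test); because `audit()` returns its findings rather than printing them, the same method can be called from a unit test against a `DefaultSecurityConfiguration(Properties)` built from the deployment's properties.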
DEPRECATION WARNING: All of the variables of the type 'public static final String' are now declared and defined in org.owasp.esapi.PropNames. These public fields representing property names and values in this class will be eventually deleted and no longer available, so please migrate to the corresponding names in PropNames. Removal of these public fields from this class will likely occur sometime in 2Q2024.
Nested classes/interfaces inherited from interface SecurityConfiguration: SecurityConfiguration.Threshold
Field Summary
Modifier and Type | Field and Description |
---|---|
static String | ABSOLUTE_TIMEOUT_DURATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | ACCEPT_LENIENT_DATES: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | ACCESS_CONTROL_IMPLEMENTATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | ADDITIONAL_ALLOWED_CIPHER_MODES: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | ALLOW_MIXED_ENCODING: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | ALLOW_MULTIPLE_ENCODING: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | ALLOWED_LOGIN_ATTEMPTS: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | APPLICATION_NAME: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | APPROVED_EXECUTABLES: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | APPROVED_UPLOAD_EXTENSIONS: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | AUTHENTICATION_IMPLEMENTATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | CANONICALIZATION_CODECS: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | CHARACTER_ENCODING: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | CIPHER_TRANSFORMATION_IMPLEMENTATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | CIPHERTEXT_USE_MAC: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | COMBINED_CIPHER_MODES: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | DEFAULT_ACCESS_CONTROL_IMPLEMENTATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | DEFAULT_AUTHENTICATION_IMPLEMENTATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | DEFAULT_ENCODER_IMPLEMENTATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | DEFAULT_ENCRYPTION_IMPLEMENTATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | DEFAULT_EXECUTOR_IMPLEMENTATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | DEFAULT_HTTP_UTILITIES_IMPLEMENTATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | DEFAULT_INTRUSION_DETECTION_IMPLEMENTATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | DEFAULT_LOG_IMPLEMENTATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | DEFAULT_RANDOMIZER_IMPLEMENTATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | DEFAULT_RESOURCE_FILE: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | DEFAULT_VALIDATOR_IMPLEMENTATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | DIGITAL_SIGNATURE_ALGORITHM: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | DIGITAL_SIGNATURE_KEY_LENGTH: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | DISABLE_INTRUSION_DETECTION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | DISCARD_LOGSPECIAL: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | ENCODER_IMPLEMENTATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | ENCRYPTION_ALGORITHM: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | ENCRYPTION_IMPLEMENTATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | EXECUTOR_IMPLEMENTATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | FORCE_HTTPONLYCOOKIES: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | FORCE_HTTPONLYSESSION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | FORCE_SECURECOOKIES: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | FORCE_SECURESESSION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | HASH_ALGORITHM: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | HASH_ITERATIONS: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | HTTP_SESSION_ID_NAME: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | HTTP_UTILITIES_IMPLEMENTATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | IDLE_TIMEOUT_DURATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | INTRUSION_DETECTION_IMPLEMENTATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | IV_TYPE: Deprecated. |
static String | KDF_PRF_ALG: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | KEY_LENGTH: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | LOG_APPLICATION_NAME: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | LOG_CLIENT_INFO: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | LOG_ENCODING_REQUIRED: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | LOG_IMPLEMENTATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | LOG_SERVER_IP: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | LOG_USER_INFO: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | MASTER_KEY: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | MASTER_SALT: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | MAX_HTTP_HEADER_SIZE: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | MAX_OLD_PASSWORD_HASHES: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
protected int | MAX_REDIRECT_LOCATION |
static String | MAX_UPLOAD_FILE_BYTES: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | PASSWORD_PARAMETER_NAME: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | PLAINTEXT_OVERWRITE: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | PREFERRED_JCE_PROVIDER: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | PRINT_PROPERTIES_WHEN_LOADED: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | RANDOM_ALGORITHM: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | RANDOMIZER_IMPLEMENTATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | REMEMBER_TOKEN_DURATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | RESPONSE_CONTENT_TYPE: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | UPLOAD_DIRECTORY: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | UPLOAD_TEMP_DIRECTORY: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | USERNAME_PARAMETER_NAME: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | VALIDATION_PROPERTIES: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | VALIDATION_PROPERTIES_MULTIVALUED: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | VALIDATOR_HTML_VALIDATION_ACTION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | VALIDATOR_IMPLEMENTATION: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
static String | WORKING_DIRECTORY: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. |
Constructor Summary
Constructor and Description |
---|
DefaultSecurityConfiguration() Instantiates a new configuration. |
DefaultSecurityConfiguration(Properties properties) Instantiates a new configuration with the supplied properties. |
Method Summary
Modifier and Type | Method and Description |
---|---|
String | getAccessControlImplementation() Returns the fully qualified classname of the ESAPI Access Control implementation. |
List<String> | getAdditionalAllowedCipherModes() Return List of strings of additional cipher modes that are permitted (i.e., in addition to those returned by SecurityConfiguration.getCombinedCipherModes()) to be used for encryption and decryption operations. |
List<String> | getAllowedExecutables() Gets the allowed executables to run with the Executor. |
List<String> | getAllowedFileExtensions() Gets the allowed file extensions for files that are uploaded to this application. |
int | getAllowedFileUploadSize() Gets the maximum allowed file upload size. |
int | getAllowedLoginAttempts() Gets the number of login attempts allowed before the user's account is locked. |
boolean | getAllowMixedEncoding() Return true if mixed encoding is allowed. |
boolean | getAllowMultipleEncoding() Return true if multiple encoding is allowed. |
String | getApplicationName() Gets the application name, used for logging. |
String | getAuthenticationImplementation() Returns the fully qualified classname of the ESAPI Authentication implementation. |
Boolean | getBooleanProp(String propertyName) Get any Boolean type property from security configuration. |
byte[] | getByteArrayProp(String propertyName) Get any byte array type property from security configuration. |
String | getCharacterEncoding() Gets the character encoding scheme supported by this application. |
String | getCipherTransformation() Retrieve the cipher transformation. |
List<String> | getCombinedCipherModes() Return a List of strings of combined cipher modes that support both confidentiality and authenticity. |
List<String> | getDefaultCanonicalizationCodecs() Returns the List of Codecs to use when canonicalizing data. |
String | getDigitalSignatureAlgorithm() Gets the digital signature algorithm used by ESAPI to generate and verify signatures. |
int | getDigitalSignatureKeyLength() Gets the digital signature key length used by ESAPI to generate and verify signatures. |
boolean | getDisableIntrusionDetection() Allows for complete disabling of all intrusion detection mechanisms. |
String | getEncoderImplementation() Returns the fully qualified classname of the ESAPI Encoder implementation. |
String | getEncryptionAlgorithm() Gets the encryption algorithm used by ESAPI to protect data. |
String | getEncryptionImplementation() Returns the fully qualified classname of the ESAPI Encryption implementation. |
int | getEncryptionKeyLength() Gets the key length to use in cryptographic operations declared in the ESAPI properties file. |
protected Properties | getESAPIProperties() |
protected boolean | getESAPIProperty(String key, boolean def) |
protected int | getESAPIProperty(String key, int def) |
protected List<String> | getESAPIProperty(String key, List<String> def) Returns a List representing the parsed, comma-separated property. |
protected String | getESAPIProperty(String key, String def) |
protected byte[] | getESAPIPropertyEncoded(String key, byte[] def) |
String | getExecutorImplementation() Returns the fully qualified classname of the ESAPI OS Execution implementation. |
boolean | getForceHttpOnlyCookies() Returns true if new cookies are required to have HttpOnly flag set. |
boolean | getForceHttpOnlySession() Returns true if session cookies are required to have HttpOnly flag set. |
boolean | getForceSecureCookies() Returns true if new cookies are required to have Secure flag set. |
boolean | getForceSecureSession() Returns true if session cookies are required to have Secure flag set. |
String | getHashAlgorithm() Gets the hashing algorithm used by ESAPI to hash data. |
int | getHashIterations() Gets the hash iterations used by ESAPI to hash data. |
String | getHttpSessionIdName() This method returns the configured name of the session identifier, likely "JSESSIONID" though this can be overridden. |
String | getHTTPUtilitiesImplementation() Returns the fully qualified classname of the ESAPI HTTPUtilities implementation. |
static SecurityConfiguration | getInstance() |
int | getIntProp(String propertyName) Get any int type property from security configuration. |
String | getIntrusionDetectionImplementation() Returns the fully qualified classname of the ESAPI Intrusion Detection implementation. |
String | getIVType() Deprecated. |
String | getKDFPseudoRandomFunction() Retrieve the Pseudo Random Function (PRF) used by the ESAPI Key Derivation Function (KDF). |
boolean | getLenientDatesAccepted() Determines whether ESAPI will accept "lenient" dates when attempting to parse dates. |
boolean | getLogApplicationName() Returns whether ESAPI should log the application name. |
boolean | getLogEncodingRequired() Returns whether HTML entity encoding should be applied to log entries. |
String | getLogImplementation() Returns the fully qualified classname of the ESAPI Logging implementation. |
boolean | getLogServerIP() Returns whether ESAPI should log the server IP. |
byte[] | getMasterKey() Gets the master key. |
byte[] | getMasterSalt() Gets the master salt that is used to salt stored password hashes and any other location where a salt is needed. |
int | getMaxHttpHeaderSize() Returns the maximum allowable HTTP header size. |
int | getMaxOldPasswordHashes() Gets the maximum number of old password hashes that should be retained. |
String | getPasswordParameterName() Gets the name of the password parameter used during user authentication. |
String | getPreferredJCEProvider() Retrieve the preferred JCE provider for ESAPI and your application. |
SecurityConfiguration.Threshold | getQuota(String eventName) Gets the intrusion detection quota for the specified event. |
String | getRandomAlgorithm() Gets the random number generation algorithm used to generate random numbers where needed. |
String | getRandomizerImplementation() Returns the fully qualified classname of the ESAPI Randomizer implementation. |
long | getRememberTokenDuration() Gets the length of the time to live window for remember me tokens (in milliseconds). |
File | getResourceFile(String filename) Gets a file from the resource directory. |
InputStream | getResourceStream(String filename) Gets an InputStream to a file in the resource directory. |
String | getResponseContentType() Gets the content type for responses used when setSafeContentType() is called. |
int | getSessionAbsoluteTimeoutLength() Gets the absolute timeout length for sessions (in milliseconds). |
int | getSessionIdleTimeoutLength() Gets the idle timeout length for sessions (in milliseconds). |
String | getStringProp(String propertyName) Get any property from security configuration. |
File | getUploadDirectory() Retrieves the upload directory as specified in the ESAPI.properties file. |
File | getUploadTempDirectory() Retrieves the temp directory to use when uploading files, as specified in ESAPI.properties. |
String | getUsernameParameterName() Gets the name of the username parameter used during user authentication. |
String | getValidationImplementation() Returns the fully qualified classname of the ESAPI Validation implementation. |
Pattern | getValidationPattern(String key) Returns a single pattern based upon key. |
File | getWorkingDirectory() Returns the default directory where processes will be executed by the Executor. |
protected void | loadConfiguration() Load configuration. |
static void | logToStdout(String msg, Throwable t) Log to standard output (i.e., System.out). |
boolean | overwritePlainText() Indicates whether the PlainText objects may be overwritten after they have been encrypted. |
String | setCipherTransformation(String cipherXform) Set the cipher transformation. |
void | setResourceDirectory(String dir) Sets the ESAPI resource directory. |
protected boolean | shouldPrintProperties() |
boolean | useMACforCipherText() Determines whether the CipherText should be used with a Message Authentication Code (MAC). |
Field Detail
Each of the following fields is declared @Deprecated public static final String and carries the same note: Deprecated. Use same field name, but from org.owasp.esapi.PropNames instead. (IV_TYPE is deprecated with no PropNames replacement noted.)
DEFAULT_RESOURCE_FILE, REMEMBER_TOKEN_DURATION, IDLE_TIMEOUT_DURATION, ABSOLUTE_TIMEOUT_DURATION, ALLOWED_LOGIN_ATTEMPTS, USERNAME_PARAMETER_NAME, PASSWORD_PARAMETER_NAME, MAX_OLD_PASSWORD_HASHES, ALLOW_MULTIPLE_ENCODING, ALLOW_MIXED_ENCODING, CANONICALIZATION_CODECS, DISABLE_INTRUSION_DETECTION, MASTER_KEY, MASTER_SALT, KEY_LENGTH, ENCRYPTION_ALGORITHM, HASH_ALGORITHM, HASH_ITERATIONS, CHARACTER_ENCODING, RANDOM_ALGORITHM, DIGITAL_SIGNATURE_ALGORITHM, DIGITAL_SIGNATURE_KEY_LENGTH, PREFERRED_JCE_PROVIDER, CIPHER_TRANSFORMATION_IMPLEMENTATION, CIPHERTEXT_USE_MAC, PLAINTEXT_OVERWRITE, IV_TYPE, COMBINED_CIPHER_MODES, ADDITIONAL_ALLOWED_CIPHER_MODES, KDF_PRF_ALG, PRINT_PROPERTIES_WHEN_LOADED, WORKING_DIRECTORY, APPROVED_EXECUTABLES, FORCE_HTTPONLYSESSION, FORCE_SECURESESSION, FORCE_HTTPONLYCOOKIES, FORCE_SECURECOOKIES, MAX_HTTP_HEADER_SIZE, UPLOAD_DIRECTORY, UPLOAD_TEMP_DIRECTORY, APPROVED_UPLOAD_EXTENSIONS, MAX_UPLOAD_FILE_BYTES, RESPONSE_CONTENT_TYPE, HTTP_SESSION_ID_NAME, APPLICATION_NAME, LOG_ENCODING_REQUIRED, LOG_APPLICATION_NAME, LOG_SERVER_IP, LOG_USER_INFO, LOG_CLIENT_INFO, VALIDATION_PROPERTIES, VALIDATION_PROPERTIES_MULTIVALUED, ACCEPT_LENIENT_DATES, VALIDATOR_HTML_VALIDATION_ACTION, VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE, DISCARD_LOGSPECIAL, LOG_IMPLEMENTATION, AUTHENTICATION_IMPLEMENTATION, ENCODER_IMPLEMENTATION, ACCESS_CONTROL_IMPLEMENTATION, ENCRYPTION_IMPLEMENTATION, INTRUSION_DETECTION_IMPLEMENTATION, RANDOMIZER_IMPLEMENTATION, EXECUTOR_IMPLEMENTATION, VALIDATOR_IMPLEMENTATION, HTTP_UTILITIES_IMPLEMENTATION, DEFAULT_LOG_IMPLEMENTATION, DEFAULT_AUTHENTICATION_IMPLEMENTATION, DEFAULT_ENCODER_IMPLEMENTATION, DEFAULT_ACCESS_CONTROL_IMPLEMENTATION, DEFAULT_ENCRYPTION_IMPLEMENTATION, DEFAULT_INTRUSION_DETECTION_IMPLEMENTATION, DEFAULT_RANDOMIZER_IMPLEMENTATION, DEFAULT_EXECUTOR_IMPLEMENTATION, DEFAULT_HTTP_UTILITIES_IMPLEMENTATION, DEFAULT_VALIDATOR_IMPLEMENTATION.
DISCARD_LOGSPECIAL additionally names the java.lang.System property that, if set to true, will disable logging from the DefaultSecurityConfiguration.logToStdout() method, which is called from various logSpecial() methods.
protected final int MAX_REDIRECT_LOCATION
Constructor Detail
public DefaultSecurityConfiguration(Properties properties)
Parameters: properties -
public DefaultSecurityConfiguration()
Method Detail
public static SecurityConfiguration getInstance()
public String getApplicationName()
Specified by: getApplicationName in interface SecurityConfiguration
public String getLogImplementation()
Specified by: getLogImplementation in interface SecurityConfiguration
public String getAuthenticationImplementation()
Specified by: getAuthenticationImplementation in interface SecurityConfiguration
public String getEncoderImplementation()
Specified by: getEncoderImplementation in interface SecurityConfiguration
public String getAccessControlImplementation()
Specified by: getAccessControlImplementation in interface SecurityConfiguration
public String getEncryptionImplementation()
Specified by: getEncryptionImplementation in interface SecurityConfiguration
public String getIntrusionDetectionImplementation()
Specified by: getIntrusionDetectionImplementation in interface SecurityConfiguration
public String getRandomizerImplementation()
Specified by: getRandomizerImplementation in interface SecurityConfiguration
public String getExecutorImplementation()
Specified by: getExecutorImplementation in interface SecurityConfiguration
public String getHTTPUtilitiesImplementation()
Specified by: getHTTPUtilitiesImplementation in interface SecurityConfiguration
public String getValidationImplementation()
Specified by: getValidationImplementation in interface SecurityConfiguration
public byte[] getMasterKey()
Specified by: getMasterKey in interface SecurityConfiguration
public void setResourceDirectory(String dir)
Specified by: setResourceDirectory in interface SecurityConfiguration
Parameters: dir - The location of the resource directory.
public int getEncryptionKeyLength()
Description copied from interface: SecurityConfiguration
Specified by: getEncryptionKeyLength in interface SecurityConfiguration
public byte[] getMasterSalt()
Specified by: getMasterSalt in interface SecurityConfiguration
public List<String> getAllowedExecutables()
Specified by: getAllowedExecutables in interface SecurityConfiguration
public List<String> getAllowedFileExtensions()
Specified by: getAllowedFileExtensions in interface SecurityConfiguration
public int getAllowedFileUploadSize()
Specified by: getAllowedFileUploadSize in interface SecurityConfiguration
protected void loadConfiguration() throws IOException
Throws: IOException - if the file is inaccessible
public InputStream getResourceStream(String filename) throws IOException
Description copied from interface: SecurityConfiguration
Specified by: getResourceStream in interface SecurityConfiguration
Parameters: filename -
Returns: InputStream associated with the specified file name as a resource stream.
Throws: IOException - If the file cannot be found or opened for reading.
public File getResourceFile(String filename)
Specified by: getResourceFile in interface SecurityConfiguration
Parameters: filename - The file name resource.
Returns: File object representing the specified file name or null if not found.
public static final void logToStdout(String msg, Throwable t)
Log to standard output (i.e., System.out). This method is synchronized to reduce the possibility of interleaving the message output (since the System.out PrintStream is buffered) if invoked from multiple threads. Output is discarded if the System property "org.owasp.esapi.logSpecial.discard" is set to true.
Parameters: msg - Message to be logged. t - Associated exception that was caught. The class name and exception message are also logged.
public String getPasswordParameterName()
Specified by: getPasswordParameterName in interface SecurityConfiguration
public String getUsernameParameterName()
Specified by: getUsernameParameterName in interface SecurityConfiguration
public String getEncryptionAlgorithm()
Specified by: getEncryptionAlgorithm in interface SecurityConfiguration
public String getCipherTransformation()
Retrieve the cipher transformation. The cipher transformation is a String that takes the following form:
cipher_alg/cipher_mode[bits]/padding_scheme
where cipher_alg is the JCE cipher algorithm (e.g., "DESede"), cipher_mode is the cipher mode (e.g., "CBC", "CFB", "CTR", etc.), and padding_scheme is the cipher padding scheme (e.g., "NONE" for no padding, "PKCS5Padding" for PKCS#5 padding, etc.), and where [bits] is an optional bit size that applies to certain cipher modes such as CFB and OFB. Using modes such as CFB and OFB, block ciphers can encrypt data in units smaller than the cipher's actual block size. When requesting such a mode, you may optionally specify the number of bits to be processed at a time. This generally must be an integral multiple of 8 bits so that it can specify a whole number of octets.
Examples are:
"AES/ECB/NoPadding" // Default for ESAPI Java 1.4 (insecure)
"AES/CBC/PKCS5Padding" // Default for ESAPI Java 2.0
"DESede/OFB32/PKCS5Padding"
NOTE: Occasionally, in cryptographic literature, you may also see the key size (in bits) specified after the cipher algorithm in the cipher transformation. Generally, this is done to account for cipher algorithms that have variable key sizes. The Blowfish cipher for example supports key sizes from 32 to 448 bits. So for Blowfish, you might see a cipher transformation something like this:
"Blowfish-192/CFB8/PKCS5Padding"
in the cryptographic literature. It should be noted that the Java Cryptography Extensions (JCE) do not generally support this (at least not the reference JCE implementation of "SunJCE"), and therefore it should be avoided.
Specified by: getCipherTransformation in interface SecurityConfiguration
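Because setCipherTransformation() performs no sanity checking of its own (as its documentation warns), a caller should validate the string before handing it over. The following added example is not ESAPI project code: it parses the cipher_alg/cipher_mode[bits]/padding_scheme form described above and rejects the shapes the text names as insecure (ECB) or unsupported by the reference JCE (the "Blowfish-192" key-size suffix). The class CipherTransformationCheck, its reject() method and the ALLOWED_MODES set are constructed here; in an application the set would be populated from getCombinedCipherModes() plus getAdditionalAllowedCipherModes().

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not ESAPI project code): validate a cipher transformation string
 * before passing it to SecurityConfiguration.setCipherTransformation().
 */
public final class CipherTransformationCheck {

    // cipher_alg / cipher_mode [bits] / padding_scheme; the algorithm token deliberately
    // excludes '-', so the literature form "Blowfish-192/..." fails to match.
    private static final Pattern FORM =
            Pattern.compile("^([A-Za-z0-9_]+)/([A-Za-z]+)(\\d{0,4})/([A-Za-z0-9]+)$");

    /** Constructed allow-list standing in for the configured combined/additional modes. */
    static final Set<String> ALLOWED_MODES =
            new HashSet<>(Arrays.asList("GCM", "CCM", "CBC", "CTR", "CFB", "OFB"));

    /** Returns null when the transformation is acceptable, otherwise the reason it is rejected. */
    static String reject(String xform, Collection<String> allowedModes) {
        if (xform == null || xform.isEmpty()) {
            return "empty transformation";
        }
        Matcher m = FORM.matcher(xform);
        if (!m.matches()) {
            return "not of the form cipher_alg/cipher_mode[bits]/padding_scheme: " + xform;
        }
        String mode = m.group(2).toUpperCase(Locale.ROOT);
        String bits = m.group(3);   // "" when no bit width was given

        if (mode.equals("ECB")) {
            return "ECB mode leaks plaintext structure (the insecure ESAPI 1.4 default)";
        }
        if (!allowedModes.contains(mode)) {
            return "mode " + mode + " is not in the allowed cipher modes";
        }
        if (!bits.isEmpty()) {
            // A bit width only makes sense for the feedback modes, and it must be a
            // whole number of octets as the documentation requires.
            if (!mode.equals("CFB") && !mode.equals("OFB")) {
                return "bit width is only meaningful for CFB and OFB, not " + mode;
            }
            int n = Integer.parseInt(bits);
            if (n == 0 || n % 8 != 0) {
                return "bit width " + n + " is not a positive multiple of 8";
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed samples covering the accepted and rejected shapes.
        String[] samples = {
            "AES/CBC/PKCS5Padding",          // ESAPI 2.0 default: accepted
            "AES/GCM/NoPadding",             // combined mode: accepted
            "AES/ECB/NoPadding",             // ESAPI 1.4 default: rejected
            "DESede/OFB32/PKCS5Padding",     // feedback mode with bit width: accepted
            "DESede/CBC12/PKCS5Padding",     // bit width on a non-feedback mode: rejected
            "Blowfish-192/CFB8/PKCS5Padding" // literature form JCE does not accept: rejected
        };
        for (String s : samples) {
            String why = reject(s, ALLOWED_MODES);
            System.out.println(s + " -> " + (why == null ? "OK" : "REJECT: " + why));
        }
    }
}
```

Call `reject()` on the value read from configuration (or on the argument to `setCipherTransformation()`) and refuse to proceed on a non-null result; that turns the "you will not get any errors until you later try to use it" failure mode into a deterministic start-up error.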
public String setCipherTransformation(String cipherXform)
Allows a cipher transformation other than the one in the ESAPI.properties file to be used. For instance, you may normally want to use AES/CBC/PKCS5Padding, but have some legacy encryption where you have ciphertext that was encrypted using 3DES.
setCipherTransformation
in interface SecurityConfiguration
cipherXform - The new cipher transformation. See SecurityConfiguration.getCipherTransformation() for the format. If null is passed as the parameter, the cipher transformation will be set to the default taken from the property Encryptor.CipherTransformation in the ESAPI.properties file. BEWARE: there is NO sanity checking here (other than for the empty string, and then only if Java assertions are enabled), so if you set this wrong, you will not get any errors until you later try to use it to encrypt or decrypt data.
public boolean useMACforCipherText()
Determines whether CipherText should be used with a Message Authentication Code (MAC). Generally this makes for a more robust cryptographic scheme, but there are some minor performance implications. Controlled by the ESAPI property Encryptor.CipherText.useMAC.
For further details, see the "Advanced Usage" section of "Why Is OWASP Changing ESAPI Encryption?".
useMACforCipherText
in interface SecurityConfiguration
true if you want a MAC to be used, otherwise false.
public boolean overwritePlainText()
Determines whether PlainText objects may be overwritten after they have been encrypted. Generally this is a good idea, especially if your VM is shared by multiple applications (e.g., multiple applications running in the same J2EE container) or if there is a possibility that your VM may leave a core dump (say because it is running non-native Java code).
Controlled by the property Encryptor.PlainText.overwrite in the ESAPI.properties file.
overwritePlainText
in interface SecurityConfiguration
true if PlainText objects are to be overwritten after encrypting, false otherwise.
@Deprecated
public String getIVType()
Deprecated. Using fixed for the property Encryptor.ChooseIVMethod will now result in a ConfigurationException being thrown.
getIVType
in interface SecurityConfiguration
ConfigurationException - as described above.
public String getHashAlgorithm()
getHashAlgorithm
in interface SecurityConfiguration
public int getHashIterations()
getHashIterations
in interface SecurityConfiguration
public String getKDFPseudoRandomFunction()
getKDFPseudoRandomFunction
in interface SecurityConfiguration
public String getCharacterEncoding()
getCharacterEncoding
in interface SecurityConfiguration
public boolean getAllowMultipleEncoding()
getAllowMultipleEncoding
in interface SecurityConfiguration
public boolean getAllowMixedEncoding()
getAllowMixedEncoding
in interface SecurityConfiguration
public List<String> getDefaultCanonicalizationCodecs()
getDefaultCanonicalizationCodecs
in interface SecurityConfiguration
public String getDigitalSignatureAlgorithm()
getDigitalSignatureAlgorithm
in interface SecurityConfiguration
public int getDigitalSignatureKeyLength()
getDigitalSignatureKeyLength
in interface SecurityConfiguration
public String getRandomAlgorithm()
getRandomAlgorithm
in interface SecurityConfiguration
public int getAllowedLoginAttempts()
getAllowedLoginAttempts
in interface SecurityConfiguration
public int getMaxOldPasswordHashes()
getMaxOldPasswordHashes
in interface SecurityConfiguration
public File getUploadDirectory()
getUploadDirectory
in interface SecurityConfiguration
public File getUploadTempDirectory()
getUploadTempDirectory
in interface SecurityConfiguration
public boolean getDisableIntrusionDetection()
getDisableIntrusionDetection
in interface SecurityConfiguration
public SecurityConfiguration.Threshold getQuota(String eventName)
getQuota
in interface SecurityConfiguration
eventName - the name of the event whose quota is desired
public boolean getLogEncodingRequired()
getLogEncodingRequired
in interface SecurityConfiguration
public boolean getLogApplicationName()
getLogApplicationName
in interface SecurityConfiguration
public boolean getLogServerIP()
getLogServerIP
in interface SecurityConfiguration
public boolean getForceHttpOnlySession()
getForceHttpOnlySession
in interface SecurityConfiguration
public boolean getForceSecureSession()
getForceSecureSession
in interface SecurityConfiguration
public boolean getForceHttpOnlyCookies()
getForceHttpOnlyCookies
in interface SecurityConfiguration
public boolean getForceSecureCookies()
getForceSecureCookies
in interface SecurityConfiguration
public int getMaxHttpHeaderSize()
getMaxHttpHeaderSize
in interface SecurityConfiguration
public String getResponseContentType()
getResponseContentType
in interface SecurityConfiguration
public String getHttpSessionIdName()
getHttpSessionIdName
in interface SecurityConfiguration
public long getRememberTokenDuration()
getRememberTokenDuration
in interface SecurityConfiguration
public int getSessionIdleTimeoutLength()
getSessionIdleTimeoutLength
in interface SecurityConfiguration
public int getSessionAbsoluteTimeoutLength()
getSessionAbsoluteTimeoutLength
in interface SecurityConfiguration
public Pattern getValidationPattern(String key)
getValidationPattern
in interface SecurityConfiguration
key - the name of the validation pattern you want
public File getWorkingDirectory()
getWorkingDirectory
in interface SecurityConfiguration
public String getPreferredJCEProvider()
The property Encryptor.PreferredJCEProvider in the ESAPI.properties file will cause the specified JCE provider to be automatically and dynamically loaded (assuming that SecurityManager permissions allow) as the preferred JCE provider. (Note this only happens if the JCE provider is not already loaded.) This method returns the property Encryptor.PreferredJCEProvider.
By default, this Encryptor.PreferredJCEProvider property is set to an empty string, which means that the preferred JCE provider is not changed.
getPreferredJCEProvider
in interface SecurityConfiguration
The value of the property Encryptor.PreferredJCEProvider is returned.
See also SecurityProviderLoader.
public List<String> getCombinedCipherModes()
Returns a List of strings of combined cipher modes that support both confidentiality and authenticity. These would be the preferred cipher modes to use if your JCE provider supports them. If such a cipher mode is used, no explicit separate MAC is calculated as part of the CipherText object upon encryption, nor is any attempt made to verify one on decryption.
The list is taken from the comma-separated list of cipher modes specified by the ESAPI property Encryptor.cipher_modes.combined_modes.
getCombinedCipherModes
in interface SecurityConfiguration
The list of combined cipher modes if the property is set in ESAPI.properties; otherwise the empty list is returned.
public List<String> getAdditionalAllowedCipherModes()
Returns a List of strings of additional cipher modes that are permitted (i.e., in addition to those returned by SecurityConfiguration.getCombinedCipherModes()) to be used for encryption and decryption operations.
The list is taken from the comma-separated list of cipher modes specified by the ESAPI property Encryptor.cipher_modes.additional_allowed.
getAdditionalAllowedCipherModes
in interface SecurityConfiguration
The list of additional allowed cipher modes if the property is set in ESAPI.properties; otherwise the empty list is returned.
See also SecurityConfiguration.getCombinedCipherModes().
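The transformation format described under getCipherTransformation(), the absence of sanity checking that setCipherTransformation() warns about, and the combined and additional allowed mode lists above, worked through as an added example. This is editor-supplied code, not part of ESAPI: it parses a cipher_alg/cipher_mode[bits]/padding_scheme string, checks the bit size is a whole number of octets, flags ECB and the unsupported key-size suffix from the NOTE above, checks the mode against the two mode lists, and asks the installed JCE provider whether it accepts the string at all. The lists passed in stand in for the values getCombinedCipherModes() and getAdditionalAllowedCipherModes() would return; the sample lists in main() are constructed, not read from any ESAPI.properties file.

```java
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Cipher;

/**
 * Added example, not ESAPI code: parses cipher_alg/cipher_mode[bits]/padding_scheme
 * and applies the sanity checks that setCipherTransformation() itself does not,
 * so a bad value is caught before it is stored rather than at the first encrypt call.
 */
public class CipherTransformationCheck {

    public static final class Parsed {
        public final String algorithm;
        public final String mode;   // "CBC", "GCM", "OFB", ... with any bit size removed
        public final int bits;      // 32 for "OFB32"; 0 when no bit size was given
        public final String padding;

        Parsed(String algorithm, String mode, int bits, String padding) {
            this.algorithm = algorithm; this.mode = mode; this.bits = bits; this.padding = padding;
        }
    }

    // cipher_mode[bits]: a run of letters followed by an optional run of digits
    private static final Pattern MODE_WITH_BITS = Pattern.compile("^([A-Za-z]+)(\\d*)$");

    public static Parsed parse(String xform) {
        if (xform == null || xform.trim().isEmpty()) throw new IllegalArgumentException("cipher transformation must not be empty");
        String[] parts = xform.split("/", -1);
        if (parts.length != 3) throw new IllegalArgumentException("expected cipher_alg/cipher_mode[bits]/padding_scheme, got: " + xform);
        Matcher m = MODE_WITH_BITS.matcher(parts[1]);
        if (!m.matches()) throw new IllegalArgumentException("malformed cipher mode: " + parts[1]);
        int bits = m.group(2).isEmpty() ? 0 : Integer.parseInt(m.group(2));
        // the bit size has to describe a whole number of octets
        if (bits % 8 != 0) throw new IllegalArgumentException("bit size must be a multiple of 8: " + bits);
        return new Parsed(parts[0], m.group(1).toUpperCase(Locale.ROOT), bits, parts[2]);
    }

    /**
     * Returns the problems found; an empty list means the transformation is acceptable.
     * combinedModes / additionalAllowed stand in for getCombinedCipherModes() /
     * getAdditionalAllowedCipherModes().
     */
    public static List<String> check(String xform, List<String> combinedModes, List<String> additionalAllowed) {
        List<String> problems = new ArrayList<>();
        Parsed p;
        try {
            p = parse(xform);
        } catch (IllegalArgumentException e) {
            problems.add(e.getMessage());
            return problems;
        }
        if (p.algorithm.matches(".*-\\d+")) {
            problems.add("key size suffix in the algorithm name is not supported by SunJCE: " + p.algorithm);
        }
        if ("ECB".equals(p.mode)) {
            problems.add("ECB mode reveals repeated plaintext blocks; use CBC or a combined mode");
        }
        // a combined mode carries its own authentication, so ESAPI adds no separate MAC for it
        boolean combined = containsIgnoreCase(combinedModes, p.mode);
        if (!combined && !containsIgnoreCase(additionalAllowed, p.mode)) {
            problems.add("mode " + p.mode + " is in neither combined_modes nor additional_allowed");
        }
        try {
            Cipher.getInstance(xform);   // does the installed JCE provider accept the string at all?
        } catch (GeneralSecurityException e) {
            problems.add("JCE provider rejects the transformation: " + e.getMessage());
        }
        return problems;
    }

    private static boolean containsIgnoreCase(List<String> list, String value) {
        for (String s : list) {
            if (s.trim().equalsIgnoreCase(value)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample lists; a deployment would read them from ESAPI.securityConfiguration().
        List<String> combined = Arrays.asList("GCM", "CCM", "EAX", "OCB");
        List<String> additional = Arrays.asList("CBC", "CFB", "OFB");
        String[] candidates = {
            "AES/CBC/PKCS5Padding",           // ESAPI 2.0 default
            "AES/GCM/NoPadding",              // combined mode: no separate ESAPI MAC
            "AES/ECB/NoPadding",              // ESAPI 1.4 default, insecure
            "DESede/OFB32/PKCS5Padding",      // bit size on the mode
            "Blowfish-192/CFB8/PKCS5Padding", // key size in the algorithm name
            "AES/CBC"                         // malformed
        };
        for (String x : candidates) {
            List<String> problems = check(x, combined, additional);
            System.out.println(x + " -> " + (problems.isEmpty() ? "OK" : problems));
        }
    }
}
```

Run check() on a candidate transformation before handing it to setCipherTransformation(); an empty result means the string is well-formed, uses a mode the configuration permits, and is accepted by the JCE provider that is actually installed, which is exactly the feedback setCipherTransformation() itself will not give you.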
public boolean getLenientDatesAccepted()
Returns the value of the ESAPI property Validator.AcceptLenientDates, which defaults to false if unset.
getLenientDatesAccepted
in interface SecurityConfiguration
See also DateFormat.setLenient(boolean).
protected boolean getESAPIProperty(String key, boolean def)
protected byte[] getESAPIPropertyEncoded(String key, byte[] def)
protected int getESAPIProperty(String key, int def)
protected List<String> getESAPIProperty(String key, List<String> def)
Returns a List representing the parsed, comma-separated property.
key - The specified property name
def - A default value for the property name to return if the property is not set.
public int getIntProp(String propertyName) throws ConfigurationException
getIntProp
in interface EsapiPropertyLoader
ConfigurationException - when the property does not exist in the configuration or has an incorrect type.
public byte[] getByteArrayProp(String propertyName) throws ConfigurationException
getByteArrayProp
in interface EsapiPropertyLoader
ConfigurationException - when the property does not exist in the configuration or has an incorrect type.
public Boolean getBooleanProp(String propertyName) throws ConfigurationException
getBooleanProp
in interface EsapiPropertyLoader
ConfigurationException - when the property does not exist in the configuration or has an incorrect type.
public String getStringProp(String propertyName) throws ConfigurationException
getStringProp
in interface EsapiPropertyLoader
ConfigurationException - when the property does not exist in the configuration.
protected boolean shouldPrintProperties()
protected Properties getESAPIProperties()
Copyright © 2022 The Open Web Application Security Project (OWASP). All rights reserved.