Class DefaultSecurityConfiguration
- java.lang.Object
-
- org.owasp.esapi.reference.DefaultSecurityConfiguration
-
- All Implemented Interfaces:
EsapiPropertyLoader
,SecurityConfiguration
public class DefaultSecurityConfiguration extends java.lang.Object implements SecurityConfiguration
The referenceSecurityConfiguration
manages all the settings used by the ESAPI in a single place. In this reference implementation, resources can be put in several locations, which are searched in the following order:1) Inside a directory set with a call to SecurityConfiguration.setResourceDirectory( "C:\temp\resources" ).
2) Inside the System.getProperty( "org.owasp.esapi.resources" ) directory. You can set this on the java command line as follows (for example):
java -Dorg.owasp.esapi.resources="C:\temp\resources"
You may have to add this to the start-up script that starts your web server. For example, for Tomcat, in the "catalina" script that starts Tomcat, you can set the JAVA_OPTS variable to the-D
string above.3) Inside the
System.getProperty( "user.home" ) + "/.esapi"
directory (supported for backward compatibility) or inside theSystem.getProperty( "user.home" ) + "/esapi"
directory.4) The first ".esapi" or "esapi" directory on the classpath. (The former for backward compatibility.)
Once the Configuration is initialized with a resource directory, you can edit it to set things like master keys and passwords, logging locations, error thresholds, and allowed file extensions.
WARNING: Do not forget to update ESAPI.properties to change the master key and other security critical settings.
- Author:
- Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security, Jim Manico (jim .at. manico.net) Manico.net, Kevin Wall (kevin.w.wall .at. gmail.com)
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static class
DefaultSecurityConfiguration.DefaultSearchPath
-
Nested classes/interfaces inherited from interface org.owasp.esapi.SecurityConfiguration
SecurityConfiguration.Threshold
-
-
Field Summary
Fields Modifier and Type Field Description static java.lang.String
ABSOLUTE_TIMEOUT_DURATION
static java.lang.String
ACCEPT_LENIENT_DATES
static java.lang.String
ACCESS_CONTROL_IMPLEMENTATION
static java.lang.String
ADDITIONAL_ALLOWED_CIPHER_MODES
static java.lang.String
ALLOW_MIXED_ENCODING
static java.lang.String
ALLOW_MULTIPLE_ENCODING
static java.lang.String
ALLOWED_LOGIN_ATTEMPTS
static java.lang.String
APPLICATION_NAME
static java.lang.String
APPROVED_EXECUTABLES
static java.lang.String
APPROVED_UPLOAD_EXTENSIONS
static java.lang.String
AUTHENTICATION_IMPLEMENTATION
static java.lang.String
CANONICALIZATION_CODECS
static java.lang.String
CHARACTER_ENCODING
static java.lang.String
CIPHER_TRANSFORMATION_IMPLEMENTATION
static java.lang.String
CIPHERTEXT_USE_MAC
static java.lang.String
COMBINED_CIPHER_MODES
static java.lang.String
DEFAULT_ACCESS_CONTROL_IMPLEMENTATION
static java.lang.String
DEFAULT_AUTHENTICATION_IMPLEMENTATION
static java.lang.String
DEFAULT_ENCODER_IMPLEMENTATION
static java.lang.String
DEFAULT_ENCRYPTION_IMPLEMENTATION
static java.lang.String
DEFAULT_EXECUTOR_IMPLEMENTATION
static java.lang.String
DEFAULT_HTTP_UTILITIES_IMPLEMENTATION
static java.lang.String
DEFAULT_INTRUSION_DETECTION_IMPLEMENTATION
static java.lang.String
DEFAULT_LOG_IMPLEMENTATION
static java.lang.String
DEFAULT_RANDOMIZER_IMPLEMENTATION
static java.lang.String
DEFAULT_RESOURCE_FILE
The name of the ESAPI property filestatic java.lang.String
DEFAULT_VALIDATOR_IMPLEMENTATION
static java.lang.String
DIGITAL_SIGNATURE_ALGORITHM
static java.lang.String
DIGITAL_SIGNATURE_KEY_LENGTH
static java.lang.String
DISABLE_INTRUSION_DETECTION
static java.lang.String
DISCARD_LOGSPECIAL
SpecialSystem
property that, if set totrue
, will disable logging fromDefaultSecurityConfiguration.logToStdout()
methods, which is called from variouslogSpecial()
methods.static java.lang.String
ENCODER_IMPLEMENTATION
static java.lang.String
ENCRYPTION_ALGORITHM
static java.lang.String
ENCRYPTION_IMPLEMENTATION
static java.lang.String
EXECUTOR_IMPLEMENTATION
static java.lang.String
FIXED_IV
Deprecated.static java.lang.String
FORCE_HTTPONLYCOOKIES
static java.lang.String
FORCE_HTTPONLYSESSION
static java.lang.String
FORCE_SECURECOOKIES
static java.lang.String
FORCE_SECURESESSION
static java.lang.String
HASH_ALGORITHM
static java.lang.String
HASH_ITERATIONS
static java.lang.String
HTTP_SESSION_ID_NAME
static java.lang.String
HTTP_UTILITIES_IMPLEMENTATION
static java.lang.String
IDLE_TIMEOUT_DURATION
static java.lang.String
INTRUSION_DETECTION_IMPLEMENTATION
static java.lang.String
IV_TYPE
static java.lang.String
KDF_PRF_ALG
static java.lang.String
KEY_LENGTH
static java.lang.String
LOG_APPLICATION_NAME
static java.lang.String
LOG_CLIENT_INFO
static java.lang.String
LOG_ENCODING_REQUIRED
static java.lang.String
LOG_IMPLEMENTATION
static java.lang.String
LOG_SERVER_IP
static java.lang.String
LOG_USER_INFO
static java.lang.String
MASTER_KEY
static java.lang.String
MASTER_SALT
static java.lang.String
MAX_HTTP_HEADER_SIZE
static java.lang.String
MAX_OLD_PASSWORD_HASHES
protected int
MAX_REDIRECT_LOCATION
static java.lang.String
MAX_UPLOAD_FILE_BYTES
static java.lang.String
PASSWORD_PARAMETER_NAME
static java.lang.String
PLAINTEXT_OVERWRITE
static java.lang.String
PREFERRED_JCE_PROVIDER
static java.lang.String
PRINT_PROPERTIES_WHEN_LOADED
static java.lang.String
RANDOM_ALGORITHM
static java.lang.String
RANDOMIZER_IMPLEMENTATION
static java.lang.String
REMEMBER_TOKEN_DURATION
static java.lang.String
RESPONSE_CONTENT_TYPE
static java.lang.String
UPLOAD_DIRECTORY
static java.lang.String
UPLOAD_TEMP_DIRECTORY
static java.lang.String
USERNAME_PARAMETER_NAME
static java.lang.String
VALIDATION_PROPERTIES
static java.lang.String
VALIDATION_PROPERTIES_MULTIVALUED
static java.lang.String
VALIDATOR_HTML_VALIDATION_ACTION
static java.lang.String
VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE
static java.lang.String
VALIDATOR_IMPLEMENTATION
static java.lang.String
WORKING_DIRECTORY
-
Constructor Summary
Constructors Constructor Description DefaultSecurityConfiguration()
Instantiates a new configuration.DefaultSecurityConfiguration(java.util.Properties properties)
Instantiates a new configuration with the supplied properties.
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Deprecated Methods Modifier and Type Method Description java.lang.String
getAccessControlImplementation()
Returns the fully qualified classname of the ESAPI Access Control implementation.java.util.List<java.lang.String>
getAdditionalAllowedCipherModes()
ReturnList
of strings of additional cipher modes that are permitted (i.e., in addition to those returned bySecurityConfiguration.getCombinedCipherModes()
) to be used for encryption and decryption operations.java.util.List<java.lang.String>
getAllowedExecutables()
Gets the allowed executables to run with the Executor.java.util.List<java.lang.String>
getAllowedFileExtensions()
Gets the allowed file extensions for files that are uploaded to this application.int
getAllowedFileUploadSize()
Gets the maximum allowed file upload size.int
getAllowedLoginAttempts()
Gets the number of login attempts allowed before the user's account is locked.boolean
getAllowMixedEncoding()
Return true if mixed encoding is allowedboolean
getAllowMultipleEncoding()
Return true if multiple encoding is allowedjava.lang.String
getApplicationName()
Gets the application name, used for loggingjava.lang.String
getAuthenticationImplementation()
Returns the fully qualified classname of the ESAPI Authentication implementation.java.lang.Boolean
getBooleanProp(java.lang.String propertyName)
Get any Boolean type property from security configuration.byte[]
getByteArrayProp(java.lang.String propertyName)
Get any byte array type property from security configuration.java.lang.String
getCharacterEncoding()
Gets the character encoding scheme supported by this application.java.lang.String
getCipherTransformation()
Retrieve the cipher transformation.java.util.List<java.lang.String>
getCombinedCipherModes()
Return aList
of strings of combined cipher modes that support both confidentiality and authenticity.java.util.List<java.lang.String>
getDefaultCanonicalizationCodecs()
Returns the List of Codecs to use when canonicalizing datajava.lang.String
getDigitalSignatureAlgorithm()
Gets the digital signature algorithm used by ESAPI to generate and verify signatures.int
getDigitalSignatureKeyLength()
Gets the digital signature key length used by ESAPI to generate and verify signatures.boolean
getDisableIntrusionDetection()
Allows for complete disabling of all intrusion detection mechanismsjava.lang.String
getEncoderImplementation()
Returns the fully qualified classname of the ESAPI Encoder implementation.java.lang.String
getEncryptionAlgorithm()
Gets the encryption algorithm used by ESAPI to protect data.java.lang.String
getEncryptionImplementation()
Returns the fully qualified classname of the ESAPI Encryption implementation.int
getEncryptionKeyLength()
Gets the key length to use in cryptographic operations declared in the ESAPI properties file.protected java.util.Properties
getESAPIProperties()
protected boolean
getESAPIProperty(java.lang.String key, boolean def)
protected int
getESAPIProperty(java.lang.String key, int def)
protected java.lang.String
getESAPIProperty(java.lang.String key, java.lang.String def)
protected java.util.List<java.lang.String>
getESAPIProperty(java.lang.String key, java.util.List<java.lang.String> def)
Returns aList
representing the parsed, comma-separated property.protected byte[]
getESAPIPropertyEncoded(java.lang.String key, byte[] def)
java.lang.String
getExecutorImplementation()
Returns the fully qualified classname of the ESAPI OS Execution implementation.java.lang.String
getFixedIV()
Deprecated.boolean
getForceHttpOnlyCookies()
Returns true if new cookies are required to have HttpOnly flag set.boolean
getForceHttpOnlySession()
Returns true if session cookies are required to have HttpOnly flag set.boolean
getForceSecureCookies()
Returns true if new cookies are required to have Secure flag set.boolean
getForceSecureSession()
Returns true if session cookies are required to have Secure flag set.java.lang.String
getHashAlgorithm()
Gets the hashing algorithm used by ESAPI to hash data.int
getHashIterations()
Gets the hash iterations used by ESAPI to hash data.java.lang.String
getHttpSessionIdName()
This method returns the configured name of the session identifier, likely "JSESSIONID" though this can be overridden.java.lang.String
getHTTPUtilitiesImplementation()
Returns the fully qualified classname of the ESAPI HTTPUtilities implementation.static SecurityConfiguration
getInstance()
int
getIntProp(java.lang.String propertyName)
Get any int type property from security configuration.java.lang.String
getIntrusionDetectionImplementation()
Returns the fully qualified classname of the ESAPI Intrusion Detection implementation.java.lang.String
getIVType()
Get a string indicating how to compute an Initialization Vector (IV).java.lang.String
getKDFPseudoRandomFunction()
Retrieve the Pseudo Random Function (PRF) used by the ESAPI Key Derivation Function (KDF).boolean
getLenientDatesAccepted()
Determines whether ESAPI will accept "lenient" dates when attempt to parse dates.boolean
getLogApplicationName()
Returns whether ESAPI should log the application name.boolean
getLogEncodingRequired()
Returns whether HTML entity encoding should be applied to log entries.java.lang.String
getLogImplementation()
Returns the fully qualified classname of the ESAPI Logging implementation.boolean
getLogServerIP()
Returns whether ESAPI should log the server IP.byte[]
getMasterKey()
Gets the master key.byte[]
getMasterSalt()
Gets the master salt that is used to salt stored password hashes and any other location where a salt is needed.int
getMaxHttpHeaderSize()
Returns the maximum allowable HTTP header size.int
getMaxOldPasswordHashes()
Gets the maximum number of old password hashes that should be retained.java.lang.String
getPasswordParameterName()
Gets the name of the password parameter used during user authentication.java.lang.String
getPreferredJCEProvider()
Retrieve the preferred JCE provider for ESAPI and your application.SecurityConfiguration.Threshold
getQuota(java.lang.String eventName)
Gets the intrusion detection quota for the specified event.java.lang.String
getRandomAlgorithm()
Gets the random number generation algorithm used to generate random numbers where needed.java.lang.String
getRandomizerImplementation()
Returns the fully qualified classname of the ESAPI Randomizer implementation.long
getRememberTokenDuration()
Gets the length of the time to live window for remember me tokens (in milliseconds).java.io.File
getResourceFile(java.lang.String filename)
Gets a file from the resource directoryjava.io.InputStream
getResourceStream(java.lang.String filename)
Gets an InputStream to a file in the resource directoryjava.lang.String
getResponseContentType()
Gets the content type for responses used when setSafeContentType() is called.int
getSessionAbsoluteTimeoutLength()
Gets the absolute timeout length for sessions (in milliseconds).int
getSessionIdleTimeoutLength()
Gets the idle timeout length for sessions (in milliseconds).java.lang.String
getStringProp(java.lang.String propertyName)
Get any property from security configuration.java.io.File
getUploadDirectory()
Retrieves the upload directory as specified in the ESAPI.properties file.java.io.File
getUploadTempDirectory()
Retrieves the temp directory to use when uploading files, as specified in ESAPI.properties.java.lang.String
getUsernameParameterName()
Gets the name of the username parameter used during user authentication.java.lang.String
getValidationImplementation()
Returns the fully qualified classname of the ESAPI Validation implementation.java.util.regex.Pattern
getValidationPattern(java.lang.String key)
getValidationPattern returns a single pattern based upon keyjava.io.File
getWorkingDirectory()
getWorkingDirectory returns the default directory where processes will be executed by the Executor.protected void
loadConfiguration()
Load configuration.static void
logToStdout(java.lang.String msg, java.lang.Throwable t)
Log to standard output (i.e.,System.out
.boolean
overwritePlainText()
Indicates whether thePlainText
objects may be overwritten after they have been encrypted.java.lang.String
setCipherTransformation(java.lang.String cipherXform)
Set the cipher transformation.void
setResourceDirectory(java.lang.String dir)
Sets the ESAPI resource directory.protected boolean
shouldPrintProperties()
boolean
useMACforCipherText()
Determines whether theCipherText
should be used with a Message Authentication Code (MAC).
-
-
-
Field Detail
-
DEFAULT_RESOURCE_FILE
public static final java.lang.String DEFAULT_RESOURCE_FILE
The name of the ESAPI property file- See Also:
- Constant Field Values
-
REMEMBER_TOKEN_DURATION
public static final java.lang.String REMEMBER_TOKEN_DURATION
- See Also:
- Constant Field Values
-
IDLE_TIMEOUT_DURATION
public static final java.lang.String IDLE_TIMEOUT_DURATION
- See Also:
- Constant Field Values
-
ABSOLUTE_TIMEOUT_DURATION
public static final java.lang.String ABSOLUTE_TIMEOUT_DURATION
- See Also:
- Constant Field Values
-
ALLOWED_LOGIN_ATTEMPTS
public static final java.lang.String ALLOWED_LOGIN_ATTEMPTS
- See Also:
- Constant Field Values
-
USERNAME_PARAMETER_NAME
public static final java.lang.String USERNAME_PARAMETER_NAME
- See Also:
- Constant Field Values
-
PASSWORD_PARAMETER_NAME
public static final java.lang.String PASSWORD_PARAMETER_NAME
- See Also:
- Constant Field Values
-
MAX_OLD_PASSWORD_HASHES
public static final java.lang.String MAX_OLD_PASSWORD_HASHES
- See Also:
- Constant Field Values
-
ALLOW_MULTIPLE_ENCODING
public static final java.lang.String ALLOW_MULTIPLE_ENCODING
- See Also:
- Constant Field Values
-
ALLOW_MIXED_ENCODING
public static final java.lang.String ALLOW_MIXED_ENCODING
- See Also:
- Constant Field Values
-
CANONICALIZATION_CODECS
public static final java.lang.String CANONICALIZATION_CODECS
- See Also:
- Constant Field Values
-
DISABLE_INTRUSION_DETECTION
public static final java.lang.String DISABLE_INTRUSION_DETECTION
- See Also:
- Constant Field Values
-
MASTER_KEY
public static final java.lang.String MASTER_KEY
- See Also:
- Constant Field Values
-
MASTER_SALT
public static final java.lang.String MASTER_SALT
- See Also:
- Constant Field Values
-
KEY_LENGTH
public static final java.lang.String KEY_LENGTH
- See Also:
- Constant Field Values
-
ENCRYPTION_ALGORITHM
public static final java.lang.String ENCRYPTION_ALGORITHM
- See Also:
- Constant Field Values
-
HASH_ALGORITHM
public static final java.lang.String HASH_ALGORITHM
- See Also:
- Constant Field Values
-
HASH_ITERATIONS
public static final java.lang.String HASH_ITERATIONS
- See Also:
- Constant Field Values
-
CHARACTER_ENCODING
public static final java.lang.String CHARACTER_ENCODING
- See Also:
- Constant Field Values
-
RANDOM_ALGORITHM
public static final java.lang.String RANDOM_ALGORITHM
- See Also:
- Constant Field Values
-
DIGITAL_SIGNATURE_ALGORITHM
public static final java.lang.String DIGITAL_SIGNATURE_ALGORITHM
- See Also:
- Constant Field Values
-
DIGITAL_SIGNATURE_KEY_LENGTH
public static final java.lang.String DIGITAL_SIGNATURE_KEY_LENGTH
- See Also:
- Constant Field Values
-
PREFERRED_JCE_PROVIDER
public static final java.lang.String PREFERRED_JCE_PROVIDER
- See Also:
- Constant Field Values
-
CIPHER_TRANSFORMATION_IMPLEMENTATION
public static final java.lang.String CIPHER_TRANSFORMATION_IMPLEMENTATION
- See Also:
- Constant Field Values
-
CIPHERTEXT_USE_MAC
public static final java.lang.String CIPHERTEXT_USE_MAC
- See Also:
- Constant Field Values
-
PLAINTEXT_OVERWRITE
public static final java.lang.String PLAINTEXT_OVERWRITE
- See Also:
- Constant Field Values
-
IV_TYPE
public static final java.lang.String IV_TYPE
- See Also:
- Constant Field Values
-
FIXED_IV
@Deprecated public static final java.lang.String FIXED_IV
Deprecated.- See Also:
- Constant Field Values
-
COMBINED_CIPHER_MODES
public static final java.lang.String COMBINED_CIPHER_MODES
- See Also:
- Constant Field Values
-
ADDITIONAL_ALLOWED_CIPHER_MODES
public static final java.lang.String ADDITIONAL_ALLOWED_CIPHER_MODES
- See Also:
- Constant Field Values
-
KDF_PRF_ALG
public static final java.lang.String KDF_PRF_ALG
- See Also:
- Constant Field Values
-
PRINT_PROPERTIES_WHEN_LOADED
public static final java.lang.String PRINT_PROPERTIES_WHEN_LOADED
- See Also:
- Constant Field Values
-
WORKING_DIRECTORY
public static final java.lang.String WORKING_DIRECTORY
- See Also:
- Constant Field Values
-
APPROVED_EXECUTABLES
public static final java.lang.String APPROVED_EXECUTABLES
- See Also:
- Constant Field Values
-
FORCE_HTTPONLYSESSION
public static final java.lang.String FORCE_HTTPONLYSESSION
- See Also:
- Constant Field Values
-
FORCE_SECURESESSION
public static final java.lang.String FORCE_SECURESESSION
- See Also:
- Constant Field Values
-
FORCE_HTTPONLYCOOKIES
public static final java.lang.String FORCE_HTTPONLYCOOKIES
- See Also:
- Constant Field Values
-
FORCE_SECURECOOKIES
public static final java.lang.String FORCE_SECURECOOKIES
- See Also:
- Constant Field Values
-
MAX_HTTP_HEADER_SIZE
public static final java.lang.String MAX_HTTP_HEADER_SIZE
- See Also:
- Constant Field Values
-
UPLOAD_DIRECTORY
public static final java.lang.String UPLOAD_DIRECTORY
- See Also:
- Constant Field Values
-
UPLOAD_TEMP_DIRECTORY
public static final java.lang.String UPLOAD_TEMP_DIRECTORY
- See Also:
- Constant Field Values
-
APPROVED_UPLOAD_EXTENSIONS
public static final java.lang.String APPROVED_UPLOAD_EXTENSIONS
- See Also:
- Constant Field Values
-
MAX_UPLOAD_FILE_BYTES
public static final java.lang.String MAX_UPLOAD_FILE_BYTES
- See Also:
- Constant Field Values
-
RESPONSE_CONTENT_TYPE
public static final java.lang.String RESPONSE_CONTENT_TYPE
- See Also:
- Constant Field Values
-
HTTP_SESSION_ID_NAME
public static final java.lang.String HTTP_SESSION_ID_NAME
- See Also:
- Constant Field Values
-
APPLICATION_NAME
public static final java.lang.String APPLICATION_NAME
- See Also:
- Constant Field Values
-
LOG_ENCODING_REQUIRED
public static final java.lang.String LOG_ENCODING_REQUIRED
- See Also:
- Constant Field Values
-
LOG_APPLICATION_NAME
public static final java.lang.String LOG_APPLICATION_NAME
- See Also:
- Constant Field Values
-
LOG_SERVER_IP
public static final java.lang.String LOG_SERVER_IP
- See Also:
- Constant Field Values
-
LOG_USER_INFO
public static final java.lang.String LOG_USER_INFO
- See Also:
- Constant Field Values
-
LOG_CLIENT_INFO
public static final java.lang.String LOG_CLIENT_INFO
- See Also:
- Constant Field Values
-
VALIDATION_PROPERTIES
public static final java.lang.String VALIDATION_PROPERTIES
- See Also:
- Constant Field Values
-
VALIDATION_PROPERTIES_MULTIVALUED
public static final java.lang.String VALIDATION_PROPERTIES_MULTIVALUED
- See Also:
- Constant Field Values
-
ACCEPT_LENIENT_DATES
public static final java.lang.String ACCEPT_LENIENT_DATES
- See Also:
- Constant Field Values
-
VALIDATOR_HTML_VALIDATION_ACTION
public static final java.lang.String VALIDATOR_HTML_VALIDATION_ACTION
- See Also:
- Constant Field Values
-
VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE
public static final java.lang.String VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE
- See Also:
- Constant Field Values
-
DISCARD_LOGSPECIAL
public static final java.lang.String DISCARD_LOGSPECIAL
SpecialSystem
property that, if set totrue
, will disable logging fromDefaultSecurityConfiguration.logToStdout()
methods, which is called from variouslogSpecial()
methods.
-
MAX_REDIRECT_LOCATION
protected final int MAX_REDIRECT_LOCATION
- See Also:
- Constant Field Values
-
LOG_IMPLEMENTATION
public static final java.lang.String LOG_IMPLEMENTATION
- See Also:
- Constant Field Values
-
AUTHENTICATION_IMPLEMENTATION
public static final java.lang.String AUTHENTICATION_IMPLEMENTATION
- See Also:
- Constant Field Values
-
ENCODER_IMPLEMENTATION
public static final java.lang.String ENCODER_IMPLEMENTATION
- See Also:
- Constant Field Values
-
ACCESS_CONTROL_IMPLEMENTATION
public static final java.lang.String ACCESS_CONTROL_IMPLEMENTATION
- See Also:
- Constant Field Values
-
ENCRYPTION_IMPLEMENTATION
public static final java.lang.String ENCRYPTION_IMPLEMENTATION
- See Also:
- Constant Field Values
-
INTRUSION_DETECTION_IMPLEMENTATION
public static final java.lang.String INTRUSION_DETECTION_IMPLEMENTATION
- See Also:
- Constant Field Values
-
RANDOMIZER_IMPLEMENTATION
public static final java.lang.String RANDOMIZER_IMPLEMENTATION
- See Also:
- Constant Field Values
-
EXECUTOR_IMPLEMENTATION
public static final java.lang.String EXECUTOR_IMPLEMENTATION
- See Also:
- Constant Field Values
-
VALIDATOR_IMPLEMENTATION
public static final java.lang.String VALIDATOR_IMPLEMENTATION
- See Also:
- Constant Field Values
-
HTTP_UTILITIES_IMPLEMENTATION
public static final java.lang.String HTTP_UTILITIES_IMPLEMENTATION
- See Also:
- Constant Field Values
-
DEFAULT_LOG_IMPLEMENTATION
public static final java.lang.String DEFAULT_LOG_IMPLEMENTATION
- See Also:
- Constant Field Values
-
DEFAULT_AUTHENTICATION_IMPLEMENTATION
public static final java.lang.String DEFAULT_AUTHENTICATION_IMPLEMENTATION
- See Also:
- Constant Field Values
-
DEFAULT_ENCODER_IMPLEMENTATION
public static final java.lang.String DEFAULT_ENCODER_IMPLEMENTATION
- See Also:
- Constant Field Values
-
DEFAULT_ACCESS_CONTROL_IMPLEMENTATION
public static final java.lang.String DEFAULT_ACCESS_CONTROL_IMPLEMENTATION
- See Also:
- Constant Field Values
-
DEFAULT_ENCRYPTION_IMPLEMENTATION
public static final java.lang.String DEFAULT_ENCRYPTION_IMPLEMENTATION
- See Also:
- Constant Field Values
-
DEFAULT_INTRUSION_DETECTION_IMPLEMENTATION
public static final java.lang.String DEFAULT_INTRUSION_DETECTION_IMPLEMENTATION
- See Also:
- Constant Field Values
-
DEFAULT_RANDOMIZER_IMPLEMENTATION
public static final java.lang.String DEFAULT_RANDOMIZER_IMPLEMENTATION
- See Also:
- Constant Field Values
-
DEFAULT_EXECUTOR_IMPLEMENTATION
public static final java.lang.String DEFAULT_EXECUTOR_IMPLEMENTATION
- See Also:
- Constant Field Values
-
DEFAULT_HTTP_UTILITIES_IMPLEMENTATION
public static final java.lang.String DEFAULT_HTTP_UTILITIES_IMPLEMENTATION
- See Also:
- Constant Field Values
-
DEFAULT_VALIDATOR_IMPLEMENTATION
public static final java.lang.String DEFAULT_VALIDATOR_IMPLEMENTATION
- See Also:
- Constant Field Values
-
-
Constructor Detail
-
DefaultSecurityConfiguration
public DefaultSecurityConfiguration(java.util.Properties properties)
Instantiates a new configuration with the supplied properties. Warning - if the setResourceDirectory() method is invoked the properties will be re-loaded, replacing the supplied properties.- Parameters:
properties
-
-
DefaultSecurityConfiguration
public DefaultSecurityConfiguration()
Instantiates a new configuration.
-
-
Method Detail
-
getInstance
public static SecurityConfiguration getInstance()
-
getApplicationName
public java.lang.String getApplicationName()
Gets the application name, used for logging- Specified by:
getApplicationName
in interfaceSecurityConfiguration
- Returns:
- the name of the current application
-
getLogImplementation
public java.lang.String getLogImplementation()
Returns the fully qualified classname of the ESAPI Logging implementation.- Specified by:
getLogImplementation
in interfaceSecurityConfiguration
-
getAuthenticationImplementation
public java.lang.String getAuthenticationImplementation()
Returns the fully qualified classname of the ESAPI Authentication implementation.- Specified by:
getAuthenticationImplementation
in interfaceSecurityConfiguration
-
getEncoderImplementation
public java.lang.String getEncoderImplementation()
Returns the fully qualified classname of the ESAPI Encoder implementation.- Specified by:
getEncoderImplementation
in interfaceSecurityConfiguration
-
getAccessControlImplementation
public java.lang.String getAccessControlImplementation()
Returns the fully qualified classname of the ESAPI Access Control implementation.- Specified by:
getAccessControlImplementation
in interfaceSecurityConfiguration
-
getEncryptionImplementation
public java.lang.String getEncryptionImplementation()
Returns the fully qualified classname of the ESAPI Encryption implementation.- Specified by:
getEncryptionImplementation
in interfaceSecurityConfiguration
-
getIntrusionDetectionImplementation
public java.lang.String getIntrusionDetectionImplementation()
Returns the fully qualified classname of the ESAPI Intrusion Detection implementation.- Specified by:
getIntrusionDetectionImplementation
in interfaceSecurityConfiguration
-
getRandomizerImplementation
public java.lang.String getRandomizerImplementation()
Returns the fully qualified classname of the ESAPI Randomizer implementation.- Specified by:
getRandomizerImplementation
in interfaceSecurityConfiguration
-
getExecutorImplementation
public java.lang.String getExecutorImplementation()
Returns the fully qualified classname of the ESAPI OS Execution implementation.- Specified by:
getExecutorImplementation
in interfaceSecurityConfiguration
-
getHTTPUtilitiesImplementation
public java.lang.String getHTTPUtilitiesImplementation()
Returns the fully qualified classname of the ESAPI HTTPUtilities implementation.- Specified by:
getHTTPUtilitiesImplementation
in interfaceSecurityConfiguration
-
getValidationImplementation
public java.lang.String getValidationImplementation()
Returns the fully qualified classname of the ESAPI Validation implementation.- Specified by:
getValidationImplementation
in interfaceSecurityConfiguration
-
getMasterKey
public byte[] getMasterKey()
Gets the master key. This password is used to encrypt/decrypt other files or types of data that need to be protected by your application.- Specified by:
getMasterKey
in interfaceSecurityConfiguration
- Returns:
- the current master key
-
setResourceDirectory
public void setResourceDirectory(java.lang.String dir)
Sets the ESAPI resource directory.- Specified by:
setResourceDirectory
in interfaceSecurityConfiguration
- Parameters:
dir
- The location of the resource directory.
-
getEncryptionKeyLength
public int getEncryptionKeyLength()
Description copied from interface:SecurityConfiguration
Gets the key length to use in cryptographic operations declared in the ESAPI properties file. Note that this corresponds to the ESAPI property Encryptor.EncryptionKeyLength which is considered the default key size that ESAPI will use for symmetric ciphers supporting multiple key sizes. (Note that there is also an Encryptor.MinEncryptionKeyLength, which is the minimum key size (in bits) that ESAPI will support for encryption. (There is no miminimum for decryption.)- Specified by:
getEncryptionKeyLength
in interfaceSecurityConfiguration
- Returns:
- the key length (in bits)
-
getMasterSalt
public byte[] getMasterSalt()
Gets the master salt that is used to salt stored password hashes and any other location where a salt is needed.- Specified by:
getMasterSalt
in interfaceSecurityConfiguration
- Returns:
- the current master salt
-
getAllowedExecutables
public java.util.List<java.lang.String> getAllowedExecutables()
Gets the allowed executables to run with the Executor.- Specified by:
getAllowedExecutables
in interfaceSecurityConfiguration
- Returns:
- a list of the current allowed file extensions
-
getAllowedFileExtensions
public java.util.List<java.lang.String> getAllowedFileExtensions()
Gets the allowed file extensions for files that are uploaded to this application.- Specified by:
getAllowedFileExtensions
in interfaceSecurityConfiguration
- Returns:
- a list of the current allowed file extensions
-
getAllowedFileUploadSize
public int getAllowedFileUploadSize()
Gets the maximum allowed file upload size.- Specified by:
getAllowedFileUploadSize
in interfaceSecurityConfiguration
- Returns:
- the current allowed file upload size
-
loadConfiguration
protected void loadConfiguration() throws java.io.IOException
Load configuration. Never prints properties.- Throws:
java.io.IOException
- if the file is inaccessible
-
getResourceStream
public java.io.InputStream getResourceStream(java.lang.String filename) throws java.io.IOException
Description copied from interface:SecurityConfiguration
Gets an InputStream to a file in the resource directory- Specified by:
getResourceStream
in interfaceSecurityConfiguration
- Parameters:
filename
-- Returns:
- An
InputStream
associated with the specified file name as a resource stream. - Throws:
java.io.IOException
- If the file cannot be found or opened for reading.
-
getResourceFile
public java.io.File getResourceFile(java.lang.String filename)
Gets a file from the resource directory- Specified by:
getResourceFile
in interfaceSecurityConfiguration
- Parameters:
filename
- The file name resource.- Returns:
- A
File
object representing the specified file name or null if not found.
-
logToStdout
public static final void logToStdout(java.lang.String msg, java.lang.Throwable t)
Log to standard output (i.e.,System.out
. This method is synchronized to reduce the possibility of interleaving the message output (since theSystem.out
PrintStream
is buffered) it invoked from multiple threads. Output is discarded if theSystem
property "org.owasp.esapi.logSpecial.discard" is set totrue
.- Parameters:
msg
- Message to be logged.t
- Associated exception that was caught. The class name and exception message is also logged.
-
getPasswordParameterName
public java.lang.String getPasswordParameterName()
Gets the name of the password parameter used during user authentication.- Specified by:
getPasswordParameterName
in interfaceSecurityConfiguration
- Returns:
- the name of the password parameter
-
getUsernameParameterName
public java.lang.String getUsernameParameterName()
Gets the name of the username parameter used during user authentication.- Specified by:
getUsernameParameterName
in interfaceSecurityConfiguration
- Returns:
- the name of the username parameter
-
getEncryptionAlgorithm
public java.lang.String getEncryptionAlgorithm()
Gets the encryption algorithm used by ESAPI to protect data. This is mostly used for compatibility with ESAPI 1.4; ESAPI 2.0 prefers to use "cipher transformation" since it supports multiple cipher modes and padding schemes.- Specified by:
getEncryptionAlgorithm
in interfaceSecurityConfiguration
- Returns:
- the current encryption algorithm
-
getCipherTransformation
public java.lang.String getCipherTransformation()
Retrieve the cipher transformation. In general, the cipher transformation is a specification of cipher algorithm, cipher mode, and padding scheme and in general, is aString
that takes the following form:cipher_alg/cipher_mode[bits]/padding_scheme
where cipher_alg is the JCE cipher algorithm (e.g., "DESede"), cipher_mode is the cipher mode (e.g., "CBC", "CFB", "CTR", etc.), and padding_scheme is the cipher padding scheme (e.g., "NONE" for no padding, "PKCS5Padding" for PKCS#5 padding, etc.) and where [bits] is an optional bit size that applies to certain cipher modes such asCFB
andOFB
. Using modes such as CFB and OFB, block ciphers can encrypt data in units smaller than the cipher's actual block size. When requesting such a mode, you may optionally specify the number of bits to be processed at a time. This generally must be an integral multiple of 8-bits so that it can specify a whole number of octets.Examples are:
"AES/ECB/NoPadding" // Default for ESAPI Java 1.4 (insecure) "AES/CBC/PKCS5Padding" // Default for ESAPI Java 2.0 "DESede/OFB32/PKCS5Padding"
NOTE: Occasionally, in cryptographic literature, you may also see the key size (in bits) specified after the cipher algorithm in the cipher transformation. Generally, this is done to account for cipher algorithms that have variable key sizes. The Blowfish cipher for example supports key sizes from 32 to 448 bits. So for Blowfish, you might see a cipher transformation something like this:"Blowfish-192/CFB8/PKCS5Padding"
in the cryptographic literature. It should be noted that the Java Cryptography Extensions (JCE) do not generally support this (at least not the reference JCE implementation of "SunJCE"), and therefore it should be avoided.- Specified by:
getCipherTransformation
in interfaceSecurityConfiguration
- Returns:
- The cipher transformation.
-
setCipherTransformation
public java.lang.String setCipherTransformation(java.lang.String cipherXform)
Set the cipher transformation. This allows a different cipher transformation to be used without changing theESAPI.properties
file. For instance you may normally want to use AES/CBC/PKCS5Padding, but have some legacy encryption where you have ciphertext that was encrypted using 3DES.- Specified by:
setCipherTransformation
in interfaceSecurityConfiguration
- Parameters:
cipherXform
- The new cipher transformation. SeeSecurityConfiguration.getCipherTransformation()
for format. Ifnull
is passed as the parameter, the cipher transformation will be set to the the default taken from the propertyEncryptor.CipherTransformation
in theESAPI.properties
file. BEWARE: there is NO sanity checking here (other than the empty string, and then, only if Java assertions are enabled), so if you set this wrong, you will not get any errors until you later try to use it to encrypt or decrypt data.- Returns:
- The previous cipher transformation is returned for convenience, with the assumption that you may wish to restore it once you have completed the encryption / decryption with the new cipher transformation.
-
useMACforCipherText
public boolean useMACforCipherText()
Determines whether theCipherText
should be used with a Message Authentication Code (MAC). Generally this makes for a more robust cryptographic scheme, but there are some minor performance implications. Controlled by the ESAPI property Encryptor.CipherText.useMAC.For further details, see the "Advanced Usage" section of "Why Is OWASP Changing ESAPI Encryption?".
- Specified by:
useMACforCipherText
in interfaceSecurityConfiguration
- Returns:
true
if a you want a MAC to be used, otherwisefalse
.
-
overwritePlainText
public boolean overwritePlainText()
Indicates whether thePlainText
objects may be overwritten after they have been encrypted. Generally this is a good idea, especially if your VM is shared by multiple applications (e.g., multiple applications running in the same J2EE container) or if there is a possibility that your VM may leave a core dump (say because it is running non-native Java code.Controlled by the property
Encryptor.PlainText.overwrite
in theESAPI.properties
file.- Specified by:
overwritePlainText
in interfaceSecurityConfiguration
- Returns:
- True if it is OK to overwrite the
PlainText
objects after encrypting, false otherwise.
-
getIVType
public java.lang.String getIVType()
Get a string indicating how to compute an Initialization Vector (IV). Currently supported modes are "random" to generate a random IV or "fixed" to use a fixed (static) IV. WARNING: 'fixed' was only intended to support legacy applications with fixed IVs, but the use of non-random IVs is inherently insecure, especially for any supported cipher mode that is considered a streaming mode (which is basically anything except CBC for modes that support require an IV). For this reason, 'fixed' is considered deprecated and will be removed during the next ESAPI point release (tentatively, 2.3). However, note that if a "fixed" IV is chosen, then the the value of this fixed IV must be specified as the propertyEncryptor.fixedIV
and be of the appropriate length.- Specified by:
getIVType
in interfaceSecurityConfiguration
- Returns:
- A string specifying the IV type. Should be "random" or "fixed" (dereprected).
- See Also:
SecurityConfiguration.getFixedIV()
-
getFixedIV
@Deprecated public java.lang.String getFixedIV()
Deprecated.If a "fixed" (i.e., static) Initialization Vector (IV) is to be used, this will return the IV value as a hex-encoded string.- Specified by:
getFixedIV
in interfaceSecurityConfiguration
- Returns:
- The fixed IV as a hex-encoded string.
-
getHashAlgorithm
public java.lang.String getHashAlgorithm()
Gets the hashing algorithm used by ESAPI to hash data.- Specified by:
getHashAlgorithm
in interfaceSecurityConfiguration
- Returns:
- the current hashing algorithm
-
getHashIterations
public int getHashIterations()
Gets the hash iterations used by ESAPI to hash data.- Specified by:
getHashIterations
in interfaceSecurityConfiguration
- Returns:
- the current hashing algorithm
-
getKDFPseudoRandomFunction
public java.lang.String getKDFPseudoRandomFunction()
Retrieve the Pseudo Random Function (PRF) used by the ESAPI Key Derivation Function (KDF).- Specified by:
getKDFPseudoRandomFunction
in interfaceSecurityConfiguration
- Returns:
- The KDF PRF algorithm name.
-
getCharacterEncoding
public java.lang.String getCharacterEncoding()
Gets the character encoding scheme supported by this application. This is used to set the character encoding scheme on requests and responses when setCharacterEncoding() is called on SafeRequests and SafeResponses. This scheme is also used for encoding/decoding URLs and any other place where the current encoding scheme needs to be known.
Note: This does not get the configured response content type. That is accessed by calling getResponseContentType().- Specified by:
getCharacterEncoding
in interfaceSecurityConfiguration
- Returns:
- the current character encoding scheme
-
getAllowMultipleEncoding
public boolean getAllowMultipleEncoding()
Return true if multiple encoding is allowed- Specified by:
getAllowMultipleEncoding
in interfaceSecurityConfiguration
- Returns:
- whether multiple encoding is allowed when canonicalizing data
-
getAllowMixedEncoding
public boolean getAllowMixedEncoding()
Return true if mixed encoding is allowed- Specified by:
getAllowMixedEncoding
in interfaceSecurityConfiguration
- Returns:
- whether mixed encoding is allowed when canonicalizing data
-
getDefaultCanonicalizationCodecs
public java.util.List<java.lang.String> getDefaultCanonicalizationCodecs()
Returns the List of Codecs to use when canonicalizing data- Specified by:
getDefaultCanonicalizationCodecs
in interfaceSecurityConfiguration
- Returns:
- the codec list
-
getDigitalSignatureAlgorithm
public java.lang.String getDigitalSignatureAlgorithm()
Gets the digital signature algorithm used by ESAPI to generate and verify signatures.- Specified by:
getDigitalSignatureAlgorithm
in interfaceSecurityConfiguration
- Returns:
- the current digital signature algorithm
-
getDigitalSignatureKeyLength
public int getDigitalSignatureKeyLength()
Gets the digital signature key length used by ESAPI to generate and verify signatures.- Specified by:
getDigitalSignatureKeyLength
in interfaceSecurityConfiguration
- Returns:
- the current digital signature key length
-
getRandomAlgorithm
public java.lang.String getRandomAlgorithm()
Gets the random number generation algorithm used to generate random numbers where needed.- Specified by:
getRandomAlgorithm
in interfaceSecurityConfiguration
- Returns:
- the current random number generation algorithm
-
getAllowedLoginAttempts
public int getAllowedLoginAttempts()
Gets the number of login attempts allowed before the user's account is locked. If this many failures are detected within the alloted time period, the user's account will be locked.- Specified by:
getAllowedLoginAttempts
in interfaceSecurityConfiguration
- Returns:
- the number of failed login attempts that cause an account to be locked
-
getMaxOldPasswordHashes
public int getMaxOldPasswordHashes()
Gets the maximum number of old password hashes that should be retained. These hashes can be used to ensure that the user doesn't reuse the specified number of previous passwords when they change their password.- Specified by:
getMaxOldPasswordHashes
in interfaceSecurityConfiguration
- Returns:
- the number of old hashed passwords to retain
-
getUploadDirectory
public java.io.File getUploadDirectory()
Retrieves the upload directory as specified in the ESAPI.properties file.- Specified by:
getUploadDirectory
in interfaceSecurityConfiguration
- Returns:
- the upload directory
-
getUploadTempDirectory
public java.io.File getUploadTempDirectory()
Retrieves the temp directory to use when uploading files, as specified in ESAPI.properties.- Specified by:
getUploadTempDirectory
in interfaceSecurityConfiguration
- Returns:
- the temp directory
-
getDisableIntrusionDetection
public boolean getDisableIntrusionDetection()
Allows for complete disabling of all intrusion detection mechanisms- Specified by:
getDisableIntrusionDetection
in interfaceSecurityConfiguration
- Returns:
- true if intrusion detection should be disabled
-
getQuota
public SecurityConfiguration.Threshold getQuota(java.lang.String eventName)
Gets the intrusion detection quota for the specified event.- Specified by:
getQuota
in interfaceSecurityConfiguration
- Parameters:
eventName
- the name of the event whose quota is desired- Returns:
- the Quota that has been configured for the specified type of event
-
getLogEncodingRequired
public boolean getLogEncodingRequired()
Returns whether HTML entity encoding should be applied to log entries.- Specified by:
getLogEncodingRequired
in interfaceSecurityConfiguration
- Returns:
- True if log entries are to be HTML Entity encoded. False otherwise.
-
getLogApplicationName
public boolean getLogApplicationName()
Returns whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.- Specified by:
getLogApplicationName
in interfaceSecurityConfiguration
- Returns:
- True if ESAPI should log the application name, False otherwise
-
getLogServerIP
public boolean getLogServerIP()
Returns whether ESAPI should log the server IP. This might be clutter in some single-server environments.- Specified by:
getLogServerIP
in interfaceSecurityConfiguration
- Returns:
- True if ESAPI should log the server IP and port, False otherwise
-
getForceHttpOnlySession
public boolean getForceHttpOnlySession()
Returns true if session cookies are required to have HttpOnly flag set.- Specified by:
getForceHttpOnlySession
in interfaceSecurityConfiguration
-
getForceSecureSession
public boolean getForceSecureSession()
Returns true if session cookies are required to have Secure flag set.- Specified by:
getForceSecureSession
in interfaceSecurityConfiguration
-
getForceHttpOnlyCookies
public boolean getForceHttpOnlyCookies()
Returns true if new cookies are required to have HttpOnly flag set.- Specified by:
getForceHttpOnlyCookies
in interfaceSecurityConfiguration
-
getForceSecureCookies
public boolean getForceSecureCookies()
Returns true if new cookies are required to have Secure flag set.- Specified by:
getForceSecureCookies
in interfaceSecurityConfiguration
-
getMaxHttpHeaderSize
public int getMaxHttpHeaderSize()
Returns the maximum allowable HTTP header size.- Specified by:
getMaxHttpHeaderSize
in interfaceSecurityConfiguration
-
getResponseContentType
public java.lang.String getResponseContentType()
Gets the content type for responses used when setSafeContentType() is called.
Note: This does not get the configured character encoding scheme. That is accessed by calling getCharacterEncoding().- Specified by:
getResponseContentType
in interfaceSecurityConfiguration
- Returns:
- The current content-type set for responses.
-
getHttpSessionIdName
public java.lang.String getHttpSessionIdName()
This method returns the configured name of the session identifier, likely "JSESSIONID" though this can be overridden.- Specified by:
getHttpSessionIdName
in interfaceSecurityConfiguration
- Returns:
- The name of the session identifier, like "JSESSIONID"
-
getRememberTokenDuration
public long getRememberTokenDuration()
Gets the length of the time to live window for remember me tokens (in milliseconds).- Specified by:
getRememberTokenDuration
in interfaceSecurityConfiguration
- Returns:
- The time to live length for generated "remember me" tokens.
-
getSessionIdleTimeoutLength
public int getSessionIdleTimeoutLength()
Gets the idle timeout length for sessions (in milliseconds). This is the amount of time that a session can live before it expires due to lack of activity. Applications or frameworks could provide a reauthenticate function that enables a session to continue after reauthentication.- Specified by:
getSessionIdleTimeoutLength
in interfaceSecurityConfiguration
- Returns:
- The session idle timeout length.
-
getSessionAbsoluteTimeoutLength
public int getSessionAbsoluteTimeoutLength()
Gets the absolute timeout length for sessions (in milliseconds). This is the amount of time that a session can live before it expires regardless of the amount of user activity. Applications or frameworks could provide a reauthenticate function that enables a session to continue after reauthentication.- Specified by:
getSessionAbsoluteTimeoutLength
in interfaceSecurityConfiguration
- Returns:
- The session absolute timeout length.
-
getValidationPattern
public java.util.regex.Pattern getValidationPattern(java.lang.String key)
getValidationPattern returns a single pattern based upon key- Specified by:
getValidationPattern
in interfaceSecurityConfiguration
- Parameters:
key
- validation pattern name you'd like- Returns:
- if key exists, the associated validation pattern, null otherwise
-
getWorkingDirectory
public java.io.File getWorkingDirectory()
getWorkingDirectory returns the default directory where processes will be executed by the Executor.- Specified by:
getWorkingDirectory
in interfaceSecurityConfiguration
-
getPreferredJCEProvider
public java.lang.String getPreferredJCEProvider()
Retrieve the preferred JCE provider for ESAPI and your application. ESAPI 2.0 now allows setting the propertyEncryptor.PreferredJCEProvider
in theESAPI.properties
file, which will cause the specified JCE provider to be automatically and dynamically loaded (assuming thatSecurityManager
permissions allow) as the Ii>preferred JCE provider. (Note this only happens if the JCE provider is not already loaded.) This method returns the propertyEncryptor.PreferredJCEProvider
. By default, thisEncryptor.PreferredJCEProvider
property is set to an empty string, which means that the preferred JCE provider is not changed.- Specified by:
getPreferredJCEProvider
in interfaceSecurityConfiguration
- Returns:
- The property
Encryptor.PreferredJCEProvider
is returned. - See Also:
SecurityProviderLoader
-
getCombinedCipherModes
public java.util.List<java.lang.String> getCombinedCipherModes()
Return aList
of strings of combined cipher modes that support both confidentiality and authenticity. These would be preferred cipher modes to use if your JCE provider supports them. If such a cipher mode is used, no explicit separate MAC is calculated as part of theCipherText
object upon encryption nor is any attempt made to verify the same on decryption.The list is taken from the comma-separated list of cipher modes specified by the ESAPI property
Encryptor.cipher_modes.combined_modes
.- Specified by:
getCombinedCipherModes
in interfaceSecurityConfiguration
- Returns:
- The parsed list of comma-separated cipher modes if the property
was specified in
ESAPI.properties
; otherwise the empty list is returned.
-
getAdditionalAllowedCipherModes
public java.util.List<java.lang.String> getAdditionalAllowedCipherModes()
ReturnList
of strings of additional cipher modes that are permitted (i.e., in addition to those returned bySecurityConfiguration.getCombinedCipherModes()
) to be used for encryption and decryption operations.The list is taken from the comma-separated list of cipher modes specified by the ESAPI property
Encryptor.cipher_modes.additional_allowed
.- Specified by:
getAdditionalAllowedCipherModes
in interfaceSecurityConfiguration
- Returns:
- The parsed list of comma-separated cipher modes if the property
was specified in
ESAPI.properties
; otherwise the empty list is returned. - See Also:
SecurityConfiguration.getCombinedCipherModes()
-
getLenientDatesAccepted
public boolean getLenientDatesAccepted()
Determines whether ESAPI will accept "lenient" dates when attempt to parse dates. Controlled by ESAPI propertyValidator.AcceptLenientDates
, which defaults tofalse
if unset.- Specified by:
getLenientDatesAccepted
in interfaceSecurityConfiguration
- Returns:
- True if lenient dates are accepted; false otherwise.
- See Also:
DateFormat.setLenient(boolean)
-
getESAPIProperty
protected java.lang.String getESAPIProperty(java.lang.String key, java.lang.String def)
-
getESAPIProperty
protected boolean getESAPIProperty(java.lang.String key, boolean def)
-
getESAPIPropertyEncoded
protected byte[] getESAPIPropertyEncoded(java.lang.String key, byte[] def)
-
getESAPIProperty
protected int getESAPIProperty(java.lang.String key, int def)
-
getESAPIProperty
protected java.util.List<java.lang.String> getESAPIProperty(java.lang.String key, java.util.List<java.lang.String> def)
Returns aList
representing the parsed, comma-separated property.- Parameters:
key
- The specified property namedef
- A default value for the property name to return if the property is not set.- Returns:
- A list of strings.
-
getIntProp
public int getIntProp(java.lang.String propertyName) throws ConfigurationException
Get any int type property from security configuration. Looks for property in three configuration files in following order: 1.) In file defined as org.owasp.esapi.opsteam system property 2.) In file defined as org.owasp.esapi.devteam system property 3.) In ESAPI.properties*- Specified by:
getIntProp
in interfaceEsapiPropertyLoader
- Returns:
- property value.
- Throws:
ConfigurationException
- when property does not exist in configuration or has incorrect type.
-
getByteArrayProp
public byte[] getByteArrayProp(java.lang.String propertyName) throws ConfigurationException
Get any byte array type property from security configuration. Looks for property in three configuration files in following order: 1.) In file defined as org.owasp.esapi.opsteam system property 2.) In file defined as org.owasp.esapi.devteam system property 3.) In ESAPI.properties- Specified by:
getByteArrayProp
in interfaceEsapiPropertyLoader
- Returns:
- property value.
- Throws:
ConfigurationException
- when property does not exist in configuration or has incorrect type.
-
getBooleanProp
public java.lang.Boolean getBooleanProp(java.lang.String propertyName) throws ConfigurationException
Get any Boolean type property from security configuration. Looks for property in three configuration files in following order: 1.) In file defined as org.owasp.esapi.opsteam system property 2.) In file defined as org.owasp.esapi.devteam system property 3.) In ESAPI.properties- Specified by:
getBooleanProp
in interfaceEsapiPropertyLoader
- Returns:
- property value.
- Throws:
ConfigurationException
- when property does not exist in configuration or has incorrect type.
-
getStringProp
public java.lang.String getStringProp(java.lang.String propertyName) throws ConfigurationException
Get any property from security configuration. As every property can be returned as string, this method throws exception only when property does not exist. Looks for property in three configuration files in following order: 1.) In file defined as org.owasp.esapi.opsteam system property 2.) In file defined as org.owasp.esapi.devteam system property 3.) In ESAPI.properties- Specified by:
getStringProp
in interfaceEsapiPropertyLoader
- Returns:
- property value.
- Throws:
ConfigurationException
- when property does not exist in configuration.
-
shouldPrintProperties
protected boolean shouldPrintProperties()
-
getESAPIProperties
protected java.util.Properties getESAPIProperties()
-
-