org.owasp.esapi.reference

Class DefaultSecurityConfiguration

java.lang.Object

org.owasp.esapi.reference.DefaultSecurityConfiguration

All Implemented Interfaces:

SecurityConfiguration

public class DefaultSecurityConfiguration
extends java.lang.Object
implements SecurityConfiguration

The reference SecurityConfiguration manages all the settings used by the ESAPI in a single place. In this reference implementation, resources can be put in several locations, which are searched in the following order:

1) Inside a directory set with a call to SecurityConfiguration.setResourceDirectory( "C:\temp\resources" ).

2) Inside the System.getProperty( "org.owasp.esapi.resources" ) directory. You can set this on the java command line as follows (for example):

                java -Dorg.owasp.esapi.resources="C:\temp\resources"
 

You may have to add this to the start-up script that starts your web server. For example, for Tomcat, in the "catalina" script that starts Tomcat, you can set the JAVA_OPTS variable to the -D string above.

3) Inside the System.getProperty( "user.home" ) + "/.esapi" directory (supported for backward compatibility) or inside the System.getProperty( "user.home" ) + "/esapi" directory.

4) The first ".esapi" or "esapi" directory on the classpath. (The former for backward compatibility.)

Once the Configuration is initialized with a resource directory, you can edit it to set things like master keys and passwords, logging locations, error thresholds, and allowed file extensions.

WARNING: Do not forget to update ESAPI.properties to change the master key and other security critical settings.

Author:

Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security, Jim Manico (jim .at. manico.net) Manico.net, Kevin Wall (kevin.w.wall .at. gmail.com)

Nested Class Summary

Nested classes/interfaces inherited from interface org.owasp.esapi.SecurityConfiguration

SecurityConfiguration.Threshold

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	ABSOLUTE_TIMEOUT_DURATION
static java.lang.String	ACCEPT_LENIENT_DATES
static java.lang.String	ACCESS_CONTROL_IMPLEMENTATION
static java.lang.String	ADDITIONAL_ALLOWED_CIPHER_MODES
static java.lang.String	ALLOW_MIXED_ENCODING
static java.lang.String	ALLOW_MULTIPLE_ENCODING
static java.lang.String	ALLOWED_LOGIN_ATTEMPTS
static java.lang.String	APPLICATION_NAME
static java.lang.String	APPROVED_EXECUTABLES
static java.lang.String	APPROVED_UPLOAD_EXTENSIONS
static java.lang.String	AUTHENTICATION_IMPLEMENTATION
static java.lang.String	CANONICALIZATION_CODECS
static java.lang.String	CHARACTER_ENCODING
static java.lang.String	CIPHER_TRANSFORMATION_IMPLEMENTATION
static java.lang.String	CIPHERTEXT_USE_MAC
static java.lang.String	COMBINED_CIPHER_MODES
static java.lang.String	DEFAULT_ACCESS_CONTROL_IMPLEMENTATION
static java.lang.String	DEFAULT_AUTHENTICATION_IMPLEMENTATION
static java.lang.String	DEFAULT_ENCODER_IMPLEMENTATION
static java.lang.String	DEFAULT_ENCRYPTION_IMPLEMENTATION
static java.lang.String	DEFAULT_EXECUTOR_IMPLEMENTATION
static java.lang.String	DEFAULT_HTTP_UTILITIES_IMPLEMENTATION
static java.lang.String	DEFAULT_INTRUSION_DETECTION_IMPLEMENTATION
static java.lang.String	DEFAULT_LOG_IMPLEMENTATION
static int	DEFAULT_MAX_LOG_FILE_SIZE The default max log file size is set to 10,000,000 bytes (10 Meg).
static java.lang.String	DEFAULT_RANDOMIZER_IMPLEMENTATION
static java.lang.String	DEFAULT_VALIDATOR_IMPLEMENTATION
static java.lang.String	DIGITAL_SIGNATURE_ALGORITHM
static java.lang.String	DIGITAL_SIGNATURE_KEY_LENGTH
static java.lang.String	DISABLE_INTRUSION_DETECTION
static java.lang.String	ENCODER_IMPLEMENTATION
static java.lang.String	ENCRYPTION_ALGORITHM
static java.lang.String	ENCRYPTION_IMPLEMENTATION
static java.lang.String	EXECUTOR_IMPLEMENTATION
static java.lang.String	FIXED_IV
static java.lang.String	FORCE_HTTPONLYCOOKIES
static java.lang.String	FORCE_HTTPONLYSESSION
static java.lang.String	FORCE_SECURECOOKIES
static java.lang.String	FORCE_SECURESESSION
static java.lang.String	HASH_ALGORITHM
static java.lang.String	HASH_ITERATIONS
static java.lang.String	HTTP_SESSION_ID_NAME
static java.lang.String	HTTP_UTILITIES_IMPLEMENTATION
static java.lang.String	IDLE_TIMEOUT_DURATION
static java.lang.String	INTRUSION_DETECTION_IMPLEMENTATION
static java.lang.String	IV_TYPE
static java.lang.String	KDF_PRF_ALG
static java.lang.String	KEY_LENGTH
static java.lang.String	LOG_APPLICATION_NAME
static java.lang.String	LOG_ENCODING_REQUIRED
static java.lang.String	LOG_FILE_NAME
static java.lang.String	LOG_IMPLEMENTATION
static java.lang.String	LOG_LEVEL
static java.lang.String	LOG_SERVER_IP
static java.lang.String	MASTER_KEY
static java.lang.String	MASTER_SALT
protected int	MAX_FILE_NAME_LENGTH Deprecated. It is not clear whether this is intended to be the max file name length for the basename(1) of a file or the max full path name length of a canonical full path name. Since it is not used anywhere in the ESAPI code it is being deprecated and scheduled to be removed in release 2.1.
static java.lang.String	MAX_HTTP_HEADER_SIZE
static java.lang.String	MAX_LOG_FILE_SIZE
static java.lang.String	MAX_OLD_PASSWORD_HASHES
protected int	MAX_REDIRECT_LOCATION
static java.lang.String	MAX_UPLOAD_FILE_BYTES
static java.lang.String	PASSWORD_PARAMETER_NAME
static java.lang.String	PLAINTEXT_OVERWRITE
static java.lang.String	PREFERRED_JCE_PROVIDER
static java.lang.String	PRINT_PROPERTIES_WHEN_LOADED
static java.lang.String	RANDOM_ALGORITHM
static java.lang.String	RANDOMIZER_IMPLEMENTATION
static java.lang.String	REMEMBER_TOKEN_DURATION
static java.lang.String	RESOURCE_FILE The name of the ESAPI property file
static java.lang.String	RESPONSE_CONTENT_TYPE
static java.lang.String	UPLOAD_DIRECTORY
static java.lang.String	UPLOAD_TEMP_DIRECTORY
static java.lang.String	USERNAME_PARAMETER_NAME
static java.lang.String	VALIDATION_PROPERTIES
static java.lang.String	VALIDATOR_IMPLEMENTATION
static java.lang.String	WORKING_DIRECTORY

Constructor Summary

Constructors

Constructor and Description
DefaultSecurityConfiguration() Instantiates a new configuration.
DefaultSecurityConfiguration(java.util.Properties properties) Instantiates a new configuration with the supplied properties.

Method Summary

Methods

Modifier and Type	Method and Description
java.lang.String	getAccessControlImplementation() Returns the fully qualified classname of the ESAPI Access Control implementation.
java.util.List<java.lang.String>	getAdditionalAllowedCipherModes() Return List of strings of additional cipher modes that are permitted (i.e., in addition to those returned by #getPreferredCipherModes()) to be used for encryption and decryption operations.
java.util.List<java.lang.String>	getAllowedExecutables() Gets the allowed executables to run with the Executor.
java.util.List<java.lang.String>	getAllowedFileExtensions() Gets the allowed file extensions for files that are uploaded to this application.
int	getAllowedFileUploadSize() Gets the maximum allowed file upload size.
int	getAllowedLoginAttempts() Gets the number of login attempts allowed before the user's account is locked.
boolean	getAllowMixedEncoding() Return true if mixed encoding is allowed
boolean	getAllowMultipleEncoding() Return true if multiple encoding is allowed
java.lang.String	getApplicationName() Gets the application name, used for logging
java.lang.String	getAuthenticationImplementation() Returns the fully qualified classname of the ESAPI Authentication implementation.
java.lang.String	getCharacterEncoding() Gets the character encoding scheme supported by this application.
java.lang.String	getCipherTransformation() Retrieve the cipher transformation.
java.util.List<java.lang.String>	getCombinedCipherModes() Return a List of strings of combined cipher modes that support both confidentiality and authenticity.
java.util.List<java.lang.String>	getDefaultCanonicalizationCodecs() Returns the List of Codecs to use when canonicalizing data
java.lang.String	getDigitalSignatureAlgorithm() Gets the digital signature algorithm used by ESAPI to generate and verify signatures.
int	getDigitalSignatureKeyLength() Gets the digital signature key length used by ESAPI to generate and verify signatures.
boolean	getDisableIntrusionDetection() Allows for complete disabling of all intrusion detection mechanisms
java.lang.String	getEncoderImplementation() Returns the fully qualified classname of the ESAPI Encoder implementation.
java.lang.String	getEncryptionAlgorithm() Gets the encryption algorithm used by ESAPI to protect data.
java.lang.String	getEncryptionImplementation() Returns the fully qualified classname of the ESAPI Encryption implementation.
int	getEncryptionKeyLength() Gets the key length to use in cryptographic operations declared in the ESAPI properties file.
protected java.util.Properties	getESAPIProperties()
protected boolean	getESAPIProperty(java.lang.String key, boolean def)
protected int	getESAPIProperty(java.lang.String key, int def)
protected java.util.List<java.lang.String>	getESAPIProperty(java.lang.String key, java.util.List<java.lang.String> def) Returns a List representing the parsed, comma-separated property.
protected java.lang.String	getESAPIProperty(java.lang.String key, java.lang.String def)
protected byte[]	getESAPIPropertyEncoded(java.lang.String key, byte[] def)
java.lang.String	getExecutorImplementation() Returns the fully qualified classname of the ESAPI OS Execution implementation.
java.lang.String	getFixedIV() If a "fixed" (i.e., static) Initialization Vector (IV) is to be used, this will return the IV value as a hex-encoded string.
boolean	getForceHttpOnlyCookies() Forces new cookies to have HttpOnly flag set.
boolean	getForceHttpOnlySession() Forces new cookies to have HttpOnly flag set.
boolean	getForceSecureCookies() Forces new cookies to have Secure flag set.
boolean	getForceSecureSession() Forces session cookies to have Secure flag set.
java.lang.String	getHashAlgorithm() Gets the hashing algorithm used by ESAPI to hash data.
int	getHashIterations() Gets the hash iterations used by ESAPI to hash data.
java.lang.String	getHttpSessionIdName() This method returns the configured name of the session identifier, likely "JSESSIONID" though this can be overridden.
java.lang.String	getHTTPUtilitiesImplementation() Returns the fully qualified classname of the ESAPI HTTPUtilities implementation.
static SecurityConfiguration	getInstance()
java.lang.String	getIntrusionDetectionImplementation() Returns the fully qualified classname of the ESAPI Intrusion Detection implementation.
java.lang.String	getIVType() Get a string indicating how to compute an Initialization Vector (IV).
java.lang.String	getKDFPseudoRandomFunction() Retrieve the Pseudo Random Function (PRF) used by the ESAPI Key Derivation Function (KDF).
boolean	getLenientDatesAccepted() Determines whether ESAPI will accept "lenient" dates when attempt to parse dates.
boolean	getLogApplicationName() Returns whether ESAPI should log the application name.
boolean	getLogEncodingRequired() Returns whether HTML entity encoding should be applied to log entries.
java.lang.String	getLogFileName() Get the name of the log file specified in the ESAPI configuration properties file.
java.lang.String	getLogImplementation() Returns the fully qualified classname of the ESAPI Logging implementation.
int	getLogLevel() Returns the current log level.
boolean	getLogServerIP() Returns whether ESAPI should log the server IP.
byte[]	getMasterKey() Gets the master key.
byte[]	getMasterSalt() Gets the master salt that is used to salt stored password hashes and any other location where a salt is needed.
int	getMaxHttpHeaderSize() Returns the maximum allowable HTTP header size.
int	getMaxLogFileSize() Get the maximum size of a single log file from the ESAPI configuration properties file.
int	getMaxOldPasswordHashes() Gets the maximum number of old password hashes that should be retained.
java.lang.String	getPasswordParameterName() Gets the name of the password parameter used during user authentication.
java.lang.String	getPreferredJCEProvider() Retrieve the preferred JCE provider for ESAPI and your application.
SecurityConfiguration.Threshold	getQuota(java.lang.String eventName) Gets the intrusion detection quota for the specified event.
java.lang.String	getRandomAlgorithm() Gets the random number generation algorithm used to generate random numbers where needed.
java.lang.String	getRandomizerImplementation() Returns the fully qualified classname of the ESAPI Randomizer implementation.
long	getRememberTokenDuration() Gets the length of the time to live window for remember me tokens (in milliseconds).
java.io.File	getResourceFile(java.lang.String filename) Gets a file from the resource directory
java.io.InputStream	getResourceStream(java.lang.String filename) Gets an InputStream to a file in the resource directory
java.lang.String	getResponseContentType() Gets the content type for responses used when setSafeContentType() is called.
int	getSessionAbsoluteTimeoutLength() Gets the absolute timeout length for sessions (in milliseconds).
int	getSessionIdleTimeoutLength() Gets the idle timeout length for sessions (in milliseconds).
java.io.File	getUploadDirectory() Retrieves the upload directory as specified in the ESAPI.properties file.
java.io.File	getUploadTempDirectory() Retrieves the temp directory to use when uploading files, as specified in ESAPI.properties.
java.lang.String	getUsernameParameterName() Gets the name of the username parameter used during user authentication.
java.lang.String	getValidationImplementation() Returns the fully qualified classname of the ESAPI Validation implementation.
java.util.regex.Pattern	getValidationPattern(java.lang.String key) getValidationPattern returns a single pattern based upon key
java.io.File	getWorkingDirectory() getWorkingDirectory returns the default directory where processes will be executed by the Executor.
protected void	loadConfiguration() Load configuration.
boolean	overwritePlainText() Indicates whether the PlainText objects may be overwritten after they have been encrypted.
java.lang.String	setCipherTransformation(java.lang.String cipherXform) Set the cipher transformation.
void	setResourceDirectory(java.lang.String dir) Sets the ESAPI resource directory.
protected boolean	shouldPrintProperties()
boolean	useMACforCipherText() Determines whether the CipherText should be used with a Message Authentication Code (MAC).

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

RESOURCE_FILE

public static final java.lang.String RESOURCE_FILE

The name of the ESAPI property file

See Also:

Constant Field Values

REMEMBER_TOKEN_DURATION

public static final java.lang.String REMEMBER_TOKEN_DURATION

See Also:

Constant Field Values

IDLE_TIMEOUT_DURATION

public static final java.lang.String IDLE_TIMEOUT_DURATION

See Also:

Constant Field Values

ABSOLUTE_TIMEOUT_DURATION

public static final java.lang.String ABSOLUTE_TIMEOUT_DURATION

See Also:

Constant Field Values

ALLOWED_LOGIN_ATTEMPTS

public static final java.lang.String ALLOWED_LOGIN_ATTEMPTS

See Also:

Constant Field Values

USERNAME_PARAMETER_NAME

public static final java.lang.String USERNAME_PARAMETER_NAME

See Also:

Constant Field Values

PASSWORD_PARAMETER_NAME

public static final java.lang.String PASSWORD_PARAMETER_NAME

See Also:

Constant Field Values

MAX_OLD_PASSWORD_HASHES

public static final java.lang.String MAX_OLD_PASSWORD_HASHES

See Also:

Constant Field Values

ALLOW_MULTIPLE_ENCODING

public static final java.lang.String ALLOW_MULTIPLE_ENCODING

See Also:

Constant Field Values

ALLOW_MIXED_ENCODING

public static final java.lang.String ALLOW_MIXED_ENCODING

See Also:

Constant Field Values

CANONICALIZATION_CODECS

public static final java.lang.String CANONICALIZATION_CODECS

See Also:

Constant Field Values

DISABLE_INTRUSION_DETECTION

public static final java.lang.String DISABLE_INTRUSION_DETECTION

See Also:

Constant Field Values

MASTER_KEY

public static final java.lang.String MASTER_KEY

See Also:

Constant Field Values

MASTER_SALT

public static final java.lang.String MASTER_SALT

See Also:

Constant Field Values

KEY_LENGTH

public static final java.lang.String KEY_LENGTH

See Also:

Constant Field Values

ENCRYPTION_ALGORITHM

public static final java.lang.String ENCRYPTION_ALGORITHM

See Also:

Constant Field Values

HASH_ALGORITHM

public static final java.lang.String HASH_ALGORITHM

See Also:

Constant Field Values

HASH_ITERATIONS

public static final java.lang.String HASH_ITERATIONS

See Also:

Constant Field Values

CHARACTER_ENCODING

public static final java.lang.String CHARACTER_ENCODING

See Also:

Constant Field Values

RANDOM_ALGORITHM

public static final java.lang.String RANDOM_ALGORITHM

See Also:

Constant Field Values

DIGITAL_SIGNATURE_ALGORITHM

public static final java.lang.String DIGITAL_SIGNATURE_ALGORITHM

See Also:

Constant Field Values

DIGITAL_SIGNATURE_KEY_LENGTH

public static final java.lang.String DIGITAL_SIGNATURE_KEY_LENGTH

See Also:

Constant Field Values

PREFERRED_JCE_PROVIDER

public static final java.lang.String PREFERRED_JCE_PROVIDER

See Also:

Constant Field Values

CIPHER_TRANSFORMATION_IMPLEMENTATION

public static final java.lang.String CIPHER_TRANSFORMATION_IMPLEMENTATION

See Also:

Constant Field Values

CIPHERTEXT_USE_MAC

public static final java.lang.String CIPHERTEXT_USE_MAC

See Also:

Constant Field Values

PLAINTEXT_OVERWRITE

public static final java.lang.String PLAINTEXT_OVERWRITE

See Also:

Constant Field Values

IV_TYPE

public static final java.lang.String IV_TYPE

See Also:

Constant Field Values

FIXED_IV

public static final java.lang.String FIXED_IV

See Also:

Constant Field Values

COMBINED_CIPHER_MODES

public static final java.lang.String COMBINED_CIPHER_MODES

See Also:

Constant Field Values

ADDITIONAL_ALLOWED_CIPHER_MODES

public static final java.lang.String ADDITIONAL_ALLOWED_CIPHER_MODES

See Also:

Constant Field Values

KDF_PRF_ALG

public static final java.lang.String KDF_PRF_ALG

See Also:

Constant Field Values

PRINT_PROPERTIES_WHEN_LOADED

public static final java.lang.String PRINT_PROPERTIES_WHEN_LOADED

See Also:

Constant Field Values

WORKING_DIRECTORY

public static final java.lang.String WORKING_DIRECTORY

See Also:

Constant Field Values

APPROVED_EXECUTABLES

public static final java.lang.String APPROVED_EXECUTABLES

See Also:

Constant Field Values

FORCE_HTTPONLYSESSION

public static final java.lang.String FORCE_HTTPONLYSESSION

See Also:

Constant Field Values

FORCE_SECURESESSION

public static final java.lang.String FORCE_SECURESESSION

See Also:

Constant Field Values

FORCE_HTTPONLYCOOKIES

public static final java.lang.String FORCE_HTTPONLYCOOKIES

See Also:

Constant Field Values

FORCE_SECURECOOKIES

public static final java.lang.String FORCE_SECURECOOKIES

See Also:

Constant Field Values

MAX_HTTP_HEADER_SIZE

public static final java.lang.String MAX_HTTP_HEADER_SIZE

See Also:

Constant Field Values

UPLOAD_DIRECTORY

public static final java.lang.String UPLOAD_DIRECTORY

See Also:

Constant Field Values

UPLOAD_TEMP_DIRECTORY

public static final java.lang.String UPLOAD_TEMP_DIRECTORY

See Also:

Constant Field Values

APPROVED_UPLOAD_EXTENSIONS

public static final java.lang.String APPROVED_UPLOAD_EXTENSIONS

See Also:

Constant Field Values

MAX_UPLOAD_FILE_BYTES

public static final java.lang.String MAX_UPLOAD_FILE_BYTES

See Also:

Constant Field Values

RESPONSE_CONTENT_TYPE

public static final java.lang.String RESPONSE_CONTENT_TYPE

See Also:

Constant Field Values

HTTP_SESSION_ID_NAME

public static final java.lang.String HTTP_SESSION_ID_NAME

See Also:

Constant Field Values

APPLICATION_NAME

public static final java.lang.String APPLICATION_NAME

See Also:

Constant Field Values

LOG_LEVEL

public static final java.lang.String LOG_LEVEL

See Also:

Constant Field Values

LOG_FILE_NAME

public static final java.lang.String LOG_FILE_NAME

See Also:

Constant Field Values

MAX_LOG_FILE_SIZE

public static final java.lang.String MAX_LOG_FILE_SIZE

See Also:

Constant Field Values

LOG_ENCODING_REQUIRED

public static final java.lang.String LOG_ENCODING_REQUIRED

See Also:

Constant Field Values

LOG_APPLICATION_NAME

public static final java.lang.String LOG_APPLICATION_NAME

See Also:

Constant Field Values

LOG_SERVER_IP

public static final java.lang.String LOG_SERVER_IP

See Also:

Constant Field Values

VALIDATION_PROPERTIES

public static final java.lang.String VALIDATION_PROPERTIES

See Also:

Constant Field Values

ACCEPT_LENIENT_DATES

public static final java.lang.String ACCEPT_LENIENT_DATES

See Also:

Constant Field Values

DEFAULT_MAX_LOG_FILE_SIZE

public static final int DEFAULT_MAX_LOG_FILE_SIZE

The default max log file size is set to 10,000,000 bytes (10 Meg). If the current log file exceeds the current max log file size, the logger will move the old log data into another log file. There currently is a max of 1000 log files of the same name. If that is exceeded it will presumably start discarding the oldest logs.

See Also:

Constant Field Values

MAX_REDIRECT_LOCATION

protected final int MAX_REDIRECT_LOCATION

See Also:

Constant Field Values

MAX_FILE_NAME_LENGTH

protected final int MAX_FILE_NAME_LENGTH

Deprecated. It is not clear whether this is intended to be the max file name length for the basename(1) of a file or the max full path name length of a canonical full path name. Since it is not used anywhere in the ESAPI code it is being deprecated and scheduled to be removed in release 2.1.

See Also:

Constant Field Values

LOG_IMPLEMENTATION

public static final java.lang.String LOG_IMPLEMENTATION

See Also:

Constant Field Values

AUTHENTICATION_IMPLEMENTATION

public static final java.lang.String AUTHENTICATION_IMPLEMENTATION

See Also:

Constant Field Values

ENCODER_IMPLEMENTATION

public static final java.lang.String ENCODER_IMPLEMENTATION

See Also:

Constant Field Values

ACCESS_CONTROL_IMPLEMENTATION

public static final java.lang.String ACCESS_CONTROL_IMPLEMENTATION

See Also:

Constant Field Values

ENCRYPTION_IMPLEMENTATION

public static final java.lang.String ENCRYPTION_IMPLEMENTATION

See Also:

Constant Field Values

INTRUSION_DETECTION_IMPLEMENTATION

public static final java.lang.String INTRUSION_DETECTION_IMPLEMENTATION

See Also:

Constant Field Values

RANDOMIZER_IMPLEMENTATION

public static final java.lang.String RANDOMIZER_IMPLEMENTATION

See Also:

Constant Field Values

EXECUTOR_IMPLEMENTATION

public static final java.lang.String EXECUTOR_IMPLEMENTATION

See Also:

Constant Field Values

VALIDATOR_IMPLEMENTATION

public static final java.lang.String VALIDATOR_IMPLEMENTATION

See Also:

Constant Field Values

HTTP_UTILITIES_IMPLEMENTATION

public static final java.lang.String HTTP_UTILITIES_IMPLEMENTATION

See Also:

Constant Field Values

DEFAULT_LOG_IMPLEMENTATION

public static final java.lang.String DEFAULT_LOG_IMPLEMENTATION

See Also:

Constant Field Values

DEFAULT_AUTHENTICATION_IMPLEMENTATION

public static final java.lang.String DEFAULT_AUTHENTICATION_IMPLEMENTATION

See Also:

Constant Field Values

DEFAULT_ENCODER_IMPLEMENTATION

public static final java.lang.String DEFAULT_ENCODER_IMPLEMENTATION

See Also:

Constant Field Values

DEFAULT_ACCESS_CONTROL_IMPLEMENTATION

public static final java.lang.String DEFAULT_ACCESS_CONTROL_IMPLEMENTATION

See Also:

Constant Field Values

DEFAULT_ENCRYPTION_IMPLEMENTATION

public static final java.lang.String DEFAULT_ENCRYPTION_IMPLEMENTATION

See Also:

Constant Field Values

DEFAULT_INTRUSION_DETECTION_IMPLEMENTATION

public static final java.lang.String DEFAULT_INTRUSION_DETECTION_IMPLEMENTATION

See Also:

Constant Field Values

DEFAULT_RANDOMIZER_IMPLEMENTATION

public static final java.lang.String DEFAULT_RANDOMIZER_IMPLEMENTATION

See Also:

Constant Field Values

DEFAULT_EXECUTOR_IMPLEMENTATION

public static final java.lang.String DEFAULT_EXECUTOR_IMPLEMENTATION

See Also:

Constant Field Values

DEFAULT_HTTP_UTILITIES_IMPLEMENTATION

public static final java.lang.String DEFAULT_HTTP_UTILITIES_IMPLEMENTATION

See Also:

Constant Field Values

DEFAULT_VALIDATOR_IMPLEMENTATION

public static final java.lang.String DEFAULT_VALIDATOR_IMPLEMENTATION

See Also:

Constant Field Values

Constructor Detail

DefaultSecurityConfiguration

public DefaultSecurityConfiguration()

Instantiates a new configuration.

DefaultSecurityConfiguration

public DefaultSecurityConfiguration(java.util.Properties properties)

Instantiates a new configuration with the supplied properties. Warning - if the setResourceDirectory() method is invoked the properties will be re-loaded, replacing the supplied properties.

Parameters:

properties -

Method Detail

getInstance

public static SecurityConfiguration getInstance()

getApplicationName

public java.lang.String getApplicationName()

Gets the application name, used for logging

Specified by:

getApplicationName in interface SecurityConfiguration

Returns:

the name of the current application

getLogImplementation

public java.lang.String getLogImplementation()

Returns the fully qualified classname of the ESAPI Logging implementation.

Specified by:

getLogImplementation in interface SecurityConfiguration

getAuthenticationImplementation

public java.lang.String getAuthenticationImplementation()

Returns the fully qualified classname of the ESAPI Authentication implementation.

Specified by:

getAuthenticationImplementation in interface SecurityConfiguration

getEncoderImplementation

public java.lang.String getEncoderImplementation()

Returns the fully qualified classname of the ESAPI Encoder implementation.

Specified by:

getEncoderImplementation in interface SecurityConfiguration

getAccessControlImplementation

public java.lang.String getAccessControlImplementation()

Returns the fully qualified classname of the ESAPI Access Control implementation.

Specified by:

getAccessControlImplementation in interface SecurityConfiguration

getEncryptionImplementation

public java.lang.String getEncryptionImplementation()

Returns the fully qualified classname of the ESAPI Encryption implementation.

Specified by:

getEncryptionImplementation in interface SecurityConfiguration

getIntrusionDetectionImplementation

public java.lang.String getIntrusionDetectionImplementation()

Returns the fully qualified classname of the ESAPI Intrusion Detection implementation.

Specified by:

getIntrusionDetectionImplementation in interface SecurityConfiguration

getRandomizerImplementation

public java.lang.String getRandomizerImplementation()

Returns the fully qualified classname of the ESAPI Randomizer implementation.

Specified by:

getRandomizerImplementation in interface SecurityConfiguration

getExecutorImplementation

public java.lang.String getExecutorImplementation()

Returns the fully qualified classname of the ESAPI OS Execution implementation.

Specified by:

getExecutorImplementation in interface SecurityConfiguration

getHTTPUtilitiesImplementation

public java.lang.String getHTTPUtilitiesImplementation()

Returns the fully qualified classname of the ESAPI HTTPUtilities implementation.

Specified by:

getHTTPUtilitiesImplementation in interface SecurityConfiguration

getValidationImplementation

public java.lang.String getValidationImplementation()

Returns the fully qualified classname of the ESAPI Validation implementation.

Specified by:

getValidationImplementation in interface SecurityConfiguration

getMasterKey

public byte[] getMasterKey()

Gets the master key. This password is used to encrypt/decrypt other files or types of data that need to be protected by your application.

Specified by:

getMasterKey in interface SecurityConfiguration

Returns:

the current master key

setResourceDirectory

public void setResourceDirectory(java.lang.String dir)

Sets the ESAPI resource directory.

Specified by:

setResourceDirectory in interface SecurityConfiguration

Parameters:

dir - The location of the resource directory.

getEncryptionKeyLength

public int getEncryptionKeyLength()

Description copied from interface: SecurityConfiguration

Gets the key length to use in cryptographic operations declared in the ESAPI properties file.

Specified by:

getEncryptionKeyLength in interface SecurityConfiguration

Returns:

the key length.

getMasterSalt

public byte[] getMasterSalt()

Gets the master salt that is used to salt stored password hashes and any other location where a salt is needed.

Specified by:

getMasterSalt in interface SecurityConfiguration

Returns:

the current master salt

getAllowedExecutables

public java.util.List<java.lang.String> getAllowedExecutables()

Gets the allowed executables to run with the Executor.

Specified by:

getAllowedExecutables in interface SecurityConfiguration

Returns:

a list of the current allowed file extensions

getAllowedFileExtensions

public java.util.List<java.lang.String> getAllowedFileExtensions()

Gets the allowed file extensions for files that are uploaded to this application.

Specified by:

getAllowedFileExtensions in interface SecurityConfiguration

Returns:

a list of the current allowed file extensions

getAllowedFileUploadSize

public int getAllowedFileUploadSize()

Gets the maximum allowed file upload size.

Specified by:

getAllowedFileUploadSize in interface SecurityConfiguration

Returns:

the current allowed file upload size

loadConfiguration

protected void loadConfiguration()
                          throws java.io.IOException

Load configuration. Never prints properties.

Throws:

java.io.IOException - if the file is inaccessible

getResourceStream

public java.io.InputStream getResourceStream(java.lang.String filename)
                                      throws java.io.IOException

Description copied from interface: SecurityConfiguration

Gets an InputStream to a file in the resource directory

Specified by:

getResourceStream in interface SecurityConfiguration

Parameters:

filename -

Returns:

An InputStream associated with the specified file name as a resource stream.

Throws:

java.io.IOException - If the file cannot be found or opened for reading.

getResourceFile

public java.io.File getResourceFile(java.lang.String filename)

Gets a file from the resource directory

Specified by:

getResourceFile in interface SecurityConfiguration

Parameters:

filename - The file name resource.

Returns:

A File object representing the specified file name or null if not found.

getPasswordParameterName

public java.lang.String getPasswordParameterName()

Gets the name of the password parameter used during user authentication.

Specified by:

getPasswordParameterName in interface SecurityConfiguration

Returns:

the name of the password parameter

getUsernameParameterName

public java.lang.String getUsernameParameterName()

Gets the name of the username parameter used during user authentication.

Specified by:

getUsernameParameterName in interface SecurityConfiguration

Returns:

the name of the username parameter

getEncryptionAlgorithm

public java.lang.String getEncryptionAlgorithm()

Gets the encryption algorithm used by ESAPI to protect data. This is mostly used for compatibility with ESAPI 1.4; ESAPI 2.0 prefers to use "cipher transformation" since it supports multiple cipher modes and padding schemes.

Specified by:

getEncryptionAlgorithm in interface SecurityConfiguration

Returns:

the current encryption algorithm

getCipherTransformation

public java.lang.String getCipherTransformation()

Retrieve the cipher transformation. In general, the cipher transformation is a specification of cipher algorithm, cipher mode, and padding scheme and in general, is a String that takes the following form:

                cipher_alg/cipher_mode[bits]/padding_scheme
 

where cipher_alg is the JCE cipher algorithm (e.g., "DESede"), cipher_mode is the cipher mode (e.g., "CBC", "CFB", "CTR", etc.), and padding_scheme is the cipher padding scheme (e.g., "NONE" for no padding, "PKCS5Padding" for PKCS#5 padding, etc.) and where [bits] is an optional bit size that applies to certain cipher modes such as CFB and OFB. Using modes such as CFB and OFB, block ciphers can encrypt data in units smaller than the cipher's actual block size. When requesting such a mode, you may optionally specify the number of bits to be processed at a time. This generally must be an integral multiple of 8-bits so that it can specify a whole number of octets.

Examples are:

                "AES/ECB/NoPadding"             // Default for ESAPI Java 1.4 (insecure)
                "AES/CBC/PKCS5Padding"  // Default for ESAPI Java 2.0
                "DESede/OFB32/PKCS5Padding"
 

NOTE: Occasionally, in cryptographic literature, you may also see the key size (in bits) specified after the cipher algorithm in the cipher transformation. Generally, this is done to account for cipher algorithms that have variable key sizes. The Blowfish cipher for example supports key sizes from 32 to 448 bits. So for Blowfish, you might see a cipher transformation something like this:

                "Blowfish-192/CFB8/PKCS5Padding"
 

in the cryptographic literature. It should be noted that the Java Cryptography Extensions (JCE) do not generally support this (at least not the reference JCE implementation of "SunJCE"), and therefore it should be avoided.

Specified by:

getCipherTransformation in interface SecurityConfiguration

Returns:

The cipher transformation.

setCipherTransformation

public java.lang.String setCipherTransformation(java.lang.String cipherXform)

Set the cipher transformation. This allows a different cipher transformation to be used without changing the ESAPI.properties file. For instance you may normally want to use AES/CBC/PKCS5Padding, but have some legacy encryption where you have ciphertext that was encrypted using 3DES.

Specified by:

setCipherTransformation in interface SecurityConfiguration

Parameters:

cipherXform - The new cipher transformation. See SecurityConfiguration.getCipherTransformation() for format. If null is passed as the parameter, the cipher transformation will be set to the the default taken from the property Encryptor.CipherTransformation in the ESAPI.properties file. BEWARE: there is NO sanity checking here (other than the empty string, and then, only if Java assertions are enabled), so if you set this wrong, you will not get any errors until you later try to use it to encrypt or decrypt data.

Returns:

The previous cipher transformation is returned for convenience, with the assumption that you may wish to restore it once you have completed the encryption / decryption with the new cipher transformation.

useMACforCipherText

public boolean useMACforCipherText()

Determines whether the CipherText should be used with a Message Authentication Code (MAC). Generally this makes for a more robust cryptographic scheme, but there are some minor performance implications. Controlled by the ESAPI property Encryptor.CipherText.useMAC.

For further details, see the "Advanced Usage" section of "Why Is OWASP Changing ESAPI Encryption?".

Specified by:

useMACforCipherText in interface SecurityConfiguration

Returns:

true if a you want a MAC to be used, otherwise false.

overwritePlainText

public boolean overwritePlainText()

Indicates whether the PlainText objects may be overwritten after they have been encrypted. Generally this is a good idea, especially if your VM is shared by multiple applications (e.g., multiple applications running in the same J2EE container) or if there is a possibility that your VM may leave a core dump (say because it is running non-native Java code.

Controlled by the property Encryptor.PlainText.overwrite in the ESAPI.properties file.

Specified by:

overwritePlainText in interface SecurityConfiguration

Returns:

True if it is OK to overwrite the PlainText objects after encrypting, false otherwise.

getIVType

public java.lang.String getIVType()

Get a string indicating how to compute an Initialization Vector (IV). Currently supported modes are "random" to generate a random IV or "fixed" to use a fixed (static) IV. If a "fixed" IV is chosen, then the the value of this fixed IV must be specified as the property Encryptor.fixedIV and be of the appropriate length.

Specified by:

getIVType in interface SecurityConfiguration

Returns:

A string specifying the IV type. Should be "random" or "fixed".

See Also:

SecurityConfiguration.getFixedIV()

getFixedIV

public java.lang.String getFixedIV()

If a "fixed" (i.e., static) Initialization Vector (IV) is to be used, this will return the IV value as a hex-encoded string.

Specified by:

getFixedIV in interface SecurityConfiguration

Returns:

The fixed IV as a hex-encoded string.

getHashAlgorithm

public java.lang.String getHashAlgorithm()

Gets the hashing algorithm used by ESAPI to hash data.

Specified by:

getHashAlgorithm in interface SecurityConfiguration

Returns:

the current hashing algorithm

getHashIterations

public int getHashIterations()

Gets the hash iterations used by ESAPI to hash data.

Specified by:

getHashIterations in interface SecurityConfiguration

Returns:

the current hashing algorithm

getKDFPseudoRandomFunction

public java.lang.String getKDFPseudoRandomFunction()

Retrieve the Pseudo Random Function (PRF) used by the ESAPI Key Derivation Function (KDF).

Specified by:

getKDFPseudoRandomFunction in interface SecurityConfiguration

Returns:

The KDF PRF algorithm name.

getCharacterEncoding

public java.lang.String getCharacterEncoding()

Gets the character encoding scheme supported by this application. This is used to set the character encoding scheme on requests and responses when setCharacterEncoding() is called on SafeRequests and SafeResponses. This scheme is also used for encoding/decoding URLs and any other place where the current encoding scheme needs to be known.

Note: This does not get the configured response content type. That is accessed by calling getResponseContentType().

Specified by:

getCharacterEncoding in interface SecurityConfiguration

Returns:

the current character encoding scheme

getAllowMultipleEncoding

public boolean getAllowMultipleEncoding()

Return true if multiple encoding is allowed

Specified by:

getAllowMultipleEncoding in interface SecurityConfiguration

Returns:

whether multiple encoding is allowed when canonicalizing data

getAllowMixedEncoding

public boolean getAllowMixedEncoding()

Return true if mixed encoding is allowed

Specified by:

getAllowMixedEncoding in interface SecurityConfiguration

Returns:

whether mixed encoding is allowed when canonicalizing data

getDefaultCanonicalizationCodecs

public java.util.List<java.lang.String> getDefaultCanonicalizationCodecs()

Returns the List of Codecs to use when canonicalizing data

Specified by:

getDefaultCanonicalizationCodecs in interface SecurityConfiguration

Returns:

the codec list

getDigitalSignatureAlgorithm

public java.lang.String getDigitalSignatureAlgorithm()

Gets the digital signature algorithm used by ESAPI to generate and verify signatures.

Specified by:

getDigitalSignatureAlgorithm in interface SecurityConfiguration

Returns:

the current digital signature algorithm

getDigitalSignatureKeyLength

public int getDigitalSignatureKeyLength()

Gets the digital signature key length used by ESAPI to generate and verify signatures.

Specified by:

getDigitalSignatureKeyLength in interface SecurityConfiguration

Returns:

the current digital signature key length

getRandomAlgorithm

public java.lang.String getRandomAlgorithm()

Gets the random number generation algorithm used to generate random numbers where needed.

Specified by:

getRandomAlgorithm in interface SecurityConfiguration

Returns:

the current random number generation algorithm

getAllowedLoginAttempts

public int getAllowedLoginAttempts()

Gets the number of login attempts allowed before the user's account is locked. If this many failures are detected within the alloted time period, the user's account will be locked.

Specified by:

getAllowedLoginAttempts in interface SecurityConfiguration

Returns:

the number of failed login attempts that cause an account to be locked

getMaxOldPasswordHashes

public int getMaxOldPasswordHashes()

Gets the maximum number of old password hashes that should be retained. These hashes can be used to ensure that the user doesn't reuse the specified number of previous passwords when they change their password.

Specified by:

getMaxOldPasswordHashes in interface SecurityConfiguration

Returns:

the number of old hashed passwords to retain

getUploadDirectory

public java.io.File getUploadDirectory()

Retrieves the upload directory as specified in the ESAPI.properties file.

Specified by:

getUploadDirectory in interface SecurityConfiguration

Returns:

the upload directory

getUploadTempDirectory

public java.io.File getUploadTempDirectory()

Retrieves the temp directory to use when uploading files, as specified in ESAPI.properties.

Specified by:

getUploadTempDirectory in interface SecurityConfiguration

Returns:

the temp directory

getDisableIntrusionDetection

public boolean getDisableIntrusionDetection()

Allows for complete disabling of all intrusion detection mechanisms

Specified by:

getDisableIntrusionDetection in interface SecurityConfiguration

Returns:

true if intrusion detection should be disabled

getQuota

public SecurityConfiguration.Threshold getQuota(java.lang.String eventName)

Gets the intrusion detection quota for the specified event.

Specified by:

getQuota in interface SecurityConfiguration

Parameters:

eventName - the name of the event whose quota is desired

Returns:

the Quota that has been configured for the specified type of event

getLogLevel

public int getLogLevel()

Returns the current log level.

Specified by:

getLogLevel in interface SecurityConfiguration

Returns:

An integer representing the current log level.

getLogFileName

public java.lang.String getLogFileName()

Get the name of the log file specified in the ESAPI configuration properties file. Return a default value if it is not specified.

Specified by:

getLogFileName in interface SecurityConfiguration

Returns:

the log file name defined in the properties file.

getMaxLogFileSize

public int getMaxLogFileSize()

Get the maximum size of a single log file from the ESAPI configuration properties file. Return a default value if it is not specified. Once the log hits this file size, it will roll over into a new log.

Specified by:

getMaxLogFileSize in interface SecurityConfiguration

Returns:

the maximum size of a single log file (in bytes).

getLogEncodingRequired

public boolean getLogEncodingRequired()

Returns whether HTML entity encoding should be applied to log entries.

Specified by:

getLogEncodingRequired in interface SecurityConfiguration

Returns:

True if log entries are to be HTML Entity encoded. False otherwise.

getLogApplicationName

public boolean getLogApplicationName()

Returns whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.

Specified by:

getLogApplicationName in interface SecurityConfiguration

Returns:

True if ESAPI should log the application name, False otherwise

getLogServerIP

public boolean getLogServerIP()

Returns whether ESAPI should log the server IP. This might be clutter in some single-server environments.

Specified by:

getLogServerIP in interface SecurityConfiguration

Returns:

True if ESAPI should log the server IP and port, False otherwise

getForceHttpOnlySession

public boolean getForceHttpOnlySession()

Forces new cookies to have HttpOnly flag set.

Specified by:

getForceHttpOnlySession in interface SecurityConfiguration

getForceSecureSession

public boolean getForceSecureSession()

Forces session cookies to have Secure flag set.

Specified by:

getForceSecureSession in interface SecurityConfiguration

getForceHttpOnlyCookies

public boolean getForceHttpOnlyCookies()

Forces new cookies to have HttpOnly flag set.

Specified by:

getForceHttpOnlyCookies in interface SecurityConfiguration

getForceSecureCookies

public boolean getForceSecureCookies()

Forces new cookies to have Secure flag set.

Specified by:

getForceSecureCookies in interface SecurityConfiguration

getMaxHttpHeaderSize

public int getMaxHttpHeaderSize()

Returns the maximum allowable HTTP header size.

Specified by:

getMaxHttpHeaderSize in interface SecurityConfiguration

getResponseContentType

public java.lang.String getResponseContentType()

Gets the content type for responses used when setSafeContentType() is called.

Note: This does not get the configured character encoding scheme. That is accessed by calling getCharacterEncoding().

Specified by:

getResponseContentType in interface SecurityConfiguration

Returns:

The current content-type set for responses.

getHttpSessionIdName

public java.lang.String getHttpSessionIdName()

This method returns the configured name of the session identifier, likely "JSESSIONID" though this can be overridden.

Specified by:

getHttpSessionIdName in interface SecurityConfiguration

Returns:

The name of the session identifier, like "JSESSIONID"

getRememberTokenDuration

public long getRememberTokenDuration()

Gets the length of the time to live window for remember me tokens (in milliseconds).

Specified by:

getRememberTokenDuration in interface SecurityConfiguration

Returns:

The time to live length for generated remember me tokens.

getSessionIdleTimeoutLength

public int getSessionIdleTimeoutLength()

Gets the idle timeout length for sessions (in milliseconds). This is the amount of time that a session can live before it expires due to lack of activity. Applications or frameworks could provide a reauthenticate function that enables a session to continue after reauthentication.

Specified by:

getSessionIdleTimeoutLength in interface SecurityConfiguration

Returns:

The session idle timeout length.

getSessionAbsoluteTimeoutLength

public int getSessionAbsoluteTimeoutLength()

Gets the absolute timeout length for sessions (in milliseconds). This is the amount of time that a session can live before it expires regardless of the amount of user activity. Applications or frameworks could provide a reauthenticate function that enables a session to continue after reauthentication.

Specified by:

getSessionAbsoluteTimeoutLength in interface SecurityConfiguration

Returns:

The session absolute timeout length.

getValidationPattern

public java.util.regex.Pattern getValidationPattern(java.lang.String key)

getValidationPattern returns a single pattern based upon key

Specified by:

getValidationPattern in interface SecurityConfiguration

Parameters:

key - validation pattern name you'd like

Returns:

if key exists, the associated validation pattern, null otherwise

getWorkingDirectory

public java.io.File getWorkingDirectory()

getWorkingDirectory returns the default directory where processes will be executed by the Executor.

Specified by:

getWorkingDirectory in interface SecurityConfiguration

getPreferredJCEProvider

public java.lang.String getPreferredJCEProvider()

Retrieve the preferred JCE provider for ESAPI and your application. ESAPI 2.0 now allows setting the property Encryptor.PreferredJCEProvider in the ESAPI.properties file, which will cause the specified JCE provider to be automatically and dynamically loaded (assuming that SecurityManager permissions allow) as the Ii>preferred JCE provider. (Note this only happens if the JCE provider is not already loaded.) This method returns the property Encryptor.PreferredJCEProvider. By default, this Encryptor.PreferredJCEProvider property is set to an empty string, which means that the preferred JCE provider is not changed.

Specified by:

getPreferredJCEProvider in interface SecurityConfiguration

Returns:

The property Encryptor.PreferredJCEProvider is returned.

See Also:

SecurityProviderLoader

getCombinedCipherModes

public java.util.List<java.lang.String> getCombinedCipherModes()

Return a List of strings of combined cipher modes that support both confidentiality and authenticity. These would be preferred cipher modes to use if your JCE provider supports them. If such a cipher mode is used, no explicit separate MAC is calculated as part of the CipherText object upon encryption nor is any attempt made to verify the same on decryption.

The list is taken from the comma-separated list of cipher modes specified by the ESAPI property Encryptor.cipher_modes.combined_modes.

Specified by:

getCombinedCipherModes in interface SecurityConfiguration

Returns:

The parsed list of comma-separated cipher modes if the property was specified in ESAPI.properties; otherwise the empty list is returned.

getAdditionalAllowedCipherModes

public java.util.List<java.lang.String> getAdditionalAllowedCipherModes()

Return List of strings of additional cipher modes that are permitted (i.e., in addition to those returned by #getPreferredCipherModes()) to be used for encryption and decryption operations.

The list is taken from the comma-separated list of cipher modes specified by the ESAPI property Encryptor.cipher_modes.additional_allowed.

Specified by:

getAdditionalAllowedCipherModes in interface SecurityConfiguration

Returns:

The parsed list of comma-separated cipher modes if the property was specified in ESAPI.properties; otherwise the empty list is returned.

See Also:

#getPreferredCipherModes()

getLenientDatesAccepted

public boolean getLenientDatesAccepted()

Determines whether ESAPI will accept "lenient" dates when attempt to parse dates. Controlled by ESAPI property Validator.AcceptLenientDates, which defaults to false if unset.

Specified by:

getLenientDatesAccepted in interface SecurityConfiguration

Returns:

True if lenient dates are accepted; false otherwise.

See Also:

DateFormat.setLenient(boolean)

getESAPIProperty

protected java.lang.String getESAPIProperty(java.lang.String key,
                                java.lang.String def)

getESAPIProperty

protected boolean getESAPIProperty(java.lang.String key,
                       boolean def)

getESAPIPropertyEncoded

protected byte[] getESAPIPropertyEncoded(java.lang.String key,
                             byte[] def)

getESAPIProperty

protected int getESAPIProperty(java.lang.String key,
                   int def)

getESAPIProperty

protected java.util.List<java.lang.String> getESAPIProperty(java.lang.String key,
                                                java.util.List<java.lang.String> def)

Returns a List representing the parsed, comma-separated property.

Parameters:

key - The specified property name

def - A default value for the property name to return if the property is not set.

Returns:

A list of strings.

shouldPrintProperties

protected boolean shouldPrintProperties()

getESAPIProperties

protected java.util.Properties getESAPIProperties()