Package org.owasp.esapi.reference

Class DefaultSecurityConfiguration

  • All Implemented Interfaces:
    EsapiPropertyLoader, SecurityConfiguration
    public class DefaultSecurityConfiguration
extends java.lang.Object
implements SecurityConfiguration
    The reference SecurityConfiguration manages all the settings used by the ESAPI in a single place. In this reference implementation, resources can be put in several locations, which are searched in the following order:

    1) Inside a directory set with a call to SecurityConfiguration.setResourceDirectory( "C:\temp\resources" ).

    2) Inside the System.getProperty( "org.owasp.esapi.resources" ) directory. You can set this on the java command line as follows (for example): 

                    java -Dorg.owasp.esapi.resources="C:\temp\resources"
    You may have to add this to the start-up script that starts your web server. For example, for Tomcat, in the "catalina" script that starts Tomcat, you can set the JAVA_OPTS variable to the -D string above.

    3) Inside the System.getProperty( "user.home" ) + "/.esapi" directory (supported for backward compatibility) or inside the System.getProperty( "user.home" ) + "/esapi" directory.

    4) The first ".esapi" or "esapi" directory on the classpath. (The former for backward compatibility.)

    Once the Configuration is initialized with a resource directory, you can edit it to set things like master keys and passwords, logging locations, error thresholds, and allowed file extensions.

    WARNING: Do not forget to update ESAPI.properties to change the master key and other security critical settings.

    Author:
    Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security, Jim Manico (jim .at. manico.net) Manico.net, Kevin Wall (kevin.w.wall .at. gmail.com)

    • Field Detail

      • DEFAULT_RESOURCE_FILE

        public static final java.lang.String DEFAULT_RESOURCE_FILE
        The name of the ESAPI property file
        See Also:
        Constant Field Values

      • REMEMBER_TOKEN_DURATION

        public static final java.lang.String REMEMBER_TOKEN_DURATION
        See Also:
        Constant Field Values

      • IDLE_TIMEOUT_DURATION

        public static final java.lang.String IDLE_TIMEOUT_DURATION
        See Also:
        Constant Field Values

      • ABSOLUTE_TIMEOUT_DURATION

        public static final java.lang.String ABSOLUTE_TIMEOUT_DURATION
        See Also:
        Constant Field Values

      • ALLOWED_LOGIN_ATTEMPTS

        public static final java.lang.String ALLOWED_LOGIN_ATTEMPTS
        See Also:
        Constant Field Values

      • USERNAME_PARAMETER_NAME

        public static final java.lang.String USERNAME_PARAMETER_NAME
        See Also:
        Constant Field Values

      • PASSWORD_PARAMETER_NAME

        public static final java.lang.String PASSWORD_PARAMETER_NAME
        See Also:
        Constant Field Values

      • MAX_OLD_PASSWORD_HASHES

        public static final java.lang.String MAX_OLD_PASSWORD_HASHES
        See Also:
        Constant Field Values

      • ALLOW_MULTIPLE_ENCODING

        public static final java.lang.String ALLOW_MULTIPLE_ENCODING
        See Also:
        Constant Field Values

      • ALLOW_MIXED_ENCODING

        public static final java.lang.String ALLOW_MIXED_ENCODING
        See Also:
        Constant Field Values

      • CANONICALIZATION_CODECS

        public static final java.lang.String CANONICALIZATION_CODECS
        See Also:
        Constant Field Values

      • DISABLE_INTRUSION_DETECTION

        public static final java.lang.String DISABLE_INTRUSION_DETECTION
        See Also:
        Constant Field Values

      • ENCRYPTION_ALGORITHM

        public static final java.lang.String ENCRYPTION_ALGORITHM
        See Also:
        Constant Field Values

      • CHARACTER_ENCODING

        public static final java.lang.String CHARACTER_ENCODING
        See Also:
        Constant Field Values

      • RANDOM_ALGORITHM

        public static final java.lang.String RANDOM_ALGORITHM
        See Also:
        Constant Field Values

      • DIGITAL_SIGNATURE_ALGORITHM

        public static final java.lang.String DIGITAL_SIGNATURE_ALGORITHM
        See Also:
        Constant Field Values

      • DIGITAL_SIGNATURE_KEY_LENGTH

        public static final java.lang.String DIGITAL_SIGNATURE_KEY_LENGTH
        See Also:
        Constant Field Values

      • PREFERRED_JCE_PROVIDER

        public static final java.lang.String PREFERRED_JCE_PROVIDER
        See Also:
        Constant Field Values

      • CIPHER_TRANSFORMATION_IMPLEMENTATION

        public static final java.lang.String CIPHER_TRANSFORMATION_IMPLEMENTATION
        See Also:
        Constant Field Values

      • CIPHERTEXT_USE_MAC

        public static final java.lang.String CIPHERTEXT_USE_MAC
        See Also:
        Constant Field Values

      • PLAINTEXT_OVERWRITE

        public static final java.lang.String PLAINTEXT_OVERWRITE
        See Also:
        Constant Field Values

      • FIXED_IV

        @Deprecated
public static final java.lang.String FIXED_IV
        Deprecated.
        See Also:
        Constant Field Values

      • COMBINED_CIPHER_MODES

        public static final java.lang.String COMBINED_CIPHER_MODES
        See Also:
        Constant Field Values

      • ADDITIONAL_ALLOWED_CIPHER_MODES

        public static final java.lang.String ADDITIONAL_ALLOWED_CIPHER_MODES
        See Also:
        Constant Field Values

      • PRINT_PROPERTIES_WHEN_LOADED

        public static final java.lang.String PRINT_PROPERTIES_WHEN_LOADED
        See Also:
        Constant Field Values

      • WORKING_DIRECTORY

        public static final java.lang.String WORKING_DIRECTORY
        See Also:
        Constant Field Values

      • APPROVED_EXECUTABLES

        public static final java.lang.String APPROVED_EXECUTABLES
        See Also:
        Constant Field Values

      • FORCE_HTTPONLYSESSION

        public static final java.lang.String FORCE_HTTPONLYSESSION
        See Also:
        Constant Field Values

      • FORCE_SECURESESSION

        public static final java.lang.String FORCE_SECURESESSION
        See Also:
        Constant Field Values

      • FORCE_HTTPONLYCOOKIES

        public static final java.lang.String FORCE_HTTPONLYCOOKIES
        See Also:
        Constant Field Values

      • FORCE_SECURECOOKIES

        public static final java.lang.String FORCE_SECURECOOKIES
        See Also:
        Constant Field Values

      • MAX_HTTP_HEADER_SIZE

        public static final java.lang.String MAX_HTTP_HEADER_SIZE
        See Also:
        Constant Field Values

      • UPLOAD_DIRECTORY

        public static final java.lang.String UPLOAD_DIRECTORY
        See Also:
        Constant Field Values

      • UPLOAD_TEMP_DIRECTORY

        public static final java.lang.String UPLOAD_TEMP_DIRECTORY
        See Also:
        Constant Field Values

      • APPROVED_UPLOAD_EXTENSIONS

        public static final java.lang.String APPROVED_UPLOAD_EXTENSIONS
        See Also:
        Constant Field Values

      • MAX_UPLOAD_FILE_BYTES

        public static final java.lang.String MAX_UPLOAD_FILE_BYTES
        See Also:
        Constant Field Values

      • RESPONSE_CONTENT_TYPE

        public static final java.lang.String RESPONSE_CONTENT_TYPE
        See Also:
        Constant Field Values

      • HTTP_SESSION_ID_NAME

        public static final java.lang.String HTTP_SESSION_ID_NAME
        See Also:
        Constant Field Values

      • APPLICATION_NAME

        public static final java.lang.String APPLICATION_NAME
        See Also:
        Constant Field Values

      • LOG_ENCODING_REQUIRED

        public static final java.lang.String LOG_ENCODING_REQUIRED
        See Also:
        Constant Field Values

      • LOG_APPLICATION_NAME

        public static final java.lang.String LOG_APPLICATION_NAME
        See Also:
        Constant Field Values

      • VALIDATION_PROPERTIES

        public static final java.lang.String VALIDATION_PROPERTIES
        See Also:
        Constant Field Values

      • VALIDATION_PROPERTIES_MULTIVALUED

        public static final java.lang.String VALIDATION_PROPERTIES_MULTIVALUED
        See Also:
        Constant Field Values

      • ACCEPT_LENIENT_DATES

        public static final java.lang.String ACCEPT_LENIENT_DATES
        See Also:
        Constant Field Values

      • VALIDATOR_HTML_VALIDATION_ACTION

        public static final java.lang.String VALIDATOR_HTML_VALIDATION_ACTION
        See Also:
        Constant Field Values

      • VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE

        public static final java.lang.String VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE
        See Also:
        Constant Field Values

      • DISCARD_LOGSPECIAL

        public static final java.lang.String DISCARD_LOGSPECIAL
        Special System property that, if set to true, will disable logging from DefaultSecurityConfiguration.logToStdout() methods, which is called from various logSpecial() methods.
        See Also:
        logToStdout(String msg, Throwable t), Constant Field Values

      • LOG_IMPLEMENTATION

        public static final java.lang.String LOG_IMPLEMENTATION
        See Also:
        Constant Field Values

      • AUTHENTICATION_IMPLEMENTATION

        public static final java.lang.String AUTHENTICATION_IMPLEMENTATION
        See Also:
        Constant Field Values

      • ENCODER_IMPLEMENTATION

        public static final java.lang.String ENCODER_IMPLEMENTATION
        See Also:
        Constant Field Values

      • ACCESS_CONTROL_IMPLEMENTATION

        public static final java.lang.String ACCESS_CONTROL_IMPLEMENTATION
        See Also:
        Constant Field Values

      • ENCRYPTION_IMPLEMENTATION

        public static final java.lang.String ENCRYPTION_IMPLEMENTATION
        See Also:
        Constant Field Values

      • INTRUSION_DETECTION_IMPLEMENTATION

        public static final java.lang.String INTRUSION_DETECTION_IMPLEMENTATION
        See Also:
        Constant Field Values

      • RANDOMIZER_IMPLEMENTATION

        public static final java.lang.String RANDOMIZER_IMPLEMENTATION
        See Also:
        Constant Field Values

      • EXECUTOR_IMPLEMENTATION

        public static final java.lang.String EXECUTOR_IMPLEMENTATION
        See Also:
        Constant Field Values

      • VALIDATOR_IMPLEMENTATION

        public static final java.lang.String VALIDATOR_IMPLEMENTATION
        See Also:
        Constant Field Values

      • HTTP_UTILITIES_IMPLEMENTATION

        public static final java.lang.String HTTP_UTILITIES_IMPLEMENTATION
        See Also:
        Constant Field Values

      • DEFAULT_LOG_IMPLEMENTATION

        public static final java.lang.String DEFAULT_LOG_IMPLEMENTATION
        See Also:
        Constant Field Values

      • DEFAULT_AUTHENTICATION_IMPLEMENTATION

        public static final java.lang.String DEFAULT_AUTHENTICATION_IMPLEMENTATION
        See Also:
        Constant Field Values

      • DEFAULT_ENCODER_IMPLEMENTATION

        public static final java.lang.String DEFAULT_ENCODER_IMPLEMENTATION
        See Also:
        Constant Field Values

      • DEFAULT_ACCESS_CONTROL_IMPLEMENTATION

        public static final java.lang.String DEFAULT_ACCESS_CONTROL_IMPLEMENTATION
        See Also:
        Constant Field Values

      • DEFAULT_ENCRYPTION_IMPLEMENTATION

        public static final java.lang.String DEFAULT_ENCRYPTION_IMPLEMENTATION
        See Also:
        Constant Field Values

      • DEFAULT_INTRUSION_DETECTION_IMPLEMENTATION

        public static final java.lang.String DEFAULT_INTRUSION_DETECTION_IMPLEMENTATION
        See Also:
        Constant Field Values

      • DEFAULT_RANDOMIZER_IMPLEMENTATION

        public static final java.lang.String DEFAULT_RANDOMIZER_IMPLEMENTATION
        See Also:
        Constant Field Values

      • DEFAULT_EXECUTOR_IMPLEMENTATION

        public static final java.lang.String DEFAULT_EXECUTOR_IMPLEMENTATION
        See Also:
        Constant Field Values

      • DEFAULT_HTTP_UTILITIES_IMPLEMENTATION

        public static final java.lang.String DEFAULT_HTTP_UTILITIES_IMPLEMENTATION
        See Also:
        Constant Field Values

      • DEFAULT_VALIDATOR_IMPLEMENTATION

        public static final java.lang.String DEFAULT_VALIDATOR_IMPLEMENTATION
        See Also:
        Constant Field Values

    • Constructor Detail

      • DefaultSecurityConfiguration

        public DefaultSecurityConfiguration​(java.util.Properties properties)
        Instantiates a new configuration with the supplied properties. Warning - if the setResourceDirectory() method is invoked the properties will be re-loaded, replacing the supplied properties.
        Parameters:
        properties -

      • DefaultSecurityConfiguration

        public DefaultSecurityConfiguration()
        Instantiates a new configuration.

    • Method Detail

      • getApplicationName

        public java.lang.String getApplicationName()
        Gets the application name, used for logging
        Specified by:
        getApplicationName in interface SecurityConfiguration
        Returns:
        the name of the current application

      • getLogImplementation

        public java.lang.String getLogImplementation()
        Returns the fully qualified classname of the ESAPI Logging implementation.
        Specified by:
        getLogImplementation in interface SecurityConfiguration

      • getEncoderImplementation

        public java.lang.String getEncoderImplementation()
        Returns the fully qualified classname of the ESAPI Encoder implementation.
        Specified by:
        getEncoderImplementation in interface SecurityConfiguration

      • getAccessControlImplementation

        public java.lang.String getAccessControlImplementation()
        Returns the fully qualified classname of the ESAPI Access Control implementation.
        Specified by:
        getAccessControlImplementation in interface SecurityConfiguration

      • getEncryptionImplementation

        public java.lang.String getEncryptionImplementation()
        Returns the fully qualified classname of the ESAPI Encryption implementation.
        Specified by:
        getEncryptionImplementation in interface SecurityConfiguration

      • getRandomizerImplementation

        public java.lang.String getRandomizerImplementation()
        Returns the fully qualified classname of the ESAPI Randomizer implementation.
        Specified by:
        getRandomizerImplementation in interface SecurityConfiguration

      • getExecutorImplementation

        public java.lang.String getExecutorImplementation()
        Returns the fully qualified classname of the ESAPI OS Execution implementation.
        Specified by:
        getExecutorImplementation in interface SecurityConfiguration

      • getValidationImplementation

        public java.lang.String getValidationImplementation()
        Returns the fully qualified classname of the ESAPI Validation implementation.
        Specified by:
        getValidationImplementation in interface SecurityConfiguration

      • getMasterKey

        public byte[] getMasterKey()
        Gets the master key. This password is used to encrypt/decrypt other files or types of data that need to be protected by your application.
        Specified by:
        getMasterKey in interface SecurityConfiguration
        Returns:
        the current master key

      • setResourceDirectory

        public void setResourceDirectory​(java.lang.String dir)
        Sets the ESAPI resource directory.
        Specified by:
        setResourceDirectory in interface SecurityConfiguration
        Parameters:
        dir - The location of the resource directory.

      • getEncryptionKeyLength

        public int getEncryptionKeyLength()
        Description copied from interface: SecurityConfiguration
        Gets the key length to use in cryptographic operations declared in the ESAPI properties file. Note that this corresponds to the ESAPI property Encryptor.EncryptionKeyLength which is considered the default key size that ESAPI will use for symmetric ciphers supporting multiple key sizes. (Note that there is also an Encryptor.MinEncryptionKeyLength, which is the minimum key size (in bits) that ESAPI will support for encryption. (There is no miminimum for decryption.)
        Specified by:
        getEncryptionKeyLength in interface SecurityConfiguration
        Returns:
        the key length (in bits)

      • getMasterSalt

        public byte[] getMasterSalt()
        Gets the master salt that is used to salt stored password hashes and any other location where a salt is needed.
        Specified by:
        getMasterSalt in interface SecurityConfiguration
        Returns:
        the current master salt

      • getAllowedExecutables

        public java.util.List<java.lang.String> getAllowedExecutables()
        Gets the allowed executables to run with the Executor.
        Specified by:
        getAllowedExecutables in interface SecurityConfiguration
        Returns:
        a list of the current allowed file extensions

      • getAllowedFileExtensions

        public java.util.List<java.lang.String> getAllowedFileExtensions()
        Gets the allowed file extensions for files that are uploaded to this application.
        Specified by:
        getAllowedFileExtensions in interface SecurityConfiguration
        Returns:
        a list of the current allowed file extensions

      • getAllowedFileUploadSize

        public int getAllowedFileUploadSize()
        Gets the maximum allowed file upload size.
        Specified by:
        getAllowedFileUploadSize in interface SecurityConfiguration
        Returns:
        the current allowed file upload size

      • loadConfiguration

        protected void loadConfiguration()
                          throws java.io.IOException
        Load configuration. Never prints properties.
        Throws:
        java.io.IOException - if the file is inaccessible

      • getResourceStream

        public java.io.InputStream getResourceStream​(java.lang.String filename)
                                      throws java.io.IOException
        Description copied from interface: SecurityConfiguration
        Gets an InputStream to a file in the resource directory
        Specified by:
        getResourceStream in interface SecurityConfiguration
        Parameters:
        filename -
        Returns:
        An InputStream associated with the specified file name as a resource stream.
        Throws:
        java.io.IOException - If the file cannot be found or opened for reading.

      • getResourceFile

        public java.io.File getResourceFile​(java.lang.String filename)
        Gets a file from the resource directory
        Specified by:
        getResourceFile in interface SecurityConfiguration
        Parameters:
        filename - The file name resource.
        Returns:
        A File object representing the specified file name or null if not found.

      • logToStdout

        public static final void logToStdout​(java.lang.String msg,
                                     java.lang.Throwable t)
        Log to standard output (i.e., System.out. This method is synchronized to reduce the possibility of interleaving the message output (since the System.out PrintStream is buffered) it invoked from multiple threads. Output is discarded if the System property "org.owasp.esapi.logSpecial.discard" is set to true.
        Parameters:
        msg - Message to be logged.
        t - Associated exception that was caught. The class name and exception message is also logged.

      • getPasswordParameterName

        public java.lang.String getPasswordParameterName()
        Gets the name of the password parameter used during user authentication.
        Specified by:
        getPasswordParameterName in interface SecurityConfiguration
        Returns:
        the name of the password parameter

      • getUsernameParameterName

        public java.lang.String getUsernameParameterName()
        Gets the name of the username parameter used during user authentication.
        Specified by:
        getUsernameParameterName in interface SecurityConfiguration
        Returns:
        the name of the username parameter

      • getEncryptionAlgorithm

        public java.lang.String getEncryptionAlgorithm()
        Gets the encryption algorithm used by ESAPI to protect data. This is mostly used for compatibility with ESAPI 1.4; ESAPI 2.0 prefers to use "cipher transformation" since it supports multiple cipher modes and padding schemes.
        Specified by:
        getEncryptionAlgorithm in interface SecurityConfiguration
        Returns:
        the current encryption algorithm

      • getCipherTransformation

        public java.lang.String getCipherTransformation()
        Retrieve the cipher transformation. In general, the cipher transformation is a specification of cipher algorithm, cipher mode, and padding scheme and in general, is a String that takes the following form: 
                        cipher_alg/cipher_mode[bits]/padding_scheme
        where cipher_alg is the JCE cipher algorithm (e.g., "DESede"), cipher_mode is the cipher mode (e.g., "CBC", "CFB", "CTR", etc.), and padding_scheme is the cipher padding scheme (e.g., "NONE" for no padding, "PKCS5Padding" for PKCS#5 padding, etc.) and where [bits] is an optional bit size that applies to certain cipher modes such as CFB and OFB. Using modes such as CFB and OFB, block ciphers can encrypt data in units smaller than the cipher's actual block size. When requesting such a mode, you may optionally specify the number of bits to be processed at a time. This generally must be an integral multiple of 8-bits so that it can specify a whole number of octets.

        Examples are: 

                        "AES/ECB/NoPadding"             // Default for ESAPI Java 1.4 (insecure)
                "AES/CBC/PKCS5Padding"  // Default for ESAPI Java 2.0
                "DESede/OFB32/PKCS5Padding"
        NOTE: Occasionally, in cryptographic literature, you may also see the key size (in bits) specified after the cipher algorithm in the cipher transformation. Generally, this is done to account for cipher algorithms that have variable key sizes. The Blowfish cipher for example supports key sizes from 32 to 448 bits. So for Blowfish, you might see a cipher transformation something like this: 
                        "Blowfish-192/CFB8/PKCS5Padding"
        in the cryptographic literature. It should be noted that the Java Cryptography Extensions (JCE) do not generally support this (at least not the reference JCE implementation of "SunJCE"), and therefore it should be avoided.
        Specified by:
        getCipherTransformation in interface SecurityConfiguration
        Returns:
        The cipher transformation.

      • setCipherTransformation

        public java.lang.String setCipherTransformation​(java.lang.String cipherXform)
        Set the cipher transformation. This allows a different cipher transformation to be used without changing the ESAPI.properties file. For instance you may normally want to use AES/CBC/PKCS5Padding, but have some legacy encryption where you have ciphertext that was encrypted using 3DES.
        Specified by:
        setCipherTransformation in interface SecurityConfiguration
        Parameters:
        cipherXform - The new cipher transformation. See SecurityConfiguration.getCipherTransformation() for format. If null is passed as the parameter, the cipher transformation will be set to the the default taken from the property Encryptor.CipherTransformation in the ESAPI.properties file. BEWARE: there is NO sanity checking here (other than the empty string, and then, only if Java assertions are enabled), so if you set this wrong, you will not get any errors until you later try to use it to encrypt or decrypt data.
        Returns:
        The previous cipher transformation is returned for convenience, with the assumption that you may wish to restore it once you have completed the encryption / decryption with the new cipher transformation.

      • useMACforCipherText

        public boolean useMACforCipherText()
        Determines whether the CipherText should be used with a Message Authentication Code (MAC). Generally this makes for a more robust cryptographic scheme, but there are some minor performance implications. Controlled by the ESAPI property Encryptor.CipherText.useMAC.

        For further details, see the "Advanced Usage" section of "Why Is OWASP Changing ESAPI Encryption?".

        Specified by:
        useMACforCipherText in interface SecurityConfiguration
        Returns:
        true if a you want a MAC to be used, otherwise false.

      • overwritePlainText

        public boolean overwritePlainText()
        Indicates whether the PlainText objects may be overwritten after they have been encrypted. Generally this is a good idea, especially if your VM is shared by multiple applications (e.g., multiple applications running in the same J2EE container) or if there is a possibility that your VM may leave a core dump (say because it is running non-native Java code.

        Controlled by the property Encryptor.PlainText.overwrite in the ESAPI.properties file.

        Specified by:
        overwritePlainText in interface SecurityConfiguration
        Returns:
        True if it is OK to overwrite the PlainText objects after encrypting, false otherwise.

      • getIVType

        public java.lang.String getIVType()
        Get a string indicating how to compute an Initialization Vector (IV). Currently supported modes are "random" to generate a random IV or "fixed" to use a fixed (static) IV. WARNING: 'fixed' was only intended to support legacy applications with fixed IVs, but the use of non-random IVs is inherently insecure, especially for any supported cipher mode that is considered a streaming mode (which is basically anything except CBC for modes that support require an IV). For this reason, 'fixed' is considered deprecated and will be removed during the next ESAPI point release (tentatively, 2.3). However, note that if a "fixed" IV is chosen, then the the value of this fixed IV must be specified as the property Encryptor.fixedIV and be of the appropriate length.
        Specified by:
        getIVType in interface SecurityConfiguration
        Returns:
        A string specifying the IV type. Should be "random" or "fixed" (dereprected).
        See Also:
        SecurityConfiguration.getFixedIV()

      • getFixedIV

        @Deprecated
public java.lang.String getFixedIV()
        Deprecated.
        If a "fixed" (i.e., static) Initialization Vector (IV) is to be used, this will return the IV value as a hex-encoded string.
        Specified by:
        getFixedIV in interface SecurityConfiguration
        Returns:
        The fixed IV as a hex-encoded string.

      • getHashAlgorithm

        public java.lang.String getHashAlgorithm()
        Gets the hashing algorithm used by ESAPI to hash data.
        Specified by:
        getHashAlgorithm in interface SecurityConfiguration
        Returns:
        the current hashing algorithm

      • getHashIterations

        public int getHashIterations()
        Gets the hash iterations used by ESAPI to hash data.
        Specified by:
        getHashIterations in interface SecurityConfiguration
        Returns:
        the current hashing algorithm

      • getKDFPseudoRandomFunction

        public java.lang.String getKDFPseudoRandomFunction()
        Retrieve the Pseudo Random Function (PRF) used by the ESAPI Key Derivation Function (KDF).
        Specified by:
        getKDFPseudoRandomFunction in interface SecurityConfiguration
        Returns:
        The KDF PRF algorithm name.

      • getCharacterEncoding

        public java.lang.String getCharacterEncoding()
        Gets the character encoding scheme supported by this application. This is used to set the character encoding scheme on requests and responses when setCharacterEncoding() is called on SafeRequests and SafeResponses. This scheme is also used for encoding/decoding URLs and any other place where the current encoding scheme needs to be known.

        Note: This does not get the configured response content type. That is accessed by calling getResponseContentType().
        Specified by:
        getCharacterEncoding in interface SecurityConfiguration
        Returns:
        the current character encoding scheme

      • getAllowMultipleEncoding

        public boolean getAllowMultipleEncoding()
        Return true if multiple encoding is allowed
        Specified by:
        getAllowMultipleEncoding in interface SecurityConfiguration
        Returns:
        whether multiple encoding is allowed when canonicalizing data

      • getAllowMixedEncoding

        public boolean getAllowMixedEncoding()
        Return true if mixed encoding is allowed
        Specified by:
        getAllowMixedEncoding in interface SecurityConfiguration
        Returns:
        whether mixed encoding is allowed when canonicalizing data

      • getDefaultCanonicalizationCodecs

        public java.util.List<java.lang.String> getDefaultCanonicalizationCodecs()
        Returns the List of Codecs to use when canonicalizing data
        Specified by:
        getDefaultCanonicalizationCodecs in interface SecurityConfiguration
        Returns:
        the codec list

      • getDigitalSignatureAlgorithm

        public java.lang.String getDigitalSignatureAlgorithm()
        Gets the digital signature algorithm used by ESAPI to generate and verify signatures.
        Specified by:
        getDigitalSignatureAlgorithm in interface SecurityConfiguration
        Returns:
        the current digital signature algorithm

      • getDigitalSignatureKeyLength

        public int getDigitalSignatureKeyLength()
        Gets the digital signature key length used by ESAPI to generate and verify signatures.
        Specified by:
        getDigitalSignatureKeyLength in interface SecurityConfiguration
        Returns:
        the current digital signature key length

      • getRandomAlgorithm

        public java.lang.String getRandomAlgorithm()
        Gets the random number generation algorithm used to generate random numbers where needed.
        Specified by:
        getRandomAlgorithm in interface SecurityConfiguration
        Returns:
        the current random number generation algorithm

      • getAllowedLoginAttempts

        public int getAllowedLoginAttempts()
        Gets the number of login attempts allowed before the user's account is locked. If this many failures are detected within the alloted time period, the user's account will be locked.
        Specified by:
        getAllowedLoginAttempts in interface SecurityConfiguration
        Returns:
        the number of failed login attempts that cause an account to be locked

      • getMaxOldPasswordHashes

        public int getMaxOldPasswordHashes()
        Gets the maximum number of old password hashes that should be retained. These hashes can be used to ensure that the user doesn't reuse the specified number of previous passwords when they change their password.
        Specified by:
        getMaxOldPasswordHashes in interface SecurityConfiguration
        Returns:
        the number of old hashed passwords to retain

      • getUploadDirectory

        public java.io.File getUploadDirectory()
        Retrieves the upload directory as specified in the ESAPI.properties file.
        Specified by:
        getUploadDirectory in interface SecurityConfiguration
        Returns:
        the upload directory

      • getUploadTempDirectory

        public java.io.File getUploadTempDirectory()
        Retrieves the temp directory to use when uploading files, as specified in ESAPI.properties.
        Specified by:
        getUploadTempDirectory in interface SecurityConfiguration
        Returns:
        the temp directory

      • getDisableIntrusionDetection

        public boolean getDisableIntrusionDetection()
        Allows for complete disabling of all intrusion detection mechanisms
        Specified by:
        getDisableIntrusionDetection in interface SecurityConfiguration
        Returns:
        true if intrusion detection should be disabled

      • getQuota

        public SecurityConfiguration.Threshold getQuota​(java.lang.String eventName)
        Gets the intrusion detection quota for the specified event.
        Specified by:
        getQuota in interface SecurityConfiguration
        Parameters:
        eventName - the name of the event whose quota is desired
        Returns:
        the Quota that has been configured for the specified type of event

      • getLogEncodingRequired

        public boolean getLogEncodingRequired()
        Returns whether HTML entity encoding should be applied to log entries.
        Specified by:
        getLogEncodingRequired in interface SecurityConfiguration
        Returns:
        True if log entries are to be HTML Entity encoded. False otherwise.

      • getLogApplicationName

        public boolean getLogApplicationName()
        Returns whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.
        Specified by:
        getLogApplicationName in interface SecurityConfiguration
        Returns:
        True if ESAPI should log the application name, False otherwise

      • getLogServerIP

        public boolean getLogServerIP()
        Returns whether ESAPI should log the server IP. This might be clutter in some single-server environments.
        Specified by:
        getLogServerIP in interface SecurityConfiguration
        Returns:
        True if ESAPI should log the server IP and port, False otherwise

      • getResponseContentType

        public java.lang.String getResponseContentType()
        Gets the content type for responses used when setSafeContentType() is called.

        Note: This does not get the configured character encoding scheme. That is accessed by calling getCharacterEncoding().
        Specified by:
        getResponseContentType in interface SecurityConfiguration
        Returns:
        The current content-type set for responses.

      • getHttpSessionIdName

        public java.lang.String getHttpSessionIdName()
        This method returns the configured name of the session identifier, likely "JSESSIONID" though this can be overridden.
        Specified by:
        getHttpSessionIdName in interface SecurityConfiguration
        Returns:
        The name of the session identifier, like "JSESSIONID"

      • getRememberTokenDuration

        public long getRememberTokenDuration()
        Gets the length of the time to live window for remember me tokens (in milliseconds).
        Specified by:
        getRememberTokenDuration in interface SecurityConfiguration
        Returns:
        The time to live length for generated "remember me" tokens.

      • getSessionIdleTimeoutLength

        public int getSessionIdleTimeoutLength()
        Gets the idle timeout length for sessions (in milliseconds). This is the amount of time that a session can live before it expires due to lack of activity. Applications or frameworks could provide a reauthenticate function that enables a session to continue after reauthentication.
        Specified by:
        getSessionIdleTimeoutLength in interface SecurityConfiguration
        Returns:
        The session idle timeout length.

      • getSessionAbsoluteTimeoutLength

        public int getSessionAbsoluteTimeoutLength()
        Gets the absolute timeout length for sessions (in milliseconds). This is the amount of time that a session can live before it expires regardless of the amount of user activity. Applications or frameworks could provide a reauthenticate function that enables a session to continue after reauthentication.
        Specified by:
        getSessionAbsoluteTimeoutLength in interface SecurityConfiguration
        Returns:
        The session absolute timeout length.

      • getValidationPattern

        public java.util.regex.Pattern getValidationPattern​(java.lang.String key)
        getValidationPattern returns a single pattern based upon key
        Specified by:
        getValidationPattern in interface SecurityConfiguration
        Parameters:
        key - validation pattern name you'd like
        Returns:
        if key exists, the associated validation pattern, null otherwise

      • getWorkingDirectory

        public java.io.File getWorkingDirectory()
        getWorkingDirectory returns the default directory where processes will be executed by the Executor.
        Specified by:
        getWorkingDirectory in interface SecurityConfiguration

      • getPreferredJCEProvider

        public java.lang.String getPreferredJCEProvider()
        Retrieve the preferred JCE provider for ESAPI and your application. ESAPI 2.0 now allows setting the property Encryptor.PreferredJCEProvider in the ESAPI.properties file, which will cause the specified JCE provider to be automatically and dynamically loaded (assuming that SecurityManager permissions allow) as the Ii>preferred JCE provider. (Note this only happens if the JCE provider is not already loaded.) This method returns the property Encryptor.PreferredJCEProvider. By default, this Encryptor.PreferredJCEProvider property is set to an empty string, which means that the preferred JCE provider is not changed.
        Specified by:
        getPreferredJCEProvider in interface SecurityConfiguration
        Returns:
        The property Encryptor.PreferredJCEProvider is returned.
        See Also:
        SecurityProviderLoader

      • getCombinedCipherModes

        public java.util.List<java.lang.String> getCombinedCipherModes()
        Return a List of strings of combined cipher modes that support both confidentiality and authenticity. These would be preferred cipher modes to use if your JCE provider supports them. If such a cipher mode is used, no explicit separate MAC is calculated as part of the CipherText object upon encryption nor is any attempt made to verify the same on decryption.

        The list is taken from the comma-separated list of cipher modes specified by the ESAPI property Encryptor.cipher_modes.combined_modes.

        Specified by:
        getCombinedCipherModes in interface SecurityConfiguration
        Returns:
        The parsed list of comma-separated cipher modes if the property was specified in ESAPI.properties; otherwise the empty list is returned.

      • getAdditionalAllowedCipherModes

        public java.util.List<java.lang.String> getAdditionalAllowedCipherModes()
        Return List of strings of additional cipher modes that are permitted (i.e., in addition to those returned by SecurityConfiguration.getCombinedCipherModes()) to be used for encryption and decryption operations.

        The list is taken from the comma-separated list of cipher modes specified by the ESAPI property Encryptor.cipher_modes.additional_allowed.

        Specified by:
        getAdditionalAllowedCipherModes in interface SecurityConfiguration
        Returns:
        The parsed list of comma-separated cipher modes if the property was specified in ESAPI.properties; otherwise the empty list is returned.
        See Also:
        SecurityConfiguration.getCombinedCipherModes()

      • getLenientDatesAccepted

        public boolean getLenientDatesAccepted()
        Determines whether ESAPI will accept "lenient" dates when attempt to parse dates. Controlled by ESAPI property Validator.AcceptLenientDates, which defaults to false if unset.
        Specified by:
        getLenientDatesAccepted in interface SecurityConfiguration
        Returns:
        True if lenient dates are accepted; false otherwise.
        See Also:
        DateFormat.setLenient(boolean)

      • getESAPIProperty

        protected java.lang.String getESAPIProperty​(java.lang.String key,
                                            java.lang.String def)

      • getESAPIProperty

        protected boolean getESAPIProperty​(java.lang.String key,
                                   boolean def)

      • getESAPIPropertyEncoded

        protected byte[] getESAPIPropertyEncoded​(java.lang.String key,
                                         byte[] def)

      • getESAPIProperty

        protected int getESAPIProperty​(java.lang.String key,
                               int def)

      • getESAPIProperty

        protected java.util.List<java.lang.String> getESAPIProperty​(java.lang.String key,
                                                            java.util.List<java.lang.String> def)
        Returns a List representing the parsed, comma-separated property.
        Parameters:
        key - The specified property name
        def - A default value for the property name to return if the property is not set.
        Returns:
        A list of strings.

      • getIntProp

        public int getIntProp​(java.lang.String propertyName)
               throws ConfigurationException
        Get any int type property from security configuration. Looks for property in three configuration files in following order: 1.) In file defined as org.owasp.esapi.opsteam system property 2.) In file defined as org.owasp.esapi.devteam system property 3.) In ESAPI.properties*
        Specified by:
        getIntProp in interface EsapiPropertyLoader
        Returns:
        property value.
        Throws:
        ConfigurationException - when property does not exist in configuration or has incorrect type.

      • getByteArrayProp

        public byte[] getByteArrayProp​(java.lang.String propertyName)
                        throws ConfigurationException
        Get any byte array type property from security configuration. Looks for property in three configuration files in following order: 1.) In file defined as org.owasp.esapi.opsteam system property 2.) In file defined as org.owasp.esapi.devteam system property 3.) In ESAPI.properties
        Specified by:
        getByteArrayProp in interface EsapiPropertyLoader
        Returns:
        property value.
        Throws:
        ConfigurationException - when property does not exist in configuration or has incorrect type.

      • getBooleanProp

        public java.lang.Boolean getBooleanProp​(java.lang.String propertyName)
                                 throws ConfigurationException
        Get any Boolean type property from security configuration. Looks for property in three configuration files in following order: 1.) In file defined as org.owasp.esapi.opsteam system property 2.) In file defined as org.owasp.esapi.devteam system property 3.) In ESAPI.properties
        Specified by:
        getBooleanProp in interface EsapiPropertyLoader
        Returns:
        property value.
        Throws:
        ConfigurationException - when property does not exist in configuration or has incorrect type.

      • getStringProp

        public java.lang.String getStringProp​(java.lang.String propertyName)
                               throws ConfigurationException
        Get any property from security configuration. As every property can be returned as string, this method throws exception only when property does not exist. Looks for property in three configuration files in following order: 1.) In file defined as org.owasp.esapi.opsteam system property 2.) In file defined as org.owasp.esapi.devteam system property 3.) In ESAPI.properties
        Specified by:
        getStringProp in interface EsapiPropertyLoader
        Returns:
        property value.
        Throws:
        ConfigurationException - when property does not exist in configuration.

      • shouldPrintProperties

        protected boolean shouldPrintProperties()

      • getESAPIProperties

        protected java.util.Properties getESAPIProperties()