Package org.owasp.esapi
Interface SecurityConfiguration

- All Superinterfaces: EsapiPropertyLoader
- All Known Implementing Classes: DefaultSecurityConfiguration

public interface SecurityConfiguration extends EsapiPropertyLoader

The SecurityConfiguration interface stores all configuration information that directs the behavior of the ESAPI implementation.

Protection of this configuration information is critical to the secure operation of the application using the ESAPI. You should use operating system access controls to limit access to wherever the configuration information is stored.

Please note that adding another layer of encryption does not make the attacker's job much more difficult. Somewhere there must be a master "secret" that is stored unencrypted on the application platform (unless you are willing to prompt for some passphrase when your application starts, or insert a USB thumb drive or an HSM card, etc., in which case this master "secret" would only be in memory). Creating another layer of indirection provides additional obfuscation, but doesn't provide any real additional security. It's up to the reference implementation to decide whether this file should be encrypted or not.

The ESAPI reference implementation (DefaultSecurityConfiguration.java) does not encrypt its properties file.

- Since: June 1, 2007
- Author: Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
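The paragraph above leaves protection of the configuration file to operating system access controls. The following is an added example (not ESAPI code) of a startup check that reports any group/other permission bits on the file holding the configuration; the file path, the `ConfigFilePermissionCheck` class name and the temporary stand-in file written in `main` are assumptions of this example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.Set;

/**
 * Startup check for the file that backs SecurityConfiguration (ESAPI.properties).
 * Reports permission bits that expose the file to anyone but its owner, which is
 * what the interface documentation asks OS access controls to prevent.
 * Added example; not part of ESAPI.
 */
public final class ConfigFilePermissionCheck {

    /** Bits that grant access beyond the owning account. */
    private static final Set<PosixFilePermission> EXPOSED = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.GROUP_EXECUTE, PosixFilePermission.OTHERS_READ,
            PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    /**
     * Returns the permission bits on {@code file} that grant access to anyone other
     * than the owner. An empty set means the file passes the check.
     */
    public static Set<PosixFilePermission> exposedBits(Path file) throws IOException {
        Set<PosixFilePermission> actual = Files.getPosixFilePermissions(file);
        Set<PosixFilePermission> bad = EnumSet.noneOf(PosixFilePermission.class);
        for (PosixFilePermission p : actual) {
            if (EXPOSED.contains(p)) {
                bad.add(p);
            }
        }
        return bad;
    }

    /** Runs the check and prints a one-line verdict; returns true when the file is owner-only. */
    public static boolean report(Path file) throws IOException {
        Set<PosixFilePermission> bad = exposedBits(file);
        if (bad.isEmpty()) {
            System.out.println("OK   " + file + " is readable by its owner only");
            return true;
        }
        System.out.println("WARN " + file + " exposes " + bad + "; restrict with OS access controls");
        return false;
    }

    public static void main(String[] args) throws IOException {
        // With a path argument, check that file; otherwise demonstrate on a constructed
        // temporary stand-in for ESAPI.properties (no real secrets are written).
        if (args.length == 1) {
            report(Path.of(args[0]));
            return;
        }
        Path sample = Files.createTempFile("ESAPI", ".properties");
        try {
            Files.write(sample, Arrays.asList("# constructed sample configuration file"));
            Files.setPosixFilePermissions(sample, PosixFilePermissions.fromString("rw-r--r--"));
            report(sample);   // expected: WARN, group/other read bits present
            Files.setPosixFilePermissions(sample, PosixFilePermissions.fromString("rw-------"));
            report(sample);   // expected: OK
        } catch (UnsupportedOperationException e) {
            System.out.println("POSIX permissions not supported on this file system: " + e);
        } finally {
            Files.deleteIfExists(sample);
        }
    }
}
```

On Windows file systems `Files.getPosixFilePermissions` throws `UnsupportedOperationException`; the check would need the ACL view there, which this example does not implement.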
Nested Class Summary

- static class SecurityConfiguration.Threshold
  Models a simple threshold as a count and an interval, along with a set of actions to take if the threshold is exceeded.
Method Summary

All Methods | Instance Methods | Abstract Methods | Deprecated Methods

Modifier and Type, Method, Description:

- java.lang.String getAccessControlImplementation()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- java.util.List<java.lang.String> getAdditionalAllowedCipherModes()
  Return a List of strings of additional cipher modes that are permitted (i.e., in addition to those returned by getCombinedCipherModes()) to be used for encryption and decryption operations.
- java.util.List<java.lang.String> getAllowedExecutables()
  Gets the allowed executables to run with the Executor.
- java.util.List<java.lang.String> getAllowedFileExtensions()
  Gets the allowed file extensions for files that are uploaded to this application.
- int getAllowedFileUploadSize()
  Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
- int getAllowedLoginAttempts()
  Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
- boolean getAllowMixedEncoding()
  Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
- boolean getAllowMultipleEncoding()
  Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
- java.lang.String getApplicationName()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- java.lang.String getAuthenticationImplementation()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- java.lang.String getCharacterEncoding()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- java.lang.String getCipherTransformation()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- java.util.List<java.lang.String> getCombinedCipherModes()
  Return a List of strings of combined cipher modes that support both confidentiality and authenticity.
- java.util.List<java.lang.String> getDefaultCanonicalizationCodecs()
  Returns the List of Codecs to use when canonicalizing data.
- java.lang.String getDigitalSignatureAlgorithm()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- int getDigitalSignatureKeyLength()
  Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
- boolean getDisableIntrusionDetection()
  Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
- java.lang.String getEncoderImplementation()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- java.lang.String getEncryptionAlgorithm()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- java.lang.String getEncryptionImplementation()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- int getEncryptionKeyLength()
  Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
- java.lang.String getExecutorImplementation()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- boolean getForceHttpOnlyCookies()
  Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
- boolean getForceHttpOnlySession()
  Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
- boolean getForceSecureCookies()
  Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
- boolean getForceSecureSession()
  Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
- java.lang.String getHashAlgorithm()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- int getHashIterations()
  Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
- java.lang.String getHttpSessionIdName()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- java.lang.String getHTTPUtilitiesImplementation()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- java.lang.String getIntrusionDetectionImplementation()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- java.lang.String getIVType()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- java.lang.String getKDFPseudoRandomFunction()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- boolean getLenientDatesAccepted()
  Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
- boolean getLogApplicationName()
  Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
- boolean getLogEncodingRequired()
  Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
- java.lang.String getLogImplementation()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- boolean getLogServerIP()
  Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
- byte[] getMasterKey()
  Deprecated. Use SecurityConfiguration.getByteArrayProp("appropriate_esapi_prop_name") instead.
- byte[] getMasterSalt()
  Deprecated. Use SecurityConfiguration.getByteArrayProp("appropriate_esapi_prop_name") instead.
- int getMaxHttpHeaderSize()
  Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
- int getMaxOldPasswordHashes()
  Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
- java.lang.String getPasswordParameterName()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- java.lang.String getPreferredJCEProvider()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- SecurityConfiguration.Threshold getQuota(java.lang.String eventName)
  Gets the intrusion detection quota for the specified event.
- java.lang.String getRandomAlgorithm()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- java.lang.String getRandomizerImplementation()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- long getRememberTokenDuration()
  Gets the length of the time to live window for remember me tokens (in milliseconds).
- java.io.File getResourceFile(java.lang.String filename)
  Gets a file from the resource directory.
- java.io.InputStream getResourceStream(java.lang.String filename)
  Gets an InputStream to a file in the resource directory.
- java.lang.String getResponseContentType()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- int getSessionAbsoluteTimeoutLength()
  Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
- int getSessionIdleTimeoutLength()
  Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
- java.io.File getUploadDirectory()
  Retrieves the upload directory as specified in the ESAPI.properties file.
- java.io.File getUploadTempDirectory()
  Retrieves the temp directory to use when uploading files, as specified in ESAPI.properties.
- java.lang.String getUsernameParameterName()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- java.lang.String getValidationImplementation()
  Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
- java.util.regex.Pattern getValidationPattern(java.lang.String typeName)
  Returns the validation pattern for a particular type.
- java.io.File getWorkingDirectory()
  Returns the default working directory for executing native processes with Runtime.exec().
- boolean overwritePlainText()
  Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
- java.lang.String setCipherTransformation(java.lang.String cipherXform)
  Deprecated. To be replaced by new class in ESAPI 2.1, but here if you need it until then.
- void setResourceDirectory(java.lang.String dir)
  Sets the ESAPI resource directory.
- boolean useMACforCipherText()
  Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Methods inherited from interface org.owasp.esapi.configuration.EsapiPropertyLoader:
getBooleanProp, getByteArrayProp, getIntProp, getStringProp

Method Detail

getApplicationName

@Deprecated java.lang.String getApplicationName()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Gets the application name, used for logging.

- Returns: the name of the current application

getLogImplementation

@Deprecated java.lang.String getLogImplementation()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Returns the fully qualified classname of the ESAPI Logging implementation.

getAuthenticationImplementation

@Deprecated java.lang.String getAuthenticationImplementation()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Returns the fully qualified classname of the ESAPI Authentication implementation.

getEncoderImplementation

@Deprecated java.lang.String getEncoderImplementation()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Returns the fully qualified classname of the ESAPI Encoder implementation.

getAccessControlImplementation

@Deprecated java.lang.String getAccessControlImplementation()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Returns the fully qualified classname of the ESAPI Access Control implementation.

getIntrusionDetectionImplementation

@Deprecated java.lang.String getIntrusionDetectionImplementation()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Returns the fully qualified classname of the ESAPI Intrusion Detection implementation.

getRandomizerImplementation

@Deprecated java.lang.String getRandomizerImplementation()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Returns the fully qualified classname of the ESAPI Randomizer implementation.

getEncryptionImplementation

@Deprecated java.lang.String getEncryptionImplementation()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Returns the fully qualified classname of the ESAPI Encryption implementation.

getValidationImplementation

@Deprecated java.lang.String getValidationImplementation()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Returns the fully qualified classname of the ESAPI Validation implementation.

getValidationPattern

java.util.regex.Pattern getValidationPattern(java.lang.String typeName)

Returns the validation pattern for a particular type.

- Parameters: typeName - the name of the validation type
- Returns: the validation pattern

getLenientDatesAccepted

@Deprecated boolean getLenientDatesAccepted()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Determines whether ESAPI will accept "lenient" dates when attempting to parse dates. Controlled by the ESAPI property Validator.AcceptLenientDates, which defaults to false if unset.

- Returns: True if lenient dates are accepted; false otherwise.
- See Also: DateFormat.setLenient(boolean)

getExecutorImplementation

@Deprecated java.lang.String getExecutorImplementation()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Returns the fully qualified classname of the ESAPI OS Execution implementation.

getHTTPUtilitiesImplementation

@Deprecated java.lang.String getHTTPUtilitiesImplementation()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Returns the fully qualified classname of the ESAPI HTTPUtilities implementation.

getMasterKey

@Deprecated byte[] getMasterKey()

Deprecated. Use SecurityConfiguration.getByteArrayProp("appropriate_esapi_prop_name") instead.

Gets the master key. This password is used to encrypt/decrypt other files or types of data that need to be protected by your application.

- Returns: the current master key

getUploadDirectory

java.io.File getUploadDirectory()

Retrieves the upload directory as specified in the ESAPI.properties file.

- Returns: the upload directory

getUploadTempDirectory

java.io.File getUploadTempDirectory()

Retrieves the temp directory to use when uploading files, as specified in ESAPI.properties.

- Returns: the temp directory

getEncryptionKeyLength

@Deprecated int getEncryptionKeyLength()

Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.

Gets the key length to use in cryptographic operations declared in the ESAPI properties file. Note that this corresponds to the ESAPI property Encryptor.EncryptionKeyLength, which is considered the default key size that ESAPI will use for symmetric ciphers supporting multiple key sizes. (Note that there is also an Encryptor.MinEncryptionKeyLength, which is the minimum key size (in bits) that ESAPI will support for encryption. There is no minimum for decryption.)

- Returns: the key length (in bits)

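The deprecation notes on this page all point to the EsapiPropertyLoader methods (getIntProp, getStringProp, getBooleanProp), and the getEncryptionKeyLength note introduces a second property, Encryptor.MinEncryptionKeyLength, that bounds the first. The following added example (not ESAPI's own code) reads the cryptographic properties named on this page through those non-deprecated methods and cross-checks them at startup. It assumes the ESAPI jar is on the classpath and that ESAPI.properties is reachable; the class name `CryptoConfigSelfCheck` and the decision to treat ECB as a failure are this example's choices (the page itself labels the "AES/ECB/NoPadding" default of ESAPI Java 1.4 as insecure).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.SecurityConfiguration;
import org.owasp.esapi.errors.ConfigurationException;

/**
 * Startup self-check of the cryptographic settings exposed by SecurityConfiguration,
 * read via the EsapiPropertyLoader methods recommended by the deprecation notes.
 * Added example; not part of ESAPI.
 */
public final class CryptoConfigSelfCheck {

    /** Returns the list of problems found; an empty list means the configuration passes. */
    public static List<String> verify(SecurityConfiguration cfg) throws ConfigurationException {
        List<String> problems = new ArrayList<>();

        // Encryptor.EncryptionKeyLength is the default symmetric key size;
        // Encryptor.MinEncryptionKeyLength is the floor ESAPI enforces for encryption.
        int keyLength = cfg.getIntProp("Encryptor.EncryptionKeyLength");
        int minKeyLength = cfg.getIntProp("Encryptor.MinEncryptionKeyLength");
        if (keyLength < minKeyLength) {
            problems.add("Encryptor.EncryptionKeyLength (" + keyLength
                    + ") is below Encryptor.MinEncryptionKeyLength (" + minKeyLength + ")");
        }
        if (keyLength % 8 != 0) {
            problems.add("Encryptor.EncryptionKeyLength (" + keyLength + ") is not a whole number of bytes");
        }

        // cipher_alg/cipher_mode[bits]/padding_scheme; the middle part is the mode.
        String xform = cfg.getStringProp("Encryptor.CipherTransformation");
        String[] parts = xform.split("/");
        if (parts.length != 3) {
            problems.add("Encryptor.CipherTransformation is malformed: " + xform);
            return problems;
        }
        String mode = parts[1].replaceAll("\\d+$", "").toUpperCase(Locale.ROOT);
        if ("ECB".equals(mode)) {
            problems.add("Encryptor.CipherTransformation uses ECB mode, which the ESAPI docs mark insecure: " + xform);
        }

        // Combined modes authenticate on their own; anything else relies on the separate MAC.
        boolean useMac = cfg.getBooleanProp("Encryptor.CipherText.useMAC");
        boolean combined = cfg.getCombinedCipherModes().contains(mode);
        if (!useMac && !combined) {
            problems.add("Encryptor.CipherText.useMAC=false with non-combined mode " + mode
                    + ": ciphertext integrity is not protected");
        }
        return problems;
    }

    public static void main(String[] args) {
        try {
            List<String> problems = verify(ESAPI.securityConfiguration());
            if (problems.isEmpty()) {
                System.out.println("ESAPI crypto configuration passes self-check");
            } else {
                problems.forEach(p -> System.out.println("FAIL " + p));
            }
        } catch (ConfigurationException e) {
            // Thrown when a property named above is missing from ESAPI.properties.
            System.out.println("configuration error: " + e.getMessage());
        }
    }
}
```

Run it once during application start-up, before any Encryptor use, so that a misconfigured key length or an unauthenticated cipher mode fails deployment rather than silently protecting data weakly.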
getMasterSalt

@Deprecated byte[] getMasterSalt()

Deprecated. Use SecurityConfiguration.getByteArrayProp("appropriate_esapi_prop_name") instead.

Gets the master salt that is used to salt stored password hashes and any other location where a salt is needed.

- Returns: the current master salt

getAllowedExecutables

java.util.List<java.lang.String> getAllowedExecutables()

Gets the allowed executables to run with the Executor.

- Returns: a list of the currently allowed executables

getAllowedFileExtensions

java.util.List<java.lang.String> getAllowedFileExtensions()

Gets the allowed file extensions for files that are uploaded to this application.

- Returns: a list of the current allowed file extensions

getAllowedFileUploadSize

@Deprecated int getAllowedFileUploadSize()

Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.

Gets the maximum allowed file upload size.

- Returns: the current allowed file upload size

getPasswordParameterName

@Deprecated java.lang.String getPasswordParameterName()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Gets the name of the password parameter used during user authentication.

- Returns: the name of the password parameter

getUsernameParameterName

@Deprecated java.lang.String getUsernameParameterName()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Gets the name of the username parameter used during user authentication.

- Returns: the name of the username parameter

getEncryptionAlgorithm

@Deprecated java.lang.String getEncryptionAlgorithm()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Gets the encryption algorithm used by ESAPI to protect data. This is mostly used for compatibility with ESAPI 1.4; ESAPI 2.0 prefers to use the "cipher transformation" since it supports multiple cipher modes and padding schemes.

- Returns: the current encryption algorithm

getCipherTransformation

@Deprecated java.lang.String getCipherTransformation()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Retrieve the cipher transformation. In general, the cipher transformation is a specification of cipher algorithm, cipher mode, and padding scheme, and is a String that takes the following form:

    cipher_alg/cipher_mode[bits]/padding_scheme

where cipher_alg is the JCE cipher algorithm (e.g., "DESede"), cipher_mode is the cipher mode (e.g., "CBC", "CFB", "CTR", etc.), and padding_scheme is the cipher padding scheme (e.g., "NONE" for no padding, "PKCS5Padding" for PKCS#5 padding, etc.), and where [bits] is an optional bit size that applies to certain cipher modes such as CFB and OFB. Using modes such as CFB and OFB, block ciphers can encrypt data in units smaller than the cipher's actual block size. When requesting such a mode, you may optionally specify the number of bits to be processed at a time. This generally must be an integral multiple of 8 bits so that it specifies a whole number of octets. Examples are:

    "AES/ECB/NoPadding"          // Default for ESAPI Java 1.4 (insecure)
    "AES/CBC/PKCS5Padding"       // Default for ESAPI Java 2.0
    "DESede/OFB32/PKCS5Padding"

NOTE: Occasionally, in cryptographic literature, you may also see the key size (in bits) specified after the cipher algorithm in the cipher transformation. Generally, this is done to account for cipher algorithms that have variable key sizes. The Blowfish cipher, for example, supports key sizes from 32 to 448 bits. So for Blowfish, you might see a cipher transformation something like this in the cryptographic literature:

    "Blowfish-192/CFB8/PKCS5Padding"

It should be noted that the Java Cryptography Extensions (JCE) do not generally support this (at least not the reference JCE implementation, "SunJCE"), and therefore it should be avoided.

- Returns: The cipher transformation.

setCipherTransformation

@Deprecated java.lang.String setCipherTransformation(java.lang.String cipherXform)

Deprecated. To be replaced by new class in ESAPI 2.1, but here if you need it until then. Details of replacement forthcoming to ESAPI-Dev list. Most likely to be replaced by a new CTOR for JavaEncryptor that takes a list of properties to override.

Set the cipher transformation. This allows a different cipher transformation to be used without changing the ESAPI.properties file. For instance, you may normally want to use AES/CBC/PKCS5Padding, but have some legacy encryption where you have ciphertext that was encrypted using 3DES.

- Parameters: cipherXform - The new cipher transformation. See getCipherTransformation() for the format. If null is passed as the parameter, the cipher transformation will be set to the default taken from the property Encryptor.CipherTransformation in the ESAPI.properties file. BEWARE: there is NO sanity checking here (other than for the empty string, and then only if Java assertions are enabled), so if you set this wrong, you will not get any errors until you later try to use it to encrypt or decrypt data.
- Returns: The previous cipher transformation is returned for convenience, with the assumption that you may wish to restore it once you have completed the encryption / decryption with the new cipher transformation.

getPreferredJCEProvider

@Deprecated java.lang.String getPreferredJCEProvider()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Retrieve the preferred JCE provider for ESAPI and your application. ESAPI 2.0 now allows setting the property Encryptor.PreferredJCEProvider in the ESAPI.properties file, which will cause the specified JCE provider to be automatically and dynamically loaded (assuming that SecurityManager permissions allow) as the preferred JCE provider. (Note this only happens if the JCE provider is not already loaded.) This method returns the property Encryptor.PreferredJCEProvider. By default, this Encryptor.PreferredJCEProvider property is set to an empty string, which means that the preferred JCE provider is not changed.

- Returns: The property Encryptor.PreferredJCEProvider is returned.
- See Also: SecurityProviderLoader

useMACforCipherText

@Deprecated boolean useMACforCipherText()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Determines whether the CipherText should be used with a Message Authentication Code (MAC). Generally this makes for a more robust cryptographic scheme, but there are some minor performance implications. Controlled by the ESAPI property Encryptor.CipherText.useMAC. For further details, see the "Advanced Usage" section of "Why Is OWASP Changing ESAPI Encryption?".

- Returns: true if you want a MAC to be used, otherwise false.

overwritePlainText

@Deprecated boolean overwritePlainText()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Indicates whether the PlainText objects may be overwritten after they have been encrypted. Generally this is a good idea, especially if your VM is shared by multiple applications (e.g., multiple applications running in the same J2EE container) or if there is a possibility that your VM may leave a core dump (say, because it is running non-native Java code). Controlled by the property Encryptor.PlainText.overwrite in the ESAPI.properties file.

- Returns: True if it is OK to overwrite the PlainText objects after encrypting, false otherwise.

getIVType

@Deprecated java.lang.String getIVType()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead. This method will be removed in a future release as it is now moot, since it can only legitimately have the single value of "random".

Get a string indicating how to compute an Initialization Vector (IV). Currently supported modes are "random" to generate a random IV or "fixed" to use a fixed (static) IV. WARNING: 'fixed' was only intended to support legacy applications with fixed IVs, but the use of non-random IVs is inherently insecure, especially for any supported cipher mode that is considered a streaming mode (which is basically anything except CBC among the modes that require an IV). For this reason, 'fixed' has now been removed (it was considered deprecated since release 2.2.0.0). An ESAPI.properties value of 'fixed' for the property will now result in an exception being thrown.

- Returns: A string specifying the IV type. Should be "random". Anything else should fail with an exception being thrown.
- See Also: #getFixedIV()

getCombinedCipherModes

java.util.List<java.lang.String> getCombinedCipherModes()

Return a List of strings of combined cipher modes that support both confidentiality and authenticity. These would be the preferred cipher modes to use if your JCE provider supports them. If such a cipher mode is used, no explicit separate MAC is calculated as part of the CipherText object upon encryption, nor is any attempt made to verify the same on decryption. The list is taken from the comma-separated list of cipher modes specified by the ESAPI property Encryptor.cipher_modes.combined_modes.

- Returns: The parsed list of comma-separated cipher modes if the property was specified in ESAPI.properties; otherwise the empty list is returned.

getAdditionalAllowedCipherModes

java.util.List<java.lang.String> getAdditionalAllowedCipherModes()

Return a List of strings of additional cipher modes that are permitted (i.e., in addition to those returned by getCombinedCipherModes()) to be used for encryption and decryption operations. The list is taken from the comma-separated list of cipher modes specified by the ESAPI property Encryptor.cipher_modes.additional_allowed.

- Returns: The parsed list of comma-separated cipher modes if the property was specified in ESAPI.properties; otherwise the empty list is returned.
- See Also: getCombinedCipherModes()

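The getCipherTransformation() and setCipherTransformation() entries describe the cipher_alg/cipher_mode[bits]/padding_scheme form and warn that setCipherTransformation performs no sanity checking, while getCombinedCipherModes() and getAdditionalAllowedCipherModes() define which modes are permitted. The following is an added example, not ESAPI's own code, that parses a transformation string by that documented form and checks its mode against the union of the two lists; it runs stand-alone on constructed sample lists, and the `CipherTransformationPolicy` class, its regular expression and the sample mode lists are this example's assumptions. ESAPI applies its own enforcement internally; this illustrates the documented rules so a caller can validate a value before handing it to setCipherTransformation.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Parses cipher_alg/cipher_mode[bits]/padding_scheme and checks the mode against the
 * combined and additional-allowed lists documented for SecurityConfiguration.
 * Added example; not part of ESAPI.
 */
public final class CipherTransformationPolicy {

    /** Parsed parts of a transformation string. */
    public static final class Transformation {
        public final String algorithm;
        public final String mode;     // e.g. "CBC" or "OFB"; the optional bit suffix is removed
        public final int bits;        // 0 when no [bits] suffix was given
        public final String padding;

        Transformation(String algorithm, String mode, int bits, String padding) {
            this.algorithm = algorithm;
            this.mode = mode;
            this.bits = bits;
            this.padding = padding;
        }
    }

    // algorithm / mode letters + optional digits / padding, nothing else.
    private static final Pattern FORM =
            Pattern.compile("^([A-Za-z0-9_]+)/([A-Za-z]+)(\\d*)/([A-Za-z0-9]+)$");

    /** Parses xform, or throws IllegalArgumentException describing what is wrong with it. */
    public static Transformation parse(String xform) {
        if (xform == null) {
            throw new IllegalArgumentException("cipher transformation is null");
        }
        Matcher m = FORM.matcher(xform.trim());
        if (!m.matches()) {
            // Rejects missing parts, extra parts, and key-size suffixes such as
            // "Blowfish-192", which the page notes SunJCE does not support.
            throw new IllegalArgumentException(
                    "not of the form cipher_alg/cipher_mode[bits]/padding_scheme: " + xform);
        }
        int bits = m.group(3).isEmpty() ? 0 : Integer.parseInt(m.group(3));
        if (bits % 8 != 0) {
            throw new IllegalArgumentException("bit size " + bits + " is not a multiple of 8");
        }
        return new Transformation(m.group(1), m.group(2).toUpperCase(Locale.ROOT), bits, m.group(4));
    }

    /** Splits a comma-separated mode list the way the two ESAPI properties are described. */
    public static List<String> splitModes(String csv) {
        List<String> out = new ArrayList<>();
        for (String s : csv.split(",")) {
            String mode = s.trim().toUpperCase(Locale.ROOT);
            if (!mode.isEmpty()) {
                out.add(mode);
            }
        }
        return out;
    }

    /** Permitted modes are the combined modes plus the additional allowed modes. */
    public static Set<String> allowedModes(List<String> combined, List<String> additional) {
        Set<String> allowed = new HashSet<>(combined);
        allowed.addAll(additional);
        return allowed;
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for Encryptor.cipher_modes.combined_modes
        // and Encryptor.cipher_modes.additional_allowed.
        List<String> combined = splitModes("GCM,CCM");
        List<String> additional = splitModes("CBC, CFB,OFB");
        Set<String> allowed = allowedModes(combined, additional);

        String[] samples = {
            "AES/ECB/NoPadding", "AES/CBC/PKCS5Padding", "DESede/OFB32/PKCS5Padding",
            "AES/GCM/NoPadding", "Blowfish-192/CFB8/PKCS5Padding", "AES/CFB12/NoPadding"
        };
        for (String s : samples) {
            try {
                Transformation t = parse(s);
                boolean combinedMode = combined.contains(t.mode);
                System.out.printf("%-32s mode=%-4s bits=%-3d allowed=%-5b separateMacNeeded=%b%n",
                        s, t.mode, t.bits, allowed.contains(t.mode), !combinedMode);
            } catch (IllegalArgumentException e) {
                System.out.printf("%-32s REJECTED: %s%n", s, e.getMessage());
            }
        }
    }
}
```

With the sample lists, "AES/ECB/NoPadding" parses but is not allowed (ECB is in neither list), "DESede/OFB32/PKCS5Padding" is allowed with a 32-bit unit, "AES/GCM/NoPadding" is allowed and needs no separate MAC, and "Blowfish-192/CFB8/PKCS5Padding" and "AES/CFB12/NoPadding" are rejected before they could reach setCipherTransformation.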
getHashAlgorithm

@Deprecated java.lang.String getHashAlgorithm()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Gets the hashing algorithm used by ESAPI to hash data.

- Returns: the current hashing algorithm

getHashIterations

@Deprecated int getHashIterations()

Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.

Gets the number of hash iterations used by ESAPI to hash data.

- Returns: the current number of hash iterations

getKDFPseudoRandomFunction

@Deprecated java.lang.String getKDFPseudoRandomFunction()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Retrieve the Pseudo Random Function (PRF) used by the ESAPI Key Derivation Function (KDF).

- Returns: The KDF PRF algorithm name.

getCharacterEncoding

@Deprecated java.lang.String getCharacterEncoding()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Gets the character encoding scheme supported by this application. This is used to set the character encoding scheme on requests and responses when setCharacterEncoding() is called on SafeRequests and SafeResponses. This scheme is also used for encoding/decoding URLs and any other place where the current encoding scheme needs to be known.

Note: This does not get the configured response content type. That is accessed by calling getResponseContentType().

- Returns: the current character encoding scheme

getAllowMultipleEncoding

@Deprecated boolean getAllowMultipleEncoding()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Return true if multiple encoding is allowed.

- Returns: whether multiple encoding is allowed when canonicalizing data

getAllowMixedEncoding

@Deprecated boolean getAllowMixedEncoding()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Return true if mixed encoding is allowed.

- Returns: whether mixed encoding is allowed when canonicalizing data

getDefaultCanonicalizationCodecs

java.util.List<java.lang.String> getDefaultCanonicalizationCodecs()

Returns the List of Codecs to use when canonicalizing data.

- Returns: the codec list

getDigitalSignatureAlgorithm

@Deprecated java.lang.String getDigitalSignatureAlgorithm()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Gets the digital signature algorithm used by ESAPI to generate and verify signatures.

- Returns: the current digital signature algorithm

getDigitalSignatureKeyLength

@Deprecated int getDigitalSignatureKeyLength()

Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.

Gets the digital signature key length used by ESAPI to generate and verify signatures.

- Returns: the current digital signature key length

getRandomAlgorithm

@Deprecated java.lang.String getRandomAlgorithm()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Gets the random number generation algorithm used to generate random numbers where needed.

- Returns: the current random number generation algorithm

getAllowedLoginAttempts

@Deprecated int getAllowedLoginAttempts()

Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.

Gets the number of login attempts allowed before the user's account is locked. If this many failures are detected within the allotted time period, the user's account will be locked.

- Returns: the number of failed login attempts that cause an account to be locked

getMaxOldPasswordHashes

@Deprecated int getMaxOldPasswordHashes()

Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.

Gets the maximum number of old password hashes that should be retained. These hashes can be used to ensure that the user doesn't reuse the specified number of previous passwords when they change their password.

- Returns: the number of old hashed passwords to retain

getDisableIntrusionDetection

@Deprecated boolean getDisableIntrusionDetection()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Allows for complete disabling of all intrusion detection mechanisms.

- Returns: true if intrusion detection should be disabled

getQuota

SecurityConfiguration.Threshold getQuota(java.lang.String eventName)

Gets the intrusion detection quota for the specified event.

- Parameters: eventName - the name of the event whose quota is desired
- Returns: the Quota that has been configured for the specified type of event

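getQuota(eventName) returns a SecurityConfiguration.Threshold, described above as a count and an interval with a set of actions to take once the threshold is exceeded, and getAllowedLoginAttempts() describes the same idea for login failures "within the allotted time period". The following added example (not ESAPI's own code, and not how ESAPI's intrusion detector is implemented) shows the sliding-window semantics such a quota implies: events are timestamped per actor, events older than the interval are discarded, and the actions fire once the count is reached. The local `Threshold` class stands in for SecurityConfiguration.Threshold, and the quota values, event times and action names in `main` are constructed samples.

```java
import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Collections;
import java.util.Deque;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Sliding-window evaluation of an intrusion-detection quota: a count, an interval and
 * the actions to take when count events occur within the interval.
 * Added example; not part of ESAPI.
 */
public final class QuotaEvaluator {

    /** Local stand-in for SecurityConfiguration.Threshold (count + interval + actions). */
    public static final class Threshold {
        public final String name;
        public final int count;
        public final long intervalSeconds;
        public final List<String> actions;

        public Threshold(String name, int count, long intervalSeconds, List<String> actions) {
            this.name = name;
            this.count = count;
            this.intervalSeconds = intervalSeconds;
            this.actions = Collections.unmodifiableList(actions);
        }
    }

    /** Event timestamps (seconds) keyed by event name and actor, oldest first. */
    private final Map<String, Deque<Long>> history = new HashMap<>();

    /**
     * Records one occurrence of the quota's event for actor at nowSeconds and returns the
     * actions to take, or an empty list while the actor is still under quota.
     */
    public List<String> record(Threshold quota, String actor, long nowSeconds) {
        Deque<Long> times = history.computeIfAbsent(quota.name + "|" + actor, k -> new ArrayDeque<>());
        times.addLast(nowSeconds);
        // Forget events that have fallen out of the interval window.
        while (!times.isEmpty() && nowSeconds - times.peekFirst() > quota.intervalSeconds) {
            times.pollFirst();
        }
        if (times.size() >= quota.count) {
            times.clear();          // fire once per burst, then start counting afresh
            return quota.actions;
        }
        return Collections.emptyList();
    }

    public static void main(String[] args) {
        // Constructed sample quota: 3 failed logins within 60 seconds -> log and disable.
        Threshold failedLogin =
                new Threshold("AuthenticationException", 3, 60, Arrays.asList("log", "disable"));
        QuotaEvaluator evaluator = new QuotaEvaluator();

        long[] eventTimes = {0, 10, 20, 200, 250, 270};   // constructed, in seconds
        for (long t : eventTimes) {
            List<String> actions = evaluator.record(failedLogin, "alice", t);
            System.out.println("t=" + t + "s -> "
                    + (actions.isEmpty() ? "under quota" : "actions " + actions));
        }
    }
}
```

With the sample times, the third failure at t=20s trips the quota, while the burst at t=200s, 250s and 270s does not, because by t=270s the event at t=200s is older than the 60-second interval and only two events remain in the window.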
getResourceFile

java.io.File getResourceFile(java.lang.String filename)

Gets a file from the resource directory.

- Parameters: filename - The file name resource.
- Returns: A File object representing the specified file name, or null if not found.

getForceHttpOnlySession

@Deprecated boolean getForceHttpOnlySession()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Returns true if session cookies are required to have the HttpOnly flag set.

getForceSecureSession

@Deprecated boolean getForceSecureSession()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Returns true if session cookies are required to have the Secure flag set.

getForceHttpOnlyCookies

@Deprecated boolean getForceHttpOnlyCookies()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Returns true if new cookies are required to have the HttpOnly flag set.

getForceSecureCookies

@Deprecated boolean getForceSecureCookies()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Returns true if new cookies are required to have the Secure flag set.

getMaxHttpHeaderSize

@Deprecated int getMaxHttpHeaderSize()

Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.

Returns the maximum allowable HTTP header size.

getResourceStream

java.io.InputStream getResourceStream(java.lang.String filename) throws java.io.IOException

Gets an InputStream to a file in the resource directory.

- Parameters: filename - A file name in the resource directory.
- Returns: An InputStream to the specified file name in the resource directory.
- Throws: java.io.IOException - If the specified file name cannot be found or opened for reading.

setResourceDirectory

void setResourceDirectory(java.lang.String dir)

Sets the ESAPI resource directory.

- Parameters: dir - The location of the resource directory.

getResponseContentType

@Deprecated java.lang.String getResponseContentType()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Gets the content type for responses used when setSafeContentType() is called.

Note: This does not get the configured character encoding scheme. That is accessed by calling getCharacterEncoding().

- Returns: The current content-type set for responses.

getHttpSessionIdName

@Deprecated java.lang.String getHttpSessionIdName()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

This method returns the configured name of the session identifier, likely "JSESSIONID", though this can be overridden.

- Returns: The name of the session identifier, like "JSESSIONID"

getRememberTokenDuration

long getRememberTokenDuration()

Gets the length of the time to live window for remember me tokens (in milliseconds).

- Returns: The time to live length for generated "remember me" tokens.

getSessionIdleTimeoutLength

@Deprecated int getSessionIdleTimeoutLength()

Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.

Gets the idle timeout length for sessions (in milliseconds). This is the amount of time that a session can live before it expires due to lack of activity. Applications or frameworks could provide a reauthenticate function that enables a session to continue after reauthentication.

- Returns: The session idle timeout length.

getSessionAbsoluteTimeoutLength

@Deprecated int getSessionAbsoluteTimeoutLength()

Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.

Gets the absolute timeout length for sessions (in milliseconds). This is the amount of time that a session can live before it expires regardless of the amount of user activity. Applications or frameworks could provide a reauthenticate function that enables a session to continue after reauthentication.

- Returns: The session absolute timeout length.

getLogEncodingRequired

@Deprecated boolean getLogEncodingRequired()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Returns whether HTML entity encoding should be applied to log entries.

- Returns: True if log entries are to be HTML entity encoded, false otherwise.

getLogApplicationName

@Deprecated boolean getLogApplicationName()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Returns whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.

- Returns: True if ESAPI should log the application name, false otherwise

getLogServerIP

@Deprecated boolean getLogServerIP()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Returns whether ESAPI should log the server IP. This might be clutter in some single-server environments.

- Returns: True if ESAPI should log the server IP and port, false otherwise

getWorkingDirectory

java.io.File getWorkingDirectory()

Returns the default working directory for executing native processes with Runtime.exec().