org.owasp.esapi.reference
Class DefaultSecurityConfiguration

java.lang.Object
  extended by org.owasp.esapi.reference.DefaultSecurityConfiguration
All Implemented Interfaces:
SecurityConfiguration

public class DefaultSecurityConfiguration
extends java.lang.Object
implements SecurityConfiguration

The reference SecurityConfiguration manages all the settings used by the ESAPI in a single place. In this reference implementation, resources can be put in several locations, which are searched in the following order:

1) Inside a directory set with a call to SecurityConfiguration.setResourceDirectory( "C:\temp\resources" ).

2) Inside the System.getProperty( "org.owasp.esapi.resources" ) directory. You can set this on the java command line as follows (for example):

                java -Dorg.owasp.esapi.resources="C:\temp\resources"
 
You may have to add this to the start-up script that starts your web server. For example, for Tomcat, in the "catalina" script that starts Tomcat, you can set the JAVA_OPTS variable to the -D string above.

3) Inside the System.getProperty( "user.home" ) + "/.esapi" directory (supported for backward compatibility) or inside the System.getProperty( "user.home" ) + "/esapi" directory.

4) The first ".esapi" or "esapi" directory on the classpath. (The former for backward compatibility.)
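
The search order above, walked with only the JDK, as an added example that is not part of ESAPI: it reports the first location that holds ESAPI.properties and any later copies that location shadows. The class name EsapiResourceLocator, and checking ".esapi" before "esapi" within steps 3 and 4, are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.attribute.PosixFilePermission;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added example, not ESAPI code. EsapiResourceLocator is a hypothetical name.
public class EsapiResourceLocator {

    static final String RESOURCE_FILE = "ESAPI.properties"; // file name used on this page

    static final class Candidate {
        final String rule;     // step of the documented search order
        final String location; // path or classpath URL that was examined
        final File file;       // null for classpath entries and unset locations
        final boolean found;   // true if ESAPI.properties is readable there

        Candidate(String rule, String location, File file, boolean found) {
            this.rule = rule;
            this.location = location;
            this.file = file;
            this.found = found;
        }
    }

    /** Builds the candidate list in the documented order; explicitDir may be null. */
    static List<Candidate> candidates(String explicitDir) {
        List<Candidate> out = new ArrayList<Candidate>();
        addDirectory(out, "1) setResourceDirectory()", explicitDir);
        addDirectory(out, "2) -Dorg.owasp.esapi.resources",
                System.getProperty("org.owasp.esapi.resources"));
        String home = System.getProperty("user.home");
        // Assumption: ".esapi" is tried before "esapi", as listed on the page.
        addDirectory(out, "3) user.home/.esapi", home == null ? null : home + "/.esapi");
        addDirectory(out, "3) user.home/esapi", home == null ? null : home + "/esapi");
        addClasspath(out, "4) classpath .esapi", ".esapi/" + RESOURCE_FILE);
        addClasspath(out, "4) classpath esapi", "esapi/" + RESOURCE_FILE);
        return out;
    }

    private static void addDirectory(List<Candidate> out, String rule, String dir) {
        if (dir == null || dir.isEmpty()) {
            out.add(new Candidate(rule, "(not set)", null, false));
            return;
        }
        File f = new File(dir, RESOURCE_FILE);
        out.add(new Candidate(rule, f.getAbsolutePath(), f, f.isFile() && f.canRead()));
    }

    private static void addClasspath(List<Candidate> out, String rule, String resource) {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        if (cl == null) {
            cl = EsapiResourceLocator.class.getClassLoader();
        }
        URL url = cl.getResource(resource);
        String where = url == null ? "(not on classpath)" : url.toString();
        out.add(new Candidate(rule, where, null, url != null));
    }

    /** True if users other than the owner can read or write the file (POSIX only). */
    static boolean accessibleByOthers(File f) {
        try {
            Set<PosixFilePermission> p = Files.getPosixFilePermissions(f.toPath());
            return p.contains(PosixFilePermission.OTHERS_READ)
                    || p.contains(PosixFilePermission.OTHERS_WRITE);
        } catch (UnsupportedOperationException | IOException e) {
            return false; // non-POSIX file system: review the ACL by other means
        }
    }

    public static void main(String[] args) {
        boolean matched = false;
        for (Candidate c : candidates(args.length > 0 ? args[0] : null)) {
            String status = !c.found ? "absent" : (matched ? "shadowed" : "FIRST MATCH");
            System.out.printf("%-32s %-12s %s%n", c.rule, status, c.location);
            if (c.found && !matched) {
                matched = true;
                if (c.file != null && accessibleByOthers(c.file)) {
                    System.out.println("  note: this file carries the master key and is"
                            + " readable or writable by other users");
                }
            }
        }
        if (!matched) {
            System.out.println("No " + RESOURCE_FILE + " found in any documented location.");
        }
    }
}
```

Run it with the same -D options and classpath as the application; a "shadowed" row means an edit to that copy of ESAPI.properties has no effect.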

Once the Configuration is initialized with a resource directory, you can edit it to set things like master keys and passwords, logging locations, error thresholds, and allowed file extensions.

WARNING: Do not forget to update ESAPI.properties to change the master key and other security critical settings.

Author:
Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security, Jim Manico (jim .at. manico.net) Manico.net, Kevin Wall (kevin.w.wall .at. gmail.com)

Nested Class Summary
 
Nested classes/interfaces inherited from interface org.owasp.esapi.SecurityConfiguration
SecurityConfiguration.Threshold
 
Field Summary
static java.lang.String ABSOLUTE_TIMEOUT_DURATION
           
static java.lang.String ACCEPT_LENIENT_DATES
           
static java.lang.String ACCESS_CONTROL_IMPLEMENTATION
           
static java.lang.String ADDITIONAL_ALLOWED_CIPHER_MODES
           
static java.lang.String ALLOW_MIXED_ENCODING
           
static java.lang.String ALLOW_MULTIPLE_ENCODING
           
static java.lang.String ALLOWED_LOGIN_ATTEMPTS
           
static java.lang.String APPLICATION_NAME
           
static java.lang.String APPROVED_EXECUTABLES
           
static java.lang.String APPROVED_UPLOAD_EXTENSIONS
           
static java.lang.String AUTHENTICATION_IMPLEMENTATION
           
static java.lang.String CANONICALIZATION_CODECS
           
static java.lang.String CHARACTER_ENCODING
           
static java.lang.String CIPHER_TRANSFORMATION_IMPLEMENTATION
           
static java.lang.String CIPHERTEXT_USE_MAC
           
static java.lang.String COMBINED_CIPHER_MODES
           
static java.lang.String DEFAULT_ACCESS_CONTROL_IMPLEMENTATION
           
static java.lang.String DEFAULT_AUTHENTICATION_IMPLEMENTATION
           
static java.lang.String DEFAULT_ENCODER_IMPLEMENTATION
           
static java.lang.String DEFAULT_ENCRYPTION_IMPLEMENTATION
           
static java.lang.String DEFAULT_EXECUTOR_IMPLEMENTATION
           
static java.lang.String DEFAULT_HTTP_UTILITIES_IMPLEMENTATION
           
static java.lang.String DEFAULT_INTRUSION_DETECTION_IMPLEMENTATION
           
static java.lang.String DEFAULT_LOG_IMPLEMENTATION
           
static int DEFAULT_MAX_LOG_FILE_SIZE
          The default max log file size is set to 10,000,000 bytes (10 Meg).
static java.lang.String DEFAULT_RANDOMIZER_IMPLEMENTATION
           
static java.lang.String DEFAULT_VALIDATOR_IMPLEMENTATION
           
static java.lang.String DIGITAL_SIGNATURE_ALGORITHM
           
static java.lang.String DIGITAL_SIGNATURE_KEY_LENGTH
           
static java.lang.String DISABLE_INTRUSION_DETECTION
           
static java.lang.String ENCODER_IMPLEMENTATION
           
static java.lang.String ENCRYPTION_ALGORITHM
           
static java.lang.String ENCRYPTION_IMPLEMENTATION
           
static java.lang.String EXECUTOR_IMPLEMENTATION
           
static java.lang.String FIXED_IV
           
static java.lang.String FORCE_HTTPONLYCOOKIES
           
static java.lang.String FORCE_HTTPONLYSESSION
           
static java.lang.String FORCE_SECURECOOKIES
           
static java.lang.String FORCE_SECURESESSION
           
static java.lang.String HASH_ALGORITHM
           
static java.lang.String HASH_ITERATIONS
           
static java.lang.String HTTP_SESSION_ID_NAME
           
static java.lang.String HTTP_UTILITIES_IMPLEMENTATION
           
static java.lang.String IDLE_TIMEOUT_DURATION
           
static java.lang.String INTRUSION_DETECTION_IMPLEMENTATION
           
static java.lang.String IV_TYPE
           
static java.lang.String KDF_PRF_ALG
           
static java.lang.String KEY_LENGTH
           
static java.lang.String LOG_APPLICATION_NAME
           
static java.lang.String LOG_ENCODING_REQUIRED
           
static java.lang.String LOG_FILE_NAME
           
static java.lang.String LOG_IMPLEMENTATION
           
static java.lang.String LOG_LEVEL
           
static java.lang.String LOG_SERVER_IP
           
static java.lang.String MASTER_KEY
           
static java.lang.String MASTER_SALT
           
protected  int MAX_FILE_NAME_LENGTH
          Deprecated. It is not clear whether this is intended to be the max file name length for the basename(1) of a file or the max full path name length of a canonical full path name. Since it is not used anywhere in the ESAPI code it is being deprecated and scheduled to be removed in release 2.1.
static java.lang.String MAX_HTTP_HEADER_SIZE
           
static java.lang.String MAX_LOG_FILE_SIZE
           
static java.lang.String MAX_OLD_PASSWORD_HASHES
           
protected  int MAX_REDIRECT_LOCATION
           
static java.lang.String MAX_UPLOAD_FILE_BYTES
           
static java.lang.String PASSWORD_PARAMETER_NAME
           
static java.lang.String PLAINTEXT_OVERWRITE
           
static java.lang.String PREFERRED_JCE_PROVIDER
           
static java.lang.String PRINT_PROPERTIES_WHEN_LOADED
           
static java.lang.String RANDOM_ALGORITHM
           
static java.lang.String RANDOMIZER_IMPLEMENTATION
           
static java.lang.String REMEMBER_TOKEN_DURATION
           
static java.lang.String RESOURCE_FILE
          The name of the ESAPI property file
static java.lang.String RESPONSE_CONTENT_TYPE
           
static java.lang.String UPLOAD_DIRECTORY
           
static java.lang.String UPLOAD_TEMP_DIRECTORY
           
static java.lang.String USERNAME_PARAMETER_NAME
           
static java.lang.String VALIDATION_PROPERTIES
           
static java.lang.String VALIDATOR_IMPLEMENTATION
           
static java.lang.String WORKING_DIRECTORY
           
 
Constructor Summary
DefaultSecurityConfiguration()
          Instantiates a new configuration.
DefaultSecurityConfiguration(java.util.Properties properties)
          Instantiates a new configuration with the supplied properties.
 
Method Summary
 java.lang.String getAccessControlImplementation()
          Returns the fully qualified classname of the ESAPI Access Control implementation.
 java.util.List<java.lang.String> getAdditionalAllowedCipherModes()
          Return List of strings of additional cipher modes that are permitted (i.e., in addition to those returned by #getPreferredCipherModes()) to be used for encryption and decryption operations.
 java.util.List<java.lang.String> getAllowedExecutables()
          Gets the allowed executables to run with the Executor.
 java.util.List<java.lang.String> getAllowedFileExtensions()
          Gets the allowed file extensions for files that are uploaded to this application.
 int getAllowedFileUploadSize()
          Gets the maximum allowed file upload size.
 int getAllowedLoginAttempts()
          Gets the number of login attempts allowed before the user's account is locked.
 boolean getAllowMixedEncoding()
          Return true if mixed encoding is allowed
 boolean getAllowMultipleEncoding()
          Return true if multiple encoding is allowed
 java.lang.String getApplicationName()
          Gets the application name, used for logging
 java.lang.String getAuthenticationImplementation()
          Returns the fully qualified classname of the ESAPI Authentication implementation.
 java.lang.String getCharacterEncoding()
          Gets the character encoding scheme supported by this application.
 java.lang.String getCipherTransformation()
          Retrieve the cipher transformation.
 java.util.List<java.lang.String> getCombinedCipherModes()
          Return a List of strings of combined cipher modes that support both confidentiality and authenticity.
 java.util.List<java.lang.String> getDefaultCanonicalizationCodecs()
          Returns the List of Codecs to use when canonicalizing data
 java.lang.String getDigitalSignatureAlgorithm()
          Gets the digital signature algorithm used by ESAPI to generate and verify signatures.
 int getDigitalSignatureKeyLength()
          Gets the digital signature key length used by ESAPI to generate and verify signatures.
 boolean getDisableIntrusionDetection()
          Allows for complete disabling of all intrusion detection mechanisms
 java.lang.String getEncoderImplementation()
          Returns the fully qualified classname of the ESAPI Encoder implementation.
 java.lang.String getEncryptionAlgorithm()
          Gets the encryption algorithm used by ESAPI to protect data.
 java.lang.String getEncryptionImplementation()
          Returns the fully qualified classname of the ESAPI Encryption implementation.
 int getEncryptionKeyLength()
          Gets the key length to use in cryptographic operations declared in the ESAPI properties file.
protected  java.util.Properties getESAPIProperties()
           
protected  boolean getESAPIProperty(java.lang.String key, boolean def)
           
protected  int getESAPIProperty(java.lang.String key, int def)
           
protected  java.util.List<java.lang.String> getESAPIProperty(java.lang.String key, java.util.List<java.lang.String> def)
          Returns a List representing the parsed, comma-separated property.
protected  java.lang.String getESAPIProperty(java.lang.String key, java.lang.String def)
           
protected  byte[] getESAPIPropertyEncoded(java.lang.String key, byte[] def)
           
 java.lang.String getExecutorImplementation()
          Returns the fully qualified classname of the ESAPI OS Execution implementation.
 java.lang.String getFixedIV()
          If a "fixed" (i.e., static) Initialization Vector (IV) is to be used, this will return the IV value as a hex-encoded string.
 boolean getForceHttpOnlyCookies()
          Forces new cookies to have HttpOnly flag set.
 boolean getForceHttpOnlySession()
          Forces new cookies to have HttpOnly flag set.
 boolean getForceSecureCookies()
          Forces new cookies to have Secure flag set.
 boolean getForceSecureSession()
          Forces session cookies to have Secure flag set.
 java.lang.String getHashAlgorithm()
          Gets the hashing algorithm used by ESAPI to hash data.
 int getHashIterations()
          Gets the hash iterations used by ESAPI to hash data.
 java.lang.String getHttpSessionIdName()
          This method returns the configured name of the session identifier, likely "JSESSIONID" though this can be overridden.
 java.lang.String getHTTPUtilitiesImplementation()
          Returns the fully qualified classname of the ESAPI HTTPUtilities implementation.
static SecurityConfiguration getInstance()
           
 java.lang.String getIntrusionDetectionImplementation()
          Returns the fully qualified classname of the ESAPI Intrusion Detection implementation.
 java.lang.String getIVType()
          Get a string indicating how to compute an Initialization Vector (IV).
 java.lang.String getKDFPseudoRandomFunction()
          Retrieve the Pseudo Random Function (PRF) used by the ESAPI Key Derivation Function (KDF).
 boolean getLenientDatesAccepted()
          Determines whether ESAPI will accept "lenient" dates when attempting to parse dates.
 boolean getLogApplicationName()
          Returns whether ESAPI should log the application name.
 boolean getLogEncodingRequired()
          Returns whether HTML entity encoding should be applied to log entries.
 java.lang.String getLogFileName()
          Get the name of the log file specified in the ESAPI configuration properties file.
 java.lang.String getLogImplementation()
          Returns the fully qualified classname of the ESAPI Logging implementation.
 int getLogLevel()
          Returns the current log level.
 boolean getLogServerIP()
          Returns whether ESAPI should log the server IP.
 byte[] getMasterKey()
          Gets the master key.
 byte[] getMasterSalt()
          Gets the master salt that is used to salt stored password hashes and any other location where a salt is needed.
 int getMaxHttpHeaderSize()
          Returns the maximum allowable HTTP header size.
 int getMaxLogFileSize()
          Get the maximum size of a single log file from the ESAPI configuration properties file.
 int getMaxOldPasswordHashes()
          Gets the maximum number of old password hashes that should be retained.
 java.lang.String getPasswordParameterName()
          Gets the name of the password parameter used during user authentication.
 java.lang.String getPreferredJCEProvider()
          Retrieve the preferred JCE provider for ESAPI and your application.
 SecurityConfiguration.Threshold getQuota(java.lang.String eventName)
          Gets the intrusion detection quota for the specified event.
 java.lang.String getRandomAlgorithm()
          Gets the random number generation algorithm used to generate random numbers where needed.
 java.lang.String getRandomizerImplementation()
          Returns the fully qualified classname of the ESAPI Randomizer implementation.
 long getRememberTokenDuration()
          Gets the length of the time to live window for remember me tokens (in milliseconds).
 java.io.File getResourceFile(java.lang.String filename)
          Gets a file from the resource directory
 java.io.InputStream getResourceStream(java.lang.String filename)
          Gets an InputStream to a file in the resource directory
 java.lang.String getResponseContentType()
          Gets the content type for responses used when setSafeContentType() is called.
 int getSessionAbsoluteTimeoutLength()
          Gets the absolute timeout length for sessions (in milliseconds).
 int getSessionIdleTimeoutLength()
          Gets the idle timeout length for sessions (in milliseconds).
 java.io.File getUploadDirectory()
          Retrieves the upload directory as specified in the ESAPI.properties file.
 java.io.File getUploadTempDirectory()
          Retrieves the temp directory to use when uploading files, as specified in ESAPI.properties.
 java.lang.String getUsernameParameterName()
          Gets the name of the username parameter used during user authentication.
 java.lang.String getValidationImplementation()
          Returns the fully qualified classname of the ESAPI Validation implementation.
 java.util.regex.Pattern getValidationPattern(java.lang.String key)
          getValidationPattern returns a single pattern based upon key
 java.io.File getWorkingDirectory()
          getWorkingDirectory returns the default directory where processes will be executed by the Executor.
protected  void loadConfiguration()
          Load configuration.
 boolean overwritePlainText()
          Indicates whether the PlainText objects may be overwritten after they have been encrypted.
 java.lang.String setCipherTransformation(java.lang.String cipherXform)
          Set the cipher transformation.
 void setResourceDirectory(java.lang.String dir)
          Sets the ESAPI resource directory.
protected  boolean shouldPrintProperties()
           
 boolean useMACforCipherText()
          Determines whether the CipherText should be used with a Message Authentication Code (MAC).
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

RESOURCE_FILE

public static final java.lang.String RESOURCE_FILE
The name of the ESAPI property file

See Also:
Constant Field Values

REMEMBER_TOKEN_DURATION

public static final java.lang.String REMEMBER_TOKEN_DURATION
See Also:
Constant Field Values

IDLE_TIMEOUT_DURATION

public static final java.lang.String IDLE_TIMEOUT_DURATION
See Also:
Constant Field Values

ABSOLUTE_TIMEOUT_DURATION

public static final java.lang.String ABSOLUTE_TIMEOUT_DURATION
See Also:
Constant Field Values

ALLOWED_LOGIN_ATTEMPTS

public static final java.lang.String ALLOWED_LOGIN_ATTEMPTS
See Also:
Constant Field Values

USERNAME_PARAMETER_NAME

public static final java.lang.String USERNAME_PARAMETER_NAME
See Also:
Constant Field Values

PASSWORD_PARAMETER_NAME

public static final java.lang.String PASSWORD_PARAMETER_NAME
See Also:
Constant Field Values

MAX_OLD_PASSWORD_HASHES

public static final java.lang.String MAX_OLD_PASSWORD_HASHES
See Also:
Constant Field Values

ALLOW_MULTIPLE_ENCODING

public static final java.lang.String ALLOW_MULTIPLE_ENCODING
See Also:
Constant Field Values

ALLOW_MIXED_ENCODING

public static final java.lang.String ALLOW_MIXED_ENCODING
See Also:
Constant Field Values

CANONICALIZATION_CODECS

public static final java.lang.String CANONICALIZATION_CODECS
See Also:
Constant Field Values

DISABLE_INTRUSION_DETECTION

public static final java.lang.String DISABLE_INTRUSION_DETECTION
See Also:
Constant Field Values

MASTER_KEY

public static final java.lang.String MASTER_KEY
See Also:
Constant Field Values

MASTER_SALT

public static final java.lang.String MASTER_SALT
See Also:
Constant Field Values

KEY_LENGTH

public static final java.lang.String KEY_LENGTH
See Also:
Constant Field Values

ENCRYPTION_ALGORITHM

public static final java.lang.String ENCRYPTION_ALGORITHM
See Also:
Constant Field Values

HASH_ALGORITHM

public static final java.lang.String HASH_ALGORITHM
See Also:
Constant Field Values

HASH_ITERATIONS

public static final java.lang.String HASH_ITERATIONS
See Also:
Constant Field Values

CHARACTER_ENCODING

public static final java.lang.String CHARACTER_ENCODING
See Also:
Constant Field Values

RANDOM_ALGORITHM

public static final java.lang.String RANDOM_ALGORITHM
See Also:
Constant Field Values

DIGITAL_SIGNATURE_ALGORITHM

public static final java.lang.String DIGITAL_SIGNATURE_ALGORITHM
See Also:
Constant Field Values

DIGITAL_SIGNATURE_KEY_LENGTH

public static final java.lang.String DIGITAL_SIGNATURE_KEY_LENGTH
See Also:
Constant Field Values

PREFERRED_JCE_PROVIDER

public static final java.lang.String PREFERRED_JCE_PROVIDER
See Also:
Constant Field Values

CIPHER_TRANSFORMATION_IMPLEMENTATION

public static final java.lang.String CIPHER_TRANSFORMATION_IMPLEMENTATION
See Also:
Constant Field Values

CIPHERTEXT_USE_MAC

public static final java.lang.String CIPHERTEXT_USE_MAC
See Also:
Constant Field Values

PLAINTEXT_OVERWRITE

public static final java.lang.String PLAINTEXT_OVERWRITE
See Also:
Constant Field Values

IV_TYPE

public static final java.lang.String IV_TYPE
See Also:
Constant Field Values

FIXED_IV

public static final java.lang.String FIXED_IV
See Also:
Constant Field Values

COMBINED_CIPHER_MODES

public static final java.lang.String COMBINED_CIPHER_MODES
See Also:
Constant Field Values

ADDITIONAL_ALLOWED_CIPHER_MODES

public static final java.lang.String ADDITIONAL_ALLOWED_CIPHER_MODES
See Also:
Constant Field Values

KDF_PRF_ALG

public static final java.lang.String KDF_PRF_ALG
See Also:
Constant Field Values

PRINT_PROPERTIES_WHEN_LOADED

public static final java.lang.String PRINT_PROPERTIES_WHEN_LOADED
See Also:
Constant Field Values

WORKING_DIRECTORY

public static final java.lang.String WORKING_DIRECTORY
See Also:
Constant Field Values

APPROVED_EXECUTABLES

public static final java.lang.String APPROVED_EXECUTABLES
See Also:
Constant Field Values

FORCE_HTTPONLYSESSION

public static final java.lang.String FORCE_HTTPONLYSESSION
See Also:
Constant Field Values

FORCE_SECURESESSION

public static final java.lang.String FORCE_SECURESESSION
See Also:
Constant Field Values

FORCE_HTTPONLYCOOKIES

public static final java.lang.String FORCE_HTTPONLYCOOKIES
See Also:
Constant Field Values

FORCE_SECURECOOKIES

public static final java.lang.String FORCE_SECURECOOKIES
See Also:
Constant Field Values

MAX_HTTP_HEADER_SIZE

public static final java.lang.String MAX_HTTP_HEADER_SIZE
See Also:
Constant Field Values

UPLOAD_DIRECTORY

public static final java.lang.String UPLOAD_DIRECTORY
See Also:
Constant Field Values

UPLOAD_TEMP_DIRECTORY

public static final java.lang.String UPLOAD_TEMP_DIRECTORY
See Also:
Constant Field Values

APPROVED_UPLOAD_EXTENSIONS

public static final java.lang.String APPROVED_UPLOAD_EXTENSIONS
See Also:
Constant Field Values

MAX_UPLOAD_FILE_BYTES

public static final java.lang.String MAX_UPLOAD_FILE_BYTES
See Also:
Constant Field Values

RESPONSE_CONTENT_TYPE

public static final java.lang.String RESPONSE_CONTENT_TYPE
See Also:
Constant Field Values

HTTP_SESSION_ID_NAME

public static final java.lang.String HTTP_SESSION_ID_NAME
See Also:
Constant Field Values

APPLICATION_NAME

public static final java.lang.String APPLICATION_NAME
See Also:
Constant Field Values

LOG_LEVEL

public static final java.lang.String LOG_LEVEL
See Also:
Constant Field Values

LOG_FILE_NAME

public static final java.lang.String LOG_FILE_NAME
See Also:
Constant Field Values

MAX_LOG_FILE_SIZE

public static final java.lang.String MAX_LOG_FILE_SIZE
See Also:
Constant Field Values

LOG_ENCODING_REQUIRED

public static final java.lang.String LOG_ENCODING_REQUIRED
See Also:
Constant Field Values

LOG_APPLICATION_NAME

public static final java.lang.String LOG_APPLICATION_NAME
See Also:
Constant Field Values

LOG_SERVER_IP

public static final java.lang.String LOG_SERVER_IP
See Also:
Constant Field Values

VALIDATION_PROPERTIES

public static final java.lang.String VALIDATION_PROPERTIES
See Also:
Constant Field Values

ACCEPT_LENIENT_DATES

public static final java.lang.String ACCEPT_LENIENT_DATES
See Also:
Constant Field Values

DEFAULT_MAX_LOG_FILE_SIZE

public static final int DEFAULT_MAX_LOG_FILE_SIZE
The default max log file size is set to 10,000,000 bytes (10 Meg). If the current log file exceeds the current max log file size, the logger will move the old log data into another log file. There currently is a max of 1000 log files of the same name. If that is exceeded it will presumably start discarding the oldest logs.

See Also:
Constant Field Values

MAX_REDIRECT_LOCATION

protected final int MAX_REDIRECT_LOCATION
See Also:
Constant Field Values

MAX_FILE_NAME_LENGTH

protected final int MAX_FILE_NAME_LENGTH
Deprecated. It is not clear whether this is intended to be the max file name length for the basename(1) of a file or the max full path name length of a canonical full path name. Since it is not used anywhere in the ESAPI code it is being deprecated and scheduled to be removed in release 2.1.
See Also:
Constant Field Values

LOG_IMPLEMENTATION

public static final java.lang.String LOG_IMPLEMENTATION
See Also:
Constant Field Values

AUTHENTICATION_IMPLEMENTATION

public static final java.lang.String AUTHENTICATION_IMPLEMENTATION
See Also:
Constant Field Values

ENCODER_IMPLEMENTATION

public static final java.lang.String ENCODER_IMPLEMENTATION
See Also:
Constant Field Values

ACCESS_CONTROL_IMPLEMENTATION

public static final java.lang.String ACCESS_CONTROL_IMPLEMENTATION
See Also:
Constant Field Values

ENCRYPTION_IMPLEMENTATION

public static final java.lang.String ENCRYPTION_IMPLEMENTATION
See Also:
Constant Field Values

INTRUSION_DETECTION_IMPLEMENTATION

public static final java.lang.String INTRUSION_DETECTION_IMPLEMENTATION
See Also:
Constant Field Values

RANDOMIZER_IMPLEMENTATION

public static final java.lang.String RANDOMIZER_IMPLEMENTATION
See Also:
Constant Field Values

EXECUTOR_IMPLEMENTATION

public static final java.lang.String EXECUTOR_IMPLEMENTATION
See Also:
Constant Field Values

VALIDATOR_IMPLEMENTATION

public static final java.lang.String VALIDATOR_IMPLEMENTATION
See Also:
Constant Field Values

HTTP_UTILITIES_IMPLEMENTATION

public static final java.lang.String HTTP_UTILITIES_IMPLEMENTATION
See Also:
Constant Field Values

DEFAULT_LOG_IMPLEMENTATION

public static final java.lang.String DEFAULT_LOG_IMPLEMENTATION
See Also:
Constant Field Values

DEFAULT_AUTHENTICATION_IMPLEMENTATION

public static final java.lang.String DEFAULT_AUTHENTICATION_IMPLEMENTATION
See Also:
Constant Field Values

DEFAULT_ENCODER_IMPLEMENTATION

public static final java.lang.String DEFAULT_ENCODER_IMPLEMENTATION
See Also:
Constant Field Values

DEFAULT_ACCESS_CONTROL_IMPLEMENTATION

public static final java.lang.String DEFAULT_ACCESS_CONTROL_IMPLEMENTATION
See Also:
Constant Field Values

DEFAULT_ENCRYPTION_IMPLEMENTATION

public static final java.lang.String DEFAULT_ENCRYPTION_IMPLEMENTATION
See Also:
Constant Field Values

DEFAULT_INTRUSION_DETECTION_IMPLEMENTATION

public static final java.lang.String DEFAULT_INTRUSION_DETECTION_IMPLEMENTATION
See Also:
Constant Field Values

DEFAULT_RANDOMIZER_IMPLEMENTATION

public static final java.lang.String DEFAULT_RANDOMIZER_IMPLEMENTATION
See Also:
Constant Field Values

DEFAULT_EXECUTOR_IMPLEMENTATION

public static final java.lang.String DEFAULT_EXECUTOR_IMPLEMENTATION
See Also:
Constant Field Values

DEFAULT_HTTP_UTILITIES_IMPLEMENTATION

public static final java.lang.String DEFAULT_HTTP_UTILITIES_IMPLEMENTATION
See Also:
Constant Field Values

DEFAULT_VALIDATOR_IMPLEMENTATION

public static final java.lang.String DEFAULT_VALIDATOR_IMPLEMENTATION
See Also:
Constant Field Values

Constructor Detail

DefaultSecurityConfiguration

public DefaultSecurityConfiguration()
Instantiates a new configuration.


DefaultSecurityConfiguration

public DefaultSecurityConfiguration(java.util.Properties properties)
Instantiates a new configuration with the supplied properties. Warning - if the setResourceDirectory() method is invoked the properties will be re-loaded, replacing the supplied properties.

Parameters:
properties -

Method Detail

getInstance

public static SecurityConfiguration getInstance()

getApplicationName

public java.lang.String getApplicationName()
Gets the application name, used for logging

Specified by:
getApplicationName in interface SecurityConfiguration
Returns:
the name of the current application

getLogImplementation

public java.lang.String getLogImplementation()
Returns the fully qualified classname of the ESAPI Logging implementation.

Specified by:
getLogImplementation in interface SecurityConfiguration

getAuthenticationImplementation

public java.lang.String getAuthenticationImplementation()
Returns the fully qualified classname of the ESAPI Authentication implementation.

Specified by:
getAuthenticationImplementation in interface SecurityConfiguration

getEncoderImplementation

public java.lang.String getEncoderImplementation()
Returns the fully qualified classname of the ESAPI Encoder implementation.

Specified by:
getEncoderImplementation in interface SecurityConfiguration

getAccessControlImplementation

public java.lang.String getAccessControlImplementation()
Returns the fully qualified classname of the ESAPI Access Control implementation.

Specified by:
getAccessControlImplementation in interface SecurityConfiguration

getEncryptionImplementation

public java.lang.String getEncryptionImplementation()
Returns the fully qualified classname of the ESAPI Encryption implementation.

Specified by:
getEncryptionImplementation in interface SecurityConfiguration

getIntrusionDetectionImplementation

public java.lang.String getIntrusionDetectionImplementation()
Returns the fully qualified classname of the ESAPI Intrusion Detection implementation.

Specified by:
getIntrusionDetectionImplementation in interface SecurityConfiguration

getRandomizerImplementation

public java.lang.String getRandomizerImplementation()
Returns the fully qualified classname of the ESAPI Randomizer implementation.

Specified by:
getRandomizerImplementation in interface SecurityConfiguration

getExecutorImplementation

public java.lang.String getExecutorImplementation()
Returns the fully qualified classname of the ESAPI OS Execution implementation.

Specified by:
getExecutorImplementation in interface SecurityConfiguration

getHTTPUtilitiesImplementation

public java.lang.String getHTTPUtilitiesImplementation()
Returns the fully qualified classname of the ESAPI HTTPUtilities implementation.

Specified by:
getHTTPUtilitiesImplementation in interface SecurityConfiguration

getValidationImplementation

public java.lang.String getValidationImplementation()
Returns the fully qualified classname of the ESAPI Validation implementation.

Specified by:
getValidationImplementation in interface SecurityConfiguration

getMasterKey

public byte[] getMasterKey()
Gets the master key. This password is used to encrypt/decrypt other files or types of data that need to be protected by your application.

Specified by:
getMasterKey in interface SecurityConfiguration
Returns:
the current master key

setResourceDirectory

public void setResourceDirectory(java.lang.String dir)
Sets the ESAPI resource directory.

Specified by:
setResourceDirectory in interface SecurityConfiguration
Parameters:
dir - The location of the resource directory.

getEncryptionKeyLength

public int getEncryptionKeyLength()
Description copied from interface: SecurityConfiguration
Gets the key length to use in cryptographic operations declared in the ESAPI properties file.

Specified by:
getEncryptionKeyLength in interface SecurityConfiguration
Returns:
the key length.

getMasterSalt

public byte[] getMasterSalt()
Gets the master salt that is used to salt stored password hashes and any other location where a salt is needed.

Specified by:
getMasterSalt in interface SecurityConfiguration
Returns:
the current master salt

getAllowedExecutables

public java.util.List<java.lang.String> getAllowedExecutables()
Gets the allowed executables to run with the Executor.

Specified by:
getAllowedExecutables in interface SecurityConfiguration
Returns:
a list of the current allowed executables

getAllowedFileExtensions

public java.util.List<java.lang.String> getAllowedFileExtensions()
Gets the allowed file extensions for files that are uploaded to this application.

Specified by:
getAllowedFileExtensions in interface SecurityConfiguration
Returns:
a list of the current allowed file extensions

getAllowedFileUploadSize

public int getAllowedFileUploadSize()
Gets the maximum allowed file upload size.

Specified by:
getAllowedFileUploadSize in interface SecurityConfiguration
Returns:
the current allowed file upload size

loadConfiguration

protected void loadConfiguration()
                          throws java.io.IOException
Load configuration. Never prints properties.

Throws:
java.io.IOException - if the file is inaccessible

getResourceStream

public java.io.InputStream getResourceStream(java.lang.String filename)
                                      throws java.io.IOException
Description copied from interface: SecurityConfiguration
Gets an InputStream to a file in the resource directory

Specified by:
getResourceStream in interface SecurityConfiguration
Parameters:
filename -
Returns:
An InputStream associated with the specified file name as a resource stream.
Throws:
java.io.IOException - If the file cannot be found or opened for reading.

getResourceFile

public java.io.File getResourceFile(java.lang.String filename)
Gets a file from the resource directory

Specified by:
getResourceFile in interface SecurityConfiguration
Parameters:
filename - The file name resource.
Returns:
A File object representing the specified file name or null if not found.

getPasswordParameterName

public java.lang.String getPasswordParameterName()
Gets the name of the password parameter used during user authentication.

Specified by:
getPasswordParameterName in interface SecurityConfiguration
Returns:
the name of the password parameter

getUsernameParameterName

public java.lang.String getUsernameParameterName()
Gets the name of the username parameter used during user authentication.

Specified by:
getUsernameParameterName in interface SecurityConfiguration
Returns:
the name of the username parameter

getEncryptionAlgorithm

public java.lang.String getEncryptionAlgorithm()
Gets the encryption algorithm used by ESAPI to protect data. This is mostly used for compatibility with ESAPI 1.4; ESAPI 2.0 prefers to use "cipher transformation" since it supports multiple cipher modes and padding schemes.

Specified by:
getEncryptionAlgorithm in interface SecurityConfiguration
Returns:
the current encryption algorithm

getCipherTransformation

public java.lang.String getCipherTransformation()
Retrieve the cipher transformation. In general, the cipher transformation is a specification of cipher algorithm, cipher mode, and padding scheme, and is a String that takes the following form:
                cipher_alg/cipher_mode[bits]/padding_scheme
 
where cipher_alg is the JCE cipher algorithm (e.g., "DESede"), cipher_mode is the cipher mode (e.g., "CBC", "CFB", "CTR", etc.), and padding_scheme is the cipher padding scheme (e.g., "NONE" for no padding, "PKCS5Padding" for PKCS#5 padding, etc.) and where [bits] is an optional bit size that applies to certain cipher modes such as CFB and OFB. Using modes such as CFB and OFB, block ciphers can encrypt data in units smaller than the cipher's actual block size. When requesting such a mode, you may optionally specify the number of bits to be processed at a time. This generally must be an integral multiple of 8 bits so that it can specify a whole number of octets.

Examples are:

                "AES/ECB/NoPadding"             // Default for ESAPI Java 1.4 (insecure)
                "AES/CBC/PKCS5Padding"  // Default for ESAPI Java 2.0
                "DESede/OFB32/PKCS5Padding"
 
NOTE: Occasionally, in cryptographic literature, you may also see the key size (in bits) specified after the cipher algorithm in the cipher transformation. Generally, this is done to account for cipher algorithms that have variable key sizes. The Blowfish cipher for example supports key sizes from 32 to 448 bits. So for Blowfish, you might see a cipher transformation something like this:
                "Blowfish-192/CFB8/PKCS5Padding"
 
in the cryptographic literature. It should be noted that the Java Cryptography Extensions (JCE) do not generally support this (at least not the reference JCE implementation of "SunJCE"), and therefore it should be avoided.

Specified by:
getCipherTransformation in interface SecurityConfiguration
Returns:
The cipher transformation.

setCipherTransformation

public java.lang.String setCipherTransformation(java.lang.String cipherXform)
Set the cipher transformation. This allows a different cipher transformation to be used without changing the ESAPI.properties file. For instance you may normally want to use AES/CBC/PKCS5Padding, but have some legacy encryption where you have ciphertext that was encrypted using 3DES.

Specified by:
setCipherTransformation in interface SecurityConfiguration
Parameters:
cipherXform - The new cipher transformation. See SecurityConfiguration.getCipherTransformation() for format. If null is passed as the parameter, the cipher transformation will be set to the default taken from the property Encryptor.CipherTransformation in the ESAPI.properties file. BEWARE: there is NO sanity checking here (other than the empty string, and then, only if Java assertions are enabled), so if you set this wrong, you will not get any errors until you later try to use it to encrypt or decrypt data.
Returns:
The previous cipher transformation is returned for convenience, with the assumption that you may wish to restore it once you have completed the encryption / decryption with the new cipher transformation.
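
Because setCipherTransformation performs no sanity checking, the string can be checked before it is passed in. The following is an added example, not part of ESAPI or of this Javadoc: the class CipherXformCheck, the method problemWith and the sample mode list are hypothetical, and only the JDK is used.

```java
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Cipher;

// Added example (hypothetical class, JDK only): pre-flight check for a
// cipher transformation before it is handed to setCipherTransformation().
public class CipherXformCheck {

    // cipher_alg/cipher_mode[bits]/padding_scheme
    private static final Pattern XFORM = Pattern.compile(
            "([A-Za-z0-9_]+)/([A-Za-z]+)(\\d{0,3})/([A-Za-z0-9-]+)");

    /** Returns null if xform is usable, otherwise the reason it is not. */
    public static String problemWith(String xform, List<String> allowedModes) {
        if (xform == null || xform.trim().isEmpty()) {
            return "empty transformation";
        }
        Matcher m = XFORM.matcher(xform.trim());
        if (!m.matches()) {
            // Also rejects the literature form "Blowfish-192/CFB8/PKCS5Padding".
            return "not of the form cipher_alg/cipher_mode[bits]/padding_scheme";
        }
        String mode = m.group(2).toUpperCase(Locale.ROOT);
        String bits = m.group(3);
        if (!allowedModes.contains(mode)) {
            return "cipher mode " + mode + " is not on the allowed list";
        }
        if (!bits.isEmpty()) {
            // Assumption of this example: [bits] is accepted on CFB and OFB only.
            if (!mode.equals("CFB") && !mode.equals("OFB")) {
                return "[bits] is only accepted here for CFB and OFB";
            }
            int n = Integer.parseInt(bits);
            if (n == 0 || n % 8 != 0) {
                return "[bits] must be a non-zero multiple of 8";
            }
        }
        try {
            // Ask the installed JCE providers now rather than at first use.
            Cipher.getInstance(xform.trim());
        } catch (GeneralSecurityException e) {
            return "rejected by JCE: " + e.getMessage();
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed allow-list; an ESAPI application could build it from
        // getCombinedCipherModes() and getAdditionalAllowedCipherModes().
        List<String> allowed = Arrays.asList("GCM", "CBC", "CFB", "OFB", "CTR");
        String[] samples = {
            "AES/CBC/PKCS5Padding", "DESede/OFB32/PKCS5Padding",
            "AES/ECB/NoPadding", "Blowfish-192/CFB8/PKCS5Padding",
            "AES/CFB12/NoPadding", "" };
        for (String s : samples) {
            String problem = problemWith(s, allowed);
            System.out.println("\"" + s + "\" -> " + (problem == null ? "OK" : problem));
        }
        // In application code, only after problemWith(...) returns null:
        //   String previous = config.setCipherTransformation(xform);
        //   try { /* encrypt or decrypt */ }
        //   finally { config.setCipherTransformation(previous); }
        // where config is the application's SecurityConfiguration instance.
    }
}
```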

useMACforCipherText

public boolean useMACforCipherText()
Determines whether the CipherText should be used with a Message Authentication Code (MAC). Generally this makes for a more robust cryptographic scheme, but there are some minor performance implications. Controlled by the ESAPI property Encryptor.CipherText.useMAC.

For further details, see the "Advanced Usage" section of "Why Is OWASP Changing ESAPI Encryption?".

Specified by:
useMACforCipherText in interface SecurityConfiguration
Returns:
true if you want a MAC to be used, otherwise false.

overwritePlainText

public boolean overwritePlainText()
Indicates whether the PlainText objects may be overwritten after they have been encrypted. Generally this is a good idea, especially if your VM is shared by multiple applications (e.g., multiple applications running in the same J2EE container) or if there is a possibility that your VM may leave a core dump (say because it is running non-native Java code).

Controlled by the property Encryptor.PlainText.overwrite in the ESAPI.properties file.

Specified by:
overwritePlainText in interface SecurityConfiguration
Returns:
True if it is OK to overwrite the PlainText objects after encrypting, false otherwise.

getIVType

public java.lang.String getIVType()
Get a string indicating how to compute an Initialization Vector (IV). Currently supported modes are "random" to generate a random IV or "fixed" to use a fixed (static) IV. If a "fixed" IV is chosen, then the value of this fixed IV must be specified as the property Encryptor.fixedIV and be of the appropriate length.

Specified by:
getIVType in interface SecurityConfiguration
Returns:
A string specifying the IV type. Should be "random" or "fixed".
See Also:
SecurityConfiguration.getFixedIV()

getFixedIV

public java.lang.String getFixedIV()
If a "fixed" (i.e., static) Initialization Vector (IV) is to be used, this will return the IV value as a hex-encoded string.

Specified by:
getFixedIV in interface SecurityConfiguration
Returns:
The fixed IV as a hex-encoded string.

getHashAlgorithm

public java.lang.String getHashAlgorithm()
Gets the hashing algorithm used by ESAPI to hash data.

Specified by:
getHashAlgorithm in interface SecurityConfiguration
Returns:
the current hashing algorithm

getHashIterations

public int getHashIterations()
Gets the hash iterations used by ESAPI to hash data.

Specified by:
getHashIterations in interface SecurityConfiguration
Returns:
the current number of hash iterations

getKDFPseudoRandomFunction

public java.lang.String getKDFPseudoRandomFunction()
Retrieve the Pseudo Random Function (PRF) used by the ESAPI Key Derivation Function (KDF).

Specified by:
getKDFPseudoRandomFunction in interface SecurityConfiguration
Returns:
The KDF PRF algorithm name.

getCharacterEncoding

public java.lang.String getCharacterEncoding()
Gets the character encoding scheme supported by this application. This is used to set the character encoding scheme on requests and responses when setCharacterEncoding() is called on SafeRequests and SafeResponses. This scheme is also used for encoding/decoding URLs and any other place where the current encoding scheme needs to be known.

Note: This does not get the configured response content type. That is accessed by calling getResponseContentType().

Specified by:
getCharacterEncoding in interface SecurityConfiguration
Returns:
the current character encoding scheme

getAllowMultipleEncoding

public boolean getAllowMultipleEncoding()
Return true if multiple encoding is allowed

Specified by:
getAllowMultipleEncoding in interface SecurityConfiguration
Returns:
whether multiple encoding is allowed when canonicalizing data

getAllowMixedEncoding

public boolean getAllowMixedEncoding()
Return true if mixed encoding is allowed

Specified by:
getAllowMixedEncoding in interface SecurityConfiguration
Returns:
whether mixed encoding is allowed when canonicalizing data

getDefaultCanonicalizationCodecs

public java.util.List<java.lang.String> getDefaultCanonicalizationCodecs()
Returns the List of Codecs to use when canonicalizing data

Specified by:
getDefaultCanonicalizationCodecs in interface SecurityConfiguration
Returns:
the codec list

getDigitalSignatureAlgorithm

public java.lang.String getDigitalSignatureAlgorithm()
Gets the digital signature algorithm used by ESAPI to generate and verify signatures.

Specified by:
getDigitalSignatureAlgorithm in interface SecurityConfiguration
Returns:
the current digital signature algorithm

getDigitalSignatureKeyLength

public int getDigitalSignatureKeyLength()
Gets the digital signature key length used by ESAPI to generate and verify signatures.

Specified by:
getDigitalSignatureKeyLength in interface SecurityConfiguration
Returns:
the current digital signature key length

getRandomAlgorithm

public java.lang.String getRandomAlgorithm()
Gets the random number generation algorithm used to generate random numbers where needed.

Specified by:
getRandomAlgorithm in interface SecurityConfiguration
Returns:
the current random number generation algorithm

getAllowedLoginAttempts

public int getAllowedLoginAttempts()
Gets the number of login attempts allowed before the user's account is locked. If this many failures are detected within the allotted time period, the user's account will be locked.

Specified by:
getAllowedLoginAttempts in interface SecurityConfiguration
Returns:
the number of failed login attempts that cause an account to be locked

getMaxOldPasswordHashes

public int getMaxOldPasswordHashes()
Gets the maximum number of old password hashes that should be retained. These hashes can be used to ensure that the user doesn't reuse the specified number of previous passwords when they change their password.

Specified by:
getMaxOldPasswordHashes in interface SecurityConfiguration
Returns:
the number of old hashed passwords to retain

getUploadDirectory

public java.io.File getUploadDirectory()
Retrieves the upload directory as specified in the ESAPI.properties file.

Specified by:
getUploadDirectory in interface SecurityConfiguration
Returns:
the upload directory

getUploadTempDirectory

public java.io.File getUploadTempDirectory()
Retrieves the temp directory to use when uploading files, as specified in ESAPI.properties.

Specified by:
getUploadTempDirectory in interface SecurityConfiguration
Returns:
the temp directory

getDisableIntrusionDetection

public boolean getDisableIntrusionDetection()
Allows for complete disabling of all intrusion detection mechanisms

Specified by:
getDisableIntrusionDetection in interface SecurityConfiguration
Returns:
true if intrusion detection should be disabled

getQuota

public SecurityConfiguration.Threshold getQuota(java.lang.String eventName)
Gets the intrusion detection quota for the specified event.

Specified by:
getQuota in interface SecurityConfiguration
Parameters:
eventName - the name of the event whose quota is desired
Returns:
the Quota that has been configured for the specified type of event

getLogLevel

public int getLogLevel()
Returns the current log level.

Specified by:
getLogLevel in interface SecurityConfiguration
Returns:
An integer representing the current log level.

getLogFileName

public java.lang.String getLogFileName()
Get the name of the log file specified in the ESAPI configuration properties file. Return a default value if it is not specified.

Specified by:
getLogFileName in interface SecurityConfiguration
Returns:
the log file name defined in the properties file.

getMaxLogFileSize

public int getMaxLogFileSize()
Get the maximum size of a single log file from the ESAPI configuration properties file. Return a default value if it is not specified. Once the log hits this file size, it will roll over into a new log.

Specified by:
getMaxLogFileSize in interface SecurityConfiguration
Returns:
the maximum size of a single log file (in bytes).

getLogEncodingRequired

public boolean getLogEncodingRequired()
Returns whether HTML entity encoding should be applied to log entries.

Specified by:
getLogEncodingRequired in interface SecurityConfiguration
Returns:
True if log entries are to be HTML Entity encoded. False otherwise.

getLogApplicationName

public boolean getLogApplicationName()
Returns whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.

Specified by:
getLogApplicationName in interface SecurityConfiguration
Returns:
True if ESAPI should log the application name, False otherwise

getLogServerIP

public boolean getLogServerIP()
Returns whether ESAPI should log the server IP. This might be clutter in some single-server environments.

Specified by:
getLogServerIP in interface SecurityConfiguration
Returns:
True if ESAPI should log the server IP and port, False otherwise

getForceHttpOnlySession

public boolean getForceHttpOnlySession()
Forces new cookies to have HttpOnly flag set.

Specified by:
getForceHttpOnlySession in interface SecurityConfiguration

getForceSecureSession

public boolean getForceSecureSession()
Forces session cookies to have Secure flag set.

Specified by:
getForceSecureSession in interface SecurityConfiguration

getForceHttpOnlyCookies

public boolean getForceHttpOnlyCookies()
Forces new cookies to have HttpOnly flag set.

Specified by:
getForceHttpOnlyCookies in interface SecurityConfiguration

getForceSecureCookies

public boolean getForceSecureCookies()
Forces new cookies to have Secure flag set.

Specified by:
getForceSecureCookies in interface SecurityConfiguration

getMaxHttpHeaderSize

public int getMaxHttpHeaderSize()
Returns the maximum allowable HTTP header size.

Specified by:
getMaxHttpHeaderSize in interface SecurityConfiguration

getResponseContentType

public java.lang.String getResponseContentType()
Gets the content type for responses used when setSafeContentType() is called.

Note: This does not get the configured character encoding scheme. That is accessed by calling getCharacterEncoding().

Specified by:
getResponseContentType in interface SecurityConfiguration
Returns:
The current content-type set for responses.

getHttpSessionIdName

public java.lang.String getHttpSessionIdName()
This method returns the configured name of the session identifier, likely "JSESSIONID" though this can be overridden.

Specified by:
getHttpSessionIdName in interface SecurityConfiguration
Returns:
The name of the session identifier, like "JSESSIONID"

getRememberTokenDuration

public long getRememberTokenDuration()
Gets the length of the time to live window for remember me tokens (in milliseconds).

Specified by:
getRememberTokenDuration in interface SecurityConfiguration
Returns:
The time to live length for generated remember me tokens.

getSessionIdleTimeoutLength

public int getSessionIdleTimeoutLength()
Gets the idle timeout length for sessions (in milliseconds). This is the amount of time that a session can live before it expires due to lack of activity. Applications or frameworks could provide a reauthenticate function that enables a session to continue after reauthentication.

Specified by:
getSessionIdleTimeoutLength in interface SecurityConfiguration
Returns:
The session idle timeout length.

getSessionAbsoluteTimeoutLength

public int getSessionAbsoluteTimeoutLength()
Gets the absolute timeout length for sessions (in milliseconds). This is the amount of time that a session can live before it expires regardless of the amount of user activity. Applications or frameworks could provide a reauthenticate function that enables a session to continue after reauthentication.

Specified by:
getSessionAbsoluteTimeoutLength in interface SecurityConfiguration
Returns:
The session absolute timeout length.

getValidationPattern

public java.util.regex.Pattern getValidationPattern(java.lang.String key)
getValidationPattern returns a single pattern based upon key

Specified by:
getValidationPattern in interface SecurityConfiguration
Parameters:
key - validation pattern name you'd like
Returns:
if key exists, the associated validation pattern, null otherwise

getWorkingDirectory

public java.io.File getWorkingDirectory()
getWorkingDirectory returns the default directory where processes will be executed by the Executor.

Specified by:
getWorkingDirectory in interface SecurityConfiguration

getPreferredJCEProvider

public java.lang.String getPreferredJCEProvider()
Retrieve the preferred JCE provider for ESAPI and your application. ESAPI 2.0 now allows setting the property Encryptor.PreferredJCEProvider in the ESAPI.properties file, which will cause the specified JCE provider to be automatically and dynamically loaded (assuming that SecurityManager permissions allow) as the preferred JCE provider. (Note this only happens if the JCE provider is not already loaded.) This method returns the property Encryptor.PreferredJCEProvider. By default, this Encryptor.PreferredJCEProvider property is set to an empty string, which means that the preferred JCE provider is not changed.

Specified by:
getPreferredJCEProvider in interface SecurityConfiguration
Returns:
The property Encryptor.PreferredJCEProvider is returned.
See Also:
org.owasp.esapi.crypto.SecurityProvider

getCombinedCipherModes

public java.util.List<java.lang.String> getCombinedCipherModes()
Return a List of strings of combined cipher modes that support both confidentiality and authenticity. These would be preferred cipher modes to use if your JCE provider supports them. If such a cipher mode is used, no explicit separate MAC is calculated as part of the CipherText object upon encryption nor is any attempt made to verify the same on decryption.

The list is taken from the comma-separated list of cipher modes specified by the ESAPI property Encryptor.cipher_modes.combined_modes.

Specified by:
getCombinedCipherModes in interface SecurityConfiguration
Returns:
The parsed list of comma-separated cipher modes if the property was specified in ESAPI.properties; otherwise the empty list is returned.

getAdditionalAllowedCipherModes

public java.util.List<java.lang.String> getAdditionalAllowedCipherModes()
Return List of strings of additional cipher modes that are permitted (i.e., in addition to those returned by #getPreferredCipherModes()) to be used for encryption and decryption operations.

The list is taken from the comma-separated list of cipher modes specified by the ESAPI property Encryptor.cipher_modes.additional_allowed.

Specified by:
getAdditionalAllowedCipherModes in interface SecurityConfiguration
Returns:
The parsed list of comma-separated cipher modes if the property was specified in ESAPI.properties; otherwise the empty list is returned.
See Also:
#getPreferredCipherModes()

getLenientDatesAccepted

public boolean getLenientDatesAccepted()
Determines whether ESAPI will accept "lenient" dates when attempting to parse dates. Controlled by ESAPI property Validator.AcceptLenientDates, which defaults to false if unset.

Specified by:
getLenientDatesAccepted in interface SecurityConfiguration
Returns:
True if lenient dates are accepted; false otherwise.
See Also:
DateFormat.setLenient(boolean)

getESAPIProperty

protected java.lang.String getESAPIProperty(java.lang.String key,
                                            java.lang.String def)

getESAPIProperty

protected boolean getESAPIProperty(java.lang.String key,
                                   boolean def)

getESAPIPropertyEncoded

protected byte[] getESAPIPropertyEncoded(java.lang.String key,
                                         byte[] def)

getESAPIProperty

protected int getESAPIProperty(java.lang.String key,
                               int def)

getESAPIProperty

protected java.util.List<java.lang.String> getESAPIProperty(java.lang.String key,
                                                            java.util.List<java.lang.String> def)
Returns a List representing the parsed, comma-separated property.

Parameters:
key - The specified property name
def - A default value for the property name to return if the property is not set.
Returns:
A list of strings.

shouldPrintProperties

protected boolean shouldPrintProperties()

getESAPIProperties

protected java.util.Properties getESAPIProperties()


Copyright © 2011 The Open Web Application Security Project (OWASP). All Rights Reserved.