org.owasp.esapi

Interface SecurityConfiguration

All Superinterfaces:

EsapiPropertyLoader

All Known Implementing Classes:

DefaultSecurityConfiguration

public interface SecurityConfiguration
extends EsapiPropertyLoader

The SecurityConfiguration interface stores all configuration information that directs the behavior of the ESAPI implementation.

Protection of this configuration information is critical to the secure operation of the application using the ESAPI. You should use operating system access controls to limit access to wherever the configuration information is stored.

Please note that adding another layer of encryption does not make the attackers job much more difficult. Somewhere there must be a master "secret" that is stored unencrypted on the application platform (unless you are willing to prompt for some passphrase when you application starts or insert a USB thumb drive or an HSM card, etc., in which case this master "secret" it would only be in memory). Creating another layer of indirection provides additional obfuscation, but doesn't provide any real additional security. It's up to the reference implementation to decide whether this file should be encrypted or not.

The ESAPI reference implementation (DefaultSecurityConfiguration.java) does not encrypt its properties file.

Since:

June 1, 2007

Author:

Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security

Nested Class Summary

Nested Classes

Modifier and Type	Interface and Description
static class	SecurityConfiguration.Threshold Models a simple threshold as a count and an interval, along with a set of actions to take if the threshold is exceeded.

Method Summary

Modifier and Type	Method and Description
String	getAccessControlImplementation() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
List<String>	getAdditionalAllowedCipherModes() Return List of strings of additional cipher modes that are permitted (i.e., in addition to those returned by getCombinedCipherModes()) to be used for encryption and decryption operations.
List<String>	getAllowedExecutables() Gets the allowed executables to run with the Executor.
List<String>	getAllowedFileExtensions() Gets the allowed file extensions for files that are uploaded to this application.
int	getAllowedFileUploadSize() Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
int	getAllowedLoginAttempts() Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
boolean	getAllowMixedEncoding() Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
boolean	getAllowMultipleEncoding() Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
String	getApplicationName() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
String	getAuthenticationImplementation() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
String	getCharacterEncoding() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
String	getCipherTransformation() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
List<String>	getCombinedCipherModes() Return a List of strings of combined cipher modes that support both confidentiality and authenticity.
List<String>	getDefaultCanonicalizationCodecs() Returns the List of Codecs to use when canonicalizing data
String	getDigitalSignatureAlgorithm() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
int	getDigitalSignatureKeyLength() Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
boolean	getDisableIntrusionDetection() Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
String	getEncoderImplementation() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
String	getEncryptionAlgorithm() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
String	getEncryptionImplementation() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
int	getEncryptionKeyLength() Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
String	getExecutorImplementation() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
boolean	getForceHttpOnlyCookies() Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
boolean	getForceHttpOnlySession() Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
boolean	getForceSecureCookies() Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
boolean	getForceSecureSession() Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
String	getHashAlgorithm() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
int	getHashIterations() Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
String	getHttpSessionIdName() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
String	getHTTPUtilitiesImplementation() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
String	getIntrusionDetectionImplementation() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
String	getIVType() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead. This method will be removed in a future release as it is now moot since it can only legitimately have the single value of "random".
String	getKDFPseudoRandomFunction() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
boolean	getLenientDatesAccepted() Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
boolean	getLogApplicationName() Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
boolean	getLogEncodingRequired() Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
String	getLogImplementation() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
boolean	getLogServerIP() Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
byte[]	getMasterKey() Deprecated. Use SecurityConfiguration.getByteArrayProp("appropriate_esapi_prop_name") instead.
byte[]	getMasterSalt() Deprecated. Use SecurityConfiguration.getByteArrayProp("appropriate_esapi_prop_name") instead.
int	getMaxHttpHeaderSize() Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
int	getMaxOldPasswordHashes() Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
String	getPasswordParameterName() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
String	getPreferredJCEProvider() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
SecurityConfiguration.Threshold	getQuota(String eventName) Gets the intrusion detection quota for the specified event.
String	getRandomAlgorithm() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
String	getRandomizerImplementation() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
long	getRememberTokenDuration() Gets the length of the time to live window for remember me tokens (in milliseconds).
File	getResourceFile(String filename) Gets a file from the resource directory
InputStream	getResourceStream(String filename) Gets an InputStream to a file in the resource directory
String	getResponseContentType() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
int	getSessionAbsoluteTimeoutLength() Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
int	getSessionIdleTimeoutLength() Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
File	getUploadDirectory() Retrieves the upload directory as specified in the ESAPI.properties file.
File	getUploadTempDirectory() Retrieves the temp directory to use when uploading files, as specified in ESAPI.properties.
String	getUsernameParameterName() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
String	getValidationImplementation() Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
Pattern	getValidationPattern(String typeName) Returns the validation pattern for a particular type
File	getWorkingDirectory() Returns the default working directory for executing native processes with Runtime.exec().
boolean	overwritePlainText() Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
String	setCipherTransformation(String cipherXform) Deprecated. To be replaced by new class in ESAPI 2.1, but here if you need it until then. Details of replacement forthcoming to ESAPI-Dev list. Most likely to be replaced by a new CTOR for JavaEncryptor that takes a list of properties to override.
void	setResourceDirectory(String dir) Sets the ESAPI resource directory.
boolean	useMACforCipherText() Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Methods inherited from interface org.owasp.esapi.configuration.EsapiPropertyLoader

getBooleanProp, getByteArrayProp, getIntProp, getStringProp

Method Detail

getApplicationName

@Deprecated
String getApplicationName()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Gets the application name, used for logging

Returns:

the name of the current application

getLogImplementation

@Deprecated
String getLogImplementation()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Returns the fully qualified classname of the ESAPI Logging implementation.

getAuthenticationImplementation

@Deprecated
String getAuthenticationImplementation()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Returns the fully qualified classname of the ESAPI Authentication implementation.

getEncoderImplementation

@Deprecated
String getEncoderImplementation()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Returns the fully qualified classname of the ESAPI Encoder implementation.

getAccessControlImplementation

@Deprecated
String getAccessControlImplementation()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Returns the fully qualified classname of the ESAPI Access Control implementation.

getIntrusionDetectionImplementation

@Deprecated
String getIntrusionDetectionImplementation()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Returns the fully qualified classname of the ESAPI Intrusion Detection implementation.

getRandomizerImplementation

@Deprecated
String getRandomizerImplementation()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Returns the fully qualified classname of the ESAPI Randomizer implementation.

getEncryptionImplementation

@Deprecated
String getEncryptionImplementation()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Returns the fully qualified classname of the ESAPI Encryption implementation.

getValidationImplementation

@Deprecated
String getValidationImplementation()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Returns the fully qualified classname of the ESAPI Validation implementation.

getValidationPattern

Pattern getValidationPattern(String typeName)

Returns the validation pattern for a particular type

Parameters:

typeName -

Returns:

the validation pattern

getLenientDatesAccepted

@Deprecated
boolean getLenientDatesAccepted()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Determines whether ESAPI will accept "lenient" dates when attempt to parse dates. Controlled by ESAPI property Validator.AcceptLenientDates, which defaults to false if unset.

Returns:

True if lenient dates are accepted; false otherwise.

See Also:

DateFormat.setLenient(boolean)

getExecutorImplementation

@Deprecated
String getExecutorImplementation()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Returns the fully qualified classname of the ESAPI OS Execution implementation.

getHTTPUtilitiesImplementation

@Deprecated
String getHTTPUtilitiesImplementation()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Returns the fully qualified classname of the ESAPI HTTPUtilities implementation.

getMasterKey

@Deprecated
byte[] getMasterKey()

Deprecated. Use SecurityConfiguration.getByteArrayProp("appropriate_esapi_prop_name") instead.

Gets the master key. This password is used to encrypt/decrypt other files or types of data that need to be protected by your application.

Returns:

the current master key

getUploadDirectory

File getUploadDirectory()

Retrieves the upload directory as specified in the ESAPI.properties file.

Returns:

the upload directory

getUploadTempDirectory

File getUploadTempDirectory()

Retrieves the temp directory to use when uploading files, as specified in ESAPI.properties.

Returns:

the temp directory

getEncryptionKeyLength

@Deprecated
int getEncryptionKeyLength()

Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.

Gets the key length to use in cryptographic operations declared in the ESAPI properties file. Note that this corresponds to the ESAPI property Encryptor.EncryptionKeyLength which is considered the default key size that ESAPI will use for symmetric ciphers supporting multiple key sizes. (Note that there is also an Encryptor.MinEncryptionKeyLength, which is the minimum key size (in bits) that ESAPI will support for encryption. (There is no minimum for decryption.)

Returns:

the key length (in bits)

getMasterSalt

@Deprecated
byte[] getMasterSalt()

Deprecated. Use SecurityConfiguration.getByteArrayProp("appropriate_esapi_prop_name") instead.

Gets the master salt that is used to salt stored password hashes and any other location where a salt is needed.

Returns:

the current master salt

getAllowedExecutables

List<String> getAllowedExecutables()

Gets the allowed executables to run with the Executor.

Returns:

a list of the current allowed file extensions

getAllowedFileExtensions

List<String> getAllowedFileExtensions()

Gets the allowed file extensions for files that are uploaded to this application.

Returns:

a list of the current allowed file extensions

getAllowedFileUploadSize

@Deprecated
int getAllowedFileUploadSize()

Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.

Gets the maximum allowed file upload size.

Returns:

the current allowed file upload size

getPasswordParameterName

@Deprecated
String getPasswordParameterName()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Gets the name of the password parameter used during user authentication.

Returns:

the name of the password parameter

getUsernameParameterName

@Deprecated
String getUsernameParameterName()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Gets the name of the username parameter used during user authentication.

Returns:

the name of the username parameter

getEncryptionAlgorithm

@Deprecated
String getEncryptionAlgorithm()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Gets the encryption algorithm used by ESAPI to protect data. This is mostly used for compatibility with ESAPI 1.4; ESAPI 2.0 prefers to use "cipher transformation" since it supports multiple cipher modes and padding schemes.

Returns:

the current encryption algorithm

getCipherTransformation

@Deprecated
String getCipherTransformation()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Retrieve the cipher transformation. In general, the cipher transformation is a specification of cipher algorithm, cipher mode, and padding scheme and in general, is a String that takes the following form:

         cipher_alg/cipher_mode[bits]/padding_scheme
 

where cipher_alg is the JCE cipher algorithm (e.g., "DESede"), cipher_mode is the cipher mode (e.g., "CBC", "CFB", "CTR", etc.), and padding_scheme is the cipher padding scheme (e.g., "NONE" for no padding, "PKCS5Padding" for PKCS#5 padding, etc.) and where [bits] is an optional bit size that applies to certain cipher modes such as CFB and OFB. Using modes such as CFB and OFB, block ciphers can encrypt data in units smaller than the cipher's actual block size. When requesting such a mode, you may optionally specify the number of bits to be processed at a time. This generally must be an integral multiple of 8-bits so that it can specify a whole number of octets.

Examples are:

         "AES/ECB/NoPadding"        // Default for ESAPI Java 1.4 (insecure)
         "AES/CBC/PKCS5Padding"    // Default for ESAPI Java 2.0
         "DESede/OFB32/PKCS5Padding"
 

NOTE: Occasionally, in cryptographic literature, you may also see the key size (in bits) specified after the cipher algorithm in the cipher transformation. Generally, this is done to account for cipher algorithms that have variable key sizes. The Blowfish cipher for example supports key sizes from 32 to 448 bits. So for Blowfish, you might see a cipher transformation something like this:

         "Blowfish-192/CFB8/PKCS5Padding"
 

in the cryptographic literature. It should be noted that the Java Cryptography Extensions (JCE) do not generally support this (at least not the reference JCE implementation of "SunJCE"), and therefore it should be avoided.

Returns:

The cipher transformation.

setCipherTransformation

@Deprecated
String setCipherTransformation(String cipherXform)

Deprecated. To be replaced by new class in ESAPI 2.1, but here if you need it until then. Details of replacement forthcoming to ESAPI-Dev list. Most likely to be replaced by a new CTOR for JavaEncryptor that takes a list of properties to override.

Set the cipher transformation. This allows a different cipher transformation to be used without changing the ESAPI.properties file. For instance you may normally want to use AES/CBC/PKCS5Padding, but have some legacy encryption where you have ciphertext that was encrypted using 3DES.

Parameters:

cipherXform - The new cipher transformation. See getCipherTransformation() for format. If null is passed as the parameter, the cipher transformation will be set to the the default taken from the property Encryptor.CipherTransformation in the ESAPI.properties file. BEWARE: there is NO sanity checking here (other than the empty string, and then, only if Java assertions are enabled), so if you set this wrong, you will not get any errors until you later try to use it to encrypt or decrypt data.

Returns:

The previous cipher transformation is returned for convenience, with the assumption that you may wish to restore it once you have completed the encryption / decryption with the new cipher transformation.

getPreferredJCEProvider

@Deprecated
String getPreferredJCEProvider()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Retrieve the preferred JCE provider for ESAPI and your application. ESAPI 2.0 now allows setting the property Encryptor.PreferredJCEProvider in the ESAPI.properties file, which will cause the specified JCE provider to be automatically and dynamically loaded (assuming that SecurityManager permissions allow) as the Ii>preferred JCE provider. (Note this only happens if the JCE provider is not already loaded.) This method returns the property Encryptor.PreferredJCEProvider. By default, this Encryptor.PreferredJCEProvider property is set to an empty string, which means that the preferred JCE provider is not changed.

Returns:

The property Encryptor.PreferredJCEProvider is returned.

See Also:

SecurityProviderLoader

useMACforCipherText

@Deprecated
boolean useMACforCipherText()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Determines whether the CipherText should be used with a Message Authentication Code (MAC). Generally this makes for a more robust cryptographic scheme, but there are some minor performance implications. Controlled by the ESAPI property Encryptor.CipherText.useMAC.

For further details, see the "Advanced Usage" section of "Why Is OWASP Changing ESAPI Encryption?".

Returns:

true if a you want a MAC to be used, otherwise false.

overwritePlainText

@Deprecated
boolean overwritePlainText()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Indicates whether the PlainText objects may be overwritten after they have been encrypted. Generally this is a good idea, especially if your VM is shared by multiple applications (e.g., multiple applications running in the same J2EE container) or if there is a possibility that your VM may leave a core dump (say because it is running non-native Java code.

Controlled by the property Encryptor.PlainText.overwrite in the ESAPI.properties file.

Returns:

True if it is OK to overwrite the PlainText objects after encrypting, false otherwise.

getIVType

@Deprecated
String getIVType()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead. This method will be removed in a future release as it is now moot since it can only legitimately have the single value of "random".

Get a string indicating how to compute an Initialization Vector (IV). Currently supported modes are "random" to generate a random IV or "fixed" to use a fixed (static) IV. WARNING: 'fixed' was only intended to support legacy applications with fixed IVs, but the use of non-random IVs is inherently insecure, especially for any supported cipher mode that is considered a streaming mode (which is basically anything except CBC for modes that support require an IV). For this reason, 'fixed' has now been removed (it was considered deprecated since release 2.2.0.0). An ESAPI.properties value of fixed for the property Encryptor.ChooseIVMethod will now result in a ConfigurationException being thrown.

Returns:

A string specifying the IV type. Should be "random". Anything else should fail with a ConfigurationException being thrown.

getCombinedCipherModes

List<String> getCombinedCipherModes()

Return a List of strings of combined cipher modes that support both confidentiality and authenticity. These would be preferred cipher modes to use if your JCE provider supports them. If such a cipher mode is used, no explicit separate MAC is calculated as part of the CipherText object upon encryption nor is any attempt made to verify the same on decryption.

The list is taken from the comma-separated list of cipher modes specified by the ESAPI property Encryptor.cipher_modes.combined_modes.

Returns:

The parsed list of comma-separated cipher modes if the property was specified in ESAPI.properties; otherwise the empty list is returned.

getAdditionalAllowedCipherModes

List<String> getAdditionalAllowedCipherModes()

Return List of strings of additional cipher modes that are permitted (i.e., in addition to those returned by getCombinedCipherModes()) to be used for encryption and decryption operations.

The list is taken from the comma-separated list of cipher modes specified by the ESAPI property Encryptor.cipher_modes.additional_allowed.

Returns:

The parsed list of comma-separated cipher modes if the property was specified in ESAPI.properties; otherwise the empty list is returned.

See Also:

getCombinedCipherModes()

getHashAlgorithm

@Deprecated
String getHashAlgorithm()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Gets the hashing algorithm used by ESAPI to hash data.

Returns:

the current hashing algorithm

getHashIterations

@Deprecated
int getHashIterations()

Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.

Gets the hash iterations used by ESAPI to hash data.

Returns:

the current hashing algorithm

getKDFPseudoRandomFunction

@Deprecated
String getKDFPseudoRandomFunction()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Retrieve the Pseudo Random Function (PRF) used by the ESAPI Key Derivation Function (KDF).

Returns:

The KDF PRF algorithm name.

getCharacterEncoding

@Deprecated
String getCharacterEncoding()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Gets the character encoding scheme supported by this application. This is used to set the character encoding scheme on requests and responses when setCharacterEncoding() is called on SafeRequests and SafeResponses. This scheme is also used for encoding/decoding URLs and any other place where the current encoding scheme needs to be known.

Note: This does not get the configured response content type. That is accessed by calling getResponseContentType().

Returns:

the current character encoding scheme

getAllowMultipleEncoding

@Deprecated
boolean getAllowMultipleEncoding()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Return true if multiple encoding is allowed

Returns:

whether multiple encoding is allowed when canonicalizing data

getAllowMixedEncoding

@Deprecated
boolean getAllowMixedEncoding()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Return true if mixed encoding is allowed

Returns:

whether mixed encoding is allowed when canonicalizing data

getDefaultCanonicalizationCodecs

List<String> getDefaultCanonicalizationCodecs()

Returns the List of Codecs to use when canonicalizing data

Returns:

the codec list

getDigitalSignatureAlgorithm

@Deprecated
String getDigitalSignatureAlgorithm()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Gets the digital signature algorithm used by ESAPI to generate and verify signatures.

Returns:

the current digital signature algorithm

getDigitalSignatureKeyLength

@Deprecated
int getDigitalSignatureKeyLength()

Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.

Gets the digital signature key length used by ESAPI to generate and verify signatures.

Returns:

the current digital signature key length

getRandomAlgorithm

@Deprecated
String getRandomAlgorithm()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Gets the random number generation algorithm used to generate random numbers where needed.

Returns:

the current random number generation algorithm

getAllowedLoginAttempts

@Deprecated
int getAllowedLoginAttempts()

Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.

Gets the number of login attempts allowed before the user's account is locked. If this many failures are detected within the alloted time period, the user's account will be locked.

Returns:

the number of failed login attempts that cause an account to be locked

getMaxOldPasswordHashes

@Deprecated
int getMaxOldPasswordHashes()

Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.

Gets the maximum number of old password hashes that should be retained. These hashes can be used to ensure that the user doesn't reuse the specified number of previous passwords when they change their password.

Returns:

the number of old hashed passwords to retain

getDisableIntrusionDetection

@Deprecated
boolean getDisableIntrusionDetection()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Allows for complete disabling of all intrusion detection mechanisms

Returns:

true if intrusion detection should be disabled

getQuota

SecurityConfiguration.Threshold getQuota(String eventName)

Gets the intrusion detection quota for the specified event.

Parameters:

eventName - the name of the event whose quota is desired

Returns:

the Quota that has been configured for the specified type of event

getResourceFile

File getResourceFile(String filename)

Gets a file from the resource directory

Parameters:

filename - The file name resource.

Returns:

A File object representing the specified file name or null if not found.

getForceHttpOnlySession

@Deprecated
boolean getForceHttpOnlySession()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Returns true if session cookies are required to have HttpOnly flag set.

getForceSecureSession

@Deprecated
boolean getForceSecureSession()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Returns true if session cookies are required to have Secure flag set.

getForceHttpOnlyCookies

@Deprecated
boolean getForceHttpOnlyCookies()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Returns true if new cookies are required to have HttpOnly flag set.

getForceSecureCookies

@Deprecated
boolean getForceSecureCookies()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Returns true if new cookies are required to have Secure flag set.

getMaxHttpHeaderSize

@Deprecated
int getMaxHttpHeaderSize()

Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.

Returns the maximum allowable HTTP header size.

getResourceStream

InputStream getResourceStream(String filename)
                       throws IOException

Gets an InputStream to a file in the resource directory

Parameters:

filename - A file name in the resource directory.

Returns:

An InputStream to the specified file name in the resource directory.

Throws:

IOException - If the specified file name cannot be found or opened for reading.

setResourceDirectory

void setResourceDirectory(String dir)

Sets the ESAPI resource directory.

Parameters:

dir - The location of the resource directory.

getResponseContentType

@Deprecated
String getResponseContentType()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

Gets the content type for responses used when setSafeContentType() is called.

Note: This does not get the configured character encoding scheme. That is accessed by calling getCharacterEncoding().

Returns:

The current content-type set for responses.

getHttpSessionIdName

@Deprecated
String getHttpSessionIdName()

Deprecated. Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.

This method returns the configured name of the session identifier, likely "JSESSIONID" though this can be overridden.

Returns:

The name of the session identifier, like "JSESSIONID"

getRememberTokenDuration

long getRememberTokenDuration()

Gets the length of the time to live window for remember me tokens (in milliseconds).

Returns:

The time to live length for generated "remember me" tokens.

getSessionIdleTimeoutLength

@Deprecated
int getSessionIdleTimeoutLength()

Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.

Gets the idle timeout length for sessions (in milliseconds). This is the amount of time that a session can live before it expires due to lack of activity. Applications or frameworks could provide a reauthenticate function that enables a session to continue after reauthentication.

Returns:

The session idle timeout length.

getSessionAbsoluteTimeoutLength

@Deprecated
int getSessionAbsoluteTimeoutLength()

Deprecated. Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.

Gets the absolute timeout length for sessions (in milliseconds). This is the amount of time that a session can live before it expires regardless of the amount of user activity. Applications or frameworks could provide a reauthenticate function that enables a session to continue after reauthentication.

Returns:

The session absolute timeout length.

getLogEncodingRequired

@Deprecated
boolean getLogEncodingRequired()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Returns whether HTML entity encoding should be applied to log entries.

Returns:

True if log entries are to be HTML Entity encoded. False otherwise.

getLogApplicationName

@Deprecated
boolean getLogApplicationName()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Returns whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.

Returns:

True if ESAPI should log the application name, False otherwise

getLogServerIP

@Deprecated
boolean getLogServerIP()

Deprecated. Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.

Returns whether ESAPI should log the server IP. This might be clutter in some single-server environments.

Returns:

True if ESAPI should log the server IP and port, False otherwise

getWorkingDirectory

File getWorkingDirectory()

Returns the default working directory for executing native processes with Runtime.exec().