Interface SecurityConfiguration

  • All Superinterfaces:
    EsapiPropertyLoader
    All Known Implementing Classes:
    DefaultSecurityConfiguration

    public interface SecurityConfiguration
    extends EsapiPropertyLoader
    The SecurityConfiguration interface stores all configuration information that directs the behavior of the ESAPI implementation.

    Protection of this configuration information is critical to the secure operation of the application using the ESAPI. You should use operating system access controls to limit access to wherever the configuration information is stored.

    Please note that adding another layer of encryption does not make the attackers job much more difficult. Somewhere there must be a master "secret" that is stored unencrypted on the application platform (unless you are willing to prompt for some passphrase when you application starts or insert a USB thumb drive or an HSM card, etc., in which case this master "secret" it would only be in memory). Creating another layer of indirection provides additional obfuscation, but doesn't provide any real additional security. It's up to the reference implementation to decide whether this file should be encrypted or not.

    The ESAPI reference implementation (DefaultSecurityConfiguration.java) does not encrypt its properties file.
    Since:
    June 1, 2007
    Author:
    Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
    • Nested Class Summary

      Nested Classes 
      Modifier and Type Interface Description
      static class  SecurityConfiguration.Threshold
      Models a simple threshold as a count and an interval, along with a set of actions to take if the threshold is exceeded.
    • Method Summary

      All Methods Instance Methods Abstract Methods Deprecated Methods 
      Modifier and Type Method Description
      java.lang.String getAccessControlImplementation()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      java.util.List<java.lang.String> getAdditionalAllowedCipherModes()
      Return List of strings of additional cipher modes that are permitted (i.e., in addition to those returned by getCombinedCipherModes()) to be used for encryption and decryption operations.
      java.util.List<java.lang.String> getAllowedExecutables()
      Gets the allowed executables to run with the Executor.
      java.util.List<java.lang.String> getAllowedFileExtensions()
      Gets the allowed file extensions for files that are uploaded to this application.
      int getAllowedFileUploadSize()
      Deprecated.
      Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
      int getAllowedLoginAttempts()
      Deprecated.
      Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
      boolean getAllowMixedEncoding()
      Deprecated.
      Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
      boolean getAllowMultipleEncoding()
      Deprecated.
      Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
      java.lang.String getApplicationName()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      java.lang.String getAuthenticationImplementation()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      java.lang.String getCharacterEncoding()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      java.lang.String getCipherTransformation()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      java.util.List<java.lang.String> getCombinedCipherModes()
      Return a List of strings of combined cipher modes that support both confidentiality and authenticity.
      java.util.List<java.lang.String> getDefaultCanonicalizationCodecs()
      Returns the List of Codecs to use when canonicalizing data
      java.lang.String getDigitalSignatureAlgorithm()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      int getDigitalSignatureKeyLength()
      Deprecated.
      Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
      boolean getDisableIntrusionDetection()
      Deprecated.
      Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
      java.lang.String getEncoderImplementation()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      java.lang.String getEncryptionAlgorithm()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      java.lang.String getEncryptionImplementation()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      int getEncryptionKeyLength()
      Deprecated.
      Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
      java.lang.String getExecutorImplementation()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      java.lang.String getFixedIV()
      Deprecated.
      Short term: use SecurityConfiguration.getByteArrayProp("appropriate_esapi_prop_name") instead.
      boolean getForceHttpOnlyCookies()
      Deprecated.
      Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
      boolean getForceHttpOnlySession()
      Deprecated.
      Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
      boolean getForceSecureCookies()
      Deprecated.
      Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
      boolean getForceSecureSession()
      Deprecated.
      Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
      java.lang.String getHashAlgorithm()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      int getHashIterations()
      Deprecated.
      Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
      java.lang.String getHttpSessionIdName()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      java.lang.String getHTTPUtilitiesImplementation()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      java.lang.String getIntrusionDetectionImplementation()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      java.lang.String getIVType()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      java.lang.String getKDFPseudoRandomFunction()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      boolean getLenientDatesAccepted()
      Deprecated.
      Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
      boolean getLogApplicationName()
      Deprecated.
      Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
      boolean getLogEncodingRequired()
      Deprecated.
      Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
      java.lang.String getLogImplementation()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      boolean getLogServerIP()
      Deprecated.
      Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
      byte[] getMasterKey()
      Deprecated.
      Use SecurityConfiguration.getByteArrayProp("appropriate_esapi_prop_name") instead.
      byte[] getMasterSalt()
      Deprecated.
      Use SecurityConfiguration.getByteArrayProp("appropriate_esapi_prop_name") instead.
      int getMaxHttpHeaderSize()
      Deprecated.
      Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
      int getMaxOldPasswordHashes()
      Deprecated.
      Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
      java.lang.String getPasswordParameterName()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      java.lang.String getPreferredJCEProvider()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      SecurityConfiguration.Threshold getQuota​(java.lang.String eventName)
      Gets the intrusion detection quota for the specified event.
      java.lang.String getRandomAlgorithm()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      java.lang.String getRandomizerImplementation()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      long getRememberTokenDuration()
      Gets the length of the time to live window for remember me tokens (in milliseconds).
      java.io.File getResourceFile​(java.lang.String filename)
      Gets a file from the resource directory
      java.io.InputStream getResourceStream​(java.lang.String filename)
      Gets an InputStream to a file in the resource directory
      java.lang.String getResponseContentType()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      int getSessionAbsoluteTimeoutLength()
      Deprecated.
      Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
      int getSessionIdleTimeoutLength()
      Deprecated.
      Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
      java.io.File getUploadDirectory()
      Retrieves the upload directory as specified in the ESAPI.properties file.
      java.io.File getUploadTempDirectory()
      Retrieves the temp directory to use when uploading files, as specified in ESAPI.properties.
      java.lang.String getUsernameParameterName()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      java.lang.String getValidationImplementation()
      Deprecated.
      Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
      java.util.regex.Pattern getValidationPattern​(java.lang.String typeName)
      Returns the validation pattern for a particular type
      java.io.File getWorkingDirectory()
      Returns the default working directory for executing native processes with Runtime.exec().
      boolean overwritePlainText()
      Deprecated.
      Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
      java.lang.String setCipherTransformation​(java.lang.String cipherXform)
      Deprecated.
      To be replaced by new class in ESAPI 2.1, but here if you need it until then.
      void setResourceDirectory​(java.lang.String dir)
      Sets the ESAPI resource directory.
      boolean useMACforCipherText()
      Deprecated.
      Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
    • Method Detail

      • getApplicationName

        @Deprecated
        java.lang.String getApplicationName()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        Gets the application name, used for logging
        Returns:
        the name of the current application
      • getLogImplementation

        @Deprecated
        java.lang.String getLogImplementation()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        Returns the fully qualified classname of the ESAPI Logging implementation.
      • getAuthenticationImplementation

        @Deprecated
        java.lang.String getAuthenticationImplementation()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        Returns the fully qualified classname of the ESAPI Authentication implementation.
      • getEncoderImplementation

        @Deprecated
        java.lang.String getEncoderImplementation()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        Returns the fully qualified classname of the ESAPI Encoder implementation.
      • getAccessControlImplementation

        @Deprecated
        java.lang.String getAccessControlImplementation()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        Returns the fully qualified classname of the ESAPI Access Control implementation.
      • getIntrusionDetectionImplementation

        @Deprecated
        java.lang.String getIntrusionDetectionImplementation()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        Returns the fully qualified classname of the ESAPI Intrusion Detection implementation.
      • getRandomizerImplementation

        @Deprecated
        java.lang.String getRandomizerImplementation()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        Returns the fully qualified classname of the ESAPI Randomizer implementation.
      • getEncryptionImplementation

        @Deprecated
        java.lang.String getEncryptionImplementation()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        Returns the fully qualified classname of the ESAPI Encryption implementation.
      • getValidationImplementation

        @Deprecated
        java.lang.String getValidationImplementation()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        Returns the fully qualified classname of the ESAPI Validation implementation.
      • getValidationPattern

        java.util.regex.Pattern getValidationPattern​(java.lang.String typeName)
        Returns the validation pattern for a particular type
        Parameters:
        typeName -
        Returns:
        the validation pattern
      • getLenientDatesAccepted

        @Deprecated
        boolean getLenientDatesAccepted()
        Deprecated.
        Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
        Determines whether ESAPI will accept "lenient" dates when attempt to parse dates. Controlled by ESAPI property Validator.AcceptLenientDates, which defaults to false if unset.
        Returns:
        True if lenient dates are accepted; false otherwise.
        See Also:
        DateFormat.setLenient(boolean)
      • getExecutorImplementation

        @Deprecated
        java.lang.String getExecutorImplementation()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        Returns the fully qualified classname of the ESAPI OS Execution implementation.
      • getHTTPUtilitiesImplementation

        @Deprecated
        java.lang.String getHTTPUtilitiesImplementation()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        Returns the fully qualified classname of the ESAPI HTTPUtilities implementation.
      • getMasterKey

        @Deprecated
        byte[] getMasterKey()
        Deprecated.
        Use SecurityConfiguration.getByteArrayProp("appropriate_esapi_prop_name") instead.
        Gets the master key. This password is used to encrypt/decrypt other files or types of data that need to be protected by your application.
        Returns:
        the current master key
      • getUploadDirectory

        java.io.File getUploadDirectory()
        Retrieves the upload directory as specified in the ESAPI.properties file.
        Returns:
        the upload directory
      • getUploadTempDirectory

        java.io.File getUploadTempDirectory()
        Retrieves the temp directory to use when uploading files, as specified in ESAPI.properties.
        Returns:
        the temp directory
      • getEncryptionKeyLength

        @Deprecated
        int getEncryptionKeyLength()
        Deprecated.
        Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
        Gets the key length to use in cryptographic operations declared in the ESAPI properties file. Note that this corresponds to the ESAPI property Encryptor.EncryptionKeyLength which is considered the default key size that ESAPI will use for symmetric ciphers supporting multiple key sizes. (Note that there is also an Encryptor.MinEncryptionKeyLength, which is the minimum key size (in bits) that ESAPI will support for encryption. (There is no miminimum for decryption.)
        Returns:
        the key length (in bits)
      • getMasterSalt

        @Deprecated
        byte[] getMasterSalt()
        Deprecated.
        Use SecurityConfiguration.getByteArrayProp("appropriate_esapi_prop_name") instead.
        Gets the master salt that is used to salt stored password hashes and any other location where a salt is needed.
        Returns:
        the current master salt
      • getAllowedExecutables

        java.util.List<java.lang.String> getAllowedExecutables()
        Gets the allowed executables to run with the Executor.
        Returns:
        a list of the current allowed file extensions
      • getAllowedFileExtensions

        java.util.List<java.lang.String> getAllowedFileExtensions()
        Gets the allowed file extensions for files that are uploaded to this application.
        Returns:
        a list of the current allowed file extensions
      • getAllowedFileUploadSize

        @Deprecated
        int getAllowedFileUploadSize()
        Deprecated.
        Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
        Gets the maximum allowed file upload size.
        Returns:
        the current allowed file upload size
      • getPasswordParameterName

        @Deprecated
        java.lang.String getPasswordParameterName()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        Gets the name of the password parameter used during user authentication.
        Returns:
        the name of the password parameter
      • getUsernameParameterName

        @Deprecated
        java.lang.String getUsernameParameterName()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        Gets the name of the username parameter used during user authentication.
        Returns:
        the name of the username parameter
      • getEncryptionAlgorithm

        @Deprecated
        java.lang.String getEncryptionAlgorithm()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        Gets the encryption algorithm used by ESAPI to protect data. This is mostly used for compatibility with ESAPI 1.4; ESAPI 2.0 prefers to use "cipher transformation" since it supports multiple cipher modes and padding schemes.
        Returns:
        the current encryption algorithm
      • getCipherTransformation

        @Deprecated
        java.lang.String getCipherTransformation()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        Retrieve the cipher transformation. In general, the cipher transformation is a specification of cipher algorithm, cipher mode, and padding scheme and in general, is a String that takes the following form:
                        cipher_alg/cipher_mode[bits]/padding_scheme
         
        where cipher_alg is the JCE cipher algorithm (e.g., "DESede"), cipher_mode is the cipher mode (e.g., "CBC", "CFB", "CTR", etc.), and padding_scheme is the cipher padding scheme (e.g., "NONE" for no padding, "PKCS5Padding" for PKCS#5 padding, etc.) and where [bits] is an optional bit size that applies to certain cipher modes such as CFB and OFB. Using modes such as CFB and OFB, block ciphers can encrypt data in units smaller than the cipher's actual block size. When requesting such a mode, you may optionally specify the number of bits to be processed at a time. This generally must be an integral multiple of 8-bits so that it can specify a whole number of octets.

        Examples are:

                        "AES/ECB/NoPadding"             // Default for ESAPI Java 1.4 (insecure)
                        "AES/CBC/PKCS5Padding"  // Default for ESAPI Java 2.0
                        "DESede/OFB32/PKCS5Padding"
         
        NOTE: Occasionally, in cryptographic literature, you may also see the key size (in bits) specified after the cipher algorithm in the cipher transformation. Generally, this is done to account for cipher algorithms that have variable key sizes. The Blowfish cipher for example supports key sizes from 32 to 448 bits. So for Blowfish, you might see a cipher transformation something like this:
                        "Blowfish-192/CFB8/PKCS5Padding"
         
        in the cryptographic literature. It should be noted that the Java Cryptography Extensions (JCE) do not generally support this (at least not the reference JCE implementation of "SunJCE"), and therefore it should be avoided.
        Returns:
        The cipher transformation.
      • setCipherTransformation

        @Deprecated
        java.lang.String setCipherTransformation​(java.lang.String cipherXform)
        Deprecated.
        To be replaced by new class in ESAPI 2.1, but here if you need it until then. Details of replacement forthcoming to ESAPI-Dev list. Most likely to be replaced by a new CTOR for JavaEncryptor that takes a list of properties to override.
        Set the cipher transformation. This allows a different cipher transformation to be used without changing the ESAPI.properties file. For instance you may normally want to use AES/CBC/PKCS5Padding, but have some legacy encryption where you have ciphertext that was encrypted using 3DES.
        Parameters:
        cipherXform - The new cipher transformation. See getCipherTransformation() for format. If null is passed as the parameter, the cipher transformation will be set to the the default taken from the property Encryptor.CipherTransformation in the ESAPI.properties file. BEWARE: there is NO sanity checking here (other than the empty string, and then, only if Java assertions are enabled), so if you set this wrong, you will not get any errors until you later try to use it to encrypt or decrypt data.
        Returns:
        The previous cipher transformation is returned for convenience, with the assumption that you may wish to restore it once you have completed the encryption / decryption with the new cipher transformation.
      • getPreferredJCEProvider

        @Deprecated
        java.lang.String getPreferredJCEProvider()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        Retrieve the preferred JCE provider for ESAPI and your application. ESAPI 2.0 now allows setting the property Encryptor.PreferredJCEProvider in the ESAPI.properties file, which will cause the specified JCE provider to be automatically and dynamically loaded (assuming that SecurityManager permissions allow) as the Ii>preferred JCE provider. (Note this only happens if the JCE provider is not already loaded.) This method returns the property Encryptor.PreferredJCEProvider. By default, this Encryptor.PreferredJCEProvider property is set to an empty string, which means that the preferred JCE provider is not changed.
        Returns:
        The property Encryptor.PreferredJCEProvider is returned.
        See Also:
        SecurityProviderLoader
      • useMACforCipherText

        @Deprecated
        boolean useMACforCipherText()
        Deprecated.
        Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
        Determines whether the CipherText should be used with a Message Authentication Code (MAC). Generally this makes for a more robust cryptographic scheme, but there are some minor performance implications. Controlled by the ESAPI property Encryptor.CipherText.useMAC.

        For further details, see the "Advanced Usage" section of "Why Is OWASP Changing ESAPI Encryption?".

        Returns:
        true if a you want a MAC to be used, otherwise false.
      • overwritePlainText

        @Deprecated
        boolean overwritePlainText()
        Deprecated.
        Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
        Indicates whether the PlainText objects may be overwritten after they have been encrypted. Generally this is a good idea, especially if your VM is shared by multiple applications (e.g., multiple applications running in the same J2EE container) or if there is a possibility that your VM may leave a core dump (say because it is running non-native Java code.

        Controlled by the property Encryptor.PlainText.overwrite in the ESAPI.properties file.

        Returns:
        True if it is OK to overwrite the PlainText objects after encrypting, false otherwise.
      • getIVType

        @Deprecated
        java.lang.String getIVType()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        Get a string indicating how to compute an Initialization Vector (IV). Currently supported modes are "random" to generate a random IV or "fixed" to use a fixed (static) IV. WARNING: 'fixed' was only intended to support legacy applications with fixed IVs, but the use of non-random IVs is inherently insecure, especially for any supported cipher mode that is considered a streaming mode (which is basically anything except CBC for modes that support require an IV). For this reason, 'fixed' is considered deprecated and will be removed during the next ESAPI point release (tentatively, 2.3). However, note that if a "fixed" IV is chosen, then the the value of this fixed IV must be specified as the property Encryptor.fixedIV and be of the appropriate length.
        Returns:
        A string specifying the IV type. Should be "random" or "fixed" (dereprected).
        See Also:
        getFixedIV()
      • getFixedIV

        @Deprecated
        java.lang.String getFixedIV()
        Deprecated.
        Short term: use SecurityConfiguration.getByteArrayProp("appropriate_esapi_prop_name") instead. Longer term: There will be a more general method in JavaEncryptor to explicitly set an IV. This whole concept of a single fixed IV has always been a kludge at best, as a concession to those who have used a single fixed IV in the past to support legacy applications. This method will be killed off in the next ESAPI point release (likely 2.3). It's time to put it to death as it was never intended for production in the first place.
        If a "fixed" (i.e., static) Initialization Vector (IV) is to be used, this will return the IV value as a hex-encoded string.
        Returns:
        The fixed IV as a hex-encoded string.
      • getCombinedCipherModes

        java.util.List<java.lang.String> getCombinedCipherModes()
        Return a List of strings of combined cipher modes that support both confidentiality and authenticity. These would be preferred cipher modes to use if your JCE provider supports them. If such a cipher mode is used, no explicit separate MAC is calculated as part of the CipherText object upon encryption nor is any attempt made to verify the same on decryption.

        The list is taken from the comma-separated list of cipher modes specified by the ESAPI property Encryptor.cipher_modes.combined_modes.

        Returns:
        The parsed list of comma-separated cipher modes if the property was specified in ESAPI.properties; otherwise the empty list is returned.
      • getAdditionalAllowedCipherModes

        java.util.List<java.lang.String> getAdditionalAllowedCipherModes()
        Return List of strings of additional cipher modes that are permitted (i.e., in addition to those returned by getCombinedCipherModes()) to be used for encryption and decryption operations.

        The list is taken from the comma-separated list of cipher modes specified by the ESAPI property Encryptor.cipher_modes.additional_allowed.

        Returns:
        The parsed list of comma-separated cipher modes if the property was specified in ESAPI.properties; otherwise the empty list is returned.
        See Also:
        getCombinedCipherModes()
      • getHashAlgorithm

        @Deprecated
        java.lang.String getHashAlgorithm()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        Gets the hashing algorithm used by ESAPI to hash data.
        Returns:
        the current hashing algorithm
      • getHashIterations

        @Deprecated
        int getHashIterations()
        Deprecated.
        Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
        Gets the hash iterations used by ESAPI to hash data.
        Returns:
        the current hashing algorithm
      • getKDFPseudoRandomFunction

        @Deprecated
        java.lang.String getKDFPseudoRandomFunction()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        Retrieve the Pseudo Random Function (PRF) used by the ESAPI Key Derivation Function (KDF).
        Returns:
        The KDF PRF algorithm name.
      • getCharacterEncoding

        @Deprecated
        java.lang.String getCharacterEncoding()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        Gets the character encoding scheme supported by this application. This is used to set the character encoding scheme on requests and responses when setCharacterEncoding() is called on SafeRequests and SafeResponses. This scheme is also used for encoding/decoding URLs and any other place where the current encoding scheme needs to be known.

        Note: This does not get the configured response content type. That is accessed by calling getResponseContentType().
        Returns:
        the current character encoding scheme
      • getAllowMultipleEncoding

        @Deprecated
        boolean getAllowMultipleEncoding()
        Deprecated.
        Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
        Return true if multiple encoding is allowed
        Returns:
        whether multiple encoding is allowed when canonicalizing data
      • getAllowMixedEncoding

        @Deprecated
        boolean getAllowMixedEncoding()
        Deprecated.
        Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
        Return true if mixed encoding is allowed
        Returns:
        whether mixed encoding is allowed when canonicalizing data
      • getDefaultCanonicalizationCodecs

        java.util.List<java.lang.String> getDefaultCanonicalizationCodecs()
        Returns the List of Codecs to use when canonicalizing data
        Returns:
        the codec list
      • getDigitalSignatureAlgorithm

        @Deprecated
        java.lang.String getDigitalSignatureAlgorithm()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        Gets the digital signature algorithm used by ESAPI to generate and verify signatures.
        Returns:
        the current digital signature algorithm
      • getDigitalSignatureKeyLength

        @Deprecated
        int getDigitalSignatureKeyLength()
        Deprecated.
        Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
        Gets the digital signature key length used by ESAPI to generate and verify signatures.
        Returns:
        the current digital signature key length
      • getRandomAlgorithm

        @Deprecated
        java.lang.String getRandomAlgorithm()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        Gets the random number generation algorithm used to generate random numbers where needed.
        Returns:
        the current random number generation algorithm
      • getAllowedLoginAttempts

        @Deprecated
        int getAllowedLoginAttempts()
        Deprecated.
        Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
        Gets the number of login attempts allowed before the user's account is locked. If this many failures are detected within the alloted time period, the user's account will be locked.
        Returns:
        the number of failed login attempts that cause an account to be locked
      • getMaxOldPasswordHashes

        @Deprecated
        int getMaxOldPasswordHashes()
        Deprecated.
        Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
        Gets the maximum number of old password hashes that should be retained. These hashes can be used to ensure that the user doesn't reuse the specified number of previous passwords when they change their password.
        Returns:
        the number of old hashed passwords to retain
      • getDisableIntrusionDetection

        @Deprecated
        boolean getDisableIntrusionDetection()
        Deprecated.
        Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
        Allows for complete disabling of all intrusion detection mechanisms
        Returns:
        true if intrusion detection should be disabled
      • getQuota

        SecurityConfiguration.Threshold getQuota​(java.lang.String eventName)
        Gets the intrusion detection quota for the specified event.
        Parameters:
        eventName - the name of the event whose quota is desired
        Returns:
        the Quota that has been configured for the specified type of event
      • getResourceFile

        java.io.File getResourceFile​(java.lang.String filename)
        Gets a file from the resource directory
        Parameters:
        filename - The file name resource.
        Returns:
        A File object representing the specified file name or null if not found.
      • getForceHttpOnlySession

        @Deprecated
        boolean getForceHttpOnlySession()
        Deprecated.
        Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
        Returns true if session cookies are required to have HttpOnly flag set.
      • getForceSecureSession

        @Deprecated
        boolean getForceSecureSession()
        Deprecated.
        Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
        Returns true if session cookies are required to have Secure flag set.
      • getForceHttpOnlyCookies

        @Deprecated
        boolean getForceHttpOnlyCookies()
        Deprecated.
        Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
        Returns true if new cookies are required to have HttpOnly flag set.
      • getForceSecureCookies

        @Deprecated
        boolean getForceSecureCookies()
        Deprecated.
        Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
        Returns true if new cookies are required to have Secure flag set.
      • getMaxHttpHeaderSize

        @Deprecated
        int getMaxHttpHeaderSize()
        Deprecated.
        Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
        Returns the maximum allowable HTTP header size.
      • getResourceStream

        java.io.InputStream getResourceStream​(java.lang.String filename)
                                       throws java.io.IOException
        Gets an InputStream to a file in the resource directory
        Parameters:
        filename - A file name in the resource directory.
        Returns:
        An InputStream to the specified file name in the resource directory.
        Throws:
        java.io.IOException - If the specified file name cannot be found or opened for reading.
      • setResourceDirectory

        void setResourceDirectory​(java.lang.String dir)
        Sets the ESAPI resource directory.
        Parameters:
        dir - The location of the resource directory.
      • getResponseContentType

        @Deprecated
        java.lang.String getResponseContentType()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        Gets the content type for responses used when setSafeContentType() is called.

        Note: This does not get the configured character encoding scheme. That is accessed by calling getCharacterEncoding().
        Returns:
        The current content-type set for responses.
      • getHttpSessionIdName

        @Deprecated
        java.lang.String getHttpSessionIdName()
        Deprecated.
        Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
        This method returns the configured name of the session identifier, likely "JSESSIONID" though this can be overridden.
        Returns:
        The name of the session identifier, like "JSESSIONID"
      • getRememberTokenDuration

        long getRememberTokenDuration()
        Gets the length of the time to live window for remember me tokens (in milliseconds).
        Returns:
        The time to live length for generated "remember me" tokens.
      • getSessionIdleTimeoutLength

        @Deprecated
        int getSessionIdleTimeoutLength()
        Deprecated.
        Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
        Gets the idle timeout length for sessions (in milliseconds). This is the amount of time that a session can live before it expires due to lack of activity. Applications or frameworks could provide a reauthenticate function that enables a session to continue after reauthentication.
        Returns:
        The session idle timeout length.
      • getSessionAbsoluteTimeoutLength

        @Deprecated
        int getSessionAbsoluteTimeoutLength()
        Deprecated.
        Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
        Gets the absolute timeout length for sessions (in milliseconds). This is the amount of time that a session can live before it expires regardless of the amount of user activity. Applications or frameworks could provide a reauthenticate function that enables a session to continue after reauthentication.
        Returns:
        The session absolute timeout length.
      • getLogEncodingRequired

        @Deprecated
        boolean getLogEncodingRequired()
        Deprecated.
        Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
        Returns whether HTML entity encoding should be applied to log entries.
        Returns:
        True if log entries are to be HTML Entity encoded. False otherwise.
      • getLogApplicationName

        @Deprecated
        boolean getLogApplicationName()
        Deprecated.
        Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
        Returns whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.
        Returns:
        True if ESAPI should log the application name, False otherwise
      • getLogServerIP

        @Deprecated
        boolean getLogServerIP()
        Deprecated.
        Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
        Returns whether ESAPI should log the server IP. This might be clutter in some single-server environments.
        Returns:
        True if ESAPI should log the server IP and port, False otherwise
      • getWorkingDirectory

        java.io.File getWorkingDirectory()
        Returns the default working directory for executing native processes with Runtime.exec().