
Commit 26a4994

committed
Issue ESAPI#620. Reorganize source to get stuff out of implementatiopn class.
Moved ESAPI property-name variables ('public static final String') from DefaultSecurityConfiguration to here. Moved DefaultSearchPath enum from DefaultSecurityConfiguration to here.
1 parent 85ce010 commit 26a4994


1 file changed

+201
-0
lines changed
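--- /dev/null
+++ b/org/owasp/esapi/PropNames.java
@@ -0,0 +1,201 @@
+// TODO: Discuss: Should the name of this be PropConstants or PropertConstants
+// since there are some property values included here? I don't
+// really like that as much as PropNames, but I could live with
+// it.
+/*
+ * OWASP Enterprise Security API (ESAPI)
+ *
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * https://owasp.org/www-project-enterprise-security-api/.
+ *
+ * Copyright (c) 2022 - The OWASP Foundation
+ *
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ *
+ */
+package org.owasp.esapi;
+
+
+/**
+ * This non-constructable class of public constants defines all the property names used in {@code ESAPI.properties} as
+ * well as some of the default property values for some of those properties. This class is not intended
+ * to be extended or instantiated. Technically, an interface would have worked here, but we
+ * also wanted to be able to prevent 'implements PropNames', which really does not make much
+ * sense since no specific behavior is promised here. Another alternative would have
+ * been to place all of these in the {@code org.owasp.esapi.SecurityConfiguration} interface,
+ * but that interface is already overly bloated. Hence this was decided as a compromise.
+ * </p><p>
+ * Note that the constants herein were originally all defined within
+ * {@code org.owasp.esapi.reference.DefaultSecurityConfiguration}, but those
+ * values are now marked deprecated and they are candidates for removal 2 years
+ * from the date of this release.
+ * </p><p>
+ * Mostly this is intended to prevent having to hard-code property names all
+ * over the place in implementation-level classes (e.g.,
+ * {@code org.owasp.esapi.reference.DefaultSecurityConfiguration}).
+ * It is suggested that this file be used as a 'static import';
+ * e.g.,
+ * <pre>
+ * import static org.owasp.esapi.PropNames.*; // Import all properties, en masse
+ * or
+ * import static org.owasp.esapi.PropNames.SomeSpecificPropName; // Import specific property name
+ * </pre>
+ * This can be extremely useful when used with methods such as
+ * {@code SecurityConfiguration.getIntProp(String propName)},
+ * {@code SecurityConfiguration.getBooleanProp(String propName)},
+ * {@code SecurityConfiguration.getStringProp(String propName)}, etc.
+ *
+ * @author Kevin W. Wall (kevin.w.wall .at. gmail.com)
+ * @since 2.4.1.0
+ * @see org.owasp.esapi.reference.DefaultSecurityConfiguration
+ */
+
+public final class PropNames {
+
+public static final String REMEMBER_TOKEN_DURATION = "Authenticator.RememberTokenDuration";
+public static final String IDLE_TIMEOUT_DURATION = "Authenticator.IdleTimeoutDuration";
+public static final String ABSOLUTE_TIMEOUT_DURATION = "Authenticator.AbsoluteTimeoutDuration";
+public static final String ALLOWED_LOGIN_ATTEMPTS = "Authenticator.AllowedLoginAttempts";
+public static final String USERNAME_PARAMETER_NAME = "Authenticator.UsernameParameterName";
+public static final String PASSWORD_PARAMETER_NAME = "Authenticator.PasswordParameterName";
+public static final String MAX_OLD_PASSWORD_HASHES = "Authenticator.MaxOldPasswordHashes";
+
+public static final String ALLOW_MULTIPLE_ENCODING = "Encoder.AllowMultipleEncoding";
+public static final String ALLOW_MIXED_ENCODING = "Encoder.AllowMixedEncoding";
+public static final String CANONICALIZATION_CODECS = "Encoder.DefaultCodecList";
+
+public static final String DISABLE_INTRUSION_DETECTION = "IntrusionDetector.Disable";
+
+public static final String MASTER_KEY = "Encryptor.MasterKey";
+public static final String MASTER_SALT = "Encryptor.MasterSalt";
+public static final String KEY_LENGTH = "Encryptor.EncryptionKeyLength";
+public static final String ENCRYPTION_ALGORITHM = "Encryptor.EncryptionAlgorithm";
+public static final String HASH_ALGORITHM = "Encryptor.HashAlgorithm";
+public static final String HASH_ITERATIONS = "Encryptor.HashIterations";
+public static final String CHARACTER_ENCODING = "Encryptor.CharacterEncoding";
+public static final String RANDOM_ALGORITHM = "Encryptor.RandomAlgorithm";
+public static final String DIGITAL_SIGNATURE_ALGORITHM = "Encryptor.DigitalSignatureAlgorithm";
+public static final String DIGITAL_SIGNATURE_KEY_LENGTH = "Encryptor.DigitalSignatureKeyLength";
+public static final String PREFERRED_JCE_PROVIDER = "Encryptor.PreferredJCEProvider";
+public static final String CIPHER_TRANSFORMATION_IMPLEMENTATION = "Encryptor.CipherTransformation";
+public static final String CIPHERTEXT_USE_MAC = "Encryptor.CipherText.useMAC";
+public static final String PLAINTEXT_OVERWRITE = "Encryptor.PlainText.overwrite";
+public static final String IV_TYPE = "Encryptor.ChooseIVMethod"; // Will be removed in future release.
+public static final String COMBINED_CIPHER_MODES = "Encryptor.cipher_modes.combined_modes";
+public static final String ADDITIONAL_ALLOWED_CIPHER_MODES = "Encryptor.cipher_modes.additional_allowed";
+public static final String KDF_PRF_ALG = "Encryptor.KDF.PRF";
+public static final String PRINT_PROPERTIES_WHEN_LOADED = "ESAPI.printProperties";
+
+public static final String WORKING_DIRECTORY = "Executor.WorkingDirectory";
+public static final String APPROVED_EXECUTABLES = "Executor.ApprovedExecutables";
+
+public static final String FORCE_HTTPONLYSESSION = "HttpUtilities.ForceHttpOnlySession";
+public static final String FORCE_SECURESESSION = "HttpUtilities.SecureSession";
+public static final String FORCE_HTTPONLYCOOKIES = "HttpUtilities.ForceHttpOnlyCookies";
+public static final String FORCE_SECURECOOKIES = "HttpUtilities.ForceSecureCookies";
+public static final String MAX_HTTP_HEADER_SIZE = "HttpUtilities.MaxHeaderSize";
+public static final String UPLOAD_DIRECTORY = "HttpUtilities.UploadDir";
+public static final String UPLOAD_TEMP_DIRECTORY = "HttpUtilities.UploadTempDir";
+public static final String APPROVED_UPLOAD_EXTENSIONS = "HttpUtilities.ApprovedUploadExtensions";
+public static final String MAX_UPLOAD_FILE_BYTES = "HttpUtilities.MaxUploadFileBytes";
+public static final String RESPONSE_CONTENT_TYPE = "HttpUtilities.ResponseContentType";
+public static final String HTTP_SESSION_ID_NAME = "HttpUtilities.HttpSessionIdName";
+
+public static final String APPLICATION_NAME = "Logger.ApplicationName";
+public static final String LOG_USER_INFO = "Logger.UserInfo";
+public static final String LOG_CLIENT_INFO = "Logger.ClientInfo";
+public static final String LOG_ENCODING_REQUIRED = "Logger.LogEncodingRequired";
+public static final String LOG_APPLICATION_NAME = "Logger.LogApplicationName";
+public static final String LOG_SERVER_IP = "Logger.LogServerIP";
+
+public static final String VALIDATION_PROPERTIES = "Validator.ConfigurationFile";
+public static final String VALIDATION_PROPERTIES_MULTIVALUED = "Validator.ConfigurationFile.MultiValued";
+public static final String ACCEPT_LENIENT_DATES = "Validator.AcceptLenientDates";
+public static final String VALIDATOR_HTML_VALIDATION_ACTION = "Validator.HtmlValidationAction";
+public static final String VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE = "Validator.HtmlValidationConfigurationFile";
+
+/**
+ * Special {@code java.lang.System} property that, if set to {@code true}, will
+ * disable logging from {@code DefaultSecurityConfiguration.logToStdout()}
+ * methods, which is called from various {@code logSpecial()} methods.
+ *
+ * @see org.owasp.esapi.reference.DefaultSecurityConfiguration#logToStdout(String msg, Throwable t)
+ */
+public static final String DISCARD_LOGSPECIAL = "org.owasp.esapi.logSpecial.discard";
+
+/*
+ * Implementation Keys
+ */
+public static final String LOG_IMPLEMENTATION = "ESAPI.Logger";
+public static final String AUTHENTICATION_IMPLEMENTATION = "ESAPI.Authenticator";
+public static final String ENCODER_IMPLEMENTATION = "ESAPI.Encoder";
+public static final String ACCESS_CONTROL_IMPLEMENTATION = "ESAPI.AccessControl";
+public static final String ENCRYPTION_IMPLEMENTATION = "ESAPI.Encryptor";
+public static final String INTRUSION_DETECTION_IMPLEMENTATION = "ESAPI.IntrusionDetector";
+public static final String RANDOMIZER_IMPLEMENTATION = "ESAPI.Randomizer";
+public static final String EXECUTOR_IMPLEMENTATION = "ESAPI.Executor";
+public static final String VALIDATOR_IMPLEMENTATION = "ESAPI.Validator";
+public static final String HTTP_UTILITIES_IMPLEMENTATION = "ESAPI.HTTPUtilities";
+
+
+//////////////////////////////////////////////////////////////////////////////
+// //
+// These are not really property names, but the shouldn't really be in an //
+// implementation class that we want to only deal with via the //
+// SecurityConfiguration interface. //
+// //
+//////////////////////////////////////////////////////////////////////////////
+
+
+/*
+ * These are default implementation classes.
+ */
+public static final String DEFAULT_LOG_IMPLEMENTATION = "org.owasp.esapi.logging.java.JavaLogFactory";
+public static final String DEFAULT_AUTHENTICATION_IMPLEMENTATION = "org.owasp.esapi.reference.FileBasedAuthenticator";
+public static final String DEFAULT_ENCODER_IMPLEMENTATION = "org.owasp.esapi.reference.DefaultEncoder";
+public static final String DEFAULT_ACCESS_CONTROL_IMPLEMENTATION = "org.owasp.esapi.reference.DefaultAccessController";
+public static final String DEFAULT_ENCRYPTION_IMPLEMENTATION = "org.owasp.esapi.reference.crypto.JavaEncryptor";
+public static final String DEFAULT_INTRUSION_DETECTION_IMPLEMENTATION = "org.owasp.esapi.reference.DefaultIntrusionDetector";
+public static final String DEFAULT_RANDOMIZER_IMPLEMENTATION = "org.owasp.esapi.reference.DefaultRandomizer";
+public static final String DEFAULT_EXECUTOR_IMPLEMENTATION = "org.owasp.esapi.reference.DefaultExecutor";
+public static final String DEFAULT_HTTP_UTILITIES_IMPLEMENTATION = "org.owasp.esapi.reference.DefaultHTTPUtilities";
+public static final String DEFAULT_VALIDATOR_IMPLEMENTATION = "org.owasp.esapi.reference.DefaultValidator";
+
+/** The name of the ESAPI property file */
+public static final String DEFAULT_RESOURCE_FILE = "ESAPI.properties";
+
+//
+// Private CTOR to prevent creation of PropName objects. We wouldn't need
+// this if this were an interface, nor would we need the explict 'public static final'.
+//
+private PropNames() {
+throw new AssertionError("Thought you'd cheat using reflection or JNI, huh? :)");
+}
+
+
+/** Enum used with the search paths used to locate an
+ * {@code ESAPI.properties} and/or a {@code validation.properties}
+ * file.
+ */
+public enum DefaultSearchPath {
+
+RESOURCE_DIRECTORY("resourceDirectory/"),
+SRC_MAIN_RESOURCES("src/main/resources/"),
+ROOT(""),
+DOT_ESAPI(".esapi/"),
+ESAPI("esapi/"),
+RESOURCES("resources/");
+
+private final String path;
+
+private DefaultSearchPath(String s){
+this.path = s;
+}
+
+public String value(){
+return path;
+}
+}
+}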
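Review bot: The Javadoc on the new `DefaultSearchPath` enum (new lines 178-181) says nothing about the order in which the paths are tried or what the relative prefixes are resolved against, and that omission matters now that the enum is public API in `org.owasp.esapi` and the file it locates carries `Encryptor.MasterKey` and `Encryptor.MasterSalt`. Entries such as `ROOT("")` and `SRC_MAIN_RESOURCES("src/main/resources/")` look like they are meant to be joined to some base directory or classpath root, but the lookup itself is not in this file (presumably it stays in `DefaultSecurityConfiguration`), so a reader of this class cannot tell whether a stray `ESAPI.properties` in the process working directory or a leftover development tree could be picked over the intended one. I would extend the enum's Javadoc with: `* The order in which these paths are consulted, and the base they are resolved against, are decided by the caller (see DefaultSecurityConfiguration); since entries such as ROOT and SRC_MAIN_RESOURCES denote locations relative to that base, deployments should make sure no unintended ESAPI.properties exists on any of them.` Separately, the `// TODO: Discuss:` block at new lines 1-4 sits above the license header and should be resolved or moved below it before release, and the banner comment at new line 145 reads `the shouldn't` where `they shouldn't` is meant.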
