/configuration/esapi/ESAPI.properties

http://owasp-esapi-java.googlecode.com/ · Properties File · 459 lines · 93 code · 39 blank · 327 comment · 0 complexity · 2aa68ac0e1432054790310124d0364c0 MD5 · raw file

  1. #
  2. # OWASP Enterprise Security API (ESAPI) Properties file -- PRODUCTION Version
  3. #
  4. # This file is part of the Open Web Application Security Project (OWASP)
  5. # Enterprise Security API (ESAPI) project. For details, please see
  6. # http://www.owasp.org/index.php/ESAPI.
  7. #
  8. # Copyright (c) 2008,2009 - The OWASP Foundation
  9. #
  10. # DISCUSS: This may cause a major backwards compatibility issue, etc. but
  11. # from a name space perspective, we probably should have prefaced
  12. # all the property names with ESAPI or at least OWASP. Otherwise
  13. # there could be problems is someone loads this properties file into
  14. # the System properties. We could also put this file into the
  15. # esapi.jar file (perhaps as a ResourceBundle) and then allow an external
  16. # ESAPI properties be defined that would overwrite these defaults.
  17. # That keeps the application's properties relatively simple as usually
  18. # they will only want to override a few properties. If looks like we
  19. # already support multiple override levels of this in the
  20. # DefaultSecurityConfiguration class, but I'm suggesting placing the
  21. # defaults in the esapi.jar itself. That way, if the jar is signed,
  22. # we could detect if those properties had been tampered with. (The
  23. # code to check the jar signatures is pretty simple... maybe 70-90 LOC,
  24. # but off course there is an execution penalty (similar to the way
  25. # that the separate sunjce.jar used to be when a class from it was
  26. # first loaded). Thoughts?
  27. ###############################################################################
  28. #
  29. # WARNING: Operating system protection should be used to lock down the .esapi
  30. # resources directory and all the files inside and all the directories all the
  31. # way up to the root directory of the file system. Note that if you are using
  32. # file-based implementations, that some files may need to be read-write as they
  33. # get updated dynamically.
  34. #
  35. # Before using, be sure to update the MasterKey and MasterSalt as described below.
  36. # N.B.: If you had stored data that you have previously encrypted with ESAPI 1.4,
  37. # you *must* FIRST decrypt it using ESAPI 1.4 and then (if so desired)
  38. # re-encrypt it with ESAPI 2.0. If you fail to do this, you will NOT be
  39. # able to decrypt your data with ESAPI 2.0.
  40. #
  41. # YOU HAVE BEEN WARNED!!! More details are in the ESAPI 2.0 Release Notes.
  42. #
  43. #===========================================================================
  44. # ESAPI Configuration
  45. #
  46. # If true, then print all the ESAPI properties set here when they are loaded.
  47. # If false, they are not printed. Useful to reduce output when running JUnit tests.
  48. # If you need to troubleshoot a properties related problem, turning this on may help.
  49. # This is 'false' in the src/test/resources/.esapi version. It is 'true' by
  50. # default for reasons of backward compatibility with earlier ESAPI versions.
  51. ESAPI.printProperties=true
  52. # ESAPI is designed to be easily extensible. You can use the reference implementation
  53. # or implement your own providers to take advantage of your enterprise's security
  54. # infrastructure. The functions in ESAPI are referenced using the ESAPI locator, like:
  55. #
  56. # String ciphertext =
  57. # ESAPI.encryptor().encrypt("Secret message"); // Deprecated in 2.0
  58. # CipherText cipherText =
  59. # ESAPI.encryptor().encrypt(new PlainText("Secret message")); // Preferred
  60. #
  61. # Below you can specify the classname for the provider that you wish to use in your
  62. # application. The only requirement is that it implement the appropriate ESAPI interface.
  63. # This allows you to switch security implementations in the future without rewriting the
  64. # entire application.
  65. #
  66. # ExperimentalAccessController requires ESAPI-AccessControlPolicy.xml in .esapi directory
  67. ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController
  68. # FileBasedAuthenticator requires users.txt file in .esapi directory
  69. ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator
  70. ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
  71. ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor
  72. ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor
  73. ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
  74. ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector
  75. # Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html
  76. ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory
  77. #ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory
  78. ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer
  79. ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator
  80. #===========================================================================
  81. # ESAPI Authenticator
  82. #
  83. Authenticator.AllowedLoginAttempts=3
  84. Authenticator.MaxOldPasswordHashes=13
  85. Authenticator.UsernameParameterName=username
  86. Authenticator.PasswordParameterName=password
  87. # RememberTokenDuration (in days)
  88. Authenticator.RememberTokenDuration=14
  89. # Session Timeouts (in minutes)
  90. Authenticator.IdleTimeoutDuration=20
  91. Authenticator.AbsoluteTimeoutDuration=120
  92. #===========================================================================
  93. # ESAPI Encoder
  94. #
  95. # ESAPI canonicalizes input before validation to prevent bypassing filters with encoded attacks.
  96. # Failure to canonicalize input is a very common mistake when implementing validation schemes.
  97. # Canonicalization is automatic when using the ESAPI Validator, but you can also use the
  98. # following code to canonicalize data.
  99. #
  100. # ESAPI.Encoder().canonicalize( "%22hello world"" );
  101. #
  102. # Multiple encoding is when a single encoding format is applied multiple times. Allowing
  103. # multiple encoding is strongly discouraged.
  104. Encoder.AllowMultipleEncoding=false
  105. # Mixed encoding is when multiple different encoding formats are applied, or when
  106. # multiple formats are nested. Allowing multiple encoding is strongly discouraged.
  107. Encoder.AllowMixedEncoding=false
  108. # The default list of codecs to apply when canonicalizing untrusted data. The list should include the codecs
  109. # for all downstream interpreters or decoders. For example, if the data is likely to end up in a URL, HTML, or
  110. # inside JavaScript, then the list of codecs below is appropriate. The order of the list is not terribly important.
  111. Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
  112. #===========================================================================
  113. # ESAPI Encryption
  114. #
  115. # The ESAPI Encryptor provides basic cryptographic functions with a simplified API.
  116. # To get started, generate a new key using java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor
  117. # There is not currently any support for key rotation, so be careful when changing your key and salt as it
  118. # will invalidate all signed, encrypted, and hashed data.
  119. #
  120. # WARNING: Not all combinations of algorithms and key lengths are supported.
  121. # If you choose to use a key length greater than 128, you MUST download the
  122. # unlimited strength policy files and install in the lib directory of your JRE/JDK.
  123. # See http://java.sun.com/javase/downloads/index.jsp for more information.
  124. #
  125. # Backward compatibility with ESAPI Java 1.4 is supported by the two deprecated API
  126. # methods, Encryptor.encrypt(String) and Encryptor.decrypt(String). However, whenever
  127. # possible, these methods should be avoided as they use ECB cipher mode, which in almost
  128. # all circumstances a poor choice because of it's weakness. CBC cipher mode is the default
  129. # for the new Encryptor encrypt / decrypt methods for ESAPI Java 2.0. In general, you
  130. # should only use this compatibility setting if you have persistent data encrypted with
  131. # version 1.4 and even then, you should ONLY set this compatibility mode UNTIL
  132. # you have decrypted all of your old encrypted data and then re-encrypted it with
  133. # ESAPI 2.0 using CBC mode. If you have some reason to mix the deprecated 1.4 mode
  134. # with the new 2.0 methods, make sure that you use the same cipher algorithm for both
  135. # (256-bit AES was the default for 1.4; 128-bit is the default for 2.0; see below for
  136. # more details.) Otherwise, you will have to use the new 2.0 encrypt / decrypt methods
  137. # where you can specify a SecretKey. (Note that if you are using the 256-bit AES,
  138. # that requires downloading the special jurisdiction policy files mentioned above.)
  139. #
  140. # ***** IMPORTANT: Do NOT forget to replace these with your own values! *****
  141. # To calculate these values, you can run:
  142. # java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor
  143. #
  144. #Encryptor.MasterKey=
  145. #Encryptor.MasterSalt=
  146. # Provides the default JCE provider that ESAPI will "prefer" for its symmetric
  147. # encryption and hashing. (That is it will look to this provider first, but it
  148. # will defer to other providers if the requested algorithm is not implemented
  149. # by this provider.) If left unset, ESAPI will just use your Java VM's current
  150. # preferred JCE provider, which is generally set in the file
  151. # "$JAVA_HOME/jre/lib/security/java.security".
  152. #
  153. # The main intent of this is to allow ESAPI symmetric encryption to be
  154. # used with a FIPS 140-2 compliant crypto-module. For details, see the section
  155. # "Using ESAPI Symmetric Encryption with FIPS 140-2 Cryptographic Modules" in
  156. # the ESAPI 2.0 Symmetric Encryption User Guide, at:
  157. # http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html
  158. # However, this property also allows you to easily use an alternate JCE provider
  159. # such as "Bouncy Castle" without having to make changes to "java.security".
  160. # See Javadoc for SecurityProviderLoader for further details. If you wish to use
  161. # a provider that is not known to SecurityProviderLoader, you may specify the
  162. # fully-qualified class name of the JCE provider class that implements
  163. # java.security.Provider. If the name contains a '.', this is interpreted as
  164. # a fully-qualified class name that implements java.security.Provider.
  165. #
  166. # NOTE: Setting this property has the side-effect of changing it in your application
  167. # as well, so if you are using JCE in your application directly rather than
  168. # through ESAPI (you wouldn't do that, would you? ;-), it will change the
  169. # preferred JCE provider there as well.
  170. #
  171. # Default: Keeps the JCE provider set to whatever JVM sets it to.
  172. Encryptor.PreferredJCEProvider=
  173. # AES is the most widely used and strongest encryption algorithm. This
  174. # should agree with your Encryptor.CipherTransformation property.
  175. # By default, ESAPI Java 1.4 uses "PBEWithMD5AndDES" and which is
  176. # very weak. It is essentially a password-based encryption key, hashed
  177. # with MD5 around 1K times and then encrypted with the weak DES algorithm
  178. # (56-bits) using ECB mode and an unspecified padding (it is
  179. # JCE provider specific, but most likely "NoPadding"). However, 2.0 uses
  180. # "AES/CBC/PKCSPadding". If you want to change these, change them here.
  181. # Warning: This property does not control the default reference implementation for
  182. # ESAPI 2.0 using JavaEncryptor. Also, this property will be dropped
  183. # in the future.
  184. # @deprecated
  185. Encryptor.EncryptionAlgorithm=AES
  186. # For ESAPI Java 2.0 - New encrypt / decrypt methods use this.
  187. Encryptor.CipherTransformation=AES/CBC/PKCS5Padding
  188. # Applies to ESAPI 2.0 and later only!
  189. # Comma-separated list of cipher modes that provide *BOTH*
  190. # confidentiality *AND* message authenticity. (NIST refers to such cipher
  191. # modes as "combined modes" so that's what we shall call them.) If any of these
  192. # cipher modes are used then no MAC is calculated and stored
  193. # in the CipherText upon encryption. Likewise, if one of these
  194. # cipher modes is used with decryption, no attempt will be made
  195. # to validate the MAC contained in the CipherText object regardless
  196. # of whether it contains one or not. Since the expectation is that
  197. # these cipher modes support support message authenticity already,
  198. # injecting a MAC in the CipherText object would be at best redundant.
  199. #
  200. # Note that as of JDK 1.5, the SunJCE provider does not support *any*
  201. # of these cipher modes. Of these listed, only GCM and CCM are currently
  202. # NIST approved. YMMV for other JCE providers. E.g., Bouncy Castle supports
  203. # GCM and CCM with "NoPadding" mode, but not with "PKCS5Padding" or other
  204. # padding modes.
  205. Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC
  206. # Applies to ESAPI 2.0 and later only!
  207. # Additional cipher modes allowed for ESAPI 2.0 encryption. These
  208. # cipher modes are in _addition_ to those specified by the property
  209. # 'Encryptor.cipher_modes.combined_modes'.
  210. # Note: We will add support for streaming modes like CFB & OFB once
  211. # we add support for 'specified' to the property 'Encryptor.ChooseIVMethod'
  212. # (probably in ESAPI 2.1).
  213. # DISCUSS: Better name?
  214. Encryptor.cipher_modes.additional_allowed=CBC
  215. # 128-bit is almost always sufficient and appears to be more resistant to
  216. # related key attacks than is 256-bit AES. Use '_' to use default key size
  217. # for cipher algorithms (where it makes sense because the algorithm supports
  218. # a variable key size). Key length must agree to what's provided as the
  219. # cipher transformation, otherwise this will be ignored after logging a
  220. # warning.
  221. #
  222. # NOTE: This is what applies BOTH ESAPI 1.4 and 2.0. See warning above about mixing!
  223. Encryptor.EncryptionKeyLength=128
  224. # Because 2.0 uses CBC mode by default, it requires an initialization vector (IV).
  225. # (All cipher modes except ECB require an IV.) There are two choices: we can either
  226. # use a fixed IV known to both parties or allow ESAPI to choose a random IV. While
  227. # the IV does not need to be hidden from adversaries, it is important that the
  228. # adversary not be allowed to choose it. Also, random IVs are generally much more
  229. # secure than fixed IVs. (In fact, it is essential that feed-back cipher modes
  230. # such as CFB and OFB use a different IV for each encryption with a given key so
  231. # in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random
  232. # IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and
  233. # uncomment the Encryptor.fixedIV.
  234. #
  235. # Valid values: random|fixed|specified 'specified' not yet implemented; planned for 2.1
  236. Encryptor.ChooseIVMethod=random
  237. # If you choose to use a fixed IV, then you must place a fixed IV here that
  238. # is known to all others who are sharing your secret key. The format should
  239. # be a hex string that is the same length as the cipher block size for the
  240. # cipher algorithm that you are using. The following is an *example* for AES
  241. # from an AES test vector for AES-128/CBC as described in:
  242. # NIST Special Publication 800-38A (2001 Edition)
  243. # "Recommendation for Block Cipher Modes of Operation".
  244. # (Note that the block size for AES is 16 bytes == 128 bits.)
  245. #
  246. Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f
  247. # Whether or not CipherText should use a message authentication code (MAC) with it.
  248. # This prevents an adversary from altering the IV as well as allowing a more
  249. # fool-proof way of determining the decryption failed because of an incorrect
  250. # key being supplied. This refers to the "separate" MAC calculated and stored
  251. # in CipherText, not part of any MAC that is calculated as a result of a
  252. # "combined mode" cipher mode.
  253. #
  254. # If you are using ESAPI with a FIPS 140-2 cryptographic module, you *must* also
  255. # set this property to false.
  256. Encryptor.CipherText.useMAC=true
  257. # Whether or not the PlainText object may be overwritten and then marked
  258. # eligible for garbage collection. If not set, this is still treated as 'true'.
  259. Encryptor.PlainText.overwrite=true
  260. # Do not use DES except in a legacy situations. 56-bit is way too small key size.
  261. #Encryptor.EncryptionKeyLength=56
  262. #Encryptor.EncryptionAlgorithm=DES
  263. # TripleDES is considered strong enough for most purposes.
  264. # Note: There is also a 112-bit version of DESede. Using the 168-bit version
  265. # requires downloading the special jurisdiction policy from Sun.
  266. #Encryptor.EncryptionKeyLength=168
  267. #Encryptor.EncryptionAlgorithm=DESede
  268. Encryptor.HashAlgorithm=SHA-512
  269. Encryptor.HashIterations=1024
  270. Encryptor.DigitalSignatureAlgorithm=SHA1withDSA
  271. Encryptor.DigitalSignatureKeyLength=1024
  272. Encryptor.RandomAlgorithm=SHA1PRNG
  273. Encryptor.CharacterEncoding=UTF-8
  274. # This is the Pseudo Random Function (PRF) that ESAPI's Key Derivation Function
  275. # (KDF) normally uses. Note this is *only* the PRF used for ESAPI's KDF and
  276. # *not* what is used for ESAPI's MAC. (Currently, HmacSHA1 is always used for
  277. # the MAC, mostly to keep the overall size at a minimum.)
  278. #
  279. # Currently supported choices for JDK 1.5 and 1.6 are:
  280. # HmacSHA1 (160 bits), HmacSHA256 (256 bits), HmacSHA384 (384 bits), and
  281. # HmacSHA512 (512 bits).
  282. # Note that HmacMD5 is *not* supported for the PRF used by the KDF even though
  283. # the JDKs support it. See the ESAPI 2.0 Symmetric Encryption User Guide
  284. # further details.
  285. Encryptor.KDF.PRF=HmacSHA256
  286. #===========================================================================
  287. # ESAPI HttpUtilties
  288. #
  289. # The HttpUtilities provide basic protections to HTTP requests and responses. Primarily these methods
  290. # protect against malicious data from attackers, such as unprintable characters, escaped characters,
  291. # and other simple attacks. The HttpUtilities also provides utility methods for dealing with cookies,
  292. # headers, and CSRF tokens.
  293. #
  294. # Default file upload location (remember to escape backslashes with \\)
  295. HttpUtilities.UploadDir=C:\\ESAPI\\testUpload
  296. HttpUtilities.UploadTempDir=C:\\temp
  297. # Force flags on cookies, if you use HttpUtilities to set cookies
  298. HttpUtilities.ForceHttpOnlySession=false
  299. HttpUtilities.ForceSecureSession=false
  300. HttpUtilities.ForceHttpOnlyCookies=true
  301. HttpUtilities.ForceSecureCookies=true
  302. # Maximum size of HTTP headers
  303. HttpUtilities.MaxHeaderSize=4096
  304. # File upload configuration
  305. HttpUtilities.ApprovedUploadExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll
  306. HttpUtilities.MaxUploadFileBytes=500000000
  307. # Using UTF-8 throughout your stack is highly recommended. That includes your database driver,
  308. # container, and any other technologies you may be using. Failure to do this may expose you
  309. # to Unicode transcoding injection attacks. Use of UTF-8 does not hinder internationalization.
  310. HttpUtilities.ResponseContentType=text/html; charset=UTF-8
  311. # This is the name of the cookie used to represent the HTTP session
  312. # Typically this will be the default "JSESSIONID"
  313. HttpUtilities.HttpSessionIdName=JSESSIONID
  314. #===========================================================================
  315. # ESAPI Executor
  316. # CHECKME - This should be made OS independent. Don't use unsafe defaults.
  317. # # Examples only -- do NOT blindly copy!
  318. # For Windows:
  319. # Executor.WorkingDirectory=C:\\Windows\\Temp
  320. # Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe
  321. # For *nux, MacOS:
  322. # Executor.WorkingDirectory=/tmp
  323. # Executor.ApprovedExecutables=/bin/bash
  324. Executor.WorkingDirectory=
  325. Executor.ApprovedExecutables=
  326. #===========================================================================
  327. # ESAPI Logging
  328. # Set the application name if these logs are combined with other applications
  329. Logger.ApplicationName=ExampleApplication
  330. # If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true
  331. Logger.LogEncodingRequired=false
  332. # Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.
  333. Logger.LogApplicationName=true
  334. # Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments.
  335. Logger.LogServerIP=true
  336. # LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you
  337. # want to place it in a specific directory.
  338. Logger.LogFileName=ESAPI_logging_file
  339. # MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000)
  340. Logger.MaxLogFileSize=10000000
  341. #===========================================================================
  342. # ESAPI Intrusion Detection
  343. #
  344. # Each event has a base to which .count, .interval, and .action are added
  345. # The IntrusionException will fire if we receive "count" events within "interval" seconds
  346. # The IntrusionDetector is configurable to take the following actions: log, logout, and disable
  347. # (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable
  348. #
  349. # Custom Events
  350. # Names must start with "event." as the base
  351. # Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here
  352. # You can also disable intrusion detection completely by changing
  353. # the following parameter to true
  354. #
  355. IntrusionDetector.Disable=false
  356. #
  357. IntrusionDetector.event.test.count=2
  358. IntrusionDetector.event.test.interval=10
  359. IntrusionDetector.event.test.actions=disable,log
  360. # Exception Events
  361. # All EnterpriseSecurityExceptions are registered automatically
  362. # Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException
  363. # Use the fully qualified classname of the exception as the base
  364. # any intrusion is an attack
  365. IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1
  366. IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1
  367. IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout
  368. # for test purposes
  369. # CHECKME: Shouldn't there be something in the property name itself that designates
  370. # that these are for testing???
  371. IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10
  372. IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5
  373. IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout
  374. # rapid validation errors indicate scans or attacks in progress
  375. # org.owasp.esapi.errors.ValidationException.count=10
  376. # org.owasp.esapi.errors.ValidationException.interval=10
  377. # org.owasp.esapi.errors.ValidationException.actions=log,logout
  378. # sessions jumping between hosts indicates session hijacking
  379. IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2
  380. IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10
  381. IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout
  382. #===========================================================================
  383. # ESAPI Validation
  384. #
  385. # The ESAPI Validator works on regular expressions with defined names. You can define names
  386. # either here, or you may define application specific patterns in a separate file defined below.
  387. # This allows enterprises to specify both organizational standards as well as application specific
  388. # validation rules.
  389. #
  390. Validator.ConfigurationFile=validation.properties
  391. # Validators used by ESAPI
  392. Validator.AccountName=^[a-zA-Z0-9]{3,20}$
  393. Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$
  394. Validator.RoleName=^[a-z]{1,20}$
  395. #the word TEST below should be changed to your application
  396. #name - only relative URL's are supported
  397. Validator.Redirect=^\\/test.*$
  398. # Global HTTP Validation Rules
  399. # Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=]
  400. Validator.HTTPScheme=^(http|https)$
  401. Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$
  402. Validator.HTTPParameterName=^[a-zA-Z0-9_]{1,32}$
  403. Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=@_ ]*$
  404. Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$
  405. Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
  406. Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$
  407. Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
  408. Validator.HTTPContextPath=^\\/?[a-zA-Z0-9.\\-\\/_]*$
  409. Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$
  410. Validator.HTTPPath=^[a-zA-Z0-9.\\-_]*$
  411. Validator.HTTPQueryString=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ %]*$
  412. Validator.HTTPURI=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
  413. Validator.HTTPURL=^.*$
  414. Validator.HTTPJSESSIONID=^[A-Z0-9]{10,30}$
  415. # Validation of file related input
  416. Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$
  417. Validator.DirectoryName=^[a-zA-Z0-9:/\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$
  418. # Validation of dates. Controls whether or not 'lenient' dates are accepted.
  419. # See DataFormat.setLenient(boolean flag) for further details.
  420. Validator.AcceptLenientDates=false