1 | 1 | # |
2 | | -# OWASP Enterprise Security API (ESAPI) Properties file |
| 2 | +# OWASP Enterprise Security API (ESAPI) Properties file -- TEST Version |
3 | 3 | # |
4 | 4 | # This file is part of the Open Web Application Security Project (OWASP) |
5 | 5 | # Enterprise Security API (ESAPI) project. For details, please see |
|
35 | 35 | # Before using, be sure to update the MasterKey and MasterSalt as described below. |
36 | 36 | # N.B.: If you are trying to use ESAPI 2.0 with the same MasterKey and MasterSalt |
37 | 37 | # as you did with some earlier version (e.g., 1.4), these may not work unless |
38 | | -# you set 'Encryptor.ESAPICompatibilityVersion=1.4' (see below). The preferred |
39 | | -# approach is to simply regenerate the MasterKey and MasterSalt by running |
40 | | -# java -jar org.owasp.esapi.ESAPI |
| 38 | +# you set 'ESAPI.Encryptor=org.owasp.esapi.reference.LegacyJavaEncryptor' |
| 39 | +# (see below). The preferred approach is to simply regenerate the |
| 40 | +# ENcryptor.MasterKey and Encryptor.MasterSalt (left unset by default |
| 41 | +# install in ESAPI 2.0) by running |
| 42 | +# |
| 43 | +# java -classpath ...:esapi.jar -jar org.owasp.esapi.ESAPI [-print] |
| 44 | +# |
41 | 45 | # with the default ESAPI.properties file and use the new encrypt() / |
42 | 46 | # decrypt() methods in the Encryptor interface. (The older encrypt() / |
43 | 47 | # decrypt() methods have been deprecated and likely will be removed in |
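Review bot: the regeneration command in the new comment, `java -classpath ...:esapi.jar -jar org.owasp.esapi.ESAPI [-print]`, will not run as written: `-jar` takes a jar file path and causes the JVM to ignore `-classpath`, and `org.owasp.esapi.ESAPI` is a class name, not a jar. Drop `-jar` so it reads `java -classpath ...:esapi.jar org.owasp.esapi.ESAPI [-print]`. Same comment block: `ENcryptor.MasterKey` should be `Encryptor.MasterKey`, since property names are case-sensitive and readers will copy this name.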
|
46 | 50 | #=========================================================================== |
47 | 51 | # ESAPI Configuration |
48 | 52 | # |
| 53 | +# |
| 54 | +# If true, then print all the ESAPI properties set here when they are loaded. |
| 55 | +# If false, they are not printed. Useful to reduce output when running JUnit tests. |
| 56 | +# If you need to troubleshoot a properties related problem, turning this on may help, |
| 57 | +# but we leave it off for running JUnit tests. (It will be 'true' in the one delivered |
| 58 | +# as part of production ESAPI, mostly for backward compatibility.) |
| 59 | +ESAPI.printProperties=false |
| 60 | + |
49 | 61 | # ESAPI is designed to be easily extensible. You can use the reference implementation |
50 | 62 | # or implement your own providers to take advantage of your enterprise's security |
51 | 63 | # infrastructure. The functions in ESAPI are referenced using the ESAPI locator, like: |
@@ -145,18 +157,27 @@ Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec |
145 | 157 | # where you can specify a SecretKey. (Note that if you are using the 256-bit AES, |
146 | 158 | # that requires downloading the special jurisdiction policy files mentioned above.) |
147 | 159 | # |
148 | | -# ***** IMPORTANT: These are for JUNIT testing. Encrypted test files |
149 | | -# encrypted using these so do not change them or |
150 | | -# those tests will fail. |
151 | | -# If Maven changes this when run, that needs to be fixed. |
| 160 | +# ***** IMPORTANT: These are for JUnit testing. Test files may have been |
| 161 | +# encrypted using these values so do not change these or |
| 162 | +# those tests will fail. The version under |
| 163 | +# src/main/resources/.esapi/ESAPI.properties |
| 164 | +# will be delivered with Encryptor.MasterKey and |
| 165 | +# Encryptor.MasterSalt set to the empty string. |
| 166 | +# |
| 167 | +# FINAL NOTE: |
| 168 | +# If Maven changes these when run, that needs to be fixed. |
152 | 169 | Encryptor.MasterKey=pJhlri8JbuFYDgkqtHmm9s0Ziug2PE7ovZDyEPm4j14= |
| 170 | +# Encryptor.MasterKey= |
153 | 171 | Encryptor.MasterSalt=SbftnvmEWD5ZHHP+pX3fqugNysc= |
| 172 | +# Encryptor.MasterSalt= |
154 | 173 |
|
155 | 174 | # AES is the most widely used and strongest encryption algorithm. This |
156 | 175 | # should agree with your Encryptor.CipherTransformation property. |
157 | | -# By default, ESAPI Java 1.4 uses "AES/ECB/NoPadding", and 2.0 uses |
| 176 | +# By default, ESAPI Java 1.4 uses "AES/ECB" and unspecified padding (it is |
| 177 | +# JCE provider specific, but most likely "NoPadding"). However, 2.0 uses |
158 | 178 | # "AES/CBC/PKCSPadding". If you want to change these, change them here. |
159 | 179 | # For ESAPI Java 1.4 - Deprecated encrypt / decrypt methods use this. |
| 180 | +# Used only if 'ESAPI.Encryptor=org.owasp.esapi.reference.LegacyJavaEncryptor'. |
160 | 181 | Encryptor.EncryptionAlgorithm=AES |
161 | 182 | # For ESAPI Java 2.0 - New encrypt / decrypt methods use this. |
162 | 183 | Encryptor.CipherTransformation=AES/CBC/PKCS5Padding |
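Review bot: the new comment's claim that ESAPI 1.4's "AES" transformation leaves padding "unspecified ... most likely NoPadding" is wrong for the default provider: when only an algorithm name is passed to `Cipher.getInstance`, SunJCE fills in ECB mode and PKCS5Padding, so the effective 1.4 transformation is "AES/ECB/PKCS5Padding". Please correct the comment so readers migrating ciphertext pick the right legacy transformation. In the same region, the unchanged comment line still says 2.0 uses "AES/CBC/PKCSPadding", which is not a valid JCE transformation string, while the property below sets `AES/CBC/PKCS5Padding`; make the comment match. Finally, the committed `Encryptor.MasterKey` and `Encryptor.MasterSalt` values are real key material in source control; the comment only says test files "may have been" encrypted with them, so if no checked-in fixture actually depends on these exact bytes, replace them with values generated at test setup, and if one does, name the fixture so nobody quietly rotates the key.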
@@ -194,11 +215,15 @@ Encryptor.ChooseIVMethod=random |
194 | 215 | # |
195 | 216 | Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f |
196 | 217 |
|
197 | | -# Whether or not CipherText should use a message integrity code (MIC) with it. |
| 218 | +# Whether or not CipherText should use a message authentication code (MAC) with it. |
198 | 219 | # This prevents an adversary from altering the IV as well as allowing a more |
199 | 220 | # fool-proof way of determining the decryption failed because of an incorrect |
200 | 221 | # key being supplied. |
201 | | -Encryptor.CipherText.useMIC=true |
| 222 | +Encryptor.CipherText.useMAC=true |
| 223 | + |
| 224 | +# Whether or not the PlainText object may be overwritten and then marked |
| 225 | +# eligible for garbage collection. If not set, this is still treated as 'true'. |
| 226 | +Encryptor.PlainText.overwrite=true |
202 | 227 |
|
203 | 228 | # Do not use DES except in a legacy situation. 56-bit is way too small key size. |
204 | 229 | #Encryptor.EncryptionKeyLength=56 |
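Review bot: renaming `Encryptor.CipherText.useMIC` to `Encryptor.CipherText.useMAC` silently breaks any existing ESAPI.properties that sets the old name: the loader will not find `useMAC`, fall back to its built-in default, and never warn that `useMIC` is now ignored. Either keep reading `useMIC` as a deprecated alias for a release or log a warning when the old key is present. While editing this comment, say what the MAC covers (the IV and the ciphertext), since "prevents an adversary from altering the IV" only holds if the IV is under the MAC.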