

/**
 * OWASP Enterprise Security API (ESAPI)
 * 
 * This file is part of the Open Web Application Security Project (OWASP)
 * Enterprise Security API (ESAPI) project. For details, please see
 * http://www.owasp.org/index.php/ESAPI.
 *
 * Copyright (c) 2009 - The OWASP Foundation
 * 
 * The ESAPI is published by OWASP under the BSD license. You should read and accept the
 * LICENSE before you use, modify, and/or redistribute this software.
 * 
 * @author Arshan Dabirsiaghi Aspect Security
 * @created 2009
 */
package org.owasp.esapi.waf.configuration;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

import org.apache.log4j.Level;
import org.owasp.esapi.waf.rules.Rule;

/**
 * This class is the object model of the policy file. Also holds a number of constants
 * used throughout the WAF.
 * 
 * @author Arshan Dabirsiaghi
 *
 */
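public class AppGuardianConfiguration {

	/*
	 * Fail modes. LOG records the offending request, BLOCK blocks it as well.
	 * REDIRECT presumably sends the client to the configured default error page
	 * (see setDefaultErrorPage) -- confirm against the rule implementations.
	 */
	public static final int LOG = 0;
	public static final int REDIRECT = 1;
	public static final int BLOCK = 2;

	/*
	 * The comparison operators a rule can be configured with.
	 */
	public static final int OPERATOR_EQ = 0;
	public static final int OPERATOR_CONTAINS = 1;
	public static final int OPERATOR_IN_LIST = 2;
	public static final int OPERATOR_EXISTS = 3;

	/*
	 * Static copies of the log settings so that Rule objects, which have no
	 * reference to the configuration instance, can read them. They are kept in
	 * step with the instance fields by setLogLevel()/setLogDirectory(). Being
	 * public, static and non-final, any code loaded into the same JVM can
	 * reassign them, so treat them as read-only outside this class.
	 */
	public static Level LOG_LEVEL = Level.INFO;
	public static String LOG_DIRECTORY = "/WEB-INF/logs";

	/*
	 * Per-instance logging settings (deprecated in favour of ESAPI logging,
	 * see the accessors below).
	 */
	private Level logLevel = Level.INFO;
	private String logDirectory = "/WEB-INF/logs";

	/*
	 * Default action taken when a rule fails and does not specify its own.
	 */
	public static int DEFAULT_FAIL_ACTION = LOG;

	// TODO: use UTF-8. Note that DEFAULT_CONTENT_TYPE is built once from this
	// value at class-init time; reassigning DEFAULT_CHARACTER_ENCODING later
	// does NOT update DEFAULT_CONTENT_TYPE.
	public static String DEFAULT_CHARACTER_ENCODING = "ISO-8859-1";
	public static String DEFAULT_CONTENT_TYPE = "text/html; charset=" + DEFAULT_CHARACTER_ENCODING;

	/*
	 * The JavaScript used to redirect users to the default error page. A script
	 * is used because response.sendRedirect() can't carry an arbitrary response
	 * code, and that is a requirement. JAVASCRIPT_TARGET_TOKEN marks where the
	 * target URL is substituted. JAVASCRIPT_REDIRECT is currently empty here;
	 * verify whether callers expect a real script before relying on it.
	 */
	public static final String JAVASCRIPT_TARGET_TOKEN = "##1##";
	public static final String JAVASCRIPT_REDIRECT = "";

	/*
	 * Fail response settings: the page and HTTP status returned to the client
	 * when a request is rejected.
	 */
	private String defaultErrorPage;
	private int defaultResponseCode;

	/*
	 * Whether the WAF should add the HttpOnly / Secure attributes to the
	 * session cookie it sees in responses.
	 */
	private boolean forceHttpOnlyFlagToSession = false;
	private boolean forceSecureFlagToSession = false;

	/*
	 * Name of the session cookie the flags above apply to.
	 */
	private String sessionCookieName;

	/*
	 * The object-level rules, grouped by the stage in which they are executed.
	 * The lists are live: the add*Rule methods append to them and the get*Rules
	 * methods hand out the same list instances.
	 */
	private final List<Rule> beforeBodyRules;
	private final List<Rule> afterBodyRules;
	private final List<Rule> beforeResponseRules;
	private final List<Rule> cookieRules;

	/**
	 * Creates an empty configuration with no rules in any stage.
	 */
	public AppGuardianConfiguration() {
		beforeBodyRules = new ArrayList<Rule>();
		afterBodyRules = new ArrayList<Rule>();
		beforeResponseRules = new ArrayList<Rule>();
		cookieRules = new ArrayList<Rule>();
	}

	/**
	 * @return the configured session cookie name, or null if never set
	 */
	public String getSessionCookieName() {
		return sessionCookieName;
	}

	/**
	 * @param sessionCookieName the name of the session cookie the HttpOnly /
	 *        Secure settings apply to
	 */
	public void setSessionCookieName(String sessionCookieName) {
		this.sessionCookieName = sessionCookieName;
	}

	/*
	 * The following methods are all deprecated because
	 * we use ESAPI logging structures now.
	 */

	/**
	 * @return the per-instance log level
	 * @deprecated ESAPI logging is used instead
	 */
	@Deprecated
	public Level getLogLevel() {
		return logLevel;
	}

	/**
	 * Sets the log level on this instance and on the static copy read by rules.
	 *
	 * @param level the new log level
	 * @deprecated ESAPI logging is used instead
	 */
	@Deprecated
	public void setLogLevel(Level level) {
		LOG_LEVEL = level;
		this.logLevel = level;
	}

	/**
	 * Sets the log directory on this instance and on the static copy read by
	 * rules. The value is stored as given; no path validation is performed here.
	 *
	 * @param dir the new log directory
	 * @deprecated ESAPI logging is used instead
	 */
	@Deprecated
	public void setLogDirectory(String dir) {
		LOG_DIRECTORY = dir;
		this.logDirectory = dir;
	}

	/**
	 * @return the per-instance log directory
	 * @deprecated ESAPI logging is used instead
	 */
	@Deprecated
	public String getLogDirectory() {
		return logDirectory;
	}

	/**
	 * @return the page returned on a rejected request, or null if never set
	 */
	public String getDefaultErrorPage() {
		return defaultErrorPage;
	}

	/**
	 * @param defaultErrorPage the page returned on a rejected request
	 */
	public void setDefaultErrorPage(String defaultErrorPage) {
		this.defaultErrorPage = defaultErrorPage;
	}

	/**
	 * @return the HTTP status code returned on a rejected request (0 if never set)
	 */
	public int getDefaultResponseCode() {
		return defaultResponseCode;
	}

	/**
	 * @param defaultResponseCode the HTTP status code returned on a rejected
	 *        request; stored as given, not range-checked
	 */
	public void setDefaultResponseCode(int defaultResponseCode) {
		this.defaultResponseCode = defaultResponseCode;
	}

	/**
	 * @return the live list of rules run before the request body is read;
	 *         modifications are visible to this configuration
	 */
	public List<Rule> getBeforeBodyRules() {
		return beforeBodyRules;
	}

	/**
	 * @return the live list of rules run after the request body is read;
	 *         modifications are visible to this configuration
	 */
	public List<Rule> getAfterBodyRules() {
		return afterBodyRules;
	}

	/**
	 * @return the live list of rules run before the response is sent;
	 *         modifications are visible to this configuration
	 */
	public List<Rule> getBeforeResponseRules() {
		return beforeResponseRules;
	}

	/**
	 * @return the live list of cookie rules; modifications are visible to this
	 *         configuration
	 */
	public List<Rule> getCookieRules() {
		return cookieRules;
	}

	/**
	 * @param r the rule to append to the before-body stage
	 * @throws IllegalArgumentException if r is null
	 */
	public void addBeforeBodyRule(Rule r) {
		beforeBodyRules.add(requireRule(r));
	}

	/**
	 * @param r the rule to append to the after-body stage
	 * @throws IllegalArgumentException if r is null
	 */
	public void addAfterBodyRule(Rule r) {
		afterBodyRules.add(requireRule(r));
	}

	/**
	 * @param r the rule to append to the before-response stage
	 * @throws IllegalArgumentException if r is null
	 */
	public void addBeforeResponseRule(Rule r) {
		beforeResponseRules.add(requireRule(r));
	}

	/**
	 * @param r the rule to append to the cookie stage
	 * @throws IllegalArgumentException if r is null
	 */
	public void addCookieRule(Rule r) {
		cookieRules.add(requireRule(r));
	}

	/**
	 * @param shouldApply true to add the HttpOnly attribute to the session cookie
	 */
	public void setApplyHTTPOnlyFlagToSessionCookie(boolean shouldApply) {
		forceHttpOnlyFlagToSession = shouldApply;
	}

	/**
	 * @param shouldApply true to add the Secure attribute to the session cookie
	 */
	public void setApplySecureFlagToSessionCookie(boolean shouldApply) {
		forceSecureFlagToSession = shouldApply;
	}

	/**
	 * @return whether the HttpOnly attribute is added to the session cookie
	 */
	public boolean isUsingHttpOnlyFlagOnSessionCookie() {
		return forceHttpOnlyFlagToSession;
	}

	/**
	 * @return whether the Secure attribute is added to the session cookie
	 */
	public boolean isUsingSecureFlagOnSessionCookie() {
		return forceSecureFlagToSession;
	}

	/**
	 * Renders the configuration as a human-readable listing of the rules in
	 * each stage, one rule per line.
	 *
	 * @return the multi-line description
	 */
	public String toString() {
		StringBuilder sb = new StringBuilder( "WAF Configuration\n" );
		appendRules( sb, "Before body rules:\n", beforeBodyRules );
		appendRules( sb, "After body rules:\n", afterBodyRules );
		appendRules( sb, "Before response rules:\n", beforeResponseRules );
		appendRules( sb, "Cookie rules:\n", cookieRules );
		return sb.toString();
	}

	/**
	 * Appends a stage heading followed by each rule, indented, on its own line.
	 *
	 * @param sb the builder to append to
	 * @param heading the stage heading (including its trailing newline)
	 * @param rules the rules of that stage
	 */
	private static void appendRules(StringBuilder sb, String heading, List<Rule> rules) {
		sb.append( heading );
		for ( Rule rule : rules ) {
			sb.append( "  " ).append( rule ).append( "\n" );
		}
	}

	/**
	 * Rejects null rules up front rather than failing later in toString() or
	 * at evaluation time.
	 *
	 * @param r the rule to check
	 * @return r, if non-null
	 * @throws IllegalArgumentException if r is null
	 */
	private static Rule requireRule(Rule r) {
		if ( r == null ) {
			throw new IllegalArgumentException( "rule must not be null" );
		}
		return r;
	}
}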



