4356. EPMO Open Source Coordination Office Redaction File Detail Report

Produced by Araxis Merge on 6/9/2017 3:51:30 PM Eastern Daylight Time. See www.araxis.com for information about Merge. This report uses XHTML and CSS2, and is best viewed with a modern standards-compliant browser. For optimum results when printing this report, use landscape orientation and enable printing of background images and colours in your browser.

4356.1 Files compared

#	Location	File	Last Modified
1			Fri Jun 9 19:51:30 2017 UTC
2	eHealth_Exch (eHealth Exchange Enhancements) Build 3 docs & code_May_2017.zip\VAP_CIF_CODE0502.zip\VAP_CIF_CODE0502\VAP_CIF_CODE0502\nvap-web\src\main\resources\esapi	esapi.properties	Fri Apr 21 20:03:30 2017 UTC

4356.2 Comparison summary

Description	Between Files 1 and 2
Description	Text Blocks	Lines
Unchanged	0	0
Changed	0	0
Inserted	1	459
Removed	0	0

4356.3 Comparison options

Whitespace
Character case	Differences in character case are significant
Line endings	Differences in line endings (`CR` and `LF` characters) are ignored
CR/LF characters	Not shown in the comparison detail

4356.4 Active regular expressions

No regular expressions were active.

4356.5 Comparison detail

				1		#
				2		# OWASP En terprise S ecurity AP I (ESAPI) Properties file -- P RODUCTION Version
				3		#
				4		# This fil e is part of the Ope n Web Appl ication Se curity Pro ject (OWAS P)
				5		# Enterpri se Securit y API (ESA PI) projec t. For det ails, plea se see
				6		# http://w ww.owasp.o rg/index.p hp/ESAPI.
				7		#
				8		# Copyrigh t (c) 2008 ,2009 - Th e OWASP Fo undation
				9		#
				10		# DISCUSS: This may cause a ma jor backwa rds compat ibility is sue, etc. but
				11		# f rom a name space per spective, we probabl y should h ave prefac ed
				12		# a ll the pro perty name s with ESA PI or at l east OWASP . Otherwis e
				13		# t here could be proble ms is some one loads this prope rties file into
				14		# t he System properties . We coul d also put this file into the
				15		# e sapi.jar f ile (perha ps as a Re sourceBund le) and th en allow a n external
				16		# E SAPI prope rties be d efined tha t would ov erwrite th ese defaul ts.
				17		# T hat keeps the applic ation's pr operties r elatively simple as usually
				18		# t hey will o nly want t o override a few pro perties. I f looks li ke we
				19		# a lready sup port multi ple overri de levels of this in the
				20		# D efaultSecu rityConfig uration cl ass, but I 'm suggest ing placin g the
				21		# d efaults in the esapi .jar itsel f. That wa y, if the jar is sig ned,
				22		# w e could de tect if th ose proper ties had b een tamper ed with. ( The
				23		# c ode to che ck the jar signature s is prett y simple.. . maybe 70 -90 LOC,
				24		# b ut off cou rse there is an exec ution pena lty (simil ar to the way
				25		# t hat the se parate sun jce.jar us ed to be w hen a clas s from it was
				26		# f irst loade d). Though ts?
				27		########## ########## ########## ########## ########## ########## ########## #########
				28		#
				29		# WARNING: Operating system pr otection s hould be u sed to loc k down the .esapi
				30		# resource s director y and all the files inside and all the d irectories all the
				31		# way up t o the root directory of the fi le system. Note tha t if you a re using
				32		# file-bas ed impleme ntations, that some files may need to be read-writ e as they
				33		# get upda ted dynami cally.
				34		#
				35		# Before u sing, be s ure to upd ate the Ma sterKey an d MasterSa lt as desc ribed belo w.
				36		# N.B.: If you had s tored data that you have previ ously encr ypted with ESAPI 1.4 ,
				37		# you must FIR ST decrypt it using ESAPI 1.4 and then ( if so desi red)
				38		# re-e ncrypt it with ESAPI 2.0. If y ou fail to do this, you will N OT be
				39		# able to decryp t your dat a with ESA PI 2.0.
				40		#
				41		# YOU HAVE BEEN WARNED!!! More detai ls are in the ESAPI 2.0 Releas e Notes.
				42		#
				43		#========= ========== ========== ========== ========== ========== ========== ======
				44		# ESAPI Co nfiguratio n
				45		#
				46		# If true, then prin t all the ESAPI prop erties set here when they are loaded.
				47		# If false , they are not print ed. Useful to reduce output wh en running JUnit tes ts.
				48		# If you n eed to tro ubleshoot a properti es related problem, turning th is on may help.
				49		# This is 'false' in the src/t est/resour ces/.esapi version. It is 'tru e' by
				50		# default for reason s of backw ard compat ibility wi th earlier ESAPI ver sions.
				51		ESAPI.prin tPropertie s=true
				52
				53		# ESAPI is designed to be easi ly extensi ble. You c an use the reference implement ation
				54		# or imple ment your own provid ers to tak e advantag e of your enterprise 's securit y
				55		# infrastr ucture. Th e function s in ESAPI are refer enced usin g the ESAP I locator, like:
				56		#
				57		# Strin g cipherte xt =
				58		# ESAP I.encrypto r().encryp t("Secret message"); // Depr ecated in 2.0
				59		# Ciphe rText ciph erText =
				60		# ESAP I.encrypto r().encryp t(new Plai nText("Sec ret messag e")); // P referred
				61		#
				62		# Below yo u can spec ify the cl assname fo r the prov ider that you wish t o use in y our
				63		# applicat ion. The o nly requir ement is t hat it imp lement the appropria te ESAPI i nterface.
				64		# This all ows you to switch se curity imp lementatio ns in the future wit hout rewri ting the
				65		# entire a pplication .
				66		#
				67		# Experime ntalAccess Controller requires ESAPI-Acce ssControlP olicy.xml in .esapi directory
				68		ESAPI.Acce ssControl= org.owasp. esapi.refe rence.Defa ultAccessC ontroller
				69		# FileBase dAuthentic ator requi res users. txt file i n .esapi d irectory
				70		ESAPI.Auth enticator= org.owasp. esapi.refe rence.File BasedAuthe nticator
				71		ESAPI.Enco der=org.ow asp.esapi. reference. DefaultEnc oder
				72		ESAPI.Encr yptor=org. owasp.esap i.referenc e.crypto.J avaEncrypt or
				73
				74		ESAPI.Exec utor=org.o wasp.esapi .reference .DefaultEx ecutor
				75		ESAPI.HTTP Utilities= org.owasp. esapi.refe rence.Defa ultHTTPUti lities
				76		ESAPI.Intr usionDetec tor=org.ow asp.esapi. reference. DefaultInt rusionDete ctor
				77		# Log4JFac tory Requi res log4j. xml or log 4j.propert ies in cla sspath - h ttp://www. laliluna.d e/log4j-tu torial.htm l
				78		ESAPI.Logg er=org.owa sp.esapi.r eference.L og4JLogFac tory
				79		#ESAPI.Log ger=org.ow asp.esapi. reference. JavaLogFac tory
				80		ESAPI.Rand omizer=org .owasp.esa pi.referen ce.Default Randomizer
				81		ESAPI.Vali dator=org. owasp.esap i.referenc e.DefaultV alidator
				82
				83		#========= ========== ========== ========== ========== ========== ========== ======
				84		# ESAPI Au thenticato r
				85		#
				86		Authentica tor.Allowe dLoginAtte mpts=3
				87		Authentica tor.MaxOld PasswordHa shes=13
				88		Authentica tor.Userna meParamete rName=user name
				89		Authentica tor.Passwo rdParamete rName=pass word
				90		# Remember TokenDurat ion (in da ys)
				91		Authentica tor.Rememb erTokenDur ation=14
				92		# Session Timeouts ( in minutes )
				93		Authentica tor.IdleTi meoutDurat ion=20
				94		Authentica tor.Absolu teTimeoutD uration=12 0
				95
				96		#========= ========== ========== ========== ========== ========== ========== ======
				97		# ESAPI En coder
				98		#
				99		# ESAPI ca nonicalize s input be fore valid ation to p revent byp assing fil ters with encoded at tacks.
				100		# Failure to canonic alize inpu t is a ver y common m istake whe n implemen ting valid ation sche mes.
				101		# Canonica lization i s automati c when usi ng the ESA PI Validat or, but yo u can also use the
				102		# followin g code to canonicali ze data.
				103		#
				104		# ESA PI.Encoder ().canonic alize( "%2 2hello wor ld"" );
				105		#
				106		# Multiple encoding is when a single enc oding form at is appl ied multip le times. Allowing
				107		# multiple encoding is strongl y discoura ged.
				108		Encoder.Al lowMultipl eEncoding= false
				109
				110		# Mixed en coding is when multi ple differ ent encodi ng formats are appli ed, or whe n
				111		# multiple formats a re nested. Allowing multiple e ncoding is strongly discourage d.
				112		Encoder.Al lowMixedEn coding=fal se
				113
				114		# The defa ult list o f codecs t o apply wh en canonic alizing un trusted da ta. The li st should include th e codecs
				115		# for all downstream interpret ers or dec oders. For example, if the dat a is likel y to end u p in a URL , HTML, or
				116		# inside J avaScript, then the list of co decs below is approp riate. The order of the list i s not terr ibly impor tant.
				117		Encoder.De faultCodec List=HTMLE ntityCodec ,PercentCo dec,JavaSc riptCodec
				118
				119
				120		#========= ========== ========== ========== ========== ========== ========== ======
				121		# ESAPI En cryption
				122		#
				123		# The ESAP I Encrypto r provides basic cry ptographic functions with a si mplified A PI.
				124		# To get s tarted, ge nerate a n ew key usi ng java -c lasspath e sapi.jar o rg.owasp.e sapi.refer ence.crypt o.JavaEncr yptor
				125		# There is not curre ntly any s upport for key rotat ion, so be careful w hen changi ng your ke y and salt as it
				126		# will inv alidate al l signed, encrypted, and hashe d data.
				127		#
				128		# WARNING: Not all c ombination s of algor ithms and key length s are supp orted.
				129		# If you c hoose to u se a key l ength grea ter than 1 28, you MU ST downloa d the
				130		# unlimite d strength policy fi les and in stall in t he lib dir ectory of your JRE/J DK.
				131		# See http ://java.su n.com/java se/downloa ds/index.j sp for mor e informat ion.
				132		#
				133		# Backward compatibi lity with ESAPI Java 1.4 is su pported by the two d eprecated API
				134		# methods, Encryptor .encrypt(S tring) and Encryptor .decrypt(S tring). Ho wever, whe never
				135		# possible , these me thods shou ld be avoi ded as the y use ECB cipher mod e, which i n almost
				136		# all circ umstances a poor cho ice becaus e of it's weakness. CBC cipher mode is t he default
				137		# for the new Encryp tor encryp t / decryp t methods for ESAPI Java 2.0. In genera l, you
				138		# should o nly use th is compati bility set ting if yo u have per sistent da ta encrypt ed with
				139		# version 1.4 and ev en then, y ou should ONLY set t his compat ibility mo de UNTIL
				140		# you have decrypted all of yo ur old enc rypted dat a and then re-encryp ted it wit h
				141		# ESAPI 2. 0 using CB C mode. If you have some reaso n to mix t he depreca ted 1.4 mo de
				142		# with the new 2.0 m ethods, ma ke sure th at you use the same cipher alg orithm for both
				143		# (256-bit AES was t he default for 1.4; 128-bit is the defau lt for 2.0 ; see belo w for
				144		# more det ails.) Oth erwise, yo u will hav e to use t he new 2.0 encrypt / decrypt m ethods
				145		# where yo u can spec ify a Secr etKey. (No te that if you are u sing the 2 56-bit AES ,
				146		# that req uires down loading th e special jurisdicti on policy files ment ioned abov e.)
				147		#
				148		# **** * IMPORTAN T: Do NOT forget to replace th ese with y our own va lues! **** *
				149		# To calcu late these values, y ou can run :
				150		# java -classpat h esapi.ja r org.owas p.esapi.re ference.cr ypto.JavaE ncryptor
				151		#
				152		#Encryptor .MasterKey =
				153		#Encryptor .MasterSal t=
				154
				155		# Provides the defau lt JCE pro vider that ESAPI wil l "prefer" for its s ymmetric
				156		# encrypti on and has hing. (Tha t is it wi ll look to this prov ider first , but it
				157		# will def er to othe r provider s if the r equested a lgorithm i s not impl emented
				158		# by this provider.) If left u nset, ESAP I will jus t use your Java VM's current
				159		# preferre d JCE prov ider, whic h is gener ally set i n the file
				160		# "$JAVA_H OME/jre/li b/security /java.secu rity".
				161		#
				162		# The main intent of this is t o allow ES API symmet ric encryp tion to be
				163		# used wit h a FIPS 1 40-2 compl iant crypt o-module. For detail s, see the section
				164		# "Using E SAPI Symme tric Encry ption with FIPS 140- 2 Cryptogr aphic Modu les" in
				165		# the ESAP I 2.0 Symm etric Encr yption Use r Guide, a t:
				166		# http://o wasp-esapi -java.goog lecode.com /svn/trunk /documenta tion/esapi 4java-core -2.0-symme tric-crypt o-user-gui de.html
				167		# However, this prop erty also allows you to easily use an al ternate JC E provider
				168		# such as "Bouncy Ca stle" with out having to make c hanges to "java.secu rity".
				169		# See Java doc for Se curityProv iderLoader for furth er details . If you w ish to use
				170		# a provid er that is not known to Securi tyProvider Loader, yo u may spec ify the
				171		# fully-qu alified cl ass name o f the JCE provider c lass that implements
				172		# java.sec urity.Prov ider. If t he name co ntains a ' .', this i s interpre ted as
				173		# a fully- qualified class name that impl ements jav a.security .Provider.
				174		#
				175		# NOTE: Se tting this property has the si de-effect of changin g it in yo ur applica tion
				176		# as well, so if you are using JCE in your a pplication directly rather tha n
				177		# th rough ESAP I (you wou ldn't do t hat, would you? ;-), it will c hange the
				178		# pr eferred JC E provider there as well.
				179		#
				180		# Default: Keeps the JCE provi der set to whatever JVM sets i t to.
				181		Encryptor. PreferredJ CEProvider =
				182
				183		# AES is t he most wi dely used and strong est encryp tion algor ithm. This
				184		# should a gree with your Encry ptor.Ciphe rTransform ation prop erty.
				185		# By defau lt, ESAPI Java 1.4 u ses "PBEWi thMD5AndDE S" and whi ch is
				186		# very wea k. It is e ssentially a passwor d-based en cryption k ey, hashed
				187		# with MD5 around 1K times and then encr ypted with the weak DES algori thm
				188		# (56-bits ) using EC B mode and an unspec ified padd ing (it is
				189		# JCE prov ider speci fic, but m ost likely "NoPaddin g"). Howev er, 2.0 us es
				190		# "AES/CBC /PKCSPaddi ng". If yo u want to change the se, change them here .
				191		# Warning: This prop erty does not contro l the defa ult refere nce implem entation f or
				192		# E SAPI 2.0 u sing JavaE ncryptor. Also, this property will be dr opped
				193		# i n the futu re.
				194		# @depreca ted
				195		Encryptor. Encryption Algorithm= AES
				196		# For ESAPI Java 2.0 - New encrypt / decrypt m ethods use this.
				197		Encryptor. CipherTran sformation =AES/CBC/P KCS5Paddin g
				198
				199		# Applies to ESAPI 2 .0 and lat er only!
				200		# Comma-se parated li st of ciph er modes t hat provid e BOTH
				201		# confiden tiality A ND messag e authenti city. (NIS T refers t o such cip her
				202		# modes as "combined modes" so that's wh at we shal l call the m.) If any of these
				203		# cipher m odes are u sed then n o MAC is c alculated and stored
				204		# in the C ipherText upon encry ption. Lik ewise, if one of the se
				205		# cipher m odes is us ed with de cryption, no attempt will be m ade
				206		# to valid ate the MA C containe d in the C ipherText object reg ardless
				207		# of wheth er it cont ains one o r not. Sin ce the exp ectation i s that
				208		# these ci pher modes support s upport mes sage authe nticity al ready,
				209		# injectin g a MAC in the Ciphe rText obje ct would b e at best redundant.
				210		#
				211		# Note tha t as of JD K 1.5, the SunJCE pr ovider doe s not supp ort any
				212		# of these cipher mo des. Of th ese listed , only GCM and CCM a re current ly
				213		# NIST app roved. YMM V for othe r JCE prov iders. E.g ., Bouncy Castle sup ports
				214		# GCM and CCM with " NoPadding" mode, but not with "PKCS5Padd ing" or ot her
				215		# padding modes.
				216		Encryptor. cipher_mod es.combine d_modes=GC M,CCM,IAPM ,EAX,OCB,C WC
				217
				218		# Applies to ESAPI 2 .0 and lat er only!
				219		# Addition al cipher modes allo wed for ES API 2.0 en cryption. These
				220		# cipher m odes are i n _additio n_ to thos e specifie d by the p roperty
				221		# 'Encrypt or.cipher_ modes.comb ined_modes '.
				222		# Note: We will add support fo r streamin g modes li ke CFB & O FB once
				223		# we add s upport for 'specifie d' to the property ' Encryptor. ChooseIVMe thod'
				224		# (probabl y in ESAPI 2.1).
				225		# DISCUSS: Better na me?
				226		Encryptor. cipher_mod es.additio nal_allowe d=CBC
				227
				228		# 128-bit is almost always suf ficient an d appears to be more resistant to
				229		# related key attack s than is 256-bit AE S. Use '_' to use de fault key size
				230		# for ciph er algorit hms (where it makes sense beca use the al gorithm su pports
				231		# a variab le key siz e). Key le ngth must agree to w hat's prov ided as th e
				232		# cipher t ransformat ion, other wise this will be ig nored afte r logging a
				233		# warning.
				234		#
				235		# NOTE: Th is is what applies B OTH ESAPI 1.4 and 2. 0. See war ning above about mix ing!
				236		Encryptor. Encryption KeyLength= 128
				237
				238		# Because 2.0 uses C BC mode by default, it require s an initi alization vector (IV ).
				239		# (All cip her modes except ECB require a n IV.) The re are two choices: we can eit her
				240		# use a fi xed IV kno wn to both parties o r allow ES API to cho ose a rand om IV. Whi le
				241		# the IV d oes not ne ed to be h idden from adversari es, it is important that the
				242		# adversar y not be a llowed to choose it. Also, ran dom IVs ar e generall y much mor e
				243		# secure t han fixed IVs. (In f act, it is essential that feed -back ciph er modes
				244		# such as CFB and OF B use a di fferent IV for each encryption with a gi ven key so
				245		# in such cases, ran dom IVs ar e much pre ferred. By default, ESAPI 2.0 uses rando m
				246		# IVs. If you wish t o use 'fix ed' IVs, s et 'Encryp tor.Choose IVMethod=f ixed' and
				247		# uncommen t the Encr yptor.fixe dIV.
				248		#
				249		# Valid va lues: random \|fixed\|spe cified 'spe cified' no t yet impl emented; p lanned for 2.1
				250		Encryptor. ChooseIVMe thod=rando m
				251		# If you c hoose to u se a fixed IV, then you must p lace a fix ed IV here that
				252		# is known to all ot hers who a re sharing your secr et key. Th e format s hould
				253		# be a hex string th at is the same lengt h as the c ipher bloc k size for the
				254		# cipher a lgorithm t hat you ar e using. T he followi ng is an * example* f or AES
				255		# from an AES test v ector for AES-128/CB C as descr ibed in:
				256		# NIST Spe cial Publi cation 800 -38A (2001 Edition)
				257		# "Recomme ndation fo r Block Ci pher Modes of Operat ion".
				258		# (Note th at the blo ck size fo r AES is 1 6 bytes == 128 bits. )
				259		#
				260		Encryptor. fixedIV=0x 0001020304 0506070809 0a0b0c0d0e 0f
				261
				262		# Whether or not Cip herText sh ould use a message a uthenticat ion code ( MAC) with it.
				263		# This pre vents an a dversary f rom alteri ng the IV as well as allowing a more
				264		# fool-pro of way of determinin g the decr yption fai led becaus e of an in correct
				265		# key bein g supplied . This ref ers to the "separate " MAC calc ulated and stored
				266		# in Ciphe rText, not part of a ny MAC tha t is calcu lated as a result of a
				267		# "combine d mode" ci pher mode.
				268		#
				269		# If you a re using E SAPI with a FIPS 140 -2 cryptog raphic mod ule, you * must* also
				270		# set this property to false.
				271		Encryptor. CipherText .useMAC=tr ue
				272
				273		# Whether or not the PlainText object ma y be overw ritten and then mark ed
				274		# eligible for garba ge collect ion. If no t set, thi s is still treated a s 'true'.
				275		Encryptor. PlainText. overwrite= true
				276
				277		# Do not u se DES exc ept in a l egacy situ ations. 56 -bit is wa y too smal l key size .
				278		#Encryptor .Encryptio nKeyLength =56
				279		#Encryptor .Encryptio nAlgorithm =DES
				280
				281		# TripleDE S is consi dered stro ng enough for most p urposes.
				282		# No te: Ther e is also a 112-bit version of DESede. U sing the 1 68-bit ver sion
				283		# requir es downloa ding the s pecial jur isdiction policy fro m Sun.
				284		#Encryptor .Encryptio nKeyLength =168
				285		#Encryptor .Encryptio nAlgorithm =DESede
				286
				287		Encryptor. HashAlgori thm=SHA-51 2
				288		Encryptor. HashIterat ions=1024
				289		Encryptor. DigitalSig natureAlgo rithm=SHA1 withDSA
				290		Encryptor. DigitalSig natureKeyL ength=1024
				291		Encryptor. RandomAlgo rithm=SHA1 PRNG
				292		Encryptor. CharacterE ncoding=UT F-8
				293
				294		# This is the Pseudo Random Fu nction (PR F) that ES API's Key Derivation Function
				295		# (KDF) no rmally use s. Note th is is onl y the PRF used for ESAPI's KD F and
				296		# not wh at is used for ESAPI 's MAC. (C urrently, HmacSHA1 i s always u sed for
				297		# the MAC, mostly to keep the overall si ze at a mi nimum.)
				298		#
				299		# Currentl y supporte d choices for JDK 1. 5 and 1.6 are:
				300		# Hm acSHA1 (16 0 bits), H macSHA256 (256 bits) , HmacSHA3 84 (384 bi ts), and
				301		# Hm acSHA512 ( 512 bits).
				302		# Note tha t HmacMD5 is not s upported f or the PRF used by t he KDF eve n though
				303		# the JDKs support i t. See th e ESAPI 2. 0 Symmetri c Encrypti on User Gu ide
				304		# further details.
				305		Encryptor. KDF.PRF=Hm acSHA256
				306		#========= ========== ========== ========== ========== ========== ========== ======
				307		# ESAPI Ht tpUtilties
				308		#
				309		# The Http Utilities provide ba sic protec tions to H TTP reques ts and res ponses. Pr imarily th ese method s
				310		# protect against ma licious da ta from at tackers, s uch as unp rintable c haracters, escaped c haracters,
				311		# and othe r simple a ttacks. Th e HttpUtil ities also provides utility me thods for dealing wi th cookies ,
				312		# headers, and CSRF tokens.
				313		#
				314		# Default file uploa d location (remember to escape backslash es with \\ )
				315		HttpUtilit ies.Upload Dir=C:\\ES API\\testU pload
				316		HttpUtilit ies.Upload TempDir=C: \\temp
				317		# Force fl ags on coo kies, if y ou use Htt pUtilities to set co okies
				318		HttpUtilit ies.ForceH ttpOnlySes sion=false
				319		HttpUtilit ies.ForceS ecureSessi on=false
				320		HttpUtilit ies.ForceH ttpOnlyCoo kies=true
				321		HttpUtilit ies.ForceS ecureCooki es=true
				322		# Maximum size of HT TP headers
				323		HttpUtilit ies.MaxHea derSize=40 96
				324		# File upl oad config uration
				325		HttpUtilit ies.Approv edUploadEx tensions=. zip,.pdf,. doc,.docx, .ppt,.pptx ,.tar,.gz, .tgz,.rar, .war,.jar, .ear,.xls, .rtf,.prop erties,.ja va,.class, .txt,.xml, .jsp,.jsf, .exe,.dll
				326		HttpUtilit ies.MaxUpl oadFileByt es=5000000 00
				327		# Using UT F-8 throug hout your stack is h ighly reco mmended. T hat includ es your da tabase dri ver,
				328		# containe r, and any other tec hnologies you may be using. Fa ilure to d o this may expose yo u
				329		# to Unico de transco ding injec tion attac ks. Use of UTF-8 doe s not hind er interna tionalizat ion.
				330		HttpUtilit ies.Respon seContentT ype=text/h tml; chars et=UTF-8
				331		# This is the name o f the cook ie used to represent the HTTP session
				332		# Typicall y this wil l be the d efault "JS ESSIONID"
				333		HttpUtilit ies.HttpSe ssionIdNam e=JSESSION ID
				334
				335
				336
				337		#========= ========== ========== ========== ========== ========== ========== ======
				338		# ESAPI Ex ecutor
				339		# CHECKME - This sho uld be mad e OS indep endent. Do n't use un safe defau lts.
				340		# # Exampl es only -- do NOT bl indly copy !
				341		# For Wi ndows:
				342		# Exec utor.Worki ngDirector y=C:\\Wind ows\\Temp
				343		# Exec utor.Appro vedExecuta bles=C:\\W indows\\Sy stem32\\cm d.exe,C:\\ Windows\\S ystem32\\r unas.exe
				344		# For *n ux, MacOS:
				345		# Exec utor.Worki ngDirector y=/tmp
				346		# Exec utor.Appro vedExecuta bles=/bin/ bash
				347		Executor.W orkingDire ctory=
				348		Executor.A pprovedExe cutables=
				349
				350
				351		#========= ========== ========== ========== ========== ========== ========== ======
				352		# ESAPI Lo gging
				353		# Set the applicatio n name if these logs are combi ned with o ther appli cations
				354		Logger.App licationNa me=Example Applicatio n
				355		# If you u se an HTML log viewe r that doe s not prop erly HTML escape log data, you can set L ogEncoding Required t o true
				356		Logger.Log EncodingRe quired=fal se
				357		# Determin es whether ESAPI sho uld log th e applicat ion name. This might be clutte r in some single-ser ver/single -app envir onments.
				358		Logger.Log Applicatio nName=true
				359		# Determin es whether ESAPI sho uld log th e server I P and port . This mig ht be clut ter in som e single-s erver envi ronments.
				360		Logger.Log ServerIP=t rue
				361		# LogFileN ame, the n ame of the logging f ile. Provi de a full directory path (e.g. , C:\\ESAP I\\ESAPI_l ogging_fil e) if you
				362		# want to place it i n a specif ic directo ry.
				363		Logger.Log FileName=E SAPI_loggi ng_file
				364		# MaxLogFi leSize, th e max size (in bytes ) of a sin gle log fi le before it cuts ov er to a ne w one (def ault is 10 ,000,000)
				365		Logger.Max LogFileSiz e=10000000
				366
				367
				368		#========= ========== ========== ========== ========== ========== ========== ======
				369		# ESAPI In trusion De tection
				370		#
				371		# Each eve nt has a b ase to whi ch .count, .interval , and .act ion are ad ded
				372		# The Intr usionExcep tion will fire if we receive " count" eve nts within "interval " seconds
				373		# The Intr usionDetec tor is con figurable to take th e followin g actions: log, logo ut, and di sable
				374		# (multip le actions separated by commas are allow ed e.g. ev ent.test.a ctions=log ,disable
				375		#
				376		# Custom E vents
				377		# Names mu st start w ith "event ." as the base
				378		# Use Intr usionDetec tor.addEve nt( "test" ) in your code to t rigger "ev ent.test" here
				379		# You can also disab le intrusi on detecti on complet ely by cha nging
				380		# the foll owing para meter to t rue
				381		#
				382		IntrusionD etector.Di sable=fals e
				383		#
				384		IntrusionD etector.ev ent.test.c ount=2
				385		IntrusionD etector.ev ent.test.i nterval=10
				386		IntrusionD etector.ev ent.test.a ctions=dis able,log
				387
				388		# Exceptio n Events
				389		# All Ente rpriseSecu rityExcept ions are r egistered automatica lly
				390		# Call Int rusionDete ctor.getIn stance().a ddExceptio n(e) for E xceptions that do no t extend E nterpriseS ecurityExc eption
				391		# Use the fully qual ified clas sname of t he excepti on as the base
				392
				393		# any intr usion is a n attack
				394		IntrusionD etector.or g.owasp.es api.errors .Intrusion Exception. count=1
				395		IntrusionD etector.or g.owasp.es api.errors .Intrusion Exception. interval=1
				396		IntrusionD etector.or g.owasp.es api.errors .Intrusion Exception. actions=lo g,disable, logout
				397
				398		# for test purposes
				399		# CHECKME: Shouldn't there be something in the pro perty name itself th at designa tes
				400		# t hat these are for te sting???
				401		IntrusionD etector.or g.owasp.es api.errors .Integrity Exception. count=10
				402		IntrusionD etector.or g.owasp.es api.errors .Integrity Exception. interval=5
				403		IntrusionD etector.or g.owasp.es api.errors .Integrity Exception. actions=lo g,disable, logout
				404
				405		# rapid va lidation e rrors indi cate scans or attack s in progr ess
				406		# org.owas p.esapi.er rors.Valid ationExcep tion.count =10
				407		# org.owas p.esapi.er rors.Valid ationExcep tion.inter val=10
				408		# org.owas p.esapi.er rors.Valid ationExcep tion.actio ns=log,log out
				409
				410		# sessions jumping b etween hos ts indicat es session hijacking
				411		IntrusionD etector.or g.owasp.es api.errors .Authentic ationHostE xception.c ount=2
				412		IntrusionD etector.or g.owasp.es api.errors .Authentic ationHostE xception.i nterval=10
				413		IntrusionD etector.or g.owasp.es api.errors .Authentic ationHostE xception.a ctions=log ,logout
				414
				415
				416		#========= ========== ========== ========== ========== ========== ========== ======
				417		# ESAPI Va lidation
				418		#
				419		# The ESAP I Validato r works on regular e xpressions with defi ned names. You can d efine name s
				420		# either h ere, or yo u may defi ne applica tion speci fic patter ns in a se parate fil e defined below.
				421		# This all ows enterp rises to s pecify bot h organiza tional sta ndards as well as ap plication specific
				422		# validati on rules.
				423		#
				424		Validator. Configurat ionFile=va lidation.p roperties
				425
				426		# Validato rs used by ESAPI
				427		Validator. AccountNam e=^[a-zA-Z 0-9]{3,20} $
				428		Validator. SystemComm and=^[a-zA -Z\\-\\/]{ 1,64}$
				429		Validator. RoleName=^ [a-z]{1,20 }$
				430
				431		#the word TEST below should be changed t o your app lication
				432		#name - on ly relativ e URL's ar e supporte d
				433		Validator. Redirect=^ \\/test.*$
				434
				435		# Global H TTP Valida tion Rules
				436		# Values w ith Base64 encoded d ata (e.g. encrypted state) wil l need at least [a-z A-Z0-9\/+= ]
				437		Validator. HTTPScheme =^(http\|ht tps)$
				438		Validator. HTTPServer Name=^[a-z A-Z0-9_.\\ -]*$
				439		Validator. HTTPParame terName=^[ a-zA-Z0-9_ ]{1,32}$
				440		Validator. HTTPParame terValue=^ [a-zA-Z0-9 .\\-\\/+=@ _ ]*$
				441		Validator. HTTPCookie Name=^[a-z A-Z0-9\\-_ ]{1,32}$
				442		Validator. HTTPCookie Value=^[a- zA-Z0-9\\- \\/+=_ ]*$
				443		Validator. HTTPHeader Name=^[a-z A-Z0-9\\-_ ]{1,32}$
				444		Validator. HTTPHeader Value=^[a- zA-Z0-9()\ \-=\\\\.\ \?;,+\\/:& _ ]$
				445		Validator. HTTPContex tPath=^\\/ ?[a-zA-Z0- 9.\\-\\/_] *$
				446		Validator. HTTPServle tPath=^[a- zA-Z0-9.\\ -\\/_]*$
				447		Validator. HTTPPath=^ [a-zA-Z0-9 .\\-_]*$
				448		Validator. HTTPQueryS tring=^[a- zA-Z0-9()\ \-=\\\\.\ \?;,+\\/:& _ %]$
				449		Validator. HTTPURI=^[ a-zA-Z0-9( )\\-=\\\\ .\\?;,+\\/ :&_ ]$
				450		Validator. HTTPURL=^. *$
				451		Validator. HTTPJSESSI ONID=^[A-Z 0-9]{10,30 }$
				452
				453		# Validati on of file related i nput
				454		Validator. FileName=^ [a-zA-Z0-9 !@#$%^&{}\ \[\\]()_+\ \-=,.~'` ] {1,255}$
				455		Validator. DirectoryN ame=^[a-zA -Z0-9:/\\\ \!@#$%^&{} \\[\\]()_+ \\-=,.~'` ]{1,255}$
				456
				457		# Validati on of date s. Control s whether or not 'le nient' dat es are acc epted.
				458		# See Data Format.set Lenient(bo olean flag ) for furt her detail s.
				459		Validator. AcceptLeni entDates=f alse