framework/security/config/security.properties - ofbiz-framework - Git at Google

 ###############################################################################
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
 ###############################################################################
 ####
 # OFBiz Security Settings
 ####

 # -- define the password restrictions --
 password.length.min=5

 ###  -- pattern based password OFBIZ-4958
 security.login.password.pattern.enable=true
 security.login.password.pattern=^.*(?=.{5,}).*$
 # This is a mix to handle the localisation of the OOTB pattern which is only a fixed length
 security.login.password.pattern.description=loginservices.password_must_be_least_characters_long
 # -- For More restrictive pattern you can use the following, no localisation-
 #security.login.password.pattern=^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$
 #security.login.password.pattern.description=Your password must be 5 characters long, Only contains alphanumeric(number optional) and at least one from following special characters: !@#$%^&*.
 #    Only contains alphanumeric and the following special characters: !@#$%^&*
 #    Contains at least 1 of the special characters in the list above
 #    The required special character can appear anywhere in the string (for example: !abc, a!bc, abc!)
 #    minimum length 5 digit.
 # HELP
 # Start of group
 # (
 #   (?=.*\d)         #   must contains one digit from 0-9
 #   (?=.*[a-z])      #   must contains one lowercase characters
 #   (?=.*[A-Z])      #   must contains one uppercase characters
 #   (?=.*[!@#$%^&*]) #   must contains one special symbols in the list "!@#$%^&*"
 #   .                #   match anything with previous condition checking
 #   {5,20}           #   length at least 5 characters and maximum of 20
 #   {5,}             #   minimum length 5 chars and no linitation to max length.
 # )
 # End of group
 # For further password patterns look at
 # http://docs.oracle.com/javase/1.4.2/docs/api/java/util/regex/Pattern.html#sum

 # -- disable the account after this many logins --
 max.failed.logins=3

 # -- number of password change to be saved in UserLoginPasswordHistory.
 # -- passwords saved in history of userLoginId will not be allowed to be reused.
 # -- 0 to not save history at all
 password.change.history.limit=0

 # Security Policy : Force user to reset login password in fix number of days -
 # To enable this functionality <password.change.history.limit> need to be a non zero number. And <user.auto.change.password.enable> need to set as true.
 user.auto.change.password.enable=false
 user.change.password.days=90
 user.change.password.notification.days=5

 # -- disable the account for this many minutes (if 0, then indefinite) --
 login.disable.minutes=5

 # -- disable global logout --
 login.disable.global.logout=false

 # -- store a record for each login attempt? --
 store.login.history=true
 store.login.history.on.service.auth=false
 store.login.history.incorrect.password=true

 # -- should we encrypt (SHA Hash) the password? --
 password.encrypt=true

 # -- set requirePasswordChange to true, after emailPassword --
 password.email_password.require_password_change=true

 # -- specify the type of hash to use for one-way encryption, will be passed to java.security.MessageDigest.getInstance() --
 # -- options may include: SHA, MD5, PBKDF2WithHmacSHA1, PBKDF2WithHmacSHA256, PBKDF2WithHmacSHA384, PBKDF2WithHmacSHA512 and etc
 password.encrypt.hash.type=SHA

 # -- if the type of hash to use for one-way encryption is PBKDF2WithHmacSHA1 or PBKDF2WithHmacSHA256 or PBKDF2WithHmacSHA384 or PBKDF2WithHmacSHA512
 # -- the type of hash to use for one-way encryption needs iteration
 password.encrypt.pbkdf2.iterations=10000

 # -- this is helpful to recover old accounts or to be able to login at all sometimes --
 # -- SHOULD GENERALLY NOT BE TRUE FOR PRODUCTION SITES, but is useful for interim periods when going to password encryption --
 password.accept.encrypted.and.plain=false

 # -- should we convert usernames and passwords to lowercase? (useful for case insensitive usernames and passwords) --
 username.lowercase=false
 password.lowercase=false

 # -- Use LDAP for user authentication? --
 security.ldap.enable=false

 # -- Fail login if LDAP authentication fails? --
 security.ldap.fail.login=false

 # -- should we allow x509 certificate login
 security.login.cert.allow=true

 # -- HTTP header based ID (for integrations; uncomment to enable)
 #security.login.http.header=REMOTE_USER

 # -- HttpServletRequest.getRemoteUser() based ID (for integration; uncomment to enable)
 # Use for external authentication solutions like CAS which overload the getRemoteUser method.
 #security.login.http.servlet.remoteuserlogin.allow=true

 # -- pattern for the userlogin id in CN section of certificate
 security.login.cert.pattern=^(\\w*\\s?\\w*)\\W*.*$

 # -- use Tomcat SingleSignOn valve
 security.login.tomcat.sso=false

 # -- Hours after which EmailAdressVerification should expire
 email_verification.expire.hours=48

 # -- Name of the protect-view preprocessor method (this should not change, but in case...)
 protect-view.preprocessor=java.org.apache.ofbiz.webapp.control.ProtectViewWorker.checkProtectedView

 # -- Name of the default error response view for protected views ("none:" will be rendered as a blank page, see RequestHandler.java)
 #default.error.response.view=none:
 default.error.response.view=view:viewBlocked

 # -- If false, then no externalLoginKey parameters will be added to cross-webapp urls
 security.login.externalLoginKey.enabled=true

 # -- Security key used to encrypt and decrypt the autogenerated password in forgot password functionality.
 login.secret_key_string=Secret Key

 # -- List of domains or IP addresses to be checked to prevent Host Header Injection,
 # -- no spaces after commas,no wildcard, can be extended of course...
 host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org

 # -- By default the SameSite value in SameSiteFilter is strict. This allows to change it to lax if needed
 SameSiteCookieAttribute=

 # -- Freemarker TemplateClassResolver option, see OFBIZ-11709.
 # -- By default OFBiz uses the SAFER_RESOLVER because OOTB it does not use any of the Freemarker classes
 # -- that SAFER_RESOLVER prevents: ObjectConstructor, Execute and JythonRuntime.
 # -- If you need to use one to these classes you need to change the TemplateClassResolver
 # -- to UNRESTRICTED_RESOLVER and look at MemberAccessPolicy. In any cases better read
 # -- https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security
 templateClassResolver=


 #-- UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, Audio and Video and ZIP
 #--
 #-- No proprietary file formats (Excel, Word, etc.) are handled OOTB.
 #-- They can be handled by custom projects using  https://github.com/righettod/document-upload-protection:
 #-- https://github.com/OWASP/www-projectchapter-example/blob/master/cheatsheets/Protect_FileUpload_Against_Malicious_File.md
 #-- Also Tika is an option, but you have to check Tika code, to be sure it's secure enough (ie don't use only metadata)
 #--
 #-- Apache Commons Imaging is used for images.
 #-- For supported formats see https://commons.apache.org/proper/commons-imaging/formatsupport.html
 #-- Notably https://commons.apache.org/proper/commons-imaging/formatsupport.html#Metadata_Format_Support
 #-- OOTB OFBiz only supports PNG, GIF, TIFF and JPEG, it's a breeze to extend using more:
 #-- commonsImagingSupportedFormats=BMP,GIF,JPEG/JFIF,ICNS,ICO/CUR,PCX/DCX,PNM/PGM/PBM/PPM/PAMPortablePixmap,PNG,PSD/Photoshop,RGBE/RadianceHDR,TIFF,WBMP,XBM,XPM
 #-- You should then modify SupportedImageFormats label.
 #--
 #-- If you want to get more image formats then use imageJ:
 #-- For imagejSupportedFormats see https://imagejdocu.tudor.lu/faq/general/which_file_formats_are_supported_by_imagej. NOTE: plugins support is important here
 #-- imagejSupportedFormats=TIFF(.tiff,.tif),JPEG(.jpeg,.jpg),BMP(.bmp),FITS(.fits),PGM(.pgm),PPM(.ppm),PBM(.pbm),GIF(.gif),AnimatedGIF(.gif),PNG(.png),DICOM(.dic,.dcm,.dicom),PICT(.pict,.pic,.pct),PSD(.psd),TGA(.tga),ICO(.ico),CUR(.cur),Sunraster(.sun),XBM(.xbm),XPM(.xpm),PCX(.pcx),ANALYZE,NIfTi,AHF(.ahf),SPE(.spe),PIC(.pic),LeicaTIFF(.tiff,.lei),Quicktime(.pic,.mov),AVI(.avi),PDS(.pds),LSM(.lsm),RAW,ISAC,FluoViewTIFF(.tiff),FluoviewFV1000OIB(.oib),FluoviewFV1000OIF(.oif,.tif,-ro.pty,.lut,.bmp),IPLAB(.ipl),BrukerNMR(.fid,.ser,.2dseq,.2rr,.2ii,.3rrr,.3iii),FDF(.fdf),VFF(.vff),SIF(.sif),AxioVisionZVI(.zvi),DM3(.dm3),Deltavision(.dv,.r3d),MI,NII,NIII,IMG(.img),UNC,PerkinElmer(.tif,.tim,.zpo,.csv,.htm,.ano,.rec,.cfg,.2,.3,.4,.5,.6,.7,.8,\u2026),EPS(.eps,.epsi),SEQ(.seq),IPW(.ipw),OpenLabLIFF(.liff),OpenLabRAW(.raw),Metamorph(.stk),ICS(.ics,.ids),LeicaLif(.lif),Imaris(.ims),OME-XML(.ome),OME-TIFF(.tiff),ABD-TIFF(.tiff),GEL(.gel),Nikon(.nef,.tiff),Slidebook(.sld),SPCImage(.sdt),AL3D(.al3d),ND2(.nd2),µManager(.tif,.txt),MRC(.mrc),JPEG2000(.jp2),MNG(.mng),Flex(.flex),NRRD(.nrrd,.nhdr),VIFFbitmapimage(.xv),ROI(.roi),ERS(.ers),RS(.rs),HPGL
 #--
 #-- PDFBox and PDFReader are used for PDF files
 #--
 #-- For text files, the philosophy is we can't presume of all possible text contents used for attacks with payloads
 #-- At least there is an easy way to prevent them in SecuredUpload::isValidTextFile
 #--
 #-- The upload vulnerability is only a post-auth (needs a credential with suitable permissions),
 #-- people may like to allow more than what is allowed OOTB
 #-- As it name says, allowAllUploads opens all possibilities
 allowAllUploads=

 #-- If you need to use localhost or 127.0.0.1 in textareas URLs then you can uncomment the allowedProtocols property, here given as an example
 #-- You may also put other protocols you want to use, instead or with those
 allowedProtocols=localhost,127.0.0.1
	###############################################################################
	# Licensed to the Apache Software Foundation (ASF) under one
	# or more contributor license agreements. See the NOTICE file
	# distributed with this work for additional information
	# regarding copyright ownership. The ASF licenses this file
	# to you under the Apache License, Version 2.0 (the
	# "License"); you may not use this file except in compliance
	# with the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing,
	# software distributed under the License is distributed on an
	# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	# KIND, either express or implied. See the License for the
	# specific language governing permissions and limitations
	# under the License.
	###############################################################################
	####
	# OFBiz Security Settings
	####

	# -- define the password restrictions --
	password.length.min=5

	### -- pattern based password OFBIZ-4958
	security.login.password.pattern.enable=true
	security.login.password.pattern=^.(?=.{5,}).$
	# This is a mix to handle the localisation of the OOTB pattern which is only a fixed length
	security.login.password.pattern.description=loginservices.password_must_be_least_characters_long
	# -- For More restrictive pattern you can use the following, no localisation-
	#security.login.password.pattern=^.(?=.{5,})(?=.[a-zA-Z])(?=.[!@#$%^&]).*$
	#security.login.password.pattern.description=Your password must be 5 characters long, Only contains alphanumeric(number optional) and at least one from following special characters: !@#$%^&*.
	# Only contains alphanumeric and the following special characters: !@#$%^&*
	# Contains at least 1 of the special characters in the list above
	# The required special character can appear anywhere in the string (for example: !abc, a!bc, abc!)
	# minimum length 5 digit.
	# HELP
	# Start of group
	# (
	# (?=.*\d) # must contains one digit from 0-9
	# (?=.*[a-z]) # must contains one lowercase characters
	# (?=.*[A-Z]) # must contains one uppercase characters
	# (?=.[!@#$%^&]) # must contains one special symbols in the list "!@#$%^&*"
	# . # match anything with previous condition checking
	# {5,20} # length at least 5 characters and maximum of 20
	# {5,} # minimum length 5 chars and no linitation to max length.
	# )
	# End of group
	# For further password patterns look at
	# http://docs.oracle.com/javase/1.4.2/docs/api/java/util/regex/Pattern.html#sum

	# -- disable the account after this many logins --
	max.failed.logins=3

	# -- number of password change to be saved in UserLoginPasswordHistory.
	# -- passwords saved in history of userLoginId will not be allowed to be reused.
	# -- 0 to not save history at all
	password.change.history.limit=0

	# Security Policy : Force user to reset login password in fix number of days -
	# To enable this functionality <password.change.history.limit> need to be a non zero number. And <user.auto.change.password.enable> need to set as true.
	user.auto.change.password.enable=false
	user.change.password.days=90
	user.change.password.notification.days=5

	# -- disable the account for this many minutes (if 0, then indefinite) --
	login.disable.minutes=5

	# -- disable global logout --
	login.disable.global.logout=false

	# -- store a record for each login attempt? --
	store.login.history=true
	store.login.history.on.service.auth=false
	store.login.history.incorrect.password=true

	# -- should we encrypt (SHA Hash) the password? --
	password.encrypt=true

	# -- set requirePasswordChange to true, after emailPassword --
	password.email_password.require_password_change=true

	# -- specify the type of hash to use for one-way encryption, will be passed to java.security.MessageDigest.getInstance() --
	# -- options may include: SHA, MD5, PBKDF2WithHmacSHA1, PBKDF2WithHmacSHA256, PBKDF2WithHmacSHA384, PBKDF2WithHmacSHA512 and etc
	password.encrypt.hash.type=SHA

	# -- if the type of hash to use for one-way encryption is PBKDF2WithHmacSHA1 or PBKDF2WithHmacSHA256 or PBKDF2WithHmacSHA384 or PBKDF2WithHmacSHA512
	# -- the type of hash to use for one-way encryption needs iteration
	password.encrypt.pbkdf2.iterations=10000

	# -- this is helpful to recover old accounts or to be able to login at all sometimes --
	# -- SHOULD GENERALLY NOT BE TRUE FOR PRODUCTION SITES, but is useful for interim periods when going to password encryption --
	password.accept.encrypted.and.plain=false

	# -- should we convert usernames and passwords to lowercase? (useful for case insensitive usernames and passwords) --
	username.lowercase=false
	password.lowercase=false

	# -- Use LDAP for user authentication? --
	security.ldap.enable=false

	# -- Fail login if LDAP authentication fails? --
	security.ldap.fail.login=false

	# -- should we allow x509 certificate login
	security.login.cert.allow=true

	# -- HTTP header based ID (for integrations; uncomment to enable)
	#security.login.http.header=REMOTE_USER

	# -- HttpServletRequest.getRemoteUser() based ID (for integration; uncomment to enable)
	# Use for external authentication solutions like CAS which overload the getRemoteUser method.
	#security.login.http.servlet.remoteuserlogin.allow=true

	# -- pattern for the userlogin id in CN section of certificate
	security.login.cert.pattern=^(\\w\\s?\\w)\\W.$

	# -- use Tomcat SingleSignOn valve
	security.login.tomcat.sso=false

	# -- Hours after which EmailAdressVerification should expire
	email_verification.expire.hours=48

	# -- Name of the protect-view preprocessor method (this should not change, but in case...)
	protect-view.preprocessor=java.org.apache.ofbiz.webapp.control.ProtectViewWorker.checkProtectedView

	# -- Name of the default error response view for protected views ("none:" will be rendered as a blank page, see RequestHandler.java)
	#default.error.response.view=none:
	default.error.response.view=view:viewBlocked

	# -- If false, then no externalLoginKey parameters will be added to cross-webapp urls
	security.login.externalLoginKey.enabled=true

	# -- Security key used to encrypt and decrypt the autogenerated password in forgot password functionality.
	login.secret_key_string=Secret Key

	# -- List of domains or IP addresses to be checked to prevent Host Header Injection,
	# -- no spaces after commas,no wildcard, can be extended of course...
	host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org

	# -- By default the SameSite value in SameSiteFilter is strict. This allows to change it to lax if needed
	SameSiteCookieAttribute=

	# -- Freemarker TemplateClassResolver option, see OFBIZ-11709.
	# -- By default OFBiz uses the SAFER_RESOLVER because OOTB it does not use any of the Freemarker classes
	# -- that SAFER_RESOLVER prevents: ObjectConstructor, Execute and JythonRuntime.
	# -- If you need to use one to these classes you need to change the TemplateClassResolver
	# -- to UNRESTRICTED_RESOLVER and look at MemberAccessPolicy. In any cases better read
	# -- https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security
	templateClassResolver=


	#-- UPLOAD: supported file formats are safe PNG, GIF, TIFF, JPEG, PDF, Audio and Video and ZIP
	#--
	#-- No proprietary file formats (Excel, Word, etc.) are handled OOTB.
	#-- They can be handled by custom projects using https://github.com/righettod/document-upload-protection:
	#-- https://github.com/OWASP/www-projectchapter-example/blob/master/cheatsheets/Protect_FileUpload_Against_Malicious_File.md
	#-- Also Tika is an option, but you have to check Tika code, to be sure it's secure enough (ie don't use only metadata)
	#--
	#-- Apache Commons Imaging is used for images.
	#-- For supported formats see https://commons.apache.org/proper/commons-imaging/formatsupport.html
	#-- Notably https://commons.apache.org/proper/commons-imaging/formatsupport.html#Metadata_Format_Support
	#-- OOTB OFBiz only supports PNG, GIF, TIFF and JPEG, it's a breeze to extend using more:
	#-- commonsImagingSupportedFormats=BMP,GIF,JPEG/JFIF,ICNS,ICO/CUR,PCX/DCX,PNM/PGM/PBM/PPM/PAMPortablePixmap,PNG,PSD/Photoshop,RGBE/RadianceHDR,TIFF,WBMP,XBM,XPM
	#-- You should then modify SupportedImageFormats label.
	#--
	#-- If you want to get more image formats then use imageJ:
	#-- For imagejSupportedFormats see https://imagejdocu.tudor.lu/faq/general/which_file_formats_are_supported_by_imagej. NOTE: plugins support is important here
	#-- imagejSupportedFormats=TIFF(.tiff,.tif),JPEG(.jpeg,.jpg),BMP(.bmp),FITS(.fits),PGM(.pgm),PPM(.ppm),PBM(.pbm),GIF(.gif),AnimatedGIF(.gif),PNG(.png),DICOM(.dic,.dcm,.dicom),PICT(.pict,.pic,.pct),PSD(.psd),TGA(.tga),ICO(.ico),CUR(.cur),Sunraster(.sun),XBM(.xbm),XPM(.xpm),PCX(.pcx),ANALYZE,NIfTi,AHF(.ahf),SPE(.spe),PIC(.pic),LeicaTIFF(.tiff,.lei),Quicktime(.pic,.mov),AVI(.avi),PDS(.pds),LSM(.lsm),RAW,ISAC,FluoViewTIFF(.tiff),FluoviewFV1000OIB(.oib),FluoviewFV1000OIF(.oif,.tif,-ro.pty,.lut,.bmp),IPLAB(.ipl),BrukerNMR(.fid,.ser,.2dseq,.2rr,.2ii,.3rrr,.3iii),FDF(.fdf),VFF(.vff),SIF(.sif),AxioVisionZVI(.zvi),DM3(.dm3),Deltavision(.dv,.r3d),MI,NII,NIII,IMG(.img),UNC,PerkinElmer(.tif,.tim,.zpo,.csv,.htm,.ano,.rec,.cfg,.2,.3,.4,.5,.6,.7,.8,\u2026),EPS(.eps,.epsi),SEQ(.seq),IPW(.ipw),OpenLabLIFF(.liff),OpenLabRAW(.raw),Metamorph(.stk),ICS(.ics,.ids),LeicaLif(.lif),Imaris(.ims),OME-XML(.ome),OME-TIFF(.tiff),ABD-TIFF(.tiff),GEL(.gel),Nikon(.nef,.tiff),Slidebook(.sld),SPCImage(.sdt),AL3D(.al3d),ND2(.nd2),µManager(.tif,.txt),MRC(.mrc),JPEG2000(.jp2),MNG(.mng),Flex(.flex),NRRD(.nrrd,.nhdr),VIFFbitmapimage(.xv),ROI(.roi),ERS(.ers),RS(.rs),HPGL
	#--
	#-- PDFBox and PDFReader are used for PDF files
	#--
	#-- For text files, the philosophy is we can't presume of all possible text contents used for attacks with payloads
	#-- At least there is an easy way to prevent them in SecuredUpload::isValidTextFile
	#--
	#-- The upload vulnerability is only a post-auth (needs a credential with suitable permissions),
	#-- people may like to allow more than what is allowed OOTB
	#-- As it name says, allowAllUploads opens all possibilities
	allowAllUploads=

	#-- If you need to use localhost or 127.0.0.1 in textareas URLs then you can uncomment the allowedProtocols property, here given as an example
	#-- You may also put other protocols you want to use, instead or with those
	allowedProtocols=localhost,127.0.0.1