Google Git
Sign in
apache / ofbiz-framework / refs/heads/release18.12 / . / framework / security / config / security.properties
blob: 2658815a78c2a4ca51a3e4688af4a098d377e73b [file] [log] [blame]
##############################################################################
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
###############################################################################
####
# OFBiz Security Settings
####
# -- define the password restrictions --
password.length.min=5
### -- pattern based password OFBIZ-4958
security.login.password.pattern.enable=true
security.login.password.pattern=^.*(?=.{5,}).*$
# This is a mix to handle the localisation of the OOTB pattern which is only a fixed length
security.login.password.pattern.description=loginservices.password_must_be_least_characters_long
# -- For More restrictive pattern you can use the following, no localisation-
#security.login.password.pattern=^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$
#security.login.password.pattern.description=Your password must be 5 characters long, Only contains alphanumeric(number optional) and at least one from following special characters: !@#$%^&*.
# Only contains alphanumeric and the following special characters: !@#$%^&*
# Contains at least 1 of the special characters in the list above
# The required special character can appear anywhere in the string (for example: !abc, a!bc, abc!)
# minimum length 5 digit.
# HELP
# Start of group
# (
# (?=.*\d) # must contains one digit from 0-9
# (?=.*[a-z]) # must contains one lowercase characters
# (?=.*[A-Z]) # must contains one uppercase characters
# (?=.*[!@#$%^&*]) # must contains one special symbols in the list "!@#$%^&*"
# . # match anything with previous condition checking
# {5,20} # length at least 5 characters and maximum of 20
# {5,} # minimum length 5 chars and no linitation to max length.
# )
# End of group
# For further password patterns look at
# http://docs.oracle.com/javase/1.4.2/docs/api/java/util/regex/Pattern.html#sum
# -- disable the account after this many logins --
max.failed.logins=3
# -- number of password change to be saved in UserLoginPasswordHistory.
# -- passwords saved in history of userLoginId will not be allowed to be reused.
# -- 0 to not save history at all
password.change.history.limit=0
# Security Policy : Force user to reset login password in fix number of days -
# To enable this functionality <password.change.history.limit> need to be a non zero number. And <user.auto.change.password.enable> need to set as true.
user.auto.change.password.enable=false
user.change.password.days=90
user.change.password.notification.days=5
# -- disable the account for this many minutes (if 0, then indefinite) --
login.disable.minutes=5
# -- disable global logout --
login.disable.global.logout=false
# -- store a record for each login attempt? --
store.login.history=true
store.login.history.on.service.auth=false
store.login.history.incorrect.password=true
# -- disable impersonation
security.disable.impersonation=true
# -- if you want that an user cannot operate during an administrator impersonate his account. If true, it can be helpful for QA and dev site
security.login.authorised.during.impersonate=false
# -- should we encrypt (SHA Hash) the password? --
password.encrypt=true
# -- specify the type of hash to use for one-way encryption, will be passed to java.security.MessageDigest.getInstance() --
# -- options may include: SHA, PBKDF2WithHmacSHA1, PBKDF2WithHmacSHA256, PBKDF2WithHmacSHA384, PBKDF2WithHmacSHA512 and etc
password.encrypt.hash.type=SHA
# -- if the type of hash to use for one-way encryption is PBKDF2WithHmacSHA1 or PBKDF2WithHmacSHA256 or PBKDF2WithHmacSHA384 or PBKDF2WithHmacSHA512
# -- the type of hash to use for one-way encryption needs iteration
password.encrypt.pbkdf2.iterations=10000
# -- this is helpful to recover old accounts or to be able to login at all sometimes --
# -- SHOULD GENERALLY NOT BE TRUE FOR PRODUCTION SITES, but is useful for interim periods when going to password encryption --
password.accept.encrypted.and.plain=false
# -- set request life time after a password change (like email) in hours, set -1 if you want disable it --
password.request.change.timeout=24
# -- should we convert usernames and passwords to lowercase? (useful for case insensitive usernames and passwords) --
username.lowercase=false
password.lowercase=false
# -- Use LDAP for user authentication? --
security.ldap.enable=false
# -- Fail login if LDAP authentication fails? --
security.ldap.fail.login=false
# -- should we allow x509 certificate login
security.login.cert.allow=true
# -- HTTP header based ID (for integrations; uncomment to enable)
# -- To be used with a Web Access Management products like Oracle Access Manager, or Siteminder.
# -- Before, place a policy enforcement point in front of OFBiz that enables single sign-on to OFBiz by passing secure HTTP Header variables back to OFBiz.
#security.login.http.header=REMOTE_USER
# -- HttpServletRequest.getRemoteUser() based ID (for integration; uncomment to enable)
# Use for external authentication solutions like CAS which overload the getRemoteUser method.
#security.login.http.servlet.remoteuserlogin.allow=true
# -- pattern for the userlogin id in CN section of certificate
security.login.cert.pattern=^(\\w*\\s?\\w*)\\W*.*$
# -- Use Tomcat SingleSignOn valve to allow single sign on (SSO) and single log out (SLO).
# -- Remember to set security.login.externalLoginKey.enabled to false when using Tomcat SSO.
# -- Note Tomcat SSO is not implemented for cluster as Tomcat ClusterSingleSignOn is not used: OFBIZ-10123
security.login.tomcat.sso=false
# -- Hours after which EmailAdressVerification should expire
email_verification.expire.hours=48
# -- Name of the protect-view preprocessor method (this should not change, but in case...)
protect-view.preprocessor=java.org.apache.ofbiz.webapp.control.ProtectViewWorker.checkProtectedView
# -- Name of the default error response view for protected views ("none:" will be rendered as a blank page, see RequestHandler.java)
#default.error.response.view=none:
default.error.response.view=view:viewBlocked
# -- If false, then no externalLoginKey parameters will be added to cross-webapp urls
security.login.externalLoginKey.enabled=true
# -- Security key used to encrypt and decrypt the autogenerated password in forgot password functionality.
# Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key
login.secret_key_string=login.secret_key_string
# -- Time To Live of the token send to the external server in seconds, 10 seconds seems plenty enough OOTB. Custom projects might want set a lower value.
security.jwt.token.expireTime=1800
# -- Enables the internal Single Sign On feature which allows a token based login between OFBiz instances
# -- To make this work you also have to configure a secret key with security.token.key
security.internal.sso.enabled=false
# -- The secret key for the JWT token signature. Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key
security.token.key=security.token.key
# -- List of domains or IP addresses to be checked to prevent Host Header Injection,
# -- no spaces after commas,no wildcard, can be extended of course...
host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-next.ofbiz.apache.org
# -- By default the SameSite value in SameSiteFilter is 'strict'.
# -- This property allows to change to 'lax' if needed.
# -- If you use 'lax' we recommend that you set
# -- org.apache.ofbiz.security.CsrfDefenseStrategy
# -- for csrf.defense.strategy (see below)
SameSiteCookieAttribute=
# -- Freemarker TemplateClassResolver option, see OFBIZ-11709.
# -- By default OFBiz uses the SAFER_RESOLVER because OOTB it does not use any of the Freemarker classes
# -- that SAFER_RESOLVER prevents: ObjectConstructor, Execute and JythonRuntime.
# -- If you need to use one to these classes you need to change the TemplateClassResolver
# -- to UNRESTRICTED_RESOLVER and look at MemberAccessPolicy. In any cases better read
# -- https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security
templateClassResolver=
#-- ===== UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, Audio and Video and ZIP
#--
#-- No proprietary file formats (Excel, Word, etc.) are handled OOTB.
#-- They can be handled by custom projects using https://github.com/righettod/document-upload-protection:
#-- https://github.com/OWASP/www-projectchapter-example/blob/master/cheatsheets/Protect_FileUpload_Against_Malicious_File.md
#-- Also Tika is an option, but you have to check Tika code, to be sure it's secure enough (ie don't use only metadata)
#--
#-- Apache Commons Imaging is used for images.
#-- For supported formats see https://commons.apache.org/proper/commons-imaging/formatsupport.html
#-- Notably https://commons.apache.org/proper/commons-imaging/formatsupport.html#Metadata_Format_Support
#-- OOTB OFBiz only supports PNG, GIF, TIFF and JPEG, it's a breeze to extend using more:
#-- commonsImagingSupportedFormats=BMP,GIF,JPEG/JFIF,ICNS,ICO/CUR,PCX/DCX,PNM/PGM/PBM/PPM/PAMPortablePixmap,PNG,PSD/Photoshop,RGBE/RadianceHDR,\
TIFF,WBMP,XBM,XPM
#-- You should then modify SupportedImageFormats label.
#--
#-- If you want to get more image formats then use imageJ:
#-- For imagejSupportedFormats see https://imagejdocu.tudor.lu/faq/general/which_file_formats_are_supported_by_imagej. NOTE: plugins support is important here
#-- imagejSupportedFormats=TIFF(.tiff,.tif),JPEG(.jpeg,.jpg),BMP(.bmp),FITS(.fits),PGM(.pgm),PPM(.ppm),PBM(.pbm),GIF(.gif),AnimatedGIF(.gif),\
PNG(.png),DICOM(.dic,.dcm,.dicom),PICT(.pict,.pic,.pct),PSD(.psd),TGA(.tga),ICO(.ico),CUR(.cur),Sunraster(.sun),\
XBM(.xbm),XPM(.xpm),PCX(.pcx),ANALYZE,NIfTi,AHF(.ahf),SPE(.spe),PIC(.pic),LeicaTIFF(.tiff,.lei),Quicktime(.pic,.mov),\
AVI(.avi),PDS(.pds),LSM(.lsm),RAW,ISAC,FluoViewTIFF(.tiff),FluoviewFV1000OIB(.oib),\
FluoviewFV1000OIF(.oif,.tif,-ro.pty,.lut,.bmp),IPLAB(.ipl),BrukerNMR(.fid,.ser,.2dseq,.2rr,.2ii,.3rrr,.3iii),FDF(.fdf),\
VFF(.vff),SIF(.sif),AxioVisionZVI(.zvi),DM3(.dm3),Deltavision(.dv,.r3d),MI,NII,NIII,IMG(.img),UNC,PerkinElmer(.tif,.tim,\
.zpo,.csv,.htm,.ano,.rec,.cfg,.2,.3,.4,.5,.6,.7,.8,\u2026),EPS(.eps,.epsi),SEQ(.seq),IPW(.ipw),OpenLabLIFF(.liff),\
OpenLabRAW(.raw),Metamorph(.stk),ICS(.ics,.ids),LeicaLif(.lif),Imaris(.ims),OME-XML(.ome),OME-TIFF(.tiff),\
ABD-TIFF(.tiff),GEL(.gel),Nikon(.nef,.tiff),Slidebook(.sld),SPCImage(.sdt),AL3D(.al3d),ND2(.nd2),μManager(.tif,.txt),\
MRC(.mrc),JPEG2000(.jp2),MNG(.mng),Flex(.flex),NRRD(.nrrd,.nhdr),VIFFbitmapimage(.xv),ROI(.roi),ERS(.ers),RS(.rs),HPGL
#--
#-- PDFBox and PDFReader are used for PDF files
#--
#-- For text files, the philosophy is we can't presume of all possible text contents used for attacks with payloads
#-- At least there is an easy way to prevent them in SecuredUpload::isValidTextFile
#--
#-- List of denied files suffixes to be uploaded
#-- OFBiz of course also check contents...
deniedFileExtensions=html,htm,php,php1,php2,hph3,php4,php5,php6,php7,phps,asp,aspx,asa,asax,ascx,ashx,asmx,jsp,jspa,jspx,jsw,jsv,jspf,jtml,cfm,cfc,bat,exe,com,dll,\
vbs,js,reg,cgi,asis,sh,phtm,pht,phtml,shtm,inc,asp,cdx,asa,cer,py,pl,shtml,hta,ps1,tag,pgif,htaccess,phar,inc,cgi,wss,do,action
#--
#-- The upload vulnerability is only a post-auth (needs a credential with suitable permissions),
#-- people may like to allow more than what is allowed OOTB
#-- As it name says, allowAllUploads opens all possibilities
allowAllUploads=
#--
#-- CSV format used to upload CSV files, cf. https://commons.apache.org/proper/commons-csv/apidocs/org/apache/commons/csv/CSVFormat.html
csvformat=CSVFormat.DEFAULT
#--
#-- List of denied tokens often part of webshells. Note that, for now at least, most are supposed to be used on a *nix system
#-- TODO.... to be continued with known webshell contents... a complete allow list is impossible anyway...
#--
#-- It could notably be improved by checking for all Javascripts payloads.
#-- As listed at https://portswigger.net/web-security/cross-site-scripting/cheat-sheet,
#-- at 2022-02-25 there are 8929 of them considering all tags, all events and all browsers...!
#--
#-- "freemarker" should be OK, should not be used in Freemarker templates, not part of the syntax.
#-- Else "template.utility.Execute" is a good replacement but not as much catching, who knows...
#--
#-- If you are sure you are safe for a token you can remove it, etc.
#-- If you add a token beware that it does not content ",". It's the separator.
#--
#-- If you cross issues while loading an image file because of a token found there, you may try to surround the string by spaces, as " tr " below.
#-- Actually most of the tokens should but it's now a bit late for me. I mean to test all of them...
deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,body ,<form,<jsp:,<c:out,taglib,<prefix,<%@ page,<?php,exec(,alert(,\
%eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page ,\
chmod,mkdir,fopen,fclose,new file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build,\
python,perl ,/perl,ruby ,/ruby,process,function,class,InputStream,to_server,wget ,static,assign,webappPath,\
ifconfig,route,crontab,netstat,uname ,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,thread,require(,gzdeflate,\
execute,println,calc,touch,curl,base64, tcp ,4444,base32, tr , xxd ,bash, od ,|od ,printf,echo
#-- SHA-1 versions of tokens containing (as String) at least one deniedWebShellTokens
#-- This is notably used to allow special values in query parameters.
#-- If you add a token beware that it does not content ",". It's the separator.
allowedTokens=$SHA$OFBiz$2naHrANKTniFcgLJk4oXr3IRQ48
allowStringConcatenationInUploadedFiles=false
#-- Max line length for uploaded files, by default 10000. You can use 0 to allow any line length.
maxLineLength=0
#-- Popup last-visited time from database after user has logged in.
#-- So users can know of any unauthorised access to their accounts.
#-- Default is false.
afterlogin.lastvisit.show=
#-- uri used for login (cf jira OFBIZ-12047)
#-- it's a list, each uri should be separated by comma, without space
login.uris=login
#-- If you need to use localhost or 127.0.0.1 in textareas URLs then you can uncomment the allowedProtocols property, here given as an example
#-- You may also put other protocols you want to use, instead or with those
allowedProtocols=localhost,127.0.0.1
#-- By default (OOTB) OFBiz is protected against Large File Denial of Service because build.gradle defines -Xmx1024M
#-- So you can at most upload a file around 500MB (see OFBIZ-11534 for more info)
#-- If you need to upload larger files then follow https://nightlies.apache.org/ofbiz/trunk/readme/html5/#passing-jvm-runtime-options-to-ofbiz
#-- Prevent Freemarker exploits
#-- eg: allowedURIsForFreemarkerInterpolation=createTextContentCms,updateTextContentCms,...
allowedURIsForFreemarkerInterpolation=