# | |
# OWASP Enterprise Security API (ESAPI) Properties file -- PRODUCTION Version | |
# | |
# This file is part of the Open Web Application Security Project (OWASP) | |
# Enterprise Security API (ESAPI) project. For details, please see | |
# http://www.owasp.org/index.php/ESAPI. | |
# | |
# Copyright (c) 2008,2009 - The OWASP Foundation | |
# | |
# DISCUSS: This may cause a major backwards compatibility issue, etc. but | |
# from a name space perspective, we probably should have prefaced | |
# all the property names with ESAPI or at least OWASP. Otherwise | |
# there could be problems is someone loads this properties file into | |
# the System properties. We could also put this file into the | |
# esapi.jar file (perhaps as a ResourceBundle) and then allow an external | |
# ESAPI properties be defined that would overwrite these defaults. | |
# That keeps the application's properties relatively simple as usually | |
# they will only want to override a few properties. If looks like we | |
# already support multiple override levels of this in the | |
# DefaultSecurityConfiguration class, but I'm suggesting placing the | |
# defaults in the esapi.jar itself. That way, if the jar is signed, | |
# we could detect if those properties had been tampered with. (The | |
# code to check the jar signatures is pretty simple... maybe 70-90 LOC, | |
# but off course there is an execution penalty (similar to the way | |
# that the separate sunjce.jar used to be when a class from it was | |
# first loaded). Thoughts? | |
############################################################################### | |
# | |
# WARNING: Operating system protection should be used to lock down the .esapi | |
# resources directory and all the files inside and all the directories all the | |
# way up to the root directory of the file system. Note that if you are using | |
# file-based implementations, that some files may need to be read-write as they | |
# get updated dynamically. | |
# | |
# Before using, be sure to update the MasterKey and MasterSalt as described below. | |
# N.B.: If you had stored data that you have previously encrypted with ESAPI 1.4, | |
# you *must* FIRST decrypt it using ESAPI 1.4 and then (if so desired) | |
# re-encrypt it with ESAPI 2.0. If you fail to do this, you will NOT be | |
# able to decrypt your data with ESAPI 2.0. | |
# | |
# YOU HAVE BEEN WARNED!!! More details are in the ESAPI 2.0 Release Notes. | |
# | |
#=========================================================================== | |
# ESAPI Configuration | |
# | |
# If true, then print all the ESAPI properties set here when they are loaded. | |
# If false, they are not printed. Useful to reduce output when running JUnit tests. | |
# If you need to troubleshoot a properties related problem, turning this on may help. | |
# This is 'false' in the src/test/resources/.esapi version. It is 'true' by | |
# default for reasons of backward compatibility with earlier ESAPI versions. | |
ESAPI.printProperties=true | |
# ESAPI is designed to be easily extensible. You can use the reference implementation | |
# or implement your own providers to take advantage of your enterprise's security | |
# infrastructure. The functions in ESAPI are referenced using the ESAPI locator, like: | |
# | |
# String ciphertext = | |
# ESAPI.encryptor().encrypt("Secret message"); // Deprecated in 2.0 | |
# CipherText cipherText = | |
# ESAPI.encryptor().encrypt(new PlainText("Secret message")); // Preferred | |
# | |
# Below you can specify the classname for the provider that you wish to use in your | |
# application. The only requirement is that it implement the appropriate ESAPI interface. | |
# This allows you to switch security implementations in the future without rewriting the | |
# entire application. | |
# | |
# ExperimentalAccessController requires ESAPI-AccessControlPolicy.xml in .esapi directory | |
ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController | |
# FileBasedAuthenticator requires users.txt file in .esapi directory | |
ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator | |
ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder | |
ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor | |
ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor | |
ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities | |
ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector | |
# Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html | |
#ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory | |
ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory | |
ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer | |
ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator | |
#=========================================================================== | |
# ESAPI Authenticator | |
# | |
Authenticator.AllowedLoginAttempts=3 | |
Authenticator.MaxOldPasswordHashes=13 | |
Authenticator.UsernameParameterName=username | |
Authenticator.PasswordParameterName=password | |
# RememberTokenDuration (in days) | |
Authenticator.RememberTokenDuration=14 | |
# Session Timeouts (in minutes) | |
Authenticator.IdleTimeoutDuration=20 | |
Authenticator.AbsoluteTimeoutDuration=120 | |
#=========================================================================== | |
# ESAPI Encoder | |
# | |
# ESAPI canonicalizes input before validation to prevent bypassing filters with encoded attacks. | |
# Failure to canonicalize input is a very common mistake when implementing validation schemes. | |
# Canonicalization is automatic when using the ESAPI Validator, but you can also use the | |
# following code to canonicalize data. | |
# | |
# ESAPI.Encoder().canonicalize( "%22hello world"" ); | |
# | |
# Multiple encoding is when a single encoding format is applied multiple times. Allowing | |
# multiple encoding is strongly discouraged. | |
Encoder.AllowMultipleEncoding=false | |
# Mixed encoding is when multiple different encoding formats are applied, or when | |
# multiple formats are nested. Allowing multiple encoding is strongly discouraged. | |
Encoder.AllowMixedEncoding=false | |
# The default list of codecs to apply when canonicalizing untrusted data. The list should include the codecs | |
# for all downstream interpreters or decoders. For example, if the data is likely to end up in a URL, HTML, or | |
# inside JavaScript, then the list of codecs below is appropriate. The order of the list is not terribly important. | |
Encoder.DefaultCodecList=HTMLEntityCodec,XMLEntityCodec,PercentCodec,JavaScriptCodec | |
#=========================================================================== | |
# ESAPI Encryption | |
# | |
# The ESAPI Encryptor provides basic cryptographic functions with a simplified API. | |
# To get started, generate a new key using java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor | |
# There is not currently any support for key rotation, so be careful when changing your key and salt as it | |
# will invalidate all signed, encrypted, and hashed data. | |
# | |
# WARNING: Not all combinations of algorithms and key lengths are supported. | |
# If you choose to use a key length greater than 128, you MUST download the | |
# unlimited strength policy files and install in the lib directory of your JRE/JDK. | |
# See http://java.sun.com/javase/downloads/index.jsp for more information. | |
# | |
# Backward compatibility with ESAPI Java 1.4 is supported by the two deprecated API | |
# methods, Encryptor.encrypt(String) and Encryptor.decrypt(String). However, whenever | |
# possible, these methods should be avoided as they use ECB cipher mode, which in almost | |
# all circumstances a poor choice because of it's weakness. CBC cipher mode is the default | |
# for the new Encryptor encrypt / decrypt methods for ESAPI Java 2.0. In general, you | |
# should only use this compatibility setting if you have persistent data encrypted with | |
# version 1.4 and even then, you should ONLY set this compatibility mode UNTIL | |
# you have decrypted all of your old encrypted data and then re-encrypted it with | |
# ESAPI 2.0 using CBC mode. If you have some reason to mix the deprecated 1.4 mode | |
# with the new 2.0 methods, make sure that you use the same cipher algorithm for both | |
# (256-bit AES was the default for 1.4; 128-bit is the default for 2.0; see below for | |
# more details.) Otherwise, you will have to use the new 2.0 encrypt / decrypt methods | |
# where you can specify a SecretKey. (Note that if you are using the 256-bit AES, | |
# that requires downloading the special jurisdiction policy files mentioned above.) | |
# | |
# ***** IMPORTANT: Do NOT forget to replace these with your own values! ***** | |
# To calculate these values, you can run: | |
# java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor | |
# | |
#Encryptor.MasterKey= | |
#Encryptor.MasterSalt= | |
# Provides the default JCE provider that ESAPI will "prefer" for its symmetric | |
# encryption and hashing. (That is it will look to this provider first, but it | |
# will defer to other providers if the requested algorithm is not implemented | |
# by this provider.) If left unset, ESAPI will just use your Java VM's current | |
# preferred JCE provider, which is generally set in the file | |
# "$JAVA_HOME/jre/lib/security/java.security". | |
# | |
# The main intent of this is to allow ESAPI symmetric encryption to be | |
# used with a FIPS 140-2 compliant crypto-module. For details, see the section | |
# "Using ESAPI Symmetric Encryption with FIPS 140-2 Cryptographic Modules" in | |
# the ESAPI 2.0 Symmetric Encryption User Guide, at: | |
# http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html | |
# However, this property also allows you to easily use an alternate JCE provider | |
# such as "Bouncy Castle" without having to make changes to "java.security". | |
# See Javadoc for SecurityProviderLoader for further details. If you wish to use | |
# a provider that is not known to SecurityProviderLoader, you may specify the | |
# fully-qualified class name of the JCE provider class that implements | |
# java.security.Provider. If the name contains a '.', this is interpreted as | |
# a fully-qualified class name that implements java.security.Provider. | |
# | |
# NOTE: Setting this property has the side-effect of changing it in your application | |
# as well, so if you are using JCE in your application directly rather than | |
# through ESAPI (you wouldn't do that, would you? ;-), it will change the | |
# preferred JCE provider there as well. | |
# | |
# Default: Keeps the JCE provider set to whatever JVM sets it to. | |
Encryptor.PreferredJCEProvider= | |
# AES is the most widely used and strongest encryption algorithm. This | |
# should agree with your Encryptor.CipherTransformation property. | |
# By default, ESAPI Java 1.4 uses "PBEWithMD5AndDES" and which is | |
# very weak. It is essentially a password-based encryption key, hashed | |
# with MD5 around 1K times and then encrypted with the weak DES algorithm | |
# (56-bits) using ECB mode and an unspecified padding (it is | |
# JCE provider specific, but most likely "NoPadding"). However, 2.0 uses | |
# "AES/CBC/PKCSPadding". If you want to change these, change them here. | |
# Warning: This property does not control the default reference implementation for | |
# ESAPI 2.0 using JavaEncryptor. Also, this property will be dropped | |
# in the future. | |
# @deprecated | |
Encryptor.EncryptionAlgorithm=AES | |
# For ESAPI Java 2.0 - New encrypt / decrypt methods use this. | |
Encryptor.CipherTransformation=AES/CBC/PKCS5Padding | |
# Applies to ESAPI 2.0 and later only! | |
# Comma-separated list of cipher modes that provide *BOTH* | |
# confidentiality *AND* message authenticity. (NIST refers to such cipher | |
# modes as "combined modes" so that's what we shall call them.) If any of these | |
# cipher modes are used then no MAC is calculated and stored | |
# in the CipherText upon encryption. Likewise, if one of these | |
# cipher modes is used with decryption, no attempt will be made | |
# to validate the MAC contained in the CipherText object regardless | |
# of whether it contains one or not. Since the expectation is that | |
# these cipher modes support support message authenticity already, | |
# injecting a MAC in the CipherText object would be at best redundant. | |
# | |
# Note that as of JDK 1.5, the SunJCE provider does not support *any* | |
# of these cipher modes. Of these listed, only GCM and CCM are currently | |
# NIST approved. YMMV for other JCE providers. E.g., Bouncy Castle supports | |
# GCM and CCM with "NoPadding" mode, but not with "PKCS5Padding" or other | |
# padding modes. | |
Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC | |
# Applies to ESAPI 2.0 and later only! | |
# Additional cipher modes allowed for ESAPI 2.0 encryption. These | |
# cipher modes are in _addition_ to those specified by the property | |
# 'Encryptor.cipher_modes.combined_modes'. | |
# Note: We will add support for streaming modes like CFB & OFB once | |
# we add support for 'specified' to the property 'Encryptor.ChooseIVMethod' | |
# (probably in ESAPI 2.1). | |
# DISCUSS: Better name? | |
Encryptor.cipher_modes.additional_allowed=CBC | |
# 128-bit is almost always sufficient and appears to be more resistant to | |
# related key attacks than is 256-bit AES. Use '_' to use default key size | |
# for cipher algorithms (where it makes sense because the algorithm supports | |
# a variable key size). Key length must agree to what's provided as the | |
# cipher transformation, otherwise this will be ignored after logging a | |
# warning. | |
# | |
# NOTE: This is what applies BOTH ESAPI 1.4 and 2.0. See warning above about mixing! | |
Encryptor.EncryptionKeyLength=128 | |
# Because 2.0 uses CBC mode by default, it requires an initialization vector (IV). | |
# (All cipher modes except ECB require an IV.) There are two choices: we can either | |
# use a fixed IV known to both parties or allow ESAPI to choose a random IV. While | |
# the IV does not need to be hidden from adversaries, it is important that the | |
# adversary not be allowed to choose it. Also, random IVs are generally much more | |
# secure than fixed IVs. (In fact, it is essential that feed-back cipher modes | |
# such as CFB and OFB use a different IV for each encryption with a given key so | |
# in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random | |
# IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and | |
# uncomment the Encryptor.fixedIV. | |
# | |
# Valid values: random|fixed|specified 'specified' not yet implemented; planned for 2.1 | |
Encryptor.ChooseIVMethod=random | |
# If you choose to use a fixed IV, then you must place a fixed IV here that | |
# is known to all others who are sharing your secret key. The format should | |
# be a hex string that is the same length as the cipher block size for the | |
# cipher algorithm that you are using. The following is an *example* for AES | |
# from an AES test vector for AES-128/CBC as described in: | |
# NIST Special Publication 800-38A (2001 Edition) | |
# "Recommendation for Block Cipher Modes of Operation". | |
# (Note that the block size for AES is 16 bytes == 128 bits.) | |
# | |
Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f | |
# Whether or not CipherText should use a message authentication code (MAC) with it. | |
# This prevents an adversary from altering the IV as well as allowing a more | |
# fool-proof way of determining the decryption failed because of an incorrect | |
# key being supplied. This refers to the "separate" MAC calculated and stored | |
# in CipherText, not part of any MAC that is calculated as a result of a | |
# "combined mode" cipher mode. | |
# | |
# If you are using ESAPI with a FIPS 140-2 cryptographic module, you *must* also | |
# set this property to false. | |
Encryptor.CipherText.useMAC=true | |
# Whether or not the PlainText object may be overwritten and then marked | |
# eligible for garbage collection. If not set, this is still treated as 'true'. | |
Encryptor.PlainText.overwrite=true | |
# Do not use DES except in a legacy situations. 56-bit is way too small key size. | |
#Encryptor.EncryptionKeyLength=56 | |
#Encryptor.EncryptionAlgorithm=DES | |
# TripleDES is considered strong enough for most purposes. | |
# Note: There is also a 112-bit version of DESede. Using the 168-bit version | |
# requires downloading the special jurisdiction policy from Sun. | |
#Encryptor.EncryptionKeyLength=168 | |
#Encryptor.EncryptionAlgorithm=DESede | |
Encryptor.HashAlgorithm=SHA-512 | |
Encryptor.HashIterations=1024 | |
Encryptor.DigitalSignatureAlgorithm=SHA1withDSA | |
Encryptor.DigitalSignatureKeyLength=1024 | |
Encryptor.RandomAlgorithm=SHA1PRNG | |
Encryptor.CharacterEncoding=UTF-8 | |
# This is the Pseudo Random Function (PRF) that ESAPI's Key Derivation Function | |
# (KDF) normally uses. Note this is *only* the PRF used for ESAPI's KDF and | |
# *not* what is used for ESAPI's MAC. (Currently, HmacSHA1 is always used for | |
# the MAC, mostly to keep the overall size at a minimum.) | |
# | |
# Currently supported choices for JDK 1.5 and 1.6 are: | |
# HmacSHA1 (160 bits), HmacSHA256 (256 bits), HmacSHA384 (384 bits), and | |
# HmacSHA512 (512 bits). | |
# Note that HmacMD5 is *not* supported for the PRF used by the KDF even though | |
# the JDKs support it. See the ESAPI 2.0 Symmetric Encryption User Guide | |
# further details. | |
Encryptor.KDF.PRF=HmacSHA256 | |
#=========================================================================== | |
# ESAPI HttpUtilties | |
# | |
# The HttpUtilities provide basic protections to HTTP requests and responses. Primarily these methods | |
# protect against malicious data from attackers, such as unprintable characters, escaped characters, | |
# and other simple attacks. The HttpUtilities also provides utility methods for dealing with cookies, | |
# headers, and CSRF tokens. | |
# | |
# Default file upload location (remember to escape backslashes with \\) | |
HttpUtilities.UploadDir=C:\\ESAPI\\testUpload | |
HttpUtilities.UploadTempDir=C:\\temp | |
# Force flags on cookies, if you use HttpUtilities to set cookies | |
HttpUtilities.ForceHttpOnlySession=false | |
HttpUtilities.ForceSecureSession=false | |
HttpUtilities.ForceHttpOnlyCookies=true | |
HttpUtilities.ForceSecureCookies=true | |
# Maximum size of HTTP headers | |
HttpUtilities.MaxHeaderSize=4096 | |
# File upload configuration | |
HttpUtilities.ApprovedUploadExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll | |
HttpUtilities.MaxUploadFileBytes=500000000 | |
# Using UTF-8 throughout your stack is highly recommended. That includes your database driver, | |
# container, and any other technologies you may be using. Failure to do this may expose you | |
# to Unicode transcoding injection attacks. Use of UTF-8 does not hinder internationalization. | |
HttpUtilities.ResponseContentType=text/html; charset=UTF-8 | |
# This is the name of the cookie used to represent the HTTP session | |
# Typically this will be the default "JSESSIONID" | |
HttpUtilities.HttpSessionIdName=JSESSIONID | |
#=========================================================================== | |
# ESAPI Executor | |
# CHECKME - Not sure what this is used for, but surely it should be made OS independent. | |
Executor.WorkingDirectory=C:\\Windows\\Temp | |
Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe | |
#=========================================================================== | |
# ESAPI Logging | |
# Set the application name if these logs are combined with other applications | |
Logger.ApplicationName=ExampleApplication | |
# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true | |
Logger.LogEncodingRequired=false | |
# Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments. | |
Logger.LogApplicationName=true | |
# Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments. | |
Logger.LogServerIP=true | |
# LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you | |
# want to place it in a specific directory. | |
Logger.LogFileName=ESAPI_logging_file | |
# MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000) | |
Logger.MaxLogFileSize=10000000 | |
#=========================================================================== | |
# ESAPI Intrusion Detection | |
# | |
# Each event has a base to which .count, .interval, and .action are added | |
# The IntrusionException will fire if we receive "count" events within "interval" seconds | |
# The IntrusionDetector is configurable to take the following actions: log, logout, and disable | |
# (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable | |
# | |
# Custom Events | |
# Names must start with "event." as the base | |
# Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here | |
# You can also disable intrusion detection completely by changing | |
# the following parameter to true | |
# | |
IntrusionDetector.Disable=false | |
# | |
IntrusionDetector.event.test.count=2 | |
IntrusionDetector.event.test.interval=10 | |
IntrusionDetector.event.test.actions=disable,log | |
# Exception Events | |
# All EnterpriseSecurityExceptions are registered automatically | |
# Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException | |
# Use the fully qualified classname of the exception as the base | |
# any intrusion is an attack | |
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1 | |
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1 | |
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout | |
# for test purposes | |
# CHECKME: Shouldn't there be something in the property name itself that designates | |
# that these are for testing??? | |
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10 | |
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5 | |
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout | |
# rapid validation errors indicate scans or attacks in progress | |
# org.owasp.esapi.errors.ValidationException.count=10 | |
# org.owasp.esapi.errors.ValidationException.interval=10 | |
# org.owasp.esapi.errors.ValidationException.actions=log,logout | |
# sessions jumping between hosts indicates session hijacking | |
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2 | |
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10 | |
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout | |
#=========================================================================== | |
# ESAPI Validation | |
# | |
# The ESAPI Validator works on regular expressions with defined names. You can define names | |
# either here, or you may define application specific patterns in a separate file defined below. | |
# This allows enterprises to specify both organizational standards as well as application specific | |
# validation rules. | |
# | |
Validator.ConfigurationFile=validation.properties | |
# Validators used by ESAPI | |
Validator.AccountName=^[a-zA-Z0-9]{3,20}$ | |
Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$ | |
Validator.RoleName=^[a-z]{1,20}$ | |
#the word TEST below should be changed to your application | |
#name - only relative URL's are supported | |
Validator.Redirect=^\\/test.*$ | |
# Global HTTP Validation Rules | |
# Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=] | |
Validator.HTTPScheme=^(http|https)$ | |
Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$ | |
Validator.HTTPParameterName=^[a-zA-Z0-9_]{1,32}$ | |
Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=@_ ]*$ | |
Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$ | |
Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ | |
Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$ | |
Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ | |
Validator.HTTPContextPath=^\\/?[a-zA-Z0-9.\\-\\/_]*$ | |
Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$ | |
Validator.HTTPPath=^[a-zA-Z0-9.\\-_]*$ | |
Validator.HTTPQueryString=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ %]*$ | |
Validator.HTTPURI=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ | |
Validator.HTTPURL=^.*$ | |
Validator.HTTPJSESSIONID=^[A-Z0-9]{10,30}$ | |
# Validation of file related input | |
Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$ | |
Validator.DirectoryName=^[a-zA-Z0-9:/\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$ | |
# Validation of dates. Controls whether or not 'lenient' dates are accepted. | |
# See DataFormat.setLenient(boolean flag) for further details. | |
Validator.AcceptLenientDates=false |