forked from community/product-iots
Merge pull request #223 from harshanL/master
Added OWASP configurations to IoT pack.application-manager-new
Hasunie
8 years ago
committed by
GitHub
commit
b0d1c73888
@ -0,0 +1,185 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!--
|
||||
~ Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||
~
|
||||
~ WSO2 Inc. licenses this file to you under the Apache License,
|
||||
~ Version 2.0 (the "License"); you may not use this file except
|
||||
~ in compliance with the License.
|
||||
~ You may obtain a copy of the License at
|
||||
~
|
||||
~ http://www.apache.org/licenses/LICENSE-2.0
|
||||
~
|
||||
~ Unless required by applicable law or agreed to in writing,
|
||||
~ software distributed under the License is distributed on an
|
||||
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
~ KIND, either express or implied. See the License for the
|
||||
~ specific language governing permissions and limitations
|
||||
~ under the License.
|
||||
-->
|
||||
|
||||
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
|
||||
"http://java.sun.com/dtd/web-app_2_3.dtd">
|
||||
<web-app id="WebApp">
|
||||
<!-- OWASP CSRFGuard per-application configuration property file location-->
|
||||
<context-param>
|
||||
<param-name>Owasp.CsrfGuard.Config</param-name>
|
||||
<param-value>repository/conf/security/Owasp.CsrfGuard.Carbon.properties</param-value>
|
||||
</context-param>
|
||||
<servlet id="bridge">
|
||||
<servlet-name>bridgeservlet</servlet-name>
|
||||
<display-name>Carbon Bridge Servlet</display-name>
|
||||
<description>Carbon Bridge Servlet</description>
|
||||
<servlet-class>org.wso2.carbon.tomcat.ext.servlet.DelegationServlet</servlet-class>
|
||||
<load-on-startup>1</load-on-startup>
|
||||
</servlet>
|
||||
<!-- OWASP CSRFGuard servlet that serves dynamic token injection JavaScript-->
|
||||
<servlet>
|
||||
<servlet-name>JavaScriptServlet</servlet-name>
|
||||
<servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
|
||||
</servlet>
|
||||
<servlet-mapping>
|
||||
<servlet-name>bridgeservlet</servlet-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</servlet-mapping>
|
||||
<!--
|
||||
This is required if your application bundles expose JSPs.
|
||||
-->
|
||||
<servlet-mapping>
|
||||
<servlet-name>bridgeservlet</servlet-name>
|
||||
<url-pattern>*.jsp</url-pattern>
|
||||
</servlet-mapping>
|
||||
<servlet-mapping>
|
||||
<servlet-name>JavaScriptServlet</servlet-name>
|
||||
<url-pattern>/carbon/admin/js/csrfPrevention.js</url-pattern>
|
||||
</servlet-mapping>
|
||||
<!--This is for performing the character encoding in the JSPs. -->
|
||||
<filter>
|
||||
<filter-name>CharsetFilter</filter-name>
|
||||
<filter-class>org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter</filter-class>
|
||||
<init-param>
|
||||
<param-name>requestEncoding</param-name>
|
||||
<param-value>UTF-8</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
<!-- OWASP CSRFGuard filter used to validate CSRF token-->
|
||||
<filter>
|
||||
<filter-name>CSRFGuard</filter-name>
|
||||
<filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
|
||||
</filter>
|
||||
<!-- Tomcat http header security filter -->
|
||||
<filter>
|
||||
<filter-name>HttpHeaderSecurityFilter</filter-name>
|
||||
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
|
||||
<init-param>
|
||||
<param-name>hstsEnabled</param-name>
|
||||
<param-value>false</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
<filter-mapping>
|
||||
<filter-name>HttpHeaderSecurityFilter</filter-name>
|
||||
<url-pattern>*</url-pattern>
|
||||
</filter-mapping>
|
||||
<filter>
|
||||
<filter-name>HttpHeaderSecurityFilter_AntiClickJacking_SpecialURL</filter-name>
|
||||
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
|
||||
<!-- Disable other headers except X-Frame-Options (not required, but enhances performance)-->
|
||||
<init-param>
|
||||
<param-name>hstsEnabled</param-name>
|
||||
<param-value>false</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>blockContentTypeSniffingEnabled</param-name>
|
||||
<param-value>false</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>xssProtectionEnabled</param-name>
|
||||
<param-value>false</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>antiClickJackingOption</param-name>
|
||||
<param-value>SAMEORIGIN</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
<filter>
|
||||
<filter-name>URLBasedCachePreventionFilter</filter-name>
|
||||
<filter-class>org.wso2.carbon.ui.filters.cache.URLBasedCachePreventionFilter</filter-class>
|
||||
</filter>
|
||||
<filter-mapping>
|
||||
<filter-name>HttpHeaderSecurityFilter_AntiClickJacking_SpecialURL</filter-name>
|
||||
<url-pattern>/samlsso</url-pattern>
|
||||
</filter-mapping>
|
||||
<filter-mapping>
|
||||
<filter-name>CharsetFilter</filter-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</filter-mapping>
|
||||
<filter-mapping>
|
||||
<filter-name>CSRFGuard</filter-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</filter-mapping>
|
||||
<filter-mapping>
|
||||
<filter-name>URLBasedCachePreventionFilter</filter-name>
|
||||
<url-pattern>*.jsp</url-pattern>
|
||||
</filter-mapping>
|
||||
<!-- OWASP CSRFGuard context listener used to read CSRF configuration -->
|
||||
<listener>
|
||||
<listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
|
||||
</listener>
|
||||
<!-- OWASP CSRFGuard session listener used to generate per-session CSRF token -->
|
||||
<listener>
|
||||
<listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
|
||||
</listener>
|
||||
<session-config>
|
||||
<session-timeout>15</session-timeout>
|
||||
<cookie-config>
|
||||
<secure>true</secure>
|
||||
</cookie-config>
|
||||
</session-config>
|
||||
<!-- custom error pages -->
|
||||
<error-page>
|
||||
<error-code>400</error-code>
|
||||
<location>/carbon/errors/error_400.html</location>
|
||||
</error-page>
|
||||
<error-page>
|
||||
<error-code>401</error-code>
|
||||
<location>/carbon/errors/error_401.html</location>
|
||||
</error-page>
|
||||
<error-page>
|
||||
<error-code>403</error-code>
|
||||
<location>/carbon/errors/error_403.html</location>
|
||||
</error-page>
|
||||
<error-page>
|
||||
<error-code>404</error-code>
|
||||
<location>/carbon/errors/error_404.html</location>
|
||||
</error-page>
|
||||
<error-page>
|
||||
<error-code>405</error-code>
|
||||
<location>/carbon/errors/error_405.html</location>
|
||||
</error-page>
|
||||
<error-page>
|
||||
<error-code>408</error-code>
|
||||
<location>/carbon/errors/error_408.html</location>
|
||||
</error-page>
|
||||
<error-page>
|
||||
<error-code>410</error-code>
|
||||
<location>/carbon/errors/error_410.html</location>
|
||||
</error-page>
|
||||
<error-page>
|
||||
<error-code>500</error-code>
|
||||
<location>/carbon/errors/error_500.html</location>
|
||||
</error-page>
|
||||
<error-page>
|
||||
<error-code>502</error-code>
|
||||
<location>/carbon/errors/error_502.html</location>
|
||||
</error-page>
|
||||
<error-page>
|
||||
<error-code>503</error-code>
|
||||
<location>/carbon/errors/error_503.html</location>
|
||||
</error-page>
|
||||
<error-page>
|
||||
<error-code>504</error-code>
|
||||
<location>/carbon/errors/error_504.html</location>
|
||||
</error-page>
|
||||
<error-page>
|
||||
<location>/carbon/errors/error.html</location>
|
||||
</error-page>
|
||||
</web-app>
|
||||
Loading…
Reference in new issue