From 5de373b6c23a9c21e24ba6699927e4f38c25b65f Mon Sep 17 00:00:00 2001 From: Harshan Liyanage Date: Fri, 16 Dec 2016 10:56:50 +0530 Subject: [PATCH] Added OWASP configurations to IoT pack. --- .../core/distribution/src/assembly/bin.xml | 6 + .../Owasp.CsrfGuard.Carbon.properties | 16 +- .../conf/tomcat/carbon/WEB-INF/web.xml | 185 ++++++++++++++++++ 3 files changed, 199 insertions(+), 8 deletions(-) create mode 100755 modules/core/distribution/src/repository/conf/tomcat/carbon/WEB-INF/web.xml diff --git a/modules/core/distribution/src/assembly/bin.xml b/modules/core/distribution/src/assembly/bin.xml index a1851be3..7c006567 100644 --- a/modules/core/distribution/src/assembly/bin.xml +++ b/modules/core/distribution/src/assembly/bin.xml @@ -113,6 +113,7 @@ **/conf/log4j.properties **/repository/conf/security/Owasp.CsrfGuard.Carbon.properties **/repository/components/plugins/httpclient_4.3.2.wso2v1.jar + **/conf/tomcat/carbon/WEB-INF/web.xml @@ -701,6 +702,11 @@ + + src/repository/conf/tomcat/carbon/WEB-INF/web.xml + ${pom.artifactId}-${pom.version}/repository/conf/tomcat/carbon/WEB-INF + 755 + src/repository/bin/wso2server.sh ${pom.artifactId}-${pom.version}/bin diff --git a/modules/core/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties b/modules/core/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties index 4daf5c71..2b65f620 100644 --- a/modules/core/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties +++ b/modules/core/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties 
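Review bot: The new web.xml is installed with mode `755` in the second bin.xml hunk (the diffstat likewise shows `create mode 100755`), which gives a static configuration file the execute bit; `644` is all Tomcat needs to read it and is the least-privilege choice. The element tags were lost in this rendering, so I am reading `755` as the `<fileMode>` of the added `<file>` entry, sitting next to the `src/repository/bin/wso2server.sh` entry that genuinely needs execute permission. Change that line to `<fileMode>644</fileMode>` and commit the source file with mode 100644 so the two agree.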
@@ -450,15 +450,15 @@ org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60
 org.owasp.csrfguard.unprotected.Services=%servletContext%/services/*
 org.owasp.csrfguard.unprotected.oauth=%servletContext%/commonauth/*
 org.owasp.csrfguard.unprotected.samlsso=%servletContext%/samlsso/*
-org.owasp.csrfguard.unprotected.authenticationendpoint=%servletContext%/authenticationendpoint/*
+org.owasp.csrfguard.unprotected.authenticationEndpoint=%servletContext%/authenticationendpoint/*
 org.owasp.csrfguard.unprotected.wso2=%servletContext%/wso2/*
 org.owasp.csrfguard.unprotected.oauth2=%servletContext%/oauth2/*
-org.owasp.csrfguard.unprotected.openid=%servletContext%/openid/*
-org.owasp.csrfguard.unprotected.openidserver=%servletContext%/openidserver/*
+org.owasp.csrfguard.unprotected.openId=%servletContext%/openid/*
+org.owasp.csrfguard.unprotected.openIdServer=%servletContext%/openidserver/*
 org.owasp.csrfguard.unprotected.passivests=%servletContext%/passivests/*
 org.owasp.csrfguard.unprotected.thrift=%servletContext%/thriftAuthenticator/*
-org.owasp.csrfguard.unprotected.publisher.rest.api=%servletContext%/api/appm/publisher/*
-org.owasp.csrfguard.unprotected.store.rest.api=%servletContext%/api/appm/store/*
-org.owasp.csrfguard.unprotected.certificate.mgt.rest.api=%servletContext%/api/certificate-mgt/*
-org.owasp.csrfguard.unprotected.device.mgt.rest.api=%servletContext%/api/device-mgt/*
-org.owasp.csrfguard.unprotected.dcr.rest.api=%servletContext%/dynamic-client-web/*
\ No newline at end of file
+org.owasp.csrfguard.unprotected.publisherRestApi=%servletContext%/api/appm/publisher/*
+org.owasp.csrfguard.unprotected.storeRestApi=%servletContext%/api/appm/store/*
+org.owasp.csrfguard.unprotected.certificateMgtRestApi=%servletContext%/api/certificate-mgt/*
+org.owasp.csrfguard.unprotected.deviceMgtRestApi=%servletContext%/api/device-mgt/*
+org.owasp.csrfguard.unprotected.dcrRestApi=%servletContext%/dynamic-client-web/*
\ No newline at end of file
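Review bot: The renamed keys change only the label after `org.owasp.csrfguard.unprotected.`, so the set of paths that bypass CsrfGuardFilter is unchanged, yet the block still has no comment saying why whole REST prefixes such as `/api/device-mgt/*`, `/api/certificate-mgt/*` and `/dynamic-client-web/*` are exempt. Presumably these endpoints authenticate with a token in a header rather than the session cookie, which is what makes a CSRF exemption safe; a comment above the block stating that contract, e.g. `# Paths below bypass CsrfGuard: each must authenticate via token/header, never via the session cookie`, lets the next maintainer judge additions. Since the heading shows `configOverlay` support, it is also worth confirming no overlay still carries the old dotted names, as an overlay entry under the old key would add a second exemption rather than override the new one.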
diff --git a/modules/core/distribution/src/repository/conf/tomcat/carbon/WEB-INF/web.xml b/modules/core/distribution/src/repository/conf/tomcat/carbon/WEB-INF/web.xml
new file mode 100755
index 00000000..fffa6b5c
--- /dev/null
+++ b/modules/core/distribution/src/repository/conf/tomcat/carbon/WEB-INF/web.xml
@@ -0,0 +1,185 @@ + + + + + + + + Owasp.CsrfGuard.Config + repository/conf/security/Owasp.CsrfGuard.Carbon.properties + + + bridgeservlet + Carbon Bridge Servlet + Carbon Bridge Servlet + org.wso2.carbon.tomcat.ext.servlet.DelegationServlet + 1 + + + + JavaScriptServlet + org.owasp.csrfguard.servlet.JavaScriptServlet + + + bridgeservlet + /* + + + + bridgeservlet + *.jsp + + + JavaScriptServlet + /carbon/admin/js/csrfPrevention.js + + + + CharsetFilter + org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter + + requestEncoding + UTF-8 + + + + + CSRFGuard + org.owasp.csrfguard.CsrfGuardFilter + + + + HttpHeaderSecurityFilter + org.apache.catalina.filters.HttpHeaderSecurityFilter + + hstsEnabled + false + + + + HttpHeaderSecurityFilter + * + + + HttpHeaderSecurityFilter_AntiClickJacking_SpecialURL + org.apache.catalina.filters.HttpHeaderSecurityFilter + + + hstsEnabled + false + + + blockContentTypeSniffingEnabled + false + + + xssProtectionEnabled + false + + + antiClickJackingOption + SAMEORIGIN + + + + URLBasedCachePreventionFilter + org.wso2.carbon.ui.filters.cache.URLBasedCachePreventionFilter + + + HttpHeaderSecurityFilter_AntiClickJacking_SpecialURL + /samlsso + + + CharsetFilter + /* + + + CSRFGuard + /* + + + URLBasedCachePreventionFilter + *.jsp + + + + org.owasp.csrfguard.CsrfGuardServletContextListener + + + + org.owasp.csrfguard.CsrfGuardHttpSessionListener + + + 15 + + true + + + + + 400 + /carbon/errors/error_400.html + + + 401 + /carbon/errors/error_401.html + + + 403 + /carbon/errors/error_403.html + + + 404 + /carbon/errors/error_404.html + + + 405 + /carbon/errors/error_405.html + + + 408 + /carbon/errors/error_408.html + + + 410 + /carbon/errors/error_410.html + + + 500 + /carbon/errors/error_500.html + + + 502 + /carbon/errors/error_502.html + + + 503 + /carbon/errors/error_503.html + + + 504 + /carbon/errors/error_504.html + + + /carbon/errors/error.html + +
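Review bot: `hstsEnabled` is `false` on both HttpHeaderSecurityFilter definitions, so this web.xml never emits Strict-Transport-Security, and the `/samlsso`-specific filter additionally sets `blockContentTypeSniffingEnabled` and `xssProtectionEnabled` to `false` with no comment explaining why those headers are dropped on that path. If the pack is served over TLS, `<param-value>true</param-value>` for `hstsEnabled` on the `*`-mapped filter is the defensive default; if it is intentionally off because a fronting proxy sets the header, a comment beside the init-param should say so, and the `/samlsso` filter deserves one such as `<!-- /samlsso: nosniff and X-XSS-Protection headers intentionally disabled; reason: TODO -->`. The session cookie is marked `http-only` true but the cookie-config sets no `secure` flag; on TLS deployments `<secure>true</secure>` belongs alongside it. The tags are stripped in this rendering, so the element placement above is inferred from the servlet 3.0 layout the values follow.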