Added OWASP configurations to IoT pack.

application-manager-new
Harshan Liyanage 8 years ago
parent e35560f703
commit 5de373b6c2

@ -113,6 +113,7 @@
<exclude>**/conf/log4j.properties</exclude> <exclude>**/conf/log4j.properties</exclude>
<exclude>**/repository/conf/security/Owasp.CsrfGuard.Carbon.properties</exclude> <exclude>**/repository/conf/security/Owasp.CsrfGuard.Carbon.properties</exclude>
<exclude>**/repository/components/plugins/httpclient_4.3.2.wso2v1.jar</exclude> <exclude>**/repository/components/plugins/httpclient_4.3.2.wso2v1.jar</exclude>
<exclude>**/conf/tomcat/carbon/WEB-INF/web.xml</exclude>
</excludes> </excludes>
</fileSet> </fileSet>
@ -701,6 +702,11 @@
</dependencySets> </dependencySets>
<files> <files>
<file>
<source>src/repository/conf/tomcat/carbon/WEB-INF/web.xml</source>
<outputDirectory>${pom.artifactId}-${pom.version}/repository/conf/tomcat/carbon/WEB-INF</outputDirectory>
<fileMode>755</fileMode>
</file>
<file> <file>
<source>src/repository/bin/wso2server.sh</source> <source>src/repository/bin/wso2server.sh</source>
<outputDirectory>${pom.artifactId}-${pom.version}/bin</outputDirectory> <outputDirectory>${pom.artifactId}-${pom.version}/bin</outputDirectory>
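Review bot: `<fileMode>755</fileMode>` on the new web.xml entry gives a deployment descriptor the execute bit, which nothing in a servlet container needs; the neighbouring wso2server.sh entry is a shell script and justifies 755, but this file only has to be readable, so `<fileMode>644</fileMode>` is the least-privilege setting. The `<files>` list this entry belongs to continues outside the hunk.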

@ -450,15 +450,15 @@ org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60
org.owasp.csrfguard.unprotected.Services=%servletContext%/services/* org.owasp.csrfguard.unprotected.Services=%servletContext%/services/*
org.owasp.csrfguard.unprotected.oauth=%servletContext%/commonauth/* org.owasp.csrfguard.unprotected.oauth=%servletContext%/commonauth/*
org.owasp.csrfguard.unprotected.samlsso=%servletContext%/samlsso/* org.owasp.csrfguard.unprotected.samlsso=%servletContext%/samlsso/*
org.owasp.csrfguard.unprotected.authenticationendpoint=%servletContext%/authenticationendpoint/* org.owasp.csrfguard.unprotected.authenticationEndpoint=%servletContext%/authenticationendpoint/*
org.owasp.csrfguard.unprotected.wso2=%servletContext%/wso2/* org.owasp.csrfguard.unprotected.wso2=%servletContext%/wso2/*
org.owasp.csrfguard.unprotected.oauth2=%servletContext%/oauth2/* org.owasp.csrfguard.unprotected.oauth2=%servletContext%/oauth2/*
org.owasp.csrfguard.unprotected.openid=%servletContext%/openid/* org.owasp.csrfguard.unprotected.openId=%servletContext%/openid/*
org.owasp.csrfguard.unprotected.openidserver=%servletContext%/openidserver/* org.owasp.csrfguard.unprotected.openIdServer=%servletContext%/openidserver/*
org.owasp.csrfguard.unprotected.passivests=%servletContext%/passivests/* org.owasp.csrfguard.unprotected.passivests=%servletContext%/passivests/*
org.owasp.csrfguard.unprotected.thrift=%servletContext%/thriftAuthenticator/* org.owasp.csrfguard.unprotected.thrift=%servletContext%/thriftAuthenticator/*
org.owasp.csrfguard.unprotected.publisher.rest.api=%servletContext%/api/appm/publisher/* org.owasp.csrfguard.unprotected.publisherRestApi=%servletContext%/api/appm/publisher/*
org.owasp.csrfguard.unprotected.store.rest.api=%servletContext%/api/appm/store/* org.owasp.csrfguard.unprotected.storeRestApi=%servletContext%/api/appm/store/*
org.owasp.csrfguard.unprotected.certificate.mgt.rest.api=%servletContext%/api/certificate-mgt/* org.owasp.csrfguard.unprotected.certificateMgtRestApi=%servletContext%/api/certificate-mgt/*
org.owasp.csrfguard.unprotected.device.mgt.rest.api=%servletContext%/api/device-mgt/* org.owasp.csrfguard.unprotected.deviceMgtRestApi=%servletContext%/api/device-mgt/*
org.owasp.csrfguard.unprotected.dcr.rest.api=%servletContext%/dynamic-client-web/* org.owasp.csrfguard.unprotected.dcrRestApi=%servletContext%/dynamic-client-web/*

@ -0,0 +1,185 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
~
~ WSO2 Inc. licenses this file to you under the Apache License,
~ Version 2.0 (the "License"); you may not use this file except
~ in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing,
~ software distributed under the License is distributed on an
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~ KIND, either express or implied. See the License for the
~ specific language governing permissions and limitations
~ under the License.
-->
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app id="WebApp">
<!-- OWASP CSRFGuard per-application configuration property file location-->
<context-param>
<param-name>Owasp.CsrfGuard.Config</param-name>
<param-value>repository/conf/security/Owasp.CsrfGuard.Carbon.properties</param-value>
</context-param>
<servlet id="bridge">
<servlet-name>bridgeservlet</servlet-name>
<display-name>Carbon Bridge Servlet</display-name>
<description>Carbon Bridge Servlet</description>
<servlet-class>org.wso2.carbon.tomcat.ext.servlet.DelegationServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<!-- OWASP CSRFGuard servlet that serves dynamic token injection JavaScript-->
<servlet>
<servlet-name>JavaScriptServlet</servlet-name>
<servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>bridgeservlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<!--
This is required if your application bundles expose JSPs.
-->
<servlet-mapping>
<servlet-name>bridgeservlet</servlet-name>
<url-pattern>*.jsp</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>JavaScriptServlet</servlet-name>
<url-pattern>/carbon/admin/js/csrfPrevention.js</url-pattern>
</servlet-mapping>
<!--This is for performing the character encoding in the JSPs. -->
<filter>
<filter-name>CharsetFilter</filter-name>
<filter-class>org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter</filter-class>
<init-param>
<param-name>requestEncoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
</filter>
<!-- OWASP CSRFGuard filter used to validate CSRF token-->
<filter>
<filter-name>CSRFGuard</filter-name>
<filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<!-- Tomcat http header security filter -->
<filter>
<filter-name>HttpHeaderSecurityFilter</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>hstsEnabled</param-name>
<param-value>false</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>HttpHeaderSecurityFilter</filter-name>
<url-pattern>*</url-pattern>
</filter-mapping>
<filter>
<filter-name>HttpHeaderSecurityFilter_AntiClickJacking_SpecialURL</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<!-- Disable other headers except X-Frame-Options (not required, but enhances performance)-->
<init-param>
<param-name>hstsEnabled</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>blockContentTypeSniffingEnabled</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>xssProtectionEnabled</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
</filter>
<filter>
<filter-name>URLBasedCachePreventionFilter</filter-name>
<filter-class>org.wso2.carbon.ui.filters.cache.URLBasedCachePreventionFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>HttpHeaderSecurityFilter_AntiClickJacking_SpecialURL</filter-name>
<url-pattern>/samlsso</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CharsetFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CSRFGuard</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>URLBasedCachePreventionFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
<!-- OWASP CSRFGuard context listener used to read CSRF configuration -->
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>
<!-- OWASP CSRFGuard session listener used to generate per-session CSRF token -->
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
</listener>
<session-config>
<session-timeout>15</session-timeout>
<cookie-config>
<secure>true</secure>
</cookie-config>
</session-config>
<!-- custom error pages -->
<error-page>
<error-code>400</error-code>
<location>/carbon/errors/error_400.html</location>
</error-page>
<error-page>
<error-code>401</error-code>
<location>/carbon/errors/error_401.html</location>
</error-page>
<error-page>
<error-code>403</error-code>
<location>/carbon/errors/error_403.html</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>/carbon/errors/error_404.html</location>
</error-page>
<error-page>
<error-code>405</error-code>
<location>/carbon/errors/error_405.html</location>
</error-page>
<error-page>
<error-code>408</error-code>
<location>/carbon/errors/error_408.html</location>
</error-page>
<error-page>
<error-code>410</error-code>
<location>/carbon/errors/error_410.html</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/carbon/errors/error_500.html</location>
</error-page>
<error-page>
<error-code>502</error-code>
<location>/carbon/errors/error_502.html</location>
</error-page>
<error-page>
<error-code>503</error-code>
<location>/carbon/errors/error_503.html</location>
</error-page>
<error-page>
<error-code>504</error-code>
<location>/carbon/errors/error_504.html</location>
</error-page>
<error-page>
<location>/carbon/errors/error.html</location>
</error-page>
</web-app>
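Review bot: The DOCTYPE on the two lines after the license header pairs the Web Application 2.2 public ID with the web-app_2_3.dtd system ID, and neither of those DTDs knows the Servlet 3.0 `<cookie-config>` element used under `<session-config>`, so the descriptor cannot validate and a validating parser would also try to fetch the DTD from java.sun.com. Dropping the DOCTYPE and declaring the version on the root element, `<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0" id="WebApp">`, matches the features the file actually relies on and removes the external reference. Inside `<cookie-config>`, `<secure>true</secure>` keeps the session cookie off plain HTTP but nothing marks it HttpOnly; adding `<http-only>true</http-only>` beside it keeps the cookie out of reach of page scripts (Tomcat's context-level default is already HttpOnly, so this makes the expectation explicit rather than relying on it). The first HttpHeaderSecurityFilter mapping uses `<url-pattern>*</url-pattern>` while every other mapping in the file uses `/*`; `*` is a Tomcat-specific match-all spelling rather than a servlet-spec pattern, so `<url-pattern>/*</url-pattern>` is the portable and consistent form.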