http://git-wip-us.apache.org/repos/asf/airavata/blob/82e57526/modules/group-manager/src/main/java/org/apache/airavata/grouper/resource/ResourceServiceImpl.java
----------------------------------------------------------------------
diff --git a/modules/group-manager/src/main/java/org/apache/airavata/grouper/resource/ResourceServiceImpl.java b/modules/group-manager/src/main/java/org/apache/airavata/grouper/resource/ResourceServiceImpl.java
deleted file mode 100755
index a4cc29c..0000000
--- a/modules/group-manager/src/main/java/org/apache/airavata/grouper/resource/ResourceServiceImpl.java
+++ /dev/null
@@ -1,343 +0,0 @@ -/** - * - */ -package org.apache.airavata.grouper.resource; - -import edu.internet2.middleware.grouper.*; -import edu.internet2.middleware.grouper.Stem.Scope; -import edu.internet2.middleware.grouper.attr.*; -import edu.internet2.middleware.grouper.attr.assign.AttributeAssignAction; -import edu.internet2.middleware.grouper.attr.finder.AttributeDefFinder; -import edu.internet2.middleware.grouper.attr.finder.AttributeDefNameFinder; -import edu.internet2.middleware.grouper.internal.dao.QueryOptions; -import edu.internet2.middleware.grouper.misc.SaveMode; -import edu.internet2.middleware.grouper.permissions.PermissionAllowed; -import edu.internet2.middleware.grouper.permissions.PermissionEntry; -import edu.internet2.middleware.grouper.permissions.PermissionFinder; -import edu.internet2.middleware.subject.Subject; -import edu.internet2.middleware.subject.SubjectNotFoundException; -import org.apache.airavata.grouper.AiravataGrouperUtil; -import org.apache.airavata.grouper.SubjectType; -import org.apache.airavata.grouper.group.GroupServiceImpl; -import org.apache.airavata.grouper.permission.PermissionAction; -import org.apache.airavata.grouper.permission.PermissionServiceImpl; -import org.apache.airavata.grouper.role.RoleServiceImpl; - -import java.util.ArrayList; -import java.util.HashSet; -import java.util.List; -import java.util.Set; - -import static org.apache.airavata.grouper.AiravataGrouperUtil.*; -import static org.apache.airavata.grouper.permission.PermissionAction.READ; -import static org.apache.airavata.grouper.permission.PermissionAction.WRITE; -import static org.apache.airavata.grouper.resource.ResourceType.*; - -/** - * @author vsachdeva - * - */ -public class ResourceServiceImpl { - - - //TODO: break this method into smaller methods - public void createResource(Resource resource) throws ResourceNotFoundException { - - validateResource(resource); - - GrouperSession grouperSession = null; - try { - grouperSession = 
GrouperSession.startRootSession(); - AttributeDefName parentAttributeDefName = null; - - // make sure that the parent resource exists in grouper if it is in the request - if (resource.getParentResourceId() != null) { - parentAttributeDefName = AttributeDefNameFinder.findByName(resource.getResourceType().getParentResoruceType() - .getStemFromResourceType()+COLON+resource.getParentResourceId(), false); - if (parentAttributeDefName == null) { - throw new ResourceNotFoundException(resource.getParentResourceId() +" was not found."); - } - } - - Subject subject = SubjectFinder.findByIdAndSource(resource.getOwnerId(), SUBJECT_SOURCE, false); - if (subject == null) { - throw new IllegalArgumentException("Resource owner id "+resource.getOwnerId()+" could not be found."); - } - - // create an attribute def if doesn't exist - AttributeDef attributeDef = AttributeDefFinder.findByName(PERMISSIONS_ATTRIBUTE_DEF, false); - if (attributeDef == null) { - AttributeDefSave attributeDefSave = new AttributeDefSave(grouperSession); - attributeDef = attributeDefSave.assignAttributeDefType(AttributeDefType.perm).assignToGroup(true) - .assignToEffMembership(true).assignName(PERMISSIONS_ATTRIBUTE_DEF).assignCreateParentStemsIfNotExist(true) - .assignSaveMode(SaveMode.INSERT_OR_UPDATE).save(); - AttributeAssignAction read = attributeDef.getAttributeDefActionDelegate().addAction(READ.name()); - AttributeAssignAction write = attributeDef.getAttributeDefActionDelegate().addAction(WRITE.name()); - write.getAttributeAssignActionSetDelegate().addToAttributeAssignActionSet(read); - } - - // create attribute def name - AttributeDefNameSave attributeDefNameSave = new AttributeDefNameSave(grouperSession, attributeDef); - attributeDefNameSave.assignCreateParentStemsIfNotExist(true); - attributeDefNameSave.assignSaveMode(SaveMode.INSERT_OR_UPDATE); - attributeDefNameSave.assignAttributeDefNameNameToEdit(resource.getResourceType().getStemFromResourceType()+COLON+resource.getId()); - 
attributeDefNameSave.assignName(resource.getResourceType().getStemFromResourceType()+COLON+resource.getId()); - attributeDefNameSave.assignDescription(resource.getDescription()); - attributeDefNameSave.assignDisplayName(resource.getName()); - AttributeDefName attributeDefName = attributeDefNameSave.save(); - - // set the inheritance if parent attribute def name is not null - if (parentAttributeDefName != null) { - parentAttributeDefName.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(attributeDefName); - } - - RoleServiceImpl roleService = new RoleServiceImpl(); - //TODO remove the session being passed - Group readRole = roleService.createRole(resource.getId()+"_"+READ.name(), grouperSession); - Group writeRole = roleService.createRole(resource.getId()+"_"+WRITE.name(), grouperSession); - - readRole.getPermissionRoleDelegate().assignRolePermission(READ.name(), attributeDefName, PermissionAllowed.ALLOWED); - writeRole.getPermissionRoleDelegate().assignRolePermission(WRITE.name(), attributeDefName, PermissionAllowed.ALLOWED); - writeRole.getRoleInheritanceDelegate().addRoleToInheritFromThis(readRole); - - // give the write role to ownerId - roleService.assignRoleToUser(resource.getOwnerId(), resource.getId()+"_"+WRITE.name(), grouperSession); - - } finally { - GrouperSession.stopQuietly(grouperSession); - } - } - - public void deleteResource(String resourceId, ResourceType resourceType) throws ResourceNotFoundException { - if (resourceId == null || resourceType == null) { - throw new IllegalArgumentException("resouceId "+resourceId+" is null or resourceType"+resourceType+" is null."); - } - GrouperSession grouperSession = null; - try { - grouperSession = GrouperSession.startRootSession(); - AttributeDefName attributeDefName = AttributeDefNameFinder.findByName(resourceType.getStemFromResourceType()+COLON+resourceId, false); - if (attributeDefName == null) { - throw new ResourceNotFoundException(resourceId +" was not found."); - } - RoleServiceImpl 
roleService = new RoleServiceImpl(); - // delete all the children resources and roles - for (AttributeDefName childAttributeDefName: attributeDefName.getAttributeDefNameSetDelegate().getAttributeDefNamesImpliedByThis()) { - childAttributeDefName.delete(); - // don't change the order since write inherits read - roleService.deleteRole(childAttributeDefName.getExtension()+"_"+WRITE.name(), grouperSession); - roleService.deleteRole(childAttributeDefName.getExtension()+"_"+READ.name(), grouperSession); - } - attributeDefName.delete(); - // don't change the order since write inherits read - roleService.deleteRole(resourceId+"_"+WRITE.name(), grouperSession); - roleService.deleteRole(resourceId+"_"+READ.name(), grouperSession); - } finally { - GrouperSession.stopQuietly(grouperSession); - } - } - - public Resource getResource(String resourceId, ResourceType resourceType) throws ResourceNotFoundException { - if (resourceId == null || resourceType == null) { - throw new IllegalArgumentException("resouceId "+resourceId+" is null or resourceType"+resourceType+" is null."); - } - GrouperSession grouperSession = null; - Resource resource = null; - try { - grouperSession = GrouperSession.startRootSession(); - AttributeDefName attributeDefName = AttributeDefNameFinder.findByName(resourceType.getStemFromResourceType()+COLON+resourceId, false); - if (attributeDefName == null) { - throw new ResourceNotFoundException(resourceId +" was not found."); - } - resource = new Resource(resourceId, resourceType); - resource.setDescription(attributeDefName.getDescription()); - resource.setName(attributeDefName.getDisplayExtension()); - Set<AttributeDefName> parentAttributeDefNames = attributeDefName.getAttributeDefNameSetDelegate().getAttributeDefNamesThatImplyThisImmediate(); - if (parentAttributeDefNames != null && parentAttributeDefNames.size() > 0) { - resource.setParentResourceId(parentAttributeDefNames.iterator().next().getExtension()); - } - } finally { - 
GrouperSession.stopQuietly(grouperSession); - } - return resource; - } - - /** - * - * @param userId - * @param resourceType - * @param actions - write or read - * @param pageNumber - 1 index based - * @param pageSize - items to fetch - * @return - * @throws SubjectNotFoundException - */ - public Set<Resource> getAccessibleResourcesForUser(String userId, ResourceType resourceType, - PermissionAction action, boolean pagination, Integer pageNumber, Integer pageSize) throws SubjectNotFoundException { - - if (userId == null || resourceType == null || action == null) { - throw new IllegalArgumentException("Invalid input"); - } - if (pagination && (pageNumber < 0 || pageSize < 1)) { - throw new IllegalArgumentException("Invalid pagination properties"); - } - - GrouperSession grouperSession = null; - try { - grouperSession = GrouperSession.startRootSession(); - - PermissionFinder permissionFinder = new PermissionFinder(); - permissionFinder.addPermissionDef(PERMISSIONS_ATTRIBUTE_DEF); - permissionFinder.addAction(action.name()); - Subject subject = SubjectFinder.findByIdAndSource(userId, SUBJECT_SOURCE, false); - if (subject == null) { - throw new SubjectNotFoundException("userId "+userId+" was not found."); - } - permissionFinder.addSubject(subject); - - Stem stem = StemFinder.findByName(grouperSession, resourceType.getStemFromResourceType(), true); - permissionFinder.assignPermissionNameFolder(stem); - permissionFinder.assignPermissionNameFolderScope(Scope.ONE); - if (pagination) { - QueryOptions queryOptions = new QueryOptions(); - queryOptions.paging(pageSize, pageNumber, false); - permissionFinder.assignQueryOptions(queryOptions); - } - Set<PermissionEntry> permissions = permissionFinder.findPermissions(); - - Set<Resource> resources = new HashSet<Resource>(); - for (PermissionEntry entry: permissions) { - Resource resource = new Resource(entry.getAttributeDefName().getExtension(), resourceType); - resource.setName(entry.getAttributeDefNameDispName()); - 
resources.add(resource); - } - return resources; - - } finally { - GrouperSession.stopQuietly(grouperSession); - } - - } - - // action can be read or write only - public Set<String> getAllAccessibleUsers(String resourceId, ResourceType resourceType, PermissionAction action) { - - if (resourceId == null || resourceType == null || action == null) { - throw new IllegalArgumentException("Invalid input"); - } - - GrouperSession grouperSession = null; - Set<String> userIds = new HashSet<String>(); - try { - grouperSession = GrouperSession.startRootSession(); - - PermissionFinder permissionFinder = new PermissionFinder(); - permissionFinder.addPermissionDef(PERMISSIONS_ATTRIBUTE_DEF); - permissionFinder.addAction(action.name()); - - Stem stem = StemFinder.findByName(grouperSession, resourceType.getStemFromResourceType(), true); - permissionFinder.assignPermissionNameFolder(stem); - permissionFinder.assignPermissionNameFolderScope(Scope.ONE); - permissionFinder.addRole(AiravataGrouperUtil.ROLES_STEM_NAME+ ":" + resourceId + "_" + action.toString()); - Set<PermissionEntry> permissions = permissionFinder.findPermissions(); - - for (PermissionEntry entry: permissions) { - if (entry.getSubjectSourceId().equals(SUBJECT_SOURCE)) { - userIds.add(entry.getSubjectId()); - } - } - - return userIds; - - } finally { - GrouperSession.stopQuietly(grouperSession); - } - - } - - private void validateResource(Resource resource) { - if (resource.getResourceType() == null) { - throw new IllegalArgumentException("Resource type is a required field"); - } - if ((resource.getResourceType().equals(EXPERIMENT) || resource.getResourceType().equals(DATA)) && resource.getParentResourceId() == null) { - throw new IllegalArgumentException("Resource type Experiment or Data must provide valid parent resource id"); - } - if (resource.getOwnerId() == null) { - throw new IllegalArgumentException("Resource ownerId is a required field."); - } - } - - public static void main(String[] args) { - 
ResourceServiceImpl resourceService = new ResourceServiceImpl(); - - // create a Project resource - Resource projectResource = new Resource("project resource id", PROJECT); - projectResource.setDescription("project resource description"); - projectResource.setName("project resource name"); - projectResource.setOwnerId("airavata_id_1"); - resourceService.createResource(projectResource); - - // create an Experiment resource - Resource experimentResource = new Resource("experiment resource id", EXPERIMENT); - experimentResource.setDescription("experiment resource description"); - experimentResource.setName("experiment resource name"); - experimentResource.setParentResourceId("project resource id"); - experimentResource.setOwnerId("airavata_id_1"); - resourceService.createResource(experimentResource); - - //create another experiment resource within the same project resource - Resource experimentResource1 = new Resource("experiment resource id1", ResourceType.EXPERIMENT); - experimentResource1.setDescription("experiment resource description1"); - experimentResource1.setName("experiment resource name1"); - experimentResource1.setParentResourceId("project resource id"); - experimentResource1.setOwnerId("airavata_id_1"); - resourceService.createResource(experimentResource1); - - // create a data file resource - Resource dataResource = new Resource("data resource id", ResourceType.DATA); - dataResource.setDescription("data resource description"); - dataResource.setName("data resource name"); - dataResource.setParentResourceId("experiment resource id1"); - dataResource.setOwnerId("airavata_id_1"); - resourceService.createResource(dataResource); - - // get the experiment resource and it should have parent set to project - Resource resource = resourceService.getResource("experiment resource id1", EXPERIMENT); - System.out.println(resource); - - Set<Resource> accessibleResourcesForUser = resourceService.getAccessibleResourcesForUser("airavata_id_1", EXPERIMENT, WRITE, true, 1, 
2); - System.out.println("accessible resources on page 1 are "+accessibleResourcesForUser.size()); - - - //share the experiment with airavata_id_2 - PermissionServiceImpl permissionService = new PermissionServiceImpl(); - permissionService.grantPermission("airavata_id_2", SubjectType.PERSON, "experiment resource id1", EXPERIMENT, WRITE); - - // create a group of users - GroupServiceImpl groupService = new GroupServiceImpl(); - org.apache.airavata.grouper.group.Group group = new org.apache.airavata.grouper.group.Group("airavata test group id", "airavata_id_1"); - group.setName("airavata test group name"); - group.setDescription("airavata test group description"); - List<String> members = new ArrayList<String>(); - members.add("airavata_id_3"); - members.add("airavata_id_4"); - group.setMembers(members); - groupService.createGroup(group); - - // now share the same experiment with this group as well - permissionService.grantPermission("airavata test group id", SubjectType.GROUP, "experiment resource id1", EXPERIMENT, READ); - - accessibleResourcesForUser = resourceService.getAccessibleResourcesForUser("airavata_id_3", EXPERIMENT, READ, true, 1, 2); - System.out.println("accessible resources on page 1 are "+accessibleResourcesForUser.size()); - - // get all resources, or no pagination - accessibleResourcesForUser = resourceService.getAccessibleResourcesForUser("airavata_id_1", EXPERIMENT, READ, false, 1, 2); - System.out.println("accessible resources without pagination are "+accessibleResourcesForUser.size()); - - Set<String> allAccessibleUsers = resourceService.getAllAccessibleUsers("experiment resource id1", EXPERIMENT, READ); - System.out.println("users who have read access on experiment resource id1 are "+allAccessibleUsers); - - //delete the project resource, it will delete all the children/experiment resources and roles as well - resourceService.deleteResource("project resource id", PROJECT); - } - -}
http://git-wip-us.apache.org/repos/asf/airavata/blob/82e57526/modules/group-manager/src/main/java/org/apache/airavata/grouper/resource/ResourceType.java
----------------------------------------------------------------------
diff --git a/modules/group-manager/src/main/java/org/apache/airavata/grouper/resource/ResourceType.java b/modules/group-manager/src/main/java/org/apache/airavata/grouper/resource/ResourceType.java
deleted file mode 100755
index 5b80bfa..0000000
--- a/modules/group-manager/src/main/java/org/apache/airavata/grouper/resource/ResourceType.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/**
- *
- */
-package org.apache.airavata.grouper.resource;
-
-import static org.apache.airavata.grouper.AiravataGrouperUtil.DATA_STEM_NAME;
-import static org.apache.airavata.grouper.AiravataGrouperUtil.EXPERIMENT_STEM_NAME;
-import static org.apache.airavata.grouper.AiravataGrouperUtil.OTHER_STEM_NAME;
-import static org.apache.airavata.grouper.AiravataGrouperUtil.PROJECT_STEM_NAME;
-
-/**
- * @author vsachdeva
- *
- */
-public enum ResourceType {
-
- PROJECT,
- EXPERIMENT,
- DATA,
- OTHER;
-
- public ResourceType getParentResoruceType() {
-
- switch (this) {
- case EXPERIMENT:
- return PROJECT;
- case DATA:
- return EXPERIMENT;
- default:
- return null;
- }
- }
-
- public String getStemFromResourceType() {
-
- switch (this) {
- case PROJECT:
- return PROJECT_STEM_NAME;
- case EXPERIMENT:
- return EXPERIMENT_STEM_NAME;
- case DATA:
- return DATA_STEM_NAME;
- case OTHER:
- return OTHER_STEM_NAME;
- default:
- return null;
- }
-
- }
-
-}
http://git-wip-us.apache.org/repos/asf/airavata/blob/82e57526/modules/group-manager/src/main/java/org/apache/airavata/grouper/role/RoleServiceImpl.java
----------------------------------------------------------------------
diff --git a/modules/group-manager/src/main/java/org/apache/airavata/grouper/role/RoleServiceImpl.java b/modules/group-manager/src/main/java/org/apache/airavata/grouper/role/RoleServiceImpl.java
deleted file mode 100755
index 558d68c..0000000
--- a/modules/group-manager/src/main/java/org/apache/airavata/grouper/role/RoleServiceImpl.java
+++ /dev/null
@@ -1,112 +0,0 @@ -/** - * - */ -package org.apache.airavata.grouper.role; - -import edu.internet2.middleware.grouper.*; -import edu.internet2.middleware.grouper.exception.GroupNotFoundException; -import edu.internet2.middleware.grouper.group.TypeOfGroup; -import edu.internet2.middleware.grouper.misc.SaveMode; -import edu.internet2.middleware.subject.Subject; -import edu.internet2.middleware.subject.SubjectNotFoundException; - -import static org.apache.airavata.grouper.AiravataGrouperUtil.*; - -/** - * @author vsachdeva - * - */ -public class RoleServiceImpl { - - - public Group createRole(String roleId, GrouperSession session) { - - GrouperSession grouperSession = null; - Group role = null; - try { - grouperSession = session != null? session : GrouperSession.startRootSession(); - GroupSave groupSave = new GroupSave(grouperSession); - groupSave.assignTypeOfGroup(TypeOfGroup.role); - groupSave.assignGroupNameToEdit(ROLES_STEM_NAME+COLON+roleId); - groupSave.assignName(ROLES_STEM_NAME+COLON+roleId); - groupSave.assignDisplayExtension(roleId); - groupSave.assignDescription(roleId); - groupSave.assignSaveMode(SaveMode.INSERT_OR_UPDATE); - groupSave.assignCreateParentStemsIfNotExist(true); - role = groupSave.save(); - } finally { - if (session == null) { - GrouperSession.stopQuietly(grouperSession); - } - } - return role; - } - - public void deleteRole(String roleId, GrouperSession session) { - GrouperSession grouperSession = null; - try { - grouperSession = session != null? 
session : GrouperSession.startRootSession(); - edu.internet2.middleware.grouper.Group role = GroupFinder.findByName(grouperSession, ROLES_STEM_NAME+COLON+roleId, false); - if (role != null) { - role.delete(); - } - } finally { - if (session == null) { - GrouperSession.stopQuietly(grouperSession); - } - } - } - - public void assignRoleToUser(String userId, String roleId, GrouperSession session) throws GroupNotFoundException, SubjectNotFoundException { - - GrouperSession grouperSession = null; - try { - grouperSession = session != null? session : GrouperSession.startRootSession(); - edu.internet2.middleware.grouper.Group role = GroupFinder.findByName(grouperSession, ROLES_STEM_NAME+COLON+roleId, false); - if (role == null) { - throw new GroupNotFoundException("Role "+roleId+" was not found."); - } - Subject subject = SubjectFinder.findById(userId, false); - if (subject == null) { - throw new SubjectNotFoundException("userId "+userId+" was not found."); - } - role.addMember(subject, false); - } finally { - if (session == null) { - GrouperSession.stopQuietly(grouperSession); - } - } - - } - - public void removeRoleFromUser(String userId, String roleId, GrouperSession session) throws GroupNotFoundException, SubjectNotFoundException { - GrouperSession grouperSession = null; - try { - grouperSession = session != null? 
session : GrouperSession.startRootSession(); - edu.internet2.middleware.grouper.Group role = GroupFinder.findByName(grouperSession, ROLES_STEM_NAME+COLON+roleId, false); - if (role == null) { - throw new GroupNotFoundException("Role "+roleId+" was not found."); - } - Subject subject = SubjectFinder.findByIdAndSource(userId, SUBJECT_SOURCE, false); - if (subject == null) { - throw new SubjectNotFoundException("userId "+userId+" was not found."); - } - role.deleteMember(subject, false); - } finally { - if (session == null) { - GrouperSession.stopQuietly(grouperSession); - } - } - } - - public static void main(String[] args) { - RoleServiceImpl roleServiceImpl = new RoleServiceImpl(); - - roleServiceImpl.createRole("test_role", null); - - roleServiceImpl.assignRoleToUser("test.subject.3", "test_role", null); - - //roleServiceImpl.deleteRole("test_role", null); - } - -} http://git-wip-us.apache.org/repos/asf/airavata/blob/82e57526/modules/group-manager/src/main/resources/Owasp.CsrfGuard.overlay.properties ---------------------------------------------------------------------- diff --git a/modules/group-manager/src/main/resources/Owasp.CsrfGuard.overlay.properties b/modules/group-manager/src/main/resources/Owasp.CsrfGuard.overlay.properties deleted file mode 100755 index fb7f668..0000000 --- a/modules/group-manager/src/main/resources/Owasp.CsrfGuard.overlay.properties +++ /dev/null 
@@ -1,78 +0,0 @@
-org.owasp.csrfguard.Logger=edu.internet2.middleware.grouper.grouperUi.csrf.CsrfGuardLogger
-
-org.owasp.csrfguard.TokenPerPage=false
-
-org.owasp.csrfguard.action.Redirect.Page=%servletContext%/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=csrf
-
-org.owasp.csrfguard.configuration.provider.factory=org.owasp.csrfguard.config.overlay.ConfigurationOverlayProviderFactory
-
-org.owasp.csrfguard.Config.Print = false
-
-# to see how error handling works, edit grouperUi.js
-org.owasp.csrfguard.Ajax=true
-
-
-org.owasp.csrfguard.unprotected.DefaultGrouper=%servletContext%/
-org.owasp.csrfguard.unprotected.GrouperHome=%servletContext%/home.do
-org.owasp.csrfguard.unprotected.GrouperDir=%servletContext%/grouper/*
-org.owasp.csrfguard.unprotected.GrouperExternal=%servletContext%/grouperExternal/index.html
-org.owasp.csrfguard.unprotected.GrouperExternalAppHtml=%servletContext%/grouperExternal/appHtml/*
-org.owasp.csrfguard.unprotected.GrouperExternalPublicAssets=%servletContext%/grouperExternal/public/assets/*
-org.owasp.csrfguard.unprotected.GrouperExternalPublicNetworkGraph=%servletContext%/grouperExternal/public/networkGraph/*
-org.owasp.csrfguard.unprotected.GrouperGifs=^/grouper/grouperExternal/public/.*\\.gif$
-org.owasp.csrfguard.unprotected.GrouperJpgs=^/grouper/grouperExternal/public/.*\\.jpg$
-org.owasp.csrfguard.unprotected.GrouperPngs=^/grouper/grouperExternal/public/.*\\.png$
-org.owasp.csrfguard.unprotected.GrouperUi=%servletContext%/grouperUi/
-org.owasp.csrfguard.unprotected.GrouperUiIndex=%servletContext%/grouperUi/index.html
-org.owasp.csrfguard.unprotected.GrouperUiAppHtml=%servletContext%/grouperUi/appHtml/*
-org.owasp.csrfguard.unprotected.GrouperI2mi=%servletContext%/i2mi/*
-org.owasp.csrfguard.unprotected.GrouperScripts=%servletContext%/scripts/*
-org.owasp.csrfguard.unprotected.GrouperStatus=%servletContext%/status
-org.owasp.csrfguard.unprotected.GrouperIndex=%servletContext%/index.jsp
-org.owasp.csrfguard.unprotected.GrouperOwaspJavascript=%servletContext%/grouperExternal/public/OwaspJavaScriptServlet
-
-org.owasp.csrfguard.unprotected.GrouperStrutsAddSaved=^%servletContext%/addSaved[^.]+\\.do$
-org.owasp.csrfguard.unprotected.GrouperStrutsBrowse=^%servletContext%/browse[^.]+\\.do$
-org.owasp.csrfguard.unprotected.GrouperStrutsCancel=^%servletContext%/cancel[^.]+\\.do$
-org.owasp.csrfguard.unprotected.GrouperStrutserror=%servletContext%/error.do
-org.owasp.csrfguard.unprotected.GrouperStrutsfilterError=%servletContext%/filterError.do
-org.owasp.csrfguard.unprotected.GrouperStrutshelp=%servletContext%/help.do
-org.owasp.csrfguard.unprotected.GrouperStrutslogin=%servletContext%/login.do
-org.owasp.csrfguard.unprotected.GrouperStrutsCallLogin=%servletContext%/callLogin.do
-org.owasp.csrfguard.unprotected.GrouperStrutslogout=%servletContext%/logout.do
-org.owasp.csrfguard.unprotected.GrouperStrutsPopulate=^%servletContext%/populate[^.]+\\.do$
-org.owasp.csrfguard.unprotected.GrouperStrutsuserAudit=%servletContext%/userAudit.do
-#http://localhost:8090/grouper/populateSearchSubjects.do
-
-
-org.owasp.csrfguard.unprotected.GrouperSimpleMembershipUpdateImportExportExportSubjectIdsCsv=%servletContext%/grouperUi/app/SimpleMembershipUpdateImportExport.exportSubjectIdsCsv/*
-org.owasp.csrfguard.unprotected.GrouperSimpleMembershipUpdateImportExportExportAllCsv=%servletContext%/grouperUi/app/SimpleMembershipUpdateImportExport.exportAllCsv/*
-
-org.owasp.csrfguard.unprotected.GrouperUiV2MainIndex=%servletContext%/grouperUi/app/UiV2Main.index
-org.owasp.csrfguard.unprotected.GrouperUiV2MainIndexMain=%servletContext%/grouperUi/app/UiV2Main.indexMain
-org.owasp.csrfguard.unprotected.GrouperUiV2MainFolderMenu=%servletContext%/grouperUi/app/UiV2Main.folderMenu
-org.owasp.csrfguard.unprotected.GrouperUiV2GroupAddMemberFilter=%servletContext%/grouperUi/app/UiV2Group.addMemberFilter
-org.owasp.csrfguard.unprotected.GrouperUiV2GroupImportGroupExportSubmit=%servletContext%/grouperUi/app/UiV2GroupImport.groupExportSubmit
-org.owasp.csrfguard.unprotected.GrouperUiV2StemCopyParentFolderFilter=%servletContext%/grouperUi/app/UiV2Stem.stemCopyParentFolderFilter
-org.owasp.csrfguard.unprotected.GrouperUiV2StemCreateGroupParentFolderFilter=%servletContext%/grouperUi/app/UiV2Stem.createGroupParentFolderFilter
-org.owasp.csrfguard.unprotected.GrouperUiV2StemCreateStemParentFolderFilter=%servletContext%/grouperUi/app/UiV2Stem.createStemParentFolderFilter
-org.owasp.csrfguard.unprotected.GrouperUiV2SubjectAddToGroupFilter=%servletContext%/grouperUi/app/UiV2Subject.addToGroupFilter
-org.owasp.csrfguard.unprotected.GrouperUiV2GroupUpdateFilter=%servletContext%/grouperUi/app/UiV2Group.groupUpdateFilter
-org.owasp.csrfguard.unprotected.GrouperUiV2GroupCompositeFilter=%servletContext%/grouperUi/app/UiV2Group.groupCompositeFactorFilter
-org.owasp.csrfguard.unprotected.GrouperUiV2StemAddMemberFilter=%servletContext%/grouperUi/app/UiV2Stem.addMemberFilter
-org.owasp.csrfguard.unprotected.GrouperUiV2ExternalEntitiesAddGroupFilter=%servletContext%/grouperUi/app/UiV2ExternalEntities.addGroupFilter
-org.owasp.csrfguard.unprotected.GrouperUiV2SubjectAddToStemFilter=%servletContext%/grouperUi/app/UiV2Subject.addToStemFilter
-org.owasp.csrfguard.unprotected.GrouperUiV2SubjectAddToAttributeDefFilter=%servletContext%/grouperUi/app/UiV2Subject.addToAttributeDefFilter
-org.owasp.csrfguard.unprotected.GrouperExternalPublicIndex=%servletContext%/grouperExternal/public/UiV2Public.index
-# TODO take this out and error page should not be post
-org.owasp.csrfguard.unprotected.GrouperExternalPublicPostIndex=%servletContext%/grouperExternal/public/UiV2Public.postIndex
-org.owasp.csrfguard.unprotected.GrouperUiV2Export=^%servletContext%/grouperUi/app/UiV2GroupImport\\.groupExportSubmit/.*$
-
-
-
-# Allows the developer to specify the value of the Cache-Control header in the HTTP response
-# when serving the dynamic JavaScript file. The default value is private, maxage=28800.
-# Caching of the dynamic JavaScript file is intended to minimize traffic and improve performance.
-# Note that the Cache-Control header is always set to "no-store" when either the "Rotate"
-# "TokenPerPage" options is set to true in Owasp.CsrfGuard.properties.
-org.owasp.csrfguard.JavascriptServlet.cacheControl = private, maxage=1800
http://git-wip-us.apache.org/repos/asf/airavata/blob/82e57526/modules/group-manager/src/main/resources/Owasp.CsrfGuard.properties
----------------------------------------------------------------------
diff --git a/modules/group-manager/src/main/resources/Owasp.CsrfGuard.properties b/modules/group-manager/src/main/resources/Owasp.CsrfGuard.properties
deleted file mode 100755
index 97e655e..0000000
--- a/modules/group-manager/src/main/resources/Owasp.CsrfGuard.properties
+++ /dev/null
@@ -1,403 +0,0 @@
-# The OWASP CSRFGuard Project, BSD License
-# Eric Sheridan ([email protected]), Copyright (c) 2011
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-#
-# 1. Redistributions of source code must retain the above copyright notice,
-# this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# 3. Neither the name of OWASP nor the names of its contributors may be used
-# to endorse or promote products derived from this software without specific
-# prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
-# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# From: https://github.com/esheri3/OWASP-CSRFGuard/blob/master/csrfguard-test/src/main/webapp/WEB-INF/csrfguard.properties
-
-# Common substitutions
-# %servletContext% is the servlet context (e.g. the configured app prefix or war file name, or blank.
-# e.g. if you deploy a default warfile as someApp.war, then %servletContext% will be /someApp
-# if there isnt a context it will be the empty string. So to use this in the configuration, use e.g. %servletContext%/something.html
-# which will translate to e.g. /someApp/something.html
-
-# Logger
-#
-# The logger property (org.owasp.csrfguard.Logger) defines the qualified class name of
-# the object responsible for processing all log messages produced by CSRFGuard. The default
-# CSRFGuard logger is org.owasp.csrfguard.log.ConsoleLogger. This class logs all messages
-# to System.out which JavaEE application servers redirect to a vendor specific log file.
-# Developers can customize the logging behavior of CSRFGuard by implementing the
-# org.owasp.csrfguard.log.ILogger interface and setting the logger property to the new
-# logger's qualified class name. The following configuration snippet instructs OWASP CSRFGuard
-# to capture all log messages to the console:
-#
-# org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
-org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
-
-# Which configuration provider factory you want to use. The default is org.owasp.csrfguard.config.PropertiesConfigurationProviderFactory
-# Another configuration provider has more features including config overlays: org.owasp.csrfguard.config.overlay.ConfigurationOverlayProviderFactory
-# The default configuration provider is: org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
-# which will look for an overlay file, it is there, and the factory inside that file is set it will use it, otherwise will be PropertiesConfigurationProviderFactory
-# it needs to implement org.owasp.csrfguard.config.ConfigurationProviderFactory
-org.owasp.csrfguard.configuration.provider.factory = org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
-
-
-# If csrfguard filter is enabled
-org.owasp.csrfguard.Enabled = true
-
-# If csrf guard filter should check even if there is no session for the user
-# Note: this changed around 2014/04, the default behavior used to be to
-# not check if there is no session. If you want the legacy behavior (if your app
-# is not susceptible to CSRF if the user has no session), set this to false
-org.owasp.csrfguard.ValidateWhenNoSessionExists = true
-
-# New Token Landing Page
-#
-# The new token landing page property (org.owasp.csrfguard.NewTokenLandingPage) defines where
-# to send a user if the token is being generated for the first time, and the use new token landing
-# page boolean property (org.owasp.csrfguard.UseNewTokenLandingPage) determines if any redirect happens.
-# UseNewTokenLandingPage defaults to false if NewTokenLandingPage is not specified, and to true
-# if it is specified.. If UseNewTokenLandingPage is set true then this request is generated
-# using auto-posting forms and will only contain the CSRF prevention token parameter, if
-# applicable. All query-string or form parameters sent with the original request will be
-# discarded. If this property is not defined, CSRFGuard will instead auto-post the user to the
-# original context and servlet path. The following configuration snippet instructs OWASP CSRFGuard to
-# redirect the user to %servletContext%/index.html when the user visits a protected resource
-# without having a corresponding CSRF token present in the HttpSession object:
-#
-# org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/index.html
-
-
-# Protected Methods
-#
-# The protected methods property (org.owasp.csrfguard.ProtectedMethods) defines a comma
-# separated list of HTTP request methods that should be protected by CSRFGuard. The default
-# list is an empty list which will cause all HTTP methods to be protected, thus preserving
-# legacy behavior. This setting allows the user to inform CSRFGuard that only requests of the
-# given types should be considered for protection. All HTTP methods not in the list will be
-# considered safe (i.e. view only / unable to modify data). This should be used only when the
-# user has concrete knowledge that all requests made via methods not in the list
-# are safe (i.e. do not apply an action to any data) since it can actually introduce new
-# security vulnerabilities. For example: the user thinks that all actionable requests are
-# only available by POST requests when in fact some are available via GET requests. If the
-# user has excluded GET requests from the list then they have introduced a vulnerability.
-# The following configuration snippet instructs OWASP CSRFGuard to protect only the POST,
-# PUT, and DELETE HTTP methods.
-#
-# org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE
-
-# or you can configure all to be protected, and specify which is unprotected. This is the preferred approach
-
-# org.owasp.csrfguard.UnprotectedMethods=GET
-
-# Unique Per-Page Tokens
-#
-# The unique token per-page property (org.owasp.csrfguard.TokenPerPage) is a boolean value that
-# determines if CSRFGuard should make use of unique per-page (i.e. URI) prevention tokens as
-# opposed to unique per-session prevention tokens. When a user requests a protected resource,
-# CSRFGuard will determine if a page specific token has been previously generated. If a page
-# specific token has not yet been previously generated, CSRFGuard will verify the request was
-# submitted with the per-session token intact. After verifying the presence of the per-session token,
-# CSRFGuard will create a page specific token that is required for all subsequent requests to the
-# associated resource. The per-session CSRF token can only be used when requesting a resource for
-# the first time. All subsequent requests must have the per-page token intact or the request will
-# be treated as a CSRF attack. This behavior can be changed with the org.owasp.csrfguard.TokenPerPagePrecreate
-# property. Enabling this property will make CSRFGuard calculate the per page token prior to a first
-# visit. This option only works with JSTL token injection and is useful for preserving the validity of
-# links if the user pushes the back button. There may be a performance impact when enabling this option
-# if the .jsp has a large number of proctected links that need tokens to be calculated.
-# Use of the unique token per page property is currently experimental
-# but provides a significant amount of improved security. Consider the exposure of a CSRF token using
-# the legacy unique per-session model. Exposure of this token facilitates the attacker's ability to
-# carry out a CSRF attack against the victim's active session for any resource exposed by the web
-# application. Now consider the exposure of a CSRF token using the experimental unique token per-page
-# model. Exposure of this token would only allow the attacker to carry out a CSRF attack against the
-# victim's active session for a small subset of resources exposed by the web application. Use of the
-# unique token per-page property is a strong defense in depth strategy significantly reducing the
-# impact of exposed CSRF prevention tokens. The following configuration snippet instructs OWASP
-# CSRFGuard to utilize the unique token per-page model:
-#
-# org.owasp.csrfguard.TokenPerPage=true
-# org.owasp.csrfguard.TokenPerPagePrecreate=false
-org.owasp.csrfguard.TokenPerPage=true
-org.owasp.csrfguard.TokenPerPagePrecreate=false
-
-# Token Rotation
-#
-# The rotate token property (org.owasp.csrfguard.Rotate) is a boolean value that determines if
-# CSRFGuard should generate and utilize a new token after verifying the previous token. Rotation
-# helps minimize the window of opportunity an attacker has to leverage the victim's stolen token
-# in a targeted CSRF attack. However, this functionality generally causes navigation problems in
-# most applications. Specifically, the 'Back' button in the browser will often cease to function
-# properly. When a user hits the 'Back' button and interacts with the HTML, the browser may submit
-# an old token causing CSRFGuard to incorrectly believe this request is a CSRF attack in progress
-# (i.e. a 'false positive'). Users can prevent this scenario by preventing the caching of HTML pages
-# containing FORM submissions using the cache-control header. However, this may also introduce
-# performance problems as the browser will have to request HTML on a more frequent basis. The following
-# configuration snippet enables token rotation:
-#
-# org.owasp.csrfguard.Rotate=true
-
-# Ajax and XMLHttpRequest Support
-#
-# The Ajax property (org.owasp.csrfguard.Ajax) is a boolean value that indicates whether or not OWASP
-# CSRFGuard should support the injection and verification of unique per-session prevention tokens for
-# XMLHttpRequests. To leverage Ajax support, the user must not only set this property to true but must
-# also reference the JavaScript DOM Manipulation code using a script element. This dynamic script will
-# override the send method of the XMLHttpRequest object to ensure the submission of an X-Requested-With
-# header name value pair coupled with the submission of a custom header name value pair for each request.
-# The name of the custom header is the value of the token name property and the value of the header is
-# always the unique per-session token value. This custom header is analogous to the HTTP parameter name
-# value pairs submitted via traditional GET and POST requests. If the X-Requested-With header was sent
-# in the HTTP request, then CSRFGuard will look for the presence and ensure the validity of the unique
-# per-session token in the custom header name value pair. Note that verification of these headers takes
-# precedence over verification of the CSRF token supplied as an HTTP parameter. More specifically,
-# CSRFGuard does not verify the presence of the CSRF token if the Ajax support property is enabled and
-# the corresponding X-Requested-With and custom headers are embedded within the request. The following
-# configuration snippet instructs OWASP CSRFGuard to support Ajax requests by verifying the presence and
-# correctness of the X-Requested-With and custom headers:
-#
-# org.owasp.csrfguard.Ajax=true
-org.owasp.csrfguard.Ajax=true
-
-# The default behavior of CSRFGuard is to protect all pages. Pages marked as unprotected will not be protected.
-# If the Protect property is enabled, this behavior is reversed. Pages must be marked as protected to be protected.
-# All other pages will not be protected. This is useful when the CsrfGuardFilter is aggressively mapped (ex: /*),
-# but you only want to protect a few pages.
-#
-# org.owasp.csrfguard.Protect=true
-
-# Unprotected Pages:
-#
-# The unprotected pages property (org.owasp.csrfguard.unprotected.*) defines a series of pages that
-# should not be protected by CSRFGuard. Such configurations are useful when the CsrfGuardFilter is
-# aggressively mapped (ex: /*). The syntax of the property name is org.owasp.csrfguard.unprotected.[PageName],
-# where PageName is some arbitrary identifier that can be used to reference a resource. The syntax of
-# defining the uri of unprotected pages is the same as the syntax used by the JavaEE container for uri mapping.
-# Specifically, CSRFGuard will identify the first match (if any) between the requested uri and an unprotected
-# page in order of declaration. Match criteria is as follows:
-#
-# Case 1: exact match between request uri and unprotected page
-# Case 2: longest path prefix match, beginning / and ending /*
-# Case 3: extension match, beginning *.
-# Case 4: if the value starts with ^ and ends with $, it will be evaulated as a regex. Note that before the
-# regex is compiled, any common variables will be substituted (e.g. %servletContext%)
-# Default: requested resource must be validated by CSRFGuard
-#
-# The following code snippet illustrates the four use cases over four examples. The first two examples
-# (Tag and JavaScriptServlet) look for direct URI matches. The third example (Html) looks for all resources
-# ending in a .html extension. The next example (Public) looks for all resources prefixed with the URI path /MySite/Public/*.
-# The last example looks for resources that end in Public.do
-#
-# org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
-# org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/JavaScriptServlet
-# org.owasp.csrfguard.unprotected.Html=*.html
-# org.owasp.csrfguard.unprotected.Public=%servletContext%/Public/*
-# regex example starts with ^ and ends with $, and the %servletContext% is evaluated before the regex
-# org.owasp.csrfguard.unprotected.PublicServlet=^%servletContext%/.*Public\.do$
-org.owasp.csrfguard.unprotected.Default=%servletContext%/
-org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html
-org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/JavaScriptServlet
-org.owasp.csrfguard.unprotected.Ajax=%servletContext%/ajax.html
-org.owasp.csrfguard.unprotected.Error=%servletContext%/error.html
-org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html
-org.owasp.csrfguard.unprotected.JavaScript=%servletContext%/javascript.html
-org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
-org.owasp.csrfguard.unprotected.Redirect=%servletContext%/redirect.jsp
-org.owasp.csrfguard.unprotected.Forward=%servletContext%/forward.jsp
-org.owasp.csrfguard.unprotected.Session=%servletContext%/session.jsp
-
-# Actions: Responding to Attacks
-#
-# The actions directive (org.owasp.csrfguard.action.*) gives the user the ability to specify one or more
-# actions that should be invoked when a CSRF attack is detected. Every action must implement the
-# org.owasp.csrfguard.action.IAction interface either directly or indirectly through the
-# org.owasp.csrfguard.action.AbstractAction helper class. Many actions accept parameters that can be specified
-# along with the action class declaration. These parameters are consumed at runtime and impact the behavior of
-# the associated action.
-#
-# The syntax for defining and configuring CSRFGuard actions is relatively straight forward. Let us assume we wish
-# to redirect the user to a default page when a CSRF attack is detected. A redirect action already exists within
-# the CSRFGuard bundle and is available via the class name org.owasp.csrfguard.actions.Redirect. In order to enable
-# this action, we capture the following declaration in the Owasp.CsrfGuard.properties file:
-#
-# syntax: org.owasp.csrfguard.action.[actionName]=[className]
-# example: org.owasp.csrfguard.action.class.Redirect=org.owasp.csrfguard.actions.Redirect
-#
-# The aforementioned directive declares an action called "Redirect" (i.e. [actionName]) referencing the Java class
-# "org.owasp.csrfguard.actions.Redirect" (i.e. [className]). Anytime a CSRF attack is detected, the Redirect action
-# will be executed. You may be asking yourself, "but how do I specify where the user is redirected?"; this is where
-# action parameters come into play. In order to specify the redirect location, we capture the following declaration
-# in the Owasp.CsrfGuard.properties file:
-#
-# syntax: org.owasp.csrfguard.action.[actionName].[parameterName]=[parameterValue]
-# example: org.owasp.csrfguard.action.Redirect.ErrorPage=%servletContext%/error.html
-#
-# The aforementioned directive declares an action parameter called "ErrorPage" (i.e. [parameterName]) with the value
-# of "%servletContext%/error.html" (i.e. [parameterValue]) for the action "Redirect" (i.e. [actionName]). The
-# Redirect action expects the "ErrorPage" parameter to be defined and will redirect the user to this location when
-# an attack is detected.
-#
-#org.owasp.csrfguard.action.Empty=org.owasp.csrfguard.action.Empty
-org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
-org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
-#org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate
-org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
-org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.html
-#org.owasp.csrfguard.action.RequestAttribute=org.owasp.csrfguard.action.RequestAttribute
-#org.owasp.csrfguard.action.RequestAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
-org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
-#org.owasp.csrfguard.action.SessionAttribute=org.owasp.csrfguard.action.SessionAttribute
-#org.owasp.csrfguard.action.SessionAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
-#org.owasp.csrfguard.action.Error=org.owasp.csrfguard.action.Error
-#org.owasp.csrfguard.action.Error.Code=403
-#org.owasp.csrfguard.action.Error.Message=Security violation.
-
-# Token Name
-#
-# The token name property (org.owasp.csrfguard.TokenName) defines the name of the HTTP parameter
-# to contain the value of the OWASP CSRFGuard token for each request. The following configuration
-# snippet sets the CSRFGuard token parameter name to the value OWASP_CSRFTOKEN:
-#
-# org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
-org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
-
-# Session Key
-#
-# The session key property (org.owasp.csrfguard.SessionKey) defines the string literal used to save
-# and lookup the CSRFGuard token from the session. This value is used by the filter and the tag
-# libraries to retrieve and set the token value in the session. Developers can use this key to
-# programmatically lookup the token within their own code. The following configuration snippet sets
-# the session key to the value OWASP_CSRFTOKEN:
-#
-# org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
-org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
-
-# Token Length
-#
-# The token length property (org.owasp.csrfguard.TokenLength) defines the number of characters that
-# should be found within the CSRFGuard token. Note that characters are delimited by dashes (-) in groups
-# of four. For cosmetic reasons, users are encourage to ensure the token length is divisible by four.
-# The following configuration snippet sets the token length property to 32 characters:
-#
-# org.owasp.csrfguard.TokenLength=32
-org.owasp.csrfguard.TokenLength=32
-
-# Pseudo-random Number Generator
-#
-# The pseudo-random number generator property (org.owasp.csrfguard.PRNG) defines what PRNG should be used
-# to generate the OWASP CSRFGuard token. Always ensure this value references a cryptographically strong
-# pseudo-random number generator algorithm. The following configuration snippet sets the pseudo-random number
-# generator to SHA1PRNG:
-#
-# org.owasp.csrfguard.PRNG=SHA1PRNG
-org.owasp.csrfguard.PRNG=SHA1PRNG
-
-# Pseudo-random Number Generator Provider
-
-# The pseudo-random number generator provider property (org.owasp.csrfguard.PRNG.Provider) defines which
-# provider's implementation of org.owasp.csrfguard.PRNG we should utilize. The following configuration
-# snippet instructs the JVM to leverage SUN's implementation of the algorithm denoted by the
-# org.owasp.csrfguard.PRNG property:
-
-# org.owasp.csrfguard.PRNG.Provider=SUN
-org.owasp.csrfguard.PRNG.Provider=SUN
-
-# If not specifying the print config option in the web.xml, you can specify it here, to print the config
-# on startup
-org.owasp.csrfguard.Config.Print = true
-
-###########################
-## Javascript servlet settings if not set in web.xml
-## https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
-###########################
-
-# leave this blank and blank in web.xml and it will read from META-INF/csrfguard.js from the jarfile
-# Denotes the location of the JavaScript template file that should be consumed and dynamically
-# augmented by the JavaScriptServlet class. The default value is WEB-INF/Owasp.CsrfGuard.js.
-# Use of this property and the existence of the specified template file is required.
-org.owasp.csrfguard.JavascriptServlet.sourceFile =
-
-# Boolean value that determines whether or not the dynamic JavaScript code should be strict
-# with regards to what links it should inject the CSRF prevention token. With a value of true,
-# the JavaScript code will only place the token in links that point to the same exact domain
-# from which the HTML originated. With a value of false, the JavaScript code will place the
-# token in links that not only point to the same exact domain from which the HTML originated,
-# but sub-domains as well.
-org.owasp.csrfguard.JavascriptServlet.domainStrict = true
-
-# Allows the developer to specify the value of the Cache-Control header in the HTTP response
-# when serving the dynamic JavaScript file. The default value is private, maxage=28800.
-# Caching of the dynamic JavaScript file is intended to minimize traffic and improve performance.
-# Note that the Cache-Control header is always set to "no-store" when either the "Rotate"
-# "TokenPerPage" options is set to true in Owasp.CsrfGuard.properties.
-org.owasp.csrfguard.JavascriptServlet.cacheControl = private, maxage=28800
-
-# Allows the developer to specify a regular expression describing the required value of the
-# Referer header. Any attempts to access the servlet with a Referer header that does not
-# match the captured expression is discarded. Inclusion of referer header checking is to
-# help minimize the risk of JavaScript Hijacking attacks that attempt to steal tokens from
-# the dynamically generated JavaScript. While the primary defenses against JavaScript
-# Hijacking attacks are implemented within the dynamic JavaScript itself, referer header
-# checking is implemented to achieve defense in depth.
-org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
-
-# Similar to javascript servlet referer pattern, but this will make sure the referer of the
-# javascript servlet matches the domain of the request. If there is no referer (proxy strips it?)
-# then it will not fail. Generally this is a good idea to be true.
-org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
-
-# Boolean value that determines whether or not the dynamic JavaScript code should
-# inject the CSRF prevention token as a hidden field into HTML forms. The default
-# value is true. Developers are strongly discouraged from disabling this property
-# as most server-side state changing actions are triggered via a POST request.
-org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true
-
-# Boolean value that determines whether or not the dynamic JavaScript code should
-# inject the CSRF prevention token in the query string of src and href attributes.
-# Injecting the CSRF prevention token in a URL resource increases its general risk
-# of exposure to unauthorized parties. However, most JavaEE web applications respond
-# in the exact same manner to HTTP requests and their associated parameters regardless
-# of the HTTP method. The risk associated with not protecting GET requests in this
-# situation is perceived greater than the risk of exposing the token in protected GET
-# requests. As a result, the default value of this attribute is set to true. Developers
-# that are confident their server-side state changing controllers will only respond to
-# POST requests (i.e. discarding GET requests) are strongly encouraged to disable this property.
-org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true
-
-
-org.owasp.csrfguard.JavascriptServlet.xRequestedWith = OWASP CSRFGuard Project
-
-###########################
-## Config overlay settings if you have the provider above set to ConfigurationOverlayProvider
-## This CSRF config provider uses Internet2 Configuration Overlays (documented on Internet2 wiki)
-## By default the configuration is read from the Owasp.CsrfGuard.properties
-## (which should not be edited), and the Owasp.CsrfGuard.overlay.properties overlays
-## the base settings. See the Owasp.CsrfGuard.properties for the possible
-## settings that can be applied to the Owasp.CsrfGuard.overlay.properties
-###########################
-
-# comma separated config files that override each other (files on the right override the left)
-# each should start with file: or classpath:
-# e.g. classpath:Owasp.CsrfGuard.properties, file:c:/temp/myFile.properties
-org.owasp.csrfguard.configOverlay.hierarchy = classpath:Owasp.CsrfGuard.properties, classpath:Owasp.CsrfGuard.overlay.properties
-
-# seconds between checking to see if the config files are updated
-org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60
-
-
-###########################
-
http://git-wip-us.apache.org/repos/asf/airavata/blob/82e57526/modules/group-manager/src/main/resources/README.txt
----------------------------------------------------------------------
diff --git a/modules/group-manager/src/main/resources/README.txt b/modules/group-manager/src/main/resources/README.txt
deleted file mode 100755
index 5fd8001..0000000
--- a/modules/group-manager/src/main/resources/README.txt
+++ /dev/null
@@ -1,21 +0,0 @@
-====
- Copyright 2014 Internet2
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-====
-
-- All of the config files which have ".example" in them are examples of the real config files, with the same name without the ".example" in the name
-- So copy each of the *.example* files to a name without .example in it, and customize to your environment.
-- e.g. copy sources.example.xml to sources.xml, then customize
-- the .example shows you which files need customization, and will not prompt you to commit the real file to CVS (since it is ignored and not stored in CVS)
-- note some files without .example also might need customization (e.g. grouper.properties)
\ No newline at end of file
