| 1 | +# For testing new properties part of PR# 886. Hoping these are the only |
| 2 | +# properties that will be needed. TBD. |
| 3 | + |
| 4 | + |
| 5 | +ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder |
| 6 | + |
| 7 | +ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory |
| 8 | +#=========================================================================== |
| 9 | +# ESAPI Logging |
| 10 | +# Set the application name if these logs are combined with other applications |
| 11 | +Logger.ApplicationName=ExampleApplication |
| 12 | +# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true |
| 13 | +Logger.LogEncodingRequired=false |
| 14 | +# Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments. |
| 15 | +Logger.LogApplicationName=true |
| 16 | +# Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments. |
| 17 | +Logger.LogServerIP=true |
| 18 | +# Determines whether ESAPI should log the user info. |
| 19 | +Logger.UserInfo=true |
| 20 | +# Determines whether ESAPI should log the session id and client IP. |
| 21 | +Logger.ClientInfo=true |
| 22 | + |
| 23 | +# Determines whether ESAPI should log the prefix of [EVENT_TYPE - APPLICATION NAME]. |
| 24 | +# If all above Logger entries are set to false, as well as LogPrefix, then the output would be the same as if no ESAPI was used |
| 25 | +Logger.LogPrefix=true |
| 26 | + |
| 27 | +################## NEW PROPERTIES ################### |
| 28 | +# |
| 29 | +# NOTE: I still like the property name |
| 30 | +# ESAPI.enableLegCannonModeAndGetMyAssFired.methodNames" |
| 31 | +# and |
| 32 | +# ESAPI.enableLegCannonModeAndGetMyAssFired.methodNames" |
| 33 | +# better. Betcha those would be set a lot less often than this "more |
| 34 | +# professional" names will be. |
| 35 | +# |
| 36 | +######################################################################################## |
| 37 | +# The following methods are now disabled in the default configuration and must |
| 38 | +# be explicity enabled. If you try to invoke a method disabled by default, ESAPI |
| 39 | +# will thrown a NotConfiguredByDefaultException. |
| 40 | +# |
| 41 | +# The reason for this varies, but ranges from they are not really suitable for |
| 42 | +# enterprise scale to that are only marginally tested (if at all) versus the are |
| 43 | +# unsafe for general use, although them may be fine when combined with other |
| 44 | +# security-in-depth techiques. |
| 45 | +# |
| 46 | +# The disabled-by-default methods are: |
| 47 | +# org.owasp.esapi.reference.DefaultEncoder.encodeForSQL |
| 48 | +# org.owasp.esapi.ESAPI.accessController [FUTURE; will correspond to deprecation notice] |
| 49 | +# |
| 50 | +# The format is a comma-separated list of fully.Qualified.ClassName.methodName; |
| 51 | +# all class names must begin with "org.owasp.esapi.". |
| 52 | +ESAPI.dangerouslyAllowUnsafeMethods.methodNames= |
| 53 | + |
| 54 | +# Normally you would put some text here (that will be logged) that provides some |
| 55 | +# justification as to why you have enabled these functions. This can be |
| 56 | +# anythuing such as a Jira or ServiceNow ticket number, a security exception |
| 57 | +# reference, etc. If it is left empty, it will just like "Justification: none".` |
| 58 | +ESAPI.enableLegCannonModeAndGetMyAssFired.justification= |
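Review bot: the justification key at the end of the file, `ESAPI.enableLegCannonModeAndGetMyAssFired.justification=`, does not match the methodNames key `ESAPI.dangerouslyAllowUnsafeMethods.methodNames=` that the NEW PROPERTIES comment says is the "more professional" name actually adopted; unless the code reads both prefixes, the justification text will never be picked up and logged, so rename it to `ESAPI.dangerouslyAllowUnsafeMethods.justification=`. In the same NOTE block the name `ESAPI.enableLegCannonModeAndGetMyAssFired.methodNames"` is listed twice (the second was presumably meant to be the `.justification` variant) and both carry a stray trailing double quote. The explanatory comments also need a typo pass: "explicity", "will thrown", "versus the are", "them may be fine", "techiques", "anythuing", "it will just like" (missing "log" or "say"), and the stray backtick after `"Justification: none".`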