Merge pull request #223 from harshanL/master

Added OWASP configurations to IoT pack.
2025-09-16 23:32:19 +00:00 · 2016-12-16 11:02:23 +05:30 · 2016-12-16 11:02:23 +05:30 · b0d1c73888
commit b0d1c73888
parent e35560f703 5de373b6c2
3 changed files with 199 additions and 8 deletions
--- a/modules/core/distribution/src/assembly/bin.xml
+++ b/modules/core/distribution/src/assembly/bin.xml
@ -113,6 +113,7 @@
                <exclude>**/conf/log4j.properties</exclude>
                <exclude>**/repository/conf/security/Owasp.CsrfGuard.Carbon.properties</exclude>
                <exclude>**/repository/components/plugins/httpclient_4.3.2.wso2v1.jar</exclude>
+                <exclude>**/conf/tomcat/carbon/WEB-INF/web.xml</exclude>
            </excludes>
        </fileSet>

@ -701,6 +702,11 @@
    </dependencySets>

    <files>
+        <file>
+            <source>src/repository/conf/tomcat/carbon/WEB-INF/web.xml</source>
+            <outputDirectory>${pom.artifactId}-${pom.version}/repository/conf/tomcat/carbon/WEB-INF</outputDirectory>
+            <fileMode>755</fileMode>
+        </file>
        <file>
            <source>src/repository/bin/wso2server.sh</source>
            <outputDirectory>${pom.artifactId}-${pom.version}/bin</outputDirectory>
--- a/modules/core/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties
+++ b/modules/core/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties
@ -450,15 +450,15 @@ org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60
 org.owasp.csrfguard.unprotected.Services=%servletContext%/services/*
 org.owasp.csrfguard.unprotected.oauth=%servletContext%/commonauth/*
 org.owasp.csrfguard.unprotected.samlsso=%servletContext%/samlsso/*
-org.owasp.csrfguard.unprotected.authenticationendpoint=%servletContext%/authenticationendpoint/*
+org.owasp.csrfguard.unprotected.authenticationEndpoint=%servletContext%/authenticationendpoint/*
 org.owasp.csrfguard.unprotected.wso2=%servletContext%/wso2/*
 org.owasp.csrfguard.unprotected.oauth2=%servletContext%/oauth2/*
-org.owasp.csrfguard.unprotected.openid=%servletContext%/openid/*
-org.owasp.csrfguard.unprotected.openidserver=%servletContext%/openidserver/*
+org.owasp.csrfguard.unprotected.openId=%servletContext%/openid/*
+org.owasp.csrfguard.unprotected.openIdServer=%servletContext%/openidserver/*
 org.owasp.csrfguard.unprotected.passivests=%servletContext%/passivests/*
 org.owasp.csrfguard.unprotected.thrift=%servletContext%/thriftAuthenticator/*
-org.owasp.csrfguard.unprotected.publisher.rest.api=%servletContext%/api/appm/publisher/*
-org.owasp.csrfguard.unprotected.store.rest.api=%servletContext%/api/appm/store/*
-org.owasp.csrfguard.unprotected.certificate.mgt.rest.api=%servletContext%/api/certificate-mgt/*
-org.owasp.csrfguard.unprotected.device.mgt.rest.api=%servletContext%/api/device-mgt/*
-org.owasp.csrfguard.unprotected.dcr.rest.api=%servletContext%/dynamic-client-web/*
+org.owasp.csrfguard.unprotected.publisherRestApi=%servletContext%/api/appm/publisher/*
+org.owasp.csrfguard.unprotected.storeRestApi=%servletContext%/api/appm/store/*
+org.owasp.csrfguard.unprotected.certificateMgtRestApi=%servletContext%/api/certificate-mgt/*
+org.owasp.csrfguard.unprotected.deviceMgtRestApi=%servletContext%/api/device-mgt/*
+org.owasp.csrfguard.unprotected.dcrRestApi=%servletContext%/dynamic-client-web/*
--- a/modules/core/distribution/src/repository/conf/tomcat/carbon/WEB-INF/web.xml
+++ b/modules/core/distribution/src/repository/conf/tomcat/carbon/WEB-INF/web.xml
@ -0,0 +1,185 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+  ~
+  ~ WSO2 Inc. licenses this file to you under the Apache License,
+  ~ Version 2.0 (the "License"); you may not use this file except
+  ~ in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~   http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing,
+  ~ software distributed under the License is distributed on an
+  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  ~ KIND, either express or implied.  See the License for the
+  ~ specific language governing permissions and limitations
+  ~ under the License.
+  -->
+
+<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
+        "http://java.sun.com/dtd/web-app_2_3.dtd">
+<web-app id="WebApp">
+    <!-- OWASP CSRFGuard per-application configuration property file location-->
+    <context-param>
+        <param-name>Owasp.CsrfGuard.Config</param-name>
+        <param-value>repository/conf/security/Owasp.CsrfGuard.Carbon.properties</param-value>
+    </context-param>
+    <servlet id="bridge">
+        <servlet-name>bridgeservlet</servlet-name>
+        <display-name>Carbon Bridge Servlet</display-name>
+        <description>Carbon Bridge Servlet</description>
+        <servlet-class>org.wso2.carbon.tomcat.ext.servlet.DelegationServlet</servlet-class>
+        <load-on-startup>1</load-on-startup>
+    </servlet>
+    <!-- OWASP CSRFGuard servlet that serves dynamic token injection JavaScript-->
+    <servlet>
+        <servlet-name>JavaScriptServlet</servlet-name>
+        <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>bridgeservlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+    <!--
+       This is required if your application bundles expose JSPs.
+     -->
+    <servlet-mapping>
+        <servlet-name>bridgeservlet</servlet-name>
+        <url-pattern>*.jsp</url-pattern>
+    </servlet-mapping>
+    <servlet-mapping>
+        <servlet-name>JavaScriptServlet</servlet-name>
+        <url-pattern>/carbon/admin/js/csrfPrevention.js</url-pattern>
+    </servlet-mapping>
+    <!--This is for performing the character encoding in the JSPs. -->
+    <filter>
+        <filter-name>CharsetFilter</filter-name>
+        <filter-class>org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter</filter-class>
+        <init-param>
+            <param-name>requestEncoding</param-name>
+            <param-value>UTF-8</param-value>
+        </init-param>
+    </filter>
+    <!-- OWASP CSRFGuard filter used to validate CSRF token-->
+    <filter>
+        <filter-name>CSRFGuard</filter-name>
+        <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
+    </filter>
+    <!-- Tomcat http header security filter -->
+    <filter>
+        <filter-name>HttpHeaderSecurityFilter</filter-name>
+        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+        <init-param>
+            <param-name>hstsEnabled</param-name>
+            <param-value>false</param-value>
+        </init-param>
+    </filter>
+    <filter-mapping>
+        <filter-name>HttpHeaderSecurityFilter</filter-name>
+        <url-pattern>*</url-pattern>
+    </filter-mapping>
+    <filter>
+        <filter-name>HttpHeaderSecurityFilter_AntiClickJacking_SpecialURL</filter-name>
+        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
+        <!-- Disable other headers except X-Frame-Options (not required, but enhances performance)-->
+        <init-param>
+            <param-name>hstsEnabled</param-name>
+            <param-value>false</param-value>
+        </init-param>
+        <init-param>
+            <param-name>blockContentTypeSniffingEnabled</param-name>
+            <param-value>false</param-value>
+        </init-param>
+        <init-param>
+            <param-name>xssProtectionEnabled</param-name>
+            <param-value>false</param-value>
+        </init-param>
+        <init-param>
+            <param-name>antiClickJackingOption</param-name>
+            <param-value>SAMEORIGIN</param-value>
+        </init-param>
+    </filter>
+    <filter>
+        <filter-name>URLBasedCachePreventionFilter</filter-name>
+        <filter-class>org.wso2.carbon.ui.filters.cache.URLBasedCachePreventionFilter</filter-class>
+    </filter>
+    <filter-mapping>
+        <filter-name>HttpHeaderSecurityFilter_AntiClickJacking_SpecialURL</filter-name>
+        <url-pattern>/samlsso</url-pattern>
+    </filter-mapping>
+    <filter-mapping>
+        <filter-name>CharsetFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+    <filter-mapping>
+        <filter-name>CSRFGuard</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+    <filter-mapping>
+        <filter-name>URLBasedCachePreventionFilter</filter-name>
+        <url-pattern>*.jsp</url-pattern>
+    </filter-mapping>
+    <!-- OWASP CSRFGuard context listener used to read CSRF configuration -->
+    <listener>
+        <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
+    </listener>
+    <!-- OWASP CSRFGuard session listener used to generate per-session CSRF token -->
+    <listener>
+        <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
+    </listener>
+    <session-config>
+        <session-timeout>15</session-timeout>
+        <cookie-config>
+            <secure>true</secure>
+        </cookie-config>
+    </session-config>
+    <!-- custom error pages -->
+    <error-page>
+        <error-code>400</error-code>
+        <location>/carbon/errors/error_400.html</location>
+    </error-page>
+    <error-page>
+        <error-code>401</error-code>
+        <location>/carbon/errors/error_401.html</location>
+    </error-page>
+    <error-page>
+        <error-code>403</error-code>
+        <location>/carbon/errors/error_403.html</location>
+    </error-page>
+    <error-page>
+        <error-code>404</error-code>
+        <location>/carbon/errors/error_404.html</location>
+    </error-page>
+    <error-page>
+        <error-code>405</error-code>
+        <location>/carbon/errors/error_405.html</location>
+    </error-page>
+    <error-page>
+        <error-code>408</error-code>
+        <location>/carbon/errors/error_408.html</location>
+    </error-page>
+    <error-page>
+        <error-code>410</error-code>
+        <location>/carbon/errors/error_410.html</location>
+    </error-page>
+    <error-page>
+        <error-code>500</error-code>
+        <location>/carbon/errors/error_500.html</location>
+    </error-page>
+    <error-page>
+        <error-code>502</error-code>
+        <location>/carbon/errors/error_502.html</location>
+    </error-page>
+    <error-page>
+        <error-code>503</error-code>
+        <location>/carbon/errors/error_503.html</location>
+    </error-page>
+    <error-page>
+        <error-code>504</error-code>
+        <location>/carbon/errors/error_504.html</location>
+    </error-page>
+    <error-page>
+        <location>/carbon/errors/error.html</location>
+    </error-page>
+</web-app>