Comments (3)
As an absolute minimum, Encryptor.MasterKey and Encryptor.MasterSalt should be moved to a separate file (e.g., something like ESAPI-Encryptor.properties or Encryption.properties) because these properties need to be kept secret to all but a small set of individuals. For instance, in a production environment, developers should not even have read access to these properties; however, it is probable that they have read access to the other encryption-related properties such as
Original comment by [email protected]
on 7 Nov 2009 at 5:47
from owasp-esapi-java.
Although one could override the DefaultSecurityConfiguration and point to another file that includes those two properties, I think this desire would be commonplace and this feature should be part of the default implementation. I would also suggest a separate system property be defined which could point to the path of the new ESAPI-Encryptor.properties file so that it can reside outside the default .esapi "org.owasp.esapi.resources" directory if desired, to make it easier to protect using tighter file access controls, auditing, and backup procedures during deployment.
Original comment by [email protected]
on 8 Nov 2009 at 4:17
from owasp-esapi-java.
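The separate key file and path-override system property suggested in the comment above, sketched as an added example (this is not ESAPI project code and not code posted by any commenter). The property names Encryptor.MasterKey, Encryptor.MasterSalt, org.owasp.esapi.resources and the file name ESAPI-Encryptor.properties come from the thread; the override property name org.owasp.esapi.encryptor, the class name and the owner-only permission check are assumptions of this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Properties;
import java.util.Set;

/**
 * Illustrative loader for a separate ESAPI-Encryptor.properties file.
 * Hypothetical: the system property "org.owasp.esapi.encryptor" is an
 * assumption of this example, not an ESAPI API.
 */
public final class EncryptorKeyFileLoader {

    // Assumed override property: absolute path of the key file, outside .esapi
    static final String PATH_PROPERTY = "org.owasp.esapi.encryptor";
    static final String FILE_NAME = "ESAPI-Encryptor.properties";
    // Existing ESAPI property naming the resources directory (from the thread)
    static final String RESOURCES_PROPERTY = "org.owasp.esapi.resources";

    private EncryptorKeyFileLoader() {}

    /** Explicit path wins; otherwise <resources dir>/ESAPI-Encryptor.properties, defaulting to ./.esapi. */
    static Path resolve() {
        String explicit = System.getProperty(PATH_PROPERTY);
        if (explicit != null && !explicit.isEmpty()) {
            return Paths.get(explicit);
        }
        String resources = System.getProperty(RESOURCES_PROPERTY, ".esapi");
        return Paths.get(resources, FILE_NAME);
    }

    /** Refuse a key file that group or others can read; skipped on non-POSIX filesystems. */
    static void requireOwnerOnly(Path file) throws IOException {
        Set<PosixFilePermission> perms;
        try {
            perms = Files.getPosixFilePermissions(file);
        } catch (UnsupportedOperationException e) {
            return; // e.g. Windows: no POSIX permission bits to inspect
        }
        for (PosixFilePermission p : perms) {
            if (p != PosixFilePermission.OWNER_READ && p != PosixFilePermission.OWNER_WRITE) {
                throw new IOException(file + " must be readable only by its owner (found " + perms + ")");
            }
        }
    }

    /** Load Encryptor.MasterKey and Encryptor.MasterSalt from the separate file, failing closed if either is absent. */
    static Properties load() throws IOException {
        Path file = resolve();
        if (!Files.isRegularFile(file)) {
            throw new IOException("missing key file: " + file);
        }
        requireOwnerOnly(file);
        Properties p = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            p.load(in);
        }
        for (String key : new String[] {"Encryptor.MasterKey", "Encryptor.MasterSalt"}) {
            String value = p.getProperty(key);
            if (value == null || value.isEmpty()) {
                throw new IOException(key + " not set in " + file);
            }
        }
        return p;
    }

    public static void main(String[] args) throws IOException {
        Properties p = load();
        // Report presence only; the key and salt values are never logged.
        System.out.println("loaded " + p.size() + " encryptor properties from " + resolve());
    }
}
```

Run with `java -Dorg.owasp.esapi.encryptor=/etc/myapp/ESAPI-Encryptor.properties EncryptorKeyFileLoader` to point at a file held outside the web tree; keeping the general ESAPI.properties readable by developers while this file is owner-only for the service account is the separation the comment asks for.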
We need to abstract the entire key management process. I agree with all thoughts above.
Original comment by [email protected]
on 1 Nov 2010 at 6:02
- Changed state: Accepted
- Added labels: Milestone-Release2.1
from owasp-esapi-java.