############################################################################## # Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information # regarding copyright ownership. The ASF licenses this file # to you under the Apache License, Version 2.0 (the # "License"); you may not use this file except in compliance # with the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, # software distributed under the License is distributed on an # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. ############################################################################### #### # OFBiz Security Settings #### # -- define the password restrictions -- password.length.min=5 ### -- pattern based password OFBIZ-4958 security.login.password.pattern.enable=true security.login.password.pattern=^.*(?=.{5,}).*$ # This is a mix to handle the localisation of the OOTB pattern which is only a fixed length security.login.password.pattern.description=loginservices.password_must_be_least_characters_long # -- For More restrictive pattern you can use the following, no localisation- #security.login.password.pattern=^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$ #security.login.password.pattern.description=Your password must be 5 characters long, Only contains alphanumeric(number optional) and at least one from following special characters: !@#$%^&*. # Only contains alphanumeric and the following special characters: !@#$%^&* # Contains at least 1 of the special characters in the list above # The required special character can appear anywhere in the string (for example: !abc, a!bc, abc!) # minimum length 5 digit. # HELP # Start of group # ( # (?=.*\d) # must contains one digit from 0-9 # (?=.*[a-z]) # must contains one lowercase characters # (?=.*[A-Z]) # must contains one uppercase characters # (?=.*[!@#$%^&*]) # must contains one special symbols in the list "!@#$%^&*" # . # match anything with previous condition checking # {5,20} # length at least 5 characters and maximum of 20 # {5,} # minimum length 5 chars and no linitation to max length. # ) # End of group # For further password patterns look at # http://docs.oracle.com/javase/1.4.2/docs/api/java/util/regex/Pattern.html#sum # -- disable the account after this many logins -- max.failed.logins=3 # -- number of password change to be saved in UserLoginPasswordHistory. # -- passwords saved in history of userLoginId will not be allowed to be reused. # -- 0 to not save history at all password.change.history.limit=0 # Security Policy : Force user to reset login password in fix number of days - # To enable this functionality need to be a non zero number. And need to set as true. user.auto.change.password.enable=false user.change.password.days=90 user.change.password.notification.days=5 # -- disable the account for this many minutes (if 0, then indefinite) -- login.disable.minutes=5 # -- disable global logout -- login.disable.global.logout=false # -- store a record for each login attempt? -- store.login.history=true store.login.history.on.service.auth=false store.login.history.incorrect.password=true # -- disable impersonation security.disable.impersonation=true # -- if you want that an user cannot operate during an administrator impersonate his account. If true, it can be helpful for QA and dev site security.login.authorised.during.impersonate=false # -- should we encrypt (SHA Hash) the password? -- password.encrypt=true # -- specify the type of hash to use for one-way encryption, will be passed to java.security.MessageDigest.getInstance() -- # -- options may include: SHA, PBKDF2WithHmacSHA1, PBKDF2WithHmacSHA256, PBKDF2WithHmacSHA384, PBKDF2WithHmacSHA512 and etc password.encrypt.hash.type=SHA # -- if the type of hash to use for one-way encryption is PBKDF2WithHmacSHA1 or PBKDF2WithHmacSHA256 or PBKDF2WithHmacSHA384 or PBKDF2WithHmacSHA512 # -- the type of hash to use for one-way encryption needs iteration password.encrypt.pbkdf2.iterations=10000 # -- this is helpful to recover old accounts or to be able to login at all sometimes -- # -- SHOULD GENERALLY NOT BE TRUE FOR PRODUCTION SITES, but is useful for interim periods when going to password encryption -- password.accept.encrypted.and.plain=false # -- set request life time after a password change (like email) in hours, set -1 if you want disable it -- password.request.change.timeout=24 # -- should we convert usernames and passwords to lowercase? (useful for case insensitive usernames and passwords) -- username.lowercase=false password.lowercase=false # -- Use LDAP for user authentication? -- security.ldap.enable=false # -- Fail login if LDAP authentication fails? -- security.ldap.fail.login=false # -- should we allow x509 certificate login security.login.cert.allow=true # -- HTTP header based ID (for integrations; uncomment to enable) #security.login.http.header=REMOTE_USER # -- HttpServletRequest.getRemoteUser() based ID (for integration; uncomment to enable) # Use for external authentication solutions like CAS which overload the getRemoteUser method. #security.login.http.servlet.remoteuserlogin.allow=true # -- pattern for the userlogin id in CN section of certificate security.login.cert.pattern=^(\\w*\\s?\\w*)\\W*.*$ # -- Use Tomcat SingleSignOn valve to allow single sign on (SSO) and single log out (SLO). # -- Remember to set security.login.externalLoginKey.enabled to false when using Tomcat SSO. # -- Note Tomcat SSO is not implemented for cluster as Tomcat ClusterSingleSignOn is not used: OFBIZ-10123 security.login.tomcat.sso=false # -- Hours after which EmailAdressVerification should expire email_verification.expire.hours=48 # -- Name of the protect-view preprocessor method (this should not change, but in case...) protect-view.preprocessor=java.org.apache.ofbiz.webapp.control.ProtectViewWorker.checkProtectedView # -- Name of the default error response view for protected views ("none:" will be rendered as a blank page, see RequestHandler.java) #default.error.response.view=none: default.error.response.view=view:viewBlocked # -- If false, then no externalLoginKey parameters will be added to cross-webapp urls security.login.externalLoginKey.enabled=true # -- Security key used to encrypt and decrypt the autogenerated password in forgot password functionality. # Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key login.secret_key_string=login.secret_key_string # -- Time To Live of the token send to the external server in seconds, 10 seconds seems plenty enough OOTB. Custom projects might want set a lower value. security.jwt.token.expireTime=1800 # -- Enables the internal Single Sign On feature which allows a token based login between OFBiz instances # -- To make this work you also have to configure a secret key with security.token.key security.internal.sso.enabled=false # -- The secret key for the JWT token signature. Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key security.token.key=security.token.key # -- List of domains or IP addresses to be checked to prevent Host Header Injection, # -- no spaces after commas,no wildcard, can be extended of course... host-headers-allowed=localhost,127.0.0.1,__DOMAIN__ # -- By default the SameSite value in SameSiteFilter is 'strict'. # -- This property allows to change to 'lax' if needed. # -- If you use 'lax' we recommend that you set # -- org.apache.ofbiz.security.CsrfDefenseStrategy # -- for csrf.defense.strategy (see below) SameSiteCookieAttribute= # -- Freemarker TemplateClassResolver option, see OFBIZ-11709. # -- By default OFBiz uses the SAFER_RESOLVER because OOTB it does not use any of the Freemarker classes # -- that SAFER_RESOLVER prevents: ObjectConstructor, Execute and JythonRuntime. # -- If you need to use one to these classes you need to change the TemplateClassResolver # -- to UNRESTRICTED_RESOLVER and look at MemberAccessPolicy. In any cases better read # -- https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security templateClassResolver= #-- ===== UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, Audio and Video and ZIP #-- #-- No proprietary file formats (Excel, Word, etc.) are handled OOTB. #-- They can be handled by custom projects using https://github.com/righettod/document-upload-protection: #-- https://github.com/OWASP/www-projectchapter-example/blob/master/cheatsheets/Protect_FileUpload_Against_Malicious_File.md #-- Also Tika is an option, but you have to check Tika code, to be sure it's secure enough (ie don't use only metadata) #-- #-- Apache Commons Imaging is used for images. #-- For supported formats see https://commons.apache.org/proper/commons-imaging/formatsupport.html #-- Notably https://commons.apache.org/proper/commons-imaging/formatsupport.html#Metadata_Format_Support #-- OOTB OFBiz only supports PNG, GIF, TIFF and JPEG, it's a breeze to extend using more: #-- commonsImagingSupportedFormats=BMP,GIF,JPEG/JFIF,ICNS,ICO/CUR,PCX/DCX,PNM/PGM/PBM/PPM/PAMPortablePixmap,PNG,PSD/Photoshop,RGBE/RadianceHDR,\ TIFF,WBMP,XBM,XPM #-- You should then modify SupportedImageFormats label. #-- #-- If you want to get more image formats then use imageJ: #-- For imagejSupportedFormats see https://imagejdocu.tudor.lu/faq/general/which_file_formats_are_supported_by_imagej. NOTE: plugins support is important here #-- imagejSupportedFormats=TIFF(.tiff,.tif),JPEG(.jpeg,.jpg),BMP(.bmp),FITS(.fits),PGM(.pgm),PPM(.ppm),PBM(.pbm),GIF(.gif),AnimatedGIF(.gif),\ PNG(.png),DICOM(.dic,.dcm,.dicom),PICT(.pict,.pic,.pct),PSD(.psd),TGA(.tga),ICO(.ico),CUR(.cur),Sunraster(.sun),\ XBM(.xbm),XPM(.xpm),PCX(.pcx),ANALYZE,NIfTi,AHF(.ahf),SPE(.spe),PIC(.pic),LeicaTIFF(.tiff,.lei),Quicktime(.pic,.mov),\ AVI(.avi),PDS(.pds),LSM(.lsm),RAW,ISAC,FluoViewTIFF(.tiff),FluoviewFV1000OIB(.oib),\ FluoviewFV1000OIF(.oif,.tif,-ro.pty,.lut,.bmp),IPLAB(.ipl),BrukerNMR(.fid,.ser,.2dseq,.2rr,.2ii,.3rrr,.3iii),FDF(.fdf),\ VFF(.vff),SIF(.sif),AxioVisionZVI(.zvi),DM3(.dm3),Deltavision(.dv,.r3d),MI,NII,NIII,IMG(.img),UNC,PerkinElmer(.tif,.tim,\ .zpo,.csv,.htm,.ano,.rec,.cfg,.2,.3,.4,.5,.6,.7,.8,\u2026),EPS(.eps,.epsi),SEQ(.seq),IPW(.ipw),OpenLabLIFF(.liff),\ OpenLabRAW(.raw),Metamorph(.stk),ICS(.ics,.ids),LeicaLif(.lif),Imaris(.ims),OME-XML(.ome),OME-TIFF(.tiff),\ ABD-TIFF(.tiff),GEL(.gel),Nikon(.nef,.tiff),Slidebook(.sld),SPCImage(.sdt),AL3D(.al3d),ND2(.nd2),μManager(.tif,.txt),\ MRC(.mrc),JPEG2000(.jp2),MNG(.mng),Flex(.flex),NRRD(.nrrd,.nhdr),VIFFbitmapimage(.xv),ROI(.roi),ERS(.ers),RS(.rs),HPGL #-- #-- PDFBox and PDFReader are used for PDF files #-- #-- For text files, the philosophy is we can't presume of all possible text contents used for attacks with payloads #-- At least there is an easy way to prevent them in SecuredUpload::isValidTextFile #-- #-- List of denied files suffixes to be uploaded #-- OFBiz of course also check contents... deniedFileExtensions=html,htm,php,php1,php2,hph3,php4,php5,php6,php7,phps,asp,aspx,asa,asax,ascx,ashx,asmx,jsp,jspa,jspx,jsw,jsv,jspf,jtml,cfm,cfc,bat,exe,com,dll,\ vbs,js,reg,cgi,asis,sh,phtm,pht,phtml,shtm,inc,asp,cdx,asa,cer,py,pl,shtml,hta,ps1,tag,pgif,htaccess,phar,inc,cgi,wss,do,action #-- #-- The upload vulnerability is only a post-auth (needs a credential with suitable permissions), #-- people may like to allow more than what is allowed OOTB #-- As it name says, allowAllUploads opens all possibilities allowAllUploads= #-- #-- CSV format used to upload CSV files, cf. https://commons.apache.org/proper/commons-csv/apidocs/org/apache/commons/csv/CSVFormat.html csvformat=CSVFormat.DEFAULT #-- #-- List of denied tokens often part of webshells. Note that, for now at least, most are supposed to be used on a *nix system #-- TODO.... to be continued with known webshell contents... a complete allow list is impossible anyway... #-- #-- It could notably be improved by checking for all Javascripts payloads. #-- As listed at https://portswigger.net/web-security/cross-site-scripting/cheat-sheet, #-- at 2022-02-25 there are 8929 of them considering all tags, all events and all browsers...! #-- #-- "freemarker" should be OK, should not be used in Freemarker templates, not part of the syntax. #-- Else "template.utility.Execute" is a good replacement but not as much catching, who knows... #-- #-- If you are sure you are safe for a token you can remove it, etc. deniedWebShellTokens=java.,beans,freemarker,