mirror of
https://github.com/YunoHost-Apps/ofbiz_ynh.git
synced 2024-09-03 19:46:33 +02:00
265 lines
15 KiB
Properties
265 lines
15 KiB
Properties
##############################################################################
|
|
# Licensed to the Apache Software Foundation (ASF) under one
|
|
# or more contributor license agreements. See the NOTICE file
|
|
# distributed with this work for additional information
|
|
# regarding copyright ownership. The ASF licenses this file
|
|
# to you under the Apache License, Version 2.0 (the
|
|
# "License"); you may not use this file except in compliance
|
|
# with the License. You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing,
|
|
# software distributed under the License is distributed on an
|
|
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
# KIND, either express or implied. See the License for the
|
|
# specific language governing permissions and limitations
|
|
# under the License.
|
|
###############################################################################
|
|
####
|
|
# OFBiz Security Settings
|
|
####
|
|
|
|
# -- define the password restrictions --
|
|
password.length.min=5
|
|
|
|
### -- pattern based password OFBIZ-4958
|
|
security.login.password.pattern.enable=true
|
|
security.login.password.pattern=^.*(?=.{5,}).*$
|
|
# This is a mix to handle the localisation of the OOTB pattern which is only a fixed length
|
|
security.login.password.pattern.description=loginservices.password_must_be_least_characters_long
|
|
# -- For More restrictive pattern you can use the following, no localisation-
|
|
#security.login.password.pattern=^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$
|
|
#security.login.password.pattern.description=Your password must be 5 characters long, Only contains alphanumeric(number optional) and at least one from following special characters: !@#$%^&*.
|
|
# Only contains alphanumeric and the following special characters: !@#$%^&*
|
|
# Contains at least 1 of the special characters in the list above
|
|
# The required special character can appear anywhere in the string (for example: !abc, a!bc, abc!)
|
|
# minimum length 5 digit.
|
|
# HELP
|
|
# Start of group
|
|
# (
|
|
# (?=.*\d) # must contains one digit from 0-9
|
|
# (?=.*[a-z]) # must contains one lowercase characters
|
|
# (?=.*[A-Z]) # must contains one uppercase characters
|
|
# (?=.*[!@#$%^&*]) # must contains one special symbols in the list "!@#$%^&*"
|
|
# . # match anything with previous condition checking
|
|
# {5,20} # length at least 5 characters and maximum of 20
|
|
# {5,} # minimum length 5 chars and no linitation to max length.
|
|
# )
|
|
# End of group
|
|
# For further password patterns look at
|
|
# http://docs.oracle.com/javase/1.4.2/docs/api/java/util/regex/Pattern.html#sum
|
|
|
|
# -- disable the account after this many logins --
|
|
max.failed.logins=3
|
|
|
|
# -- number of password change to be saved in UserLoginPasswordHistory.
|
|
# -- passwords saved in history of userLoginId will not be allowed to be reused.
|
|
# -- 0 to not save history at all
|
|
password.change.history.limit=0
|
|
|
|
# Security Policy : Force user to reset login password in fix number of days -
|
|
# To enable this functionality <password.change.history.limit> need to be a non zero number. And <user.auto.change.password.enable> need to set as true.
|
|
user.auto.change.password.enable=false
|
|
user.change.password.days=90
|
|
user.change.password.notification.days=5
|
|
|
|
# -- disable the account for this many minutes (if 0, then indefinite) --
|
|
login.disable.minutes=5
|
|
|
|
# -- disable global logout --
|
|
login.disable.global.logout=false
|
|
|
|
# -- store a record for each login attempt? --
|
|
store.login.history=true
|
|
store.login.history.on.service.auth=false
|
|
store.login.history.incorrect.password=true
|
|
|
|
# -- disable impersonation
|
|
security.disable.impersonation=true
|
|
# -- if you want that an user cannot operate during an administrator impersonate his account. If true, it can be helpful for QA and dev site
|
|
security.login.authorised.during.impersonate=false
|
|
|
|
# -- should we encrypt (SHA Hash) the password? --
|
|
password.encrypt=true
|
|
|
|
# -- specify the type of hash to use for one-way encryption, will be passed to java.security.MessageDigest.getInstance() --
|
|
# -- options may include: SHA, PBKDF2WithHmacSHA1, PBKDF2WithHmacSHA256, PBKDF2WithHmacSHA384, PBKDF2WithHmacSHA512 and etc
|
|
password.encrypt.hash.type=SHA
|
|
|
|
# -- if the type of hash to use for one-way encryption is PBKDF2WithHmacSHA1 or PBKDF2WithHmacSHA256 or PBKDF2WithHmacSHA384 or PBKDF2WithHmacSHA512
|
|
# -- the type of hash to use for one-way encryption needs iteration
|
|
password.encrypt.pbkdf2.iterations=10000
|
|
|
|
# -- this is helpful to recover old accounts or to be able to login at all sometimes --
|
|
# -- SHOULD GENERALLY NOT BE TRUE FOR PRODUCTION SITES, but is useful for interim periods when going to password encryption --
|
|
password.accept.encrypted.and.plain=false
|
|
|
|
# -- set request life time after a password change (like email) in hours, set -1 if you want disable it --
|
|
password.request.change.timeout=24
|
|
|
|
# -- should we convert usernames and passwords to lowercase? (useful for case insensitive usernames and passwords) --
|
|
username.lowercase=false
|
|
password.lowercase=false
|
|
|
|
# -- Use LDAP for user authentication? --
|
|
security.ldap.enable=false
|
|
|
|
# -- Fail login if LDAP authentication fails? --
|
|
security.ldap.fail.login=false
|
|
|
|
# -- should we allow x509 certificate login
|
|
security.login.cert.allow=true
|
|
|
|
# -- HTTP header based ID (for integrations; uncomment to enable)
|
|
#security.login.http.header=REMOTE_USER
|
|
|
|
# -- HttpServletRequest.getRemoteUser() based ID (for integration; uncomment to enable)
|
|
# Use for external authentication solutions like CAS which overload the getRemoteUser method.
|
|
#security.login.http.servlet.remoteuserlogin.allow=true
|
|
|
|
# -- pattern for the userlogin id in CN section of certificate
|
|
security.login.cert.pattern=^(\\w*\\s?\\w*)\\W*.*$
|
|
|
|
# -- Use Tomcat SingleSignOn valve to allow single sign on (SSO) and single log out (SLO).
|
|
# -- Remember to set security.login.externalLoginKey.enabled to false when using Tomcat SSO.
|
|
# -- Note Tomcat SSO is not implemented for cluster as Tomcat ClusterSingleSignOn is not used: OFBIZ-10123
|
|
security.login.tomcat.sso=false
|
|
|
|
# -- Hours after which EmailAdressVerification should expire
|
|
email_verification.expire.hours=48
|
|
|
|
# -- Name of the protect-view preprocessor method (this should not change, but in case...)
|
|
protect-view.preprocessor=java.org.apache.ofbiz.webapp.control.ProtectViewWorker.checkProtectedView
|
|
|
|
# -- Name of the default error response view for protected views ("none:" will be rendered as a blank page, see RequestHandler.java)
|
|
#default.error.response.view=none:
|
|
default.error.response.view=view:viewBlocked
|
|
|
|
# -- If false, then no externalLoginKey parameters will be added to cross-webapp urls
|
|
security.login.externalLoginKey.enabled=true
|
|
|
|
# -- Security key used to encrypt and decrypt the autogenerated password in forgot password functionality.
|
|
# Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key
|
|
login.secret_key_string=login.secret_key_string
|
|
|
|
# -- Time To Live of the token send to the external server in seconds, 10 seconds seems plenty enough OOTB. Custom projects might want set a lower value.
|
|
security.jwt.token.expireTime=1800
|
|
|
|
# -- Enables the internal Single Sign On feature which allows a token based login between OFBiz instances
|
|
# -- To make this work you also have to configure a secret key with security.token.key
|
|
security.internal.sso.enabled=false
|
|
|
|
# -- The secret key for the JWT token signature. Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key
|
|
security.token.key=security.token.key
|
|
|
|
# -- List of domains or IP addresses to be checked to prevent Host Header Injection,
|
|
# -- no spaces after commas,no wildcard, can be extended of course...
|
|
host-headers-allowed=localhost,127.0.0.1,__DOMAIN__
|
|
|
|
# -- By default the SameSite value in SameSiteFilter is 'strict'.
|
|
# -- This property allows to change to 'lax' if needed.
|
|
# -- If you use 'lax' we recommend that you set
|
|
# -- org.apache.ofbiz.security.CsrfDefenseStrategy
|
|
# -- for csrf.defense.strategy (see below)
|
|
SameSiteCookieAttribute=
|
|
|
|
# -- Freemarker TemplateClassResolver option, see OFBIZ-11709.
|
|
# -- By default OFBiz uses the SAFER_RESOLVER because OOTB it does not use any of the Freemarker classes
|
|
# -- that SAFER_RESOLVER prevents: ObjectConstructor, Execute and JythonRuntime.
|
|
# -- If you need to use one to these classes you need to change the TemplateClassResolver
|
|
# -- to UNRESTRICTED_RESOLVER and look at MemberAccessPolicy. In any cases better read
|
|
# -- https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security
|
|
templateClassResolver=
|
|
|
|
|
|
#-- ===== UPLOAD: supported file formats are *safe* PNG, GIF, TIFF, JPEG, PDF, Audio and Video and ZIP
|
|
#--
|
|
#-- No proprietary file formats (Excel, Word, etc.) are handled OOTB.
|
|
#-- They can be handled by custom projects using https://github.com/righettod/document-upload-protection:
|
|
#-- https://github.com/OWASP/www-projectchapter-example/blob/master/cheatsheets/Protect_FileUpload_Against_Malicious_File.md
|
|
#-- Also Tika is an option, but you have to check Tika code, to be sure it's secure enough (ie don't use only metadata)
|
|
#--
|
|
#-- Apache Commons Imaging is used for images.
|
|
#-- For supported formats see https://commons.apache.org/proper/commons-imaging/formatsupport.html
|
|
#-- Notably https://commons.apache.org/proper/commons-imaging/formatsupport.html#Metadata_Format_Support
|
|
#-- OOTB OFBiz only supports PNG, GIF, TIFF and JPEG, it's a breeze to extend using more:
|
|
#-- commonsImagingSupportedFormats=BMP,GIF,JPEG/JFIF,ICNS,ICO/CUR,PCX/DCX,PNM/PGM/PBM/PPM/PAMPortablePixmap,PNG,PSD/Photoshop,RGBE/RadianceHDR,\
|
|
TIFF,WBMP,XBM,XPM
|
|
#-- You should then modify SupportedImageFormats label.
|
|
#--
|
|
#-- If you want to get more image formats then use imageJ:
|
|
#-- For imagejSupportedFormats see https://imagejdocu.tudor.lu/faq/general/which_file_formats_are_supported_by_imagej. NOTE: plugins support is important here
|
|
#-- imagejSupportedFormats=TIFF(.tiff,.tif),JPEG(.jpeg,.jpg),BMP(.bmp),FITS(.fits),PGM(.pgm),PPM(.ppm),PBM(.pbm),GIF(.gif),AnimatedGIF(.gif),\
|
|
PNG(.png),DICOM(.dic,.dcm,.dicom),PICT(.pict,.pic,.pct),PSD(.psd),TGA(.tga),ICO(.ico),CUR(.cur),Sunraster(.sun),\
|
|
XBM(.xbm),XPM(.xpm),PCX(.pcx),ANALYZE,NIfTi,AHF(.ahf),SPE(.spe),PIC(.pic),LeicaTIFF(.tiff,.lei),Quicktime(.pic,.mov),\
|
|
AVI(.avi),PDS(.pds),LSM(.lsm),RAW,ISAC,FluoViewTIFF(.tiff),FluoviewFV1000OIB(.oib),\
|
|
FluoviewFV1000OIF(.oif,.tif,-ro.pty,.lut,.bmp),IPLAB(.ipl),BrukerNMR(.fid,.ser,.2dseq,.2rr,.2ii,.3rrr,.3iii),FDF(.fdf),\
|
|
VFF(.vff),SIF(.sif),AxioVisionZVI(.zvi),DM3(.dm3),Deltavision(.dv,.r3d),MI,NII,NIII,IMG(.img),UNC,PerkinElmer(.tif,.tim,\
|
|
.zpo,.csv,.htm,.ano,.rec,.cfg,.2,.3,.4,.5,.6,.7,.8,\u2026),EPS(.eps,.epsi),SEQ(.seq),IPW(.ipw),OpenLabLIFF(.liff),\
|
|
OpenLabRAW(.raw),Metamorph(.stk),ICS(.ics,.ids),LeicaLif(.lif),Imaris(.ims),OME-XML(.ome),OME-TIFF(.tiff),\
|
|
ABD-TIFF(.tiff),GEL(.gel),Nikon(.nef,.tiff),Slidebook(.sld),SPCImage(.sdt),AL3D(.al3d),ND2(.nd2),μManager(.tif,.txt),\
|
|
MRC(.mrc),JPEG2000(.jp2),MNG(.mng),Flex(.flex),NRRD(.nrrd,.nhdr),VIFFbitmapimage(.xv),ROI(.roi),ERS(.ers),RS(.rs),HPGL
|
|
#--
|
|
#-- PDFBox and PDFReader are used for PDF files
|
|
#--
|
|
#-- For text files, the philosophy is we can't presume of all possible text contents used for attacks with payloads
|
|
#-- At least there is an easy way to prevent them in SecuredUpload::isValidTextFile
|
|
#--
|
|
#-- List of denied files suffixes to be uploaded
|
|
#-- OFBiz of course also check contents...
|
|
deniedFileExtensions=html,htm,php,php1,php2,hph3,php4,php5,php6,php7,phps,asp,aspx,asa,asax,ascx,ashx,asmx,jsp,jspa,jspx,jsw,jsv,jspf,jtml,cfm,cfc,bat,exe,com,dll,\
|
|
vbs,js,reg,cgi,asis,sh,phtm,pht,phtml,shtm,inc,asp,cdx,asa,cer,py,pl,shtml,hta,ps1,tag,pgif,htaccess,phar,inc,cgi,wss,do,action
|
|
#--
|
|
#-- The upload vulnerability is only a post-auth (needs a credential with suitable permissions),
|
|
#-- people may like to allow more than what is allowed OOTB
|
|
#-- As it name says, allowAllUploads opens all possibilities
|
|
allowAllUploads=
|
|
|
|
#--
|
|
#-- CSV format used to upload CSV files, cf. https://commons.apache.org/proper/commons-csv/apidocs/org/apache/commons/csv/CSVFormat.html
|
|
csvformat=CSVFormat.DEFAULT
|
|
|
|
|
|
#--
|
|
#-- List of denied tokens often part of webshells. Note that, for now at least, most are supposed to be used on a *nix system
|
|
#-- TODO.... to be continued with known webshell contents... a complete allow list is impossible anyway...
|
|
#--
|
|
#-- It could notably be improved by checking for all Javascripts payloads.
|
|
#-- As listed at https://portswigger.net/web-security/cross-site-scripting/cheat-sheet,
|
|
#-- at 2022-02-25 there are 8929 of them considering all tags, all events and all browsers...!
|
|
#--
|
|
#-- "freemarker" should be OK, should not be used in Freemarker templates, not part of the syntax.
|
|
#-- Else "template.utility.Execute" is a good replacement but not as much catching, who knows...
|
|
#--
|
|
#-- If you are sure you are safe for a token you can remove it, etc.
|
|
deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,body ,<form,<jsp:,<c:out,taglib,<prefix,<%@ page,<?php,exec(,alert(,\
|
|
%eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page ,\
|
|
chmod,mkdir,fopen,fclose,new file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build,\
|
|
python,perl ,/perl,ruby ,/ruby,process,function,class,InputStream,to_server,wget ,static,assign,webappPath,\
|
|
ifconfig,route,crontab,netstat,uname ,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,thread,require,gzdeflate
|
|
|
|
#-- Max line length for uploaded files, by default 10000
|
|
maxLineLength=
|
|
|
|
#-- Popup last-visited time from database after user has logged in.
|
|
#-- So users can know of any unauthorised access to their accounts.
|
|
#-- Default is false.
|
|
afterlogin.lastvisit.show=
|
|
|
|
#-- uri used for login (cf jira OFBIZ-12047)
|
|
#-- it's a list, each uri should be separated by comma, without space
|
|
login.uris=login
|
|
|
|
#-- If you need to use localhost or 127.0.0.1 in textareas URLs then you can uncomment the allowedProtocols property, here given as an example
|
|
#-- You may also put other protocols you want to use, instead or with those
|
|
allowedProtocols=localhost,127.0.0.1
|
|
|
|
#-- By default (OOTB) OFBiz is protected against Large File Denial of Service because build.gradle defines -Xmx1024M
|
|
#-- So you can at most upload a file around 500MB (see OFBIZ-11534 for more info)
|
|
#-- If you need to upload larger files then follow https://nightlies.apache.org/ofbiz/trunk/readme/html5/#passing-jvm-runtime-options-to-ofbiz
|
|
|
|
#-- Prevent Freemarker exploits
|
|
#-- eg: allowedURIsForFreemarkerInterpolation=createTextContentCms,updateTextContentCms,...
|
|
allowedURIsForFreemarkerInterpolation=
|
|
|