Class SecuritySettings

java.lang.Object
  org.silverpeas.core.util.security.SecuritySettings

public class SecuritySettings extends Object

User: Yohann Chastagnier Date: 05/03/14
Nested Class Summary

static class SecuritySettings.Registration

Method Summary

All methods are static and concrete.

static String getAllowedDefaultSourcesInCSP()
static List<String> getAllowedDomains()
    Gets the URLs of all the domains that are authorized to be accessed from Silverpeas.
static String getAllowedScriptSourcesInCSP()
static String getAllowedStyleSourcesInCSP()
static String getIFrameSandboxTagAttribute()
    Gets the formatted sandbox iframe attribute for external contents.
static long getStrictTransportSecurityExpirationTime()
    How many seconds the client must remember that Silverpeas has to be accessed only over HTTPS.
static boolean isSessionTokenRenewEnabled()
    Is the renewal of the synchronizer tokens used to protect a user session enabled?
static boolean isStrictTransportSecurityEnabled()
    Is Strict Transport Security enabled?
static boolean isWebContentInjectionSecurityEnabled()
    Is the content injection security mechanism enabled?
static boolean isWebSecurityByTokensEnabled()
    Is the security mechanism based on the synchronizer token pattern enabled?
static boolean isWebSqlInjectionSecurityEnabled()
    Is the SQL injection security mechanism enabled?
static boolean isWebXssInjectionSecurityEnabled()
    Is the XSS injection security mechanism enabled?
static SecuritySettings.Registration registration()
static String skippedParametersAboutWebSqlInjectionSecurity()
    Indicates the parameters for which the SQL injection verification must be bypassed.
static String skippedParametersAboutWebXssInjectionSecurity()
    Indicates the parameters for which the XSS injection verification must be bypassed.
Method Detail

isWebSqlInjectionSecurityEnabled
public static boolean isWebSqlInjectionSecurityEnabled()
Is the SQL injection security mechanism enabled?
Returns: true if the security mechanism is enabled for Silverpeas, false otherwise.

skippedParametersAboutWebSqlInjectionSecurity
public static String skippedParametersAboutWebSqlInjectionSecurity()
Indicates the parameters for which the SQL injection verification must be bypassed.
Returns: a regular expression, as a string, identifying the parameters to skip.

isWebXssInjectionSecurityEnabled
public static boolean isWebXssInjectionSecurityEnabled()
Is the XSS injection security mechanism enabled?
Returns: true if the security mechanism is enabled for Silverpeas, false otherwise.

skippedParametersAboutWebXssInjectionSecurity
public static String skippedParametersAboutWebXssInjectionSecurity()
Indicates the parameters for which the XSS injection verification must be bypassed.
Returns: a regular expression, as a string, identifying the parameters to skip.
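Both skippedParametersAbout... methods hand back a regular expression that exempts some request parameters from an injection check. The following is an added example, not Silverpeas code, of how such a regexp can be compiled once and applied to parameter names: the class and method names are chosen here, the sample parameter names are constructed, and the page does not say how Silverpeas itself evaluates the regexp, so the whole-name matching and the warnings are choices made for this example.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import java.util.stream.Collectors;

// Added example (not Silverpeas code): applies a "skipped parameters" regexp, such as
// the one returned by skippedParametersAboutWebSqlInjectionSecurity() or
// skippedParametersAboutWebXssInjectionSecurity(), to request parameter names before
// an injection check. SkippedParameters and its methods are names chosen here.
public final class SkippedParameters {

  private final Pattern skipped; // null when nothing is exempted

  private SkippedParameters(Pattern skipped) {
    this.skipped = skipped;
  }

  /**
   * Compiles the configured regexp once. An empty or invalid regexp exempts nothing
   * (the safe direction); a regexp that also matches an ordinary name is reported,
   * because it effectively switches the injection check off.
   */
  static SkippedParameters fromRegexp(String regexp) {
    if (regexp == null || regexp.trim().isEmpty()) {
      return new SkippedParameters(null);
    }
    try {
      Pattern pattern = Pattern.compile(regexp.trim());
      // Smoke test with a name that should never be exempted.
      if (pattern.matcher("anyOrdinaryParameter").matches()) {
        System.err.println("skip regexp '" + regexp + "' exempts arbitrary parameters");
      }
      return new SkippedParameters(pattern);
    } catch (PatternSyntaxException e) {
      System.err.println("ignoring invalid skip regexp '" + regexp + "': " + e.getDescription());
      return new SkippedParameters(null);
    }
  }

  /**
   * True when the parameter must still be verified. matches() requires the whole name
   * to match; find() would also exempt "contentId" for a regexp meant to exempt "content".
   */
  boolean mustVerify(String parameterName) {
    return skipped == null || !skipped.matcher(parameterName).matches();
  }

  /** Names of the parameters that still go through the injection check. */
  List<String> toVerify(List<String> parameterNames) {
    return parameterNames.stream().filter(this::mustVerify).collect(Collectors.toList());
  }

  public static void main(String[] args) {
    // Constructed sample: exempt rich-text editor fields only; "wysiwyg" alone has no
    // underscore and so is still verified.
    SkippedParameters skip = SkippedParameters.fromRegexp("(wysiwyg|editor)_.*");
    List<String> names = Arrays.asList("wysiwyg_body", "editor_title", "userId", "wysiwyg");
    System.out.println(skip.toVerify(names));
    // A permissive configuration is flagged when it is loaded.
    SkippedParameters.fromRegexp(".*");
  }
}
```

In a Silverpeas deployment the argument to fromRegexp would be the value returned by skippedParametersAboutWebSqlInjectionSecurity() or skippedParametersAboutWebXssInjectionSecurity(). The point worth keeping from the example is that a skip regexp is a hole punched in the verification, so it should name the exempted parameters precisely and be checked at load time rather than silently widened.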
isWebSecurityByTokensEnabled
public static boolean isWebSecurityByTokensEnabled()
Is the security mechanism based on the synchronizer token pattern enabled?
Returns: true if the security mechanism is enabled for Silverpeas, false otherwise.

isSessionTokenRenewEnabled
public static boolean isSessionTokenRenewEnabled()
Is the renewal of the synchronizer tokens used to protect a user session enabled?
Returns: true if the renewal of session tokens is enabled in Silverpeas, false otherwise.
isStrictTransportSecurityEnabled
public static boolean isStrictTransportSecurityEnabled()
Is Strict Transport Security enabled? Strict Transport Security can be used only with secured connections. It ensures only HTTPS connections are used and hence asks the client to switch any HTTP connection to an HTTPS connection.
Returns: true if Strict Transport Security must be used, false otherwise.

getStrictTransportSecurityExpirationTime
public static long getStrictTransportSecurityExpirationTime()
How many seconds the client must remember that Silverpeas has to be accessed only over HTTPS. Strict Transport Security can be used only with secured connections. It ensures only HTTPS connections are used and hence asks the client to switch any HTTP connection to an HTTPS connection.
Returns: a number of seconds, or 0 if there is no expiration time.
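The two settings above describe whether and for how long the client must pin Silverpeas to HTTPS. The following added example, which is not Silverpeas code, turns them into the Strict-Transport-Security response header and handles the two cases a practitioner has to get right: the header is only meaningful on a response that itself travelled over TLS, and a literal max-age=0 would make the browser forget the policy rather than keep it without expiry. The class and method names are chosen here, the sample values are constructed, and the decision to omit the header when the expiration time is 0 is an assumption, since the page does not say what 0 maps to.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not Silverpeas code): builds the Strict-Transport-Security header from
// the two settings documented above. HstsHeader and its methods are names chosen here;
// in Silverpeas the inputs come from SecuritySettings.isStrictTransportSecurityEnabled()
// and SecuritySettings.getStrictTransportSecurityExpirationTime().
public final class HstsHeader {

  static final String NAME = "Strict-Transport-Security";

  private HstsHeader() {}

  /**
   * Returns the header value to send, or null when the header must not be sent.
   *
   * @param enabled       value of isStrictTransportSecurityEnabled()
   * @param secureRequest whether the request itself arrived over TLS
   * @param maxAgeSeconds value of getStrictTransportSecurityExpirationTime()
   */
  static String value(boolean enabled, boolean secureRequest, long maxAgeSeconds) {
    if (!enabled) {
      return null;
    }
    // Browsers ignore HSTS on plain-HTTP responses, and the page states the feature only
    // works with secured connections, so never emit it for an insecure request.
    if (!secureRequest) {
      return null;
    }
    // RFC 6797: max-age=0 tells the client to discard any cached policy, so the
    // "0 = no expiration time" return value must not be written literally. This example
    // omits the header in that case (an assumption; the page does not define what 0 maps to).
    if (maxAgeSeconds <= 0) {
      return null;
    }
    return "max-age=" + maxAgeSeconds;
  }

  /** Applies the header to a response; call from a servlet filter before the response is committed. */
  static void apply(HttpServletRequest request, HttpServletResponse response,
      boolean enabled, long maxAgeSeconds) {
    String headerValue = value(enabled, request.isSecure(), maxAgeSeconds);
    if (headerValue != null && !response.isCommitted()) {
      response.setHeader(NAME, headerValue);
    }
  }

  public static void main(String[] args) {
    // Constructed inputs: one year in seconds is a common max-age.
    System.out.println(value(true, true, 31536000L));
    System.out.println(value(true, false, 31536000L));
    System.out.println(value(true, true, 0L));
  }
}
```

One deployment caveat: behind a TLS-terminating reverse proxy, request.isSecure() reports false unless the servlet container is configured to trust the proxy's forwarded-protocol header, in which case the header would never be sent even with the setting enabled.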
getAllowedDomains
public static List<String> getAllowedDomains()
Gets the URLs of all the domains that are authorized to be accessed from Silverpeas. By default, if the list is empty, only web resources coming from Silverpeas itself are authorized. If the list has exactly one element and that element is "*", no CORS protection is enabled. Otherwise, only the specified domains are authorized by the CORS protection to be accessed from Silverpeas.
Returns: a list of URIs identifying the domains that are authorized to be accessed from Silverpeas.
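The description above gives three rules for interpreting the list: empty means Silverpeas only, a lone "*" means no protection, anything else is an allow-list. The following added example, not Silverpeas code, applies those rules to the Origin header of a request and compares origins as whole scheme/host/port tuples, since a prefix or substring comparison of the Origin value is the classic way an allow-list gets bypassed. The class and method names are chosen here and the origins in main are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;

// Added example (not Silverpeas code): applies the three rules documented for
// getAllowedDomains() to the Origin header of a request. CorsOriginCheck and its methods
// are names chosen here; in Silverpeas the list comes from SecuritySettings.getAllowedDomains().
public final class CorsOriginCheck {

  private CorsOriginCheck() {}

  /**
   * Returns the value to send in Access-Control-Allow-Origin, or null when the request
   * must be refused. selfOrigin is the origin Silverpeas itself is served from.
   */
  static String allowedOrigin(List<String> allowedDomains, String requestOrigin, String selfOrigin) {
    if (requestOrigin == null || requestOrigin.isEmpty()) {
      return null; // no Origin header, nothing to allow
    }
    // Rule 1: empty setting, only Silverpeas itself.
    if (allowedDomains == null || allowedDomains.isEmpty()) {
      return sameOrigin(requestOrigin, selfOrigin) ? requestOrigin : null;
    }
    // Rule 2: a single "*", no CORS protection at all.
    if (allowedDomains.size() == 1 && "*".equals(allowedDomains.get(0).trim())) {
      return "*";
    }
    // Rule 3: only the listed domains, compared as whole origins.
    for (String domain : allowedDomains) {
      if (sameOrigin(requestOrigin, domain)) {
        return requestOrigin;
      }
    }
    return null;
  }

  /** Compares scheme, host and effective port; a startsWith/contains test would be bypassable. */
  static boolean sameOrigin(String a, String b) {
    URI x = parse(a);
    URI y = parse(b);
    if (x == null || y == null || x.getScheme() == null || x.getHost() == null) {
      return false;
    }
    return x.getScheme().equalsIgnoreCase(y.getScheme())
        && x.getHost().equalsIgnoreCase(y.getHost())
        && effectivePort(x) == effectivePort(y);
  }

  private static URI parse(String s) {
    if (s == null) {
      return null;
    }
    try {
      return new URI(s.trim());
    } catch (URISyntaxException e) {
      return null;
    }
  }

  private static int effectivePort(URI u) {
    if (u.getPort() != -1) {
      return u.getPort();
    }
    return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
  }

  public static void main(String[] args) {
    // Constructed origins for the demonstration.
    String self = "https://silverpeas.example.org";
    List<String> allowed = Arrays.asList("https://intranet.example.org", "https://partner.example.com:8443");
    System.out.println(allowedOrigin(allowed, "https://intranet.example.org", self));
    System.out.println(allowedOrigin(allowed, "https://intranet.example.org.evil.test", self));
    System.out.println(allowedOrigin(allowed, "http://partner.example.com:8443", self));
    System.out.println(allowedOrigin(Arrays.asList(), self, self));
    System.out.println(allowedOrigin(Arrays.asList("*"), "https://anything.test", self));
  }
}
```

When the allowed value is echoed back per origin, the response should also carry Vary: Origin so caches do not serve one origin's answer to another. The "*" configuration removes the protection entirely, and browsers additionally refuse a wildcard on credentialed requests, so it is rarely what a deployment actually wants.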
isWebContentInjectionSecurityEnabled
public static boolean isWebContentInjectionSecurityEnabled()
Is the content injection security mechanism enabled? That is to say, is the Content Security Policy enabled?
Returns: true if the Content Security Policy is enabled for Silverpeas, false otherwise.

getAllowedDefaultSourcesInCSP
public static String getAllowedDefaultSourcesInCSP()

getAllowedScriptSourcesInCSP
public static String getAllowedScriptSourcesInCSP()

getAllowedStyleSourcesInCSP
public static String getAllowedStyleSourcesInCSP()

getIFrameSandboxTagAttribute
public static String getIFrameSandboxTagAttribute()
Gets the formatted sandbox iframe attribute for external contents.
Returns: the tag attribute.

registration
public static SecuritySettings.Registration registration()