This is an automated email from the ASF dual-hosted git repository. shuber pushed a commit to branch unomi-1.5.x in repository https://gitbox.apache.org/repos/asf/unomi.git
commit 4eccfb9b30a8739f1b3ff7f67d6a4eb03bd41905 Author: Serge Huber <[email protected]> AuthorDate: Tue Nov 10 17:45:32 2020 +0100 Add documentation to new security configuration parameters. (cherry picked from commit 98b67db615684ce5da9a1adcb2d4dec5a457ef1a) --- .../src/main/resources/etc/custom.system.properties | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/package/src/main/resources/etc/custom.system.properties b/package/src/main/resources/etc/custom.system.properties index a7b665c..9660b68 100644 --- a/package/src/main/resources/etc/custom.system.properties +++ b/package/src/main/resources/etc/custom.system.properties @@ -31,15 +31,33 @@ org.apache.unomi.hazelcast.network.port=${env:UNOMI_HAZELCAST_NETWORK_PORT:-5701 ## Security settings ## ####################################################################################################################### org.apache.unomi.security.root.password=${env:UNOMI_ROOT_PASSWORD:-karaf} + +# These parameters control the list of classes that are allowed or forbidden when executing expressions. org.apache.unomi.scripting.allow=${env:UNOMI_ALLOW_SCRIPTING_CLASSES:-org.apache.unomi.api.Event,org.apache.unomi.api.Profile,org.apache.unomi.api.Session,org.apache.unomi.api.Item,org.apache.unomi.api.CustomItem,ognl.*,java.lang.Object,java.util.Map,java.util.HashMap,java.lang.Integer,org.mvel2.*} org.apache.unomi.scripting.forbid=${env:UNOMI_FORBID_SCRIPTING_CLASSES:-} + +# This parameter controls the whole expression filtering system. It is not recommended to turn it off. The main reason +# to turn it off would be to check if it is interfering with something, but it should always be active in production. org.apache.unomi.scripting.filter.activated=${env:UNOMI_SCRIPTING_FILTER_ACTIVATED:-true} + +# The following parameters control the filtering using regular expressions for each scripting sub-system. +# The "collections" parameter tells the expression filtering system which configurations to expect. By default only +# MVEL and/or OGNL are accepted values, but in the future these might be replaced by new scripting sub-systems. +# For each scripting sub-system, there is an allow and a forbid value. It is NOT recommended to change the built-in +# "forbid" value unless you are having issues with its value. +# It is however fully expected to add new expressions to the "allow" value, although it is better to add them inside +# any plugins you may be adding. This configuration is only designed to compensate for the cases where something was not properly designed or to deal with compatibility issues. Just be VERY careful to make your patterns AS SPECIFIC AS POSSIBLE in order to avoid introducing a way to abuse the expression filtering. org.apache.unomi.scripting.filter.collections=${env:UNOMI_SCRIPTING_FILTER_COLLECTIONS:-mvel,ognl} org.apache.unomi.scripting.filter.mvel.allow=${env:UNOMI_SCRIPTING_FILTER_MVEL_ALLOW:-} org.apache.unomi.scripting.filter.mvel.forbid=${env:UNOMI_SCRIPTING_FILTER_MVEL_FORBID:-.*Runtime.*,.*ProcessBuilder.*,.*exec.*,.*invoke.*,.*getClass.*,.*Class.*,.*ClassLoader.*,.*System.*,.*Method.*,.*method.*,.*Compiler.*,.*Thread.*,.*FileWriter.*,.*forName.*,.*Socket.*,.*DriverManager.*,eval} org.apache.unomi.scripting.filter.ognl.allow=${env:UNOMI_SCRIPTING_FILTER_OGNL_ALLOW:-} org.apache.unomi.scripting.filter.ognl.forbid=${env:UNOMI_SCRIPTING_FILTER_OGNL_FORBID:-.*Runtime.*,.*ProcessBuilder.*,.*exec.*,.*invoke.*,.*getClass.*,.*Class.*,.*ClassLoader.*,.*System.*,.*Method.*,.*method.*,.*Compiler.*,.*Thread.*,.*FileWriter.*,.*forName.*,.*Socket.*,.*DriverManager.*,eval} + +# This parameter controls whether OGNL scripting is allowed in expressions. Because of security reasons it is +# deactivated by default. If you run into compatibility issues you could reactivate it but it is at your own risk. org.apache.unomi.security.properties.useOGNLScripting=${env:UNOMI_SCRIPTING_USE_OGNL:-false} +# This parameter controls the condition sanitizing done on the ContextServlet (/context.json). If will remove any +# expressions that start with "script::". It is not recommended to change this value, unless you run into compatibility issues. org.apache.unomi.security.personalization.sanitizeConditions=${env:UNOMI_SECURITY_SANITIZEPERSONALIZATIONCONDITIONS:-true} #######################################################################################################################
