Application Security
This chapter describes the configuration settings that protect JasperReports Server and its users from unauthorized access. The configuration properties appear in two locations:
| • | Some properties must be configured during the installation and deployment phase, before users access the server. These settings are configured through files used by the installation scripts. These settings are available only when performing a WAR file installation. |
| • | Properties you can configure after installation are located in files in various folders. Configuration file paths are relative to the <js-install> directory, which is the root of your JasperReports Server installation. To change the configuration, edit these files then restart the server. |
Because the locations of files described in this chapter vary with your application server, the paths specified in this chapter are relative to the deployed WAR file for the application. For example, the applicationContext.xml file is shown as residing in the WEB-INF folder. If you use the Tomcat application server bundled with the installer, the default path to this location is:
C:\Program Files\jasperreports-server-9.0.0\apache-tomcat\webapps\jasperserver-pro\WEB-INF
|
|
Use caution when editing the properties described in this chapter. Inadvertent changes may cause unexpected errors throughout JasperReports® Server that may be difficult to troubleshoot. Before changing any files, back them up to a location outside of your JasperReports® Server installation. Do not modify settings not described in the documentation. Even though some settings may appear straightforward, values other than the default may not work properly and may cause errors. |
This chapter contains the following sections:
| • | Encrypting Passwords in Configuration Files |
| • | Configuring CSRF Protection |
| • | Configuring XSS Protection |
| • | Protecting Against SQL Injection |
| • | Protecting Against XML External Entity Attacks |
| • | Protecting Against Clickjacking Attacks |
| • | Restricting File Uploads |
| • | Restricting Groovy Access |
| • | Hiding Stack Trace Messages |
| • | Defining a Cross-Domain Policy for Flash |
| • | Enabling SSL in Tomcat |
| • | Disabling Unused HTTP Verbs |
| • | Configuring HTTP Header Options |
| • | Setting the Secure Flag on Cookies |
| • | Setting httpOnly for Cookies |
| • | Protection Domain Infrastructure in Tomcat |
| • | Encrypting Passwords in URLs |
| • | Host Header Injection Protection |
Recommended Comments
There are no comments to display.