Application Security

This chapter describes the configuration settings that protect JasperReports Server and its users from unauthorized access. The configuration properties appear in two locations:

Some properties must be configured during the installation and deployment phase, before users access the server. These settings are configured through files used by the installation scripts. These settings are available only when performing a WAR file installation.
Properties you can configure after installation are located in files in various folders. Configuration file paths are relative to the <js-install> directory, which is the root of your JasperReports Server installation. To change the configuration, edit these files then restart the server.

Because the locations of files described in this chapter vary with your application server, the paths specified in this chapter are relative to the deployed WAR file for the application. For example, the applicationContext.xml file is shown as residing in the WEB-INF folder. If you use the Tomcat application server bundled with the installer, the default path to this location is:

C:\Program Files\jasperreports-server-6.4\apache-tomcat\webapps\jasperserver-pro\WEB-INF

Use caution when editing the properties described in this chapter. Inadvertent changes may cause unexpected errors throughout JasperReports Server that may be difficult to troubleshoot. Before changing any files, back them up to a location outside of your JasperReports Server installation.

Do not modify settings not described in the documentation. Even though some settings may appear straightforward, values other than the default may not work properly and may cause errors.

This chapter contains the following sections:

Encrypting Passwords in Configuration Files
Configuring CSRF Protection
Protecting Against SQL Injection
Protecting Against Cross-Site Scripting
Restricting File Uploads
Restricting Groovy's Access
Hiding Stack Trace Messages
Defining a Cross-Domain Policy for Flash
Enabling SSL in Tomcat
Disabling Unused HTTP Verbs
Configuring HTTP Header Options
Setting the Secure Flag on Cookies
Setting httpOnly for Cookies
Protection Domain Infrastructure in Tomcat
Encrypting Passwords in URLs