EMSE Security Control filter

Overview

This release introduces a security filter for the EMSE engine. Previously, the av.emse.security control in the BIZ ServerConfig.properties file used a white list. It now uses a black list that, by default, blocks the classes java.lang.ProcessBuilder and java.lang.Runtime.

EMSE Security Control methods

These methods are available for the EMSE Security Control:

  • writeToFile and deleteFile - In the ServerConfig.properties file, the configuration property av.emse.file.path={EMSE file path on application server} restricts access to the server for these methods.
Note: The EMSE Security Control overrides the behavior of existing EMSE scripts that call these two methods.

Configure EMSE Security Control

Follow these steps for each BIZ server individually.

  1. On the application server, go to \av.biz\conf\av\ and open the ServerConfig.properties file.
  2. Verify this entry exists and is enabled (set to true): av.emse.security=true
  3. Check that the path includes the correct location of your EMSE script folder: av.emse.file.path={EMSE file path on application server}

    Example: To set the file path as D:\emse\temp, add this code: av.emse.file.path=D:\emse\temp

  4. Go to \av.biz\conf\av\ and open the EMSESecurityConfig.properties file, or create the file (this file name is case sensitive).
  5. Add the classes you want to block to this entry in the EMSESecurityConfig.properties file:

    emse.class.blacklist={class #1, class #2, ...}

    Example: Adding emse.class.blacklist=java.lang.ProcessBuilder, java.lang.Runtime blocks those classes from modifying instances. These two classes are the default for the blacklist.
  6. Restart the server for the changes to take effect.
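
A way to check the settings from steps 2 through 5 on each BIZ server, as an added example that is not part of the product or its documentation. The function names, the simplified properties reader, and the choice to flag a blacklist that omits a default class are assumptions of this example; the sample files are constructed.

```python
import os
import tempfile

DEFAULT_BLOCKED = {"java.lang.ProcessBuilder", "java.lang.Runtime"}

def read_props(path):
    """Minimal key=value reader; ignores comments, does no escape handling."""
    props = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line and line[0] not in "#!" and "=" in line:
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
    return props

def audit(conf_dir):
    """Return findings for one BIZ server's conf directory (empty list = pass)."""
    findings = []
    server = read_props(os.path.join(conf_dir, "ServerConfig.properties"))
    if server.get("av.emse.security", "").lower() != "true":
        findings.append("av.emse.security is not set to true")
    if not server.get("av.emse.file.path"):
        findings.append("av.emse.file.path is not set")
    # The file name is case sensitive: match the directory listing exactly
    # instead of relying on a case-insensitive file system lookup.
    name = "EMSESecurityConfig.properties"
    if name not in os.listdir(conf_dir):
        return findings + [name + " not found (name is case sensitive)"]
    sec = read_props(os.path.join(conf_dir, name))
    listed = {c.strip() for c in sec.get("emse.class.blacklist", "").split(",")}
    # Assumption: a blacklist that omits a default class is worth flagging.
    for cls in sorted(DEFAULT_BLOCKED - listed):
        findings.append(cls + " is missing from emse.class.blacklist")
    return findings

def demo():
    """Audit a constructed conf directory whose blacklist omits Runtime."""
    with tempfile.TemporaryDirectory() as conf:
        with open(os.path.join(conf, "ServerConfig.properties"), "w") as fh:
            fh.write("av.emse.security=true\n" r"av.emse.file.path=D:\emse\temp" "\n")
        with open(os.path.join(conf, "EMSESecurityConfig.properties"), "w") as fh:
            fh.write("emse.class.blacklist=java.lang.ProcessBuilder\n")
        return audit(conf)

if __name__ == "__main__":
    for finding in demo() or ["no findings"]:
        print(finding)
```

Call audit() with the path to the \av.biz\conf\av\ folder of each BIZ server; an empty list means all three settings were found as described in the steps above.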