Question
I added an OWASP ESAPI library to my project, and currently I'm stuck with the problem of where to locate the ESAPI.properties file. This project should later be deployed on a few servers to which I don't have access. So in my opinion there is no way to customize the org.owasp.esapi.resources variable, and I can't put it under the user home directory. So the only place where I can put this file is SystemResource Directory/resourceDirectory, but where is it? I have already tried to put these files:
.esapi/ESAPI.properties
esapi/ESAPI.properties
ESAPI.properties
Into these locations:
$CATALINA_HOME/webapps/<MY_PROJECT>/
$CATALINA_HOME/webapps/<MY_PROJECT>/WEB-INF
$CATALINA_HOME/webapps/<MY_PROJECT>/WEB-INF/classes
$CATALINA_HOME/webapps/<MY_PROJECT>/META-INF
But in all of these places I get an error:
Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
So where should I locate this file? It's a legacy project (just an Eclipse project without Maven) and its structure is pretty ugly. There is no directory like /src/main/resources, where in my opinion this ESAPI.properties file should be located. I have created this directory, but where should this file finally be after deploying a WAR archive to Tomcat?
Answer 1:
The ESAPI.properties file should reside in the CLASSPATH under the esapi directory.
So let's say you have a module which is deployed into a WAR in either of the 2 forms: as a jar, or exploded as classes. Just create a directory inside the source of the module where you use the OWASP ESAPI 3rd party.
From Eclipse's perspective the file just needs to be in the CLASSPATH regardless of whether you use Maven or not. When using Maven, the Maven resources directory is converted to an Eclipse sources directory by the m2eclipse plugin.
Example (using eclipse standard source structure):
src
|---com
| |---module
| | |---SomeClass.java
|---esapi
| |---ESAPI.properties
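
A way to confirm the placement described above after deployment, as an added example that is not part of the original answer or of ESAPI: a small diagnostic that asks each class loader whether it can see the file. The class name EsapiConfigLocator is hypothetical, the candidate names are the ones tried in the question, and only standard JDK calls are used.

```java
import java.net.URL;
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical diagnostic (not part of ESAPI): shows where ESAPI.properties resolves. */
public class EsapiConfigLocator {

    // Relative names tried in the question; the answer above recommends the esapi/ form.
    static final String[] CANDIDATES = {
        "esapi/ESAPI.properties", ".esapi/ESAPI.properties", "ESAPI.properties"
    };

    /** Returns candidate name -> URL (null when not visible) for the given class loader. */
    static Map<String, URL> probe(ClassLoader loader) {
        Map<String, URL> found = new LinkedHashMap<>();
        for (String name : CANDIDATES) {
            // getResource takes a '/'-separated name with no leading slash.
            found.put(name, loader == null ? null : loader.getResource(name));
        }
        return found;
    }

    /** Prints what one class loader can see, one line per candidate name. */
    static void report(String label, ClassLoader loader) {
        System.out.println("[" + label + "] " + loader);
        for (Map.Entry<String, URL> e : probe(loader).entrySet()) {
            System.out.println("  " + e.getKey() + " -> "
                + (e.getValue() == null ? "NOT FOUND" : e.getValue()));
        }
    }

    public static void main(String[] args) {
        // Explicit override mentioned in the question; null when it has not been set.
        System.out.println("org.owasp.esapi.resources = "
            + System.getProperty("org.owasp.esapi.resources"));
        // Inside a servlet container the context loader is the web application's
        // loader, the one that sees WEB-INF/classes and WEB-INF/lib.
        report("thread context", Thread.currentThread().getContextClassLoader());
        // The system loader sees only the JVM launch classpath, not the WAR contents.
        report("system", ClassLoader.getSystemClassLoader());
        report("this class", EsapiConfigLocator.class.getClassLoader());
    }
}
```

Calling report(...) from code that runs inside the web application, for example a servlet's init method, shows the container's view; main only shows the view of a stand-alone JVM.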
Answer 2:
Maybe this will help. It describes the search order implemented in ESAPI 2.x to find the ESAPI.properties file: http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/reference/DefaultSecurityConfiguration.html
I think that documentation is fairly up-to-date, but you can find details of how it is implemented in the loadConfiguration() method of DefaultSecurityConfiguration.java which you can find here:
https://static.javadoc.io/org.owasp.esapi/esapi/2.0.1/org/owasp/esapi/reference/DefaultSecurityConfiguration.html
Hope that helps. -kevin
Answer 3:
Just a minor update that may be relevant. Looks like the 2.1.0.1 release accidentally broke the previous 2.x search order (in order to support XML configuration properties for ESAPI). This will be fixed in the (as-yet-to-be-determined) ESAPI point release. See ESAPI GitHub issue 397 for details.
Source: https://stackoverflow.com/questions/29842208/correct-location-for-esapi-properties-under-web-project