Trying to Use ESAPI But getting Error

Submitted by 荒凉一梦 on 2019-11-27 22:04:44
Jason Dean

The ESAPI.properties file should have more than 3 lines in it. See for example:

https://web.archive.org/web/20150904064147/http://code.google.com:80/p/owasp-esapi-java/source/browse/trunk/configuration/esapi/ESAPI.properties

In my experience the ESAPI.properties file either needs to be in the same folder as the esapi.jar or needs to be compiled into the jar in a resources directory.

/resources/ESAPI.properties

I believe that either one should work. If ESAPI does not find the file in one location it looks in others.

The code for that is here around line 620:

https://web.archive.org/web/20161005210258/http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java

James Drinkard

I just struggled through this one myself.

  1. I created a folder called esapi in my C:/users/myname/ directory and loaded up the ESAPI.properties, validation.properties, and the ESAPI-AccessControlPolicy.xml which got me past all the not finding files errors. ESAPI looks in several places for the files. I'm running Windows 7 64 bit by the way.
  2. Then I had to update some of the jars. I should have done this from the beginning, but I didn't know it. I was getting this error: AccessController class (org.owasp.esapi.reference.DefaultAccessController) CTOR threw exception. for every jar that needed to be a newer version, like commons collections or log4j. At the bottom of the stack trace it would reference the offending jar.

When I added the newer jars from the esapi lib directory everything just worked!

I got this message at the end in my console:

ESAPI.accessController found: org.owasp.esapi.reference.DefaultAccessController@1cb8deef

Note: There is an ESAPI_en_US.properties file, but it's the one with only a few lines in it. Just use the file in: \esapi-2.1.0-dist\src\test\resources\esapi\ESAPI.properties. That is the full complete file.

The reference SecurityConfiguration manages all the settings used by the ESAPI in a single place. In this reference implementation, resources can be put in several locations, which are searched in the following order:

1) Inside a directory set with a call to SecurityConfiguration.setResourceDirectory( "C:\temp\resources" ).

2) Inside the System.getProperty( "org.owasp.esapi.resources" ) directory. You can set this on the java command line as follows (for example):

            java -Dorg.owasp.esapi.resources="C:\temp\resources"

You may have to add this to the start-up script that starts your web server. For example, for Tomcat, in the "catalina" script that starts Tomcat, you can set the JAVA_OPTS variable to the -D string above.

3) Inside the System.getProperty( "user.home" ) + "/.esapi" directory (supported for backward compatibility) or inside the System.getProperty( "user.home" ) + "/esapi" directory.

4) The first ".esapi" or "esapi" directory on the classpath. (The former for backward compatibility.)
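To see which of the locations listed above actually holds an ESAPI.properties on a given machine, the following added example (not ESAPI's own code and not part of the original answers) walks steps 2 to 4 of that order using only the JDK. The class and method names are hypothetical, step 1 (setResourceDirectory) is not modelled, and the classpath step is simplified to directory entries only.

```java
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.ArrayList;
import java.util.List;
// Added troubleshooting example, not ESAPI code. Class and method names are hypothetical.
public class EsapiConfigLocator {

    // Candidate directories for steps 2 to 4 of the search order quoted above.
    static List<File> candidateDirs() {
        List<File> dirs = new ArrayList<>();
        String custom = System.getProperty("org.owasp.esapi.resources");
        if (custom != null && !custom.isEmpty()) {
            dirs.add(new File(custom));                 // step 2: -D flag
        }
        String home = System.getProperty("user.home");
        dirs.add(new File(home, ".esapi"));             // step 3, backward compatibility
        dirs.add(new File(home, "esapi"));              // step 3
        // Step 4, simplified: only directory entries of java.class.path, not jar contents.
        for (String entry : System.getProperty("java.class.path", "").split(File.pathSeparator)) {
            File base = new File(entry);
            if (base.isDirectory()) {
                dirs.add(new File(base, ".esapi"));
                dirs.add(new File(base, "esapi"));
            }
        }
        return dirs;
    }
    // First readable ESAPI.properties in search order, or null if none exists.
    static File firstMatch(List<File> dirs) {
        for (File dir : dirs) {
            File props = new File(dir, "ESAPI.properties");
            if (props.isFile() && props.canRead()) return props;
        }
        return null;
    }
    public static void main(String[] args) throws Exception {
        List<File> dirs = candidateDirs();
        for (File dir : dirs) {
            File props = new File(dir, "ESAPI.properties");
            System.out.printf("%-8s%s%n", props.isFile() ? "FOUND" : "missing", props.getAbsolutePath());
        }
        File hit = firstMatch(dirs);
        if (hit == null) { System.out.println("No ESAPI.properties on the checked path."); return; }
        int lines = Files.readAllLines(hit.toPath(), StandardCharsets.ISO_8859_1).size();
        System.out.println("First match: " + hit + " (" + lines + " lines)"
                + (lines <= 3 ? " - looks like the short stub, not the full file" : ""));
    }
}
```

Run it with the same -Dorg.owasp.esapi.resources value and classpath as the failing application, so the candidates it prints match what that JVM would see.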

After having this problem and looking at the installation documentation (esapi-x.x.x-dist\documentation\esapi4java-core-x-x-install-guide.pdf) I found a very useful section which detailed that the properties file can be anywhere, provided a VM flag (-Dorg.owasp.esapi.resources="path") points to a particular directory. For example, if I stick the file in a "resources" folder at the root of my project directory, then the flag would be:

-Dorg.owasp.esapi.resources="path\to\project\root\resources"

Can you put your file (with this name) in:

D:\Eclipse-Workspace\Test\ESAPI.properties

And show us the contents and exception again.

Nethaji Narasimalu
  1. Extract the esapi jar
  2. Create a folder named resources under org.owasp.esapi
  3. Copy ESAPI.properties to org.owasp.esapi.resources
  4. Build and deploy

Extract the jar and add the properties file under the resources folder.

Initially I was getting the same error; after updating the properties file it worked for me.

Shankar P

Thanks for providing the information.

-Dorg.owasp.esapi.resources="path\to\project\root\resources"

This is a good source of information and has resolved my issue.

I had the same problem too. I resolved it using a little bit of James Drinkard's solution. What I basically did was create a new folder named ESAPI and add the ESAPI.properties file, Validation.properties, and the ESAPI-AccessControlPolicy.xml. I then archived it into a jar file, added it to the lib folder under WebContent/WEB-INF, added it to the build path, and it worked.

*To archive it into a jar file I used the Windows command move ESAPI ESAPI.jar

Kevin Wall

Look at the various scripts under 'src/examples/scripts' and they will show you one easy way to control where the ESAPI.properties file is found. (This is for ESAPI 2.0 or later.)

You will find a copy of the ESAPI.properties file under 'configuration/esapi'.
