Garmaine Staff asked 1 year ago
I have problems configuring ESAPI to let it work with my Spring Boot Web Application (maven project).
I'm using this URL for help : https://web.archive.org/web/20161005210258/http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
And from this URL I have chosen this part to put ESAPI.properties in a specific directory :
The reference {@code SecurityConfiguration} manages all the settings used by the ESAPI in a single place. In this reference * implementation, resources can be put in several locations, which are searched in the following order: *
* 1) Inside a directory set with a call to SecurityConfiguration.setResourceDirectory( "C:\temp\resources" ). *
So for that here is my code :
1 – In application.properties :
esapi.path=/data/folder/testApp/Apps/MyApp/ESAPIConf
2 – In StartupApplication.java (class that will be executed only once at the startup of my application) :
@Component
public class StartupApplication implements InitializingBean {
@Autowired
private Environment env;
@Override
@Transactional
public void afterPropertiesSet() throws Exception {
new GlobalVars();
GlobalVars.esapiPropertyFilePath = env.getProperty("esapi.path");
// this setResourceDirectory to be executed once
ESAPI.securityConfiguration().setResourceDirectory(GlobalVars.esapiPropertyFilePath);
...etc
}
3 – In my jsp page :
<form action="#" method="POST" onsubmit="linkVariabletoDBFields()">
<input type="hidden" name = "nameconf" id="nameconf" value="<%=ESAPI.encoder().encodeForHTMLAttribute(request.getParameter("confname")) %>" />
The Problem :
When the application server (JBOSS EAP 7.2) is starting and more specifically when StartupApplication class is executed the setResourceDirectory is returning :
ESAPI: Reset resource directory to: /data/folder/testApp/Apps/MyApp/ESAPIConf
ESAPI: Attempting to load ESAPI.properties via file I/O.
ESAPI: Attempting to load ESAPI.properties as resource file via file I/O.
ESAPI: Not found in 'org.owasp.esapi.resources' directory or file not readable: /home/linuxuser/ESAPI.properties
ESAPI: Not found in SystemResource Directory/resourceDirectory: /data/folder/testApp/Apps/MyApp/ESAPIConf/ESAPI.properties
ESAPI: Not found in 'user.home' (/home/linuxuser) directory: /home/linuxuser/esapi/ESAPI.properties
ESAPI: Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
ESAPI: Attempting to load ESAPI.properties via the classpath.
ESAPI: SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
ESAPI: SecurityConfiguration for Validator.ConfigurationFile.MultiValued not found in ESAPI.properties. Using default: false
ESAPI: Attempting to load validation.properties via file I/O.
ESAPI: Attempting to load validation.properties as resource file via file I/O.
ESAPI: Not found in 'org.owasp.esapi.resources' directory or file not readable: /home/linuxuser/validation.properties
ESAPI: Not found in SystemResource Directory/resourceDirectory: /data/folder/testApp/Apps/MyApp/ESAPIConf/validation.properties
ESAPI: Not found in 'user.home' (/home/linuxuser) directory: /home/linuxuser/esapi/validation.properties
ESAPI: Loading validation.properties via file I/O failed.
ESAPI: Attempting to load validation.properties via the classpath.
ESAPI: SUCCESSFULLY LOADED validation.properties via the CLASSPATH from 'esapi/' using current thread context class loader!
It cannot find the properties file although the file exists in /data/folder/testApp/Apps/MyApp/ESAPIConf
And when I access my jsp page I'm getting :
Error : org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.
I guess because the ESAPI.properties was not found.
Kindly help.