Correct location of ESAPI.properties within the web project
I have added the OWASP ESAPI library to my project, and I'm currently stuck with an issue of where the file ESAPI.properties can be found. This project later needs to be deployed to multiple servers that I don't have access to. So in my opinion there is no way to set the variable org.owasp.esapi.resources and I cannot put it in the user's home directory. So the only place I can put this file is SystemResource Directory/resourceDirectory, but where is it? I already tried to put these files:
.esapi/ESAPI.properties
esapi/ESAPI.properties
ESAPI.properties
In these places:
$CATALINA_HOME/webapps/<MY_PROJECT>/
$CATALINA_HOME/webapps/<MY_PROJECT>/WEB-INF
$CATALINA_HOME/webapps/<MY_PROJECT>/WEB-INF/classes
$CATALINA_HOME/webapps/<MY_PROJECT>/META-INF
But in all these places I get an error:
Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
So where should I find this file? This is a legacy project (only an Eclipse project without Maven) and this structure is pretty ugly. There is no such directory as /src/main/resources where, in my opinion, this file ESAPI.properties should be located. I created this directory, but finally where should this file be after deploying the WAR to Tomcat?
The ESAPI.properties file must be in CLASSPATH, in a directory esapi.
So let's say you have a module that is deployed to a WAR in either of two forms: as a jar or exploded as classes. Just create a directory inside the module source where you are using the OWASP ESAPI third-party library.
In terms of Eclipse, the file just has to be in CLASSPATH whether you are using Maven or not. When using Maven, the Maven resources directory is converted to an Eclipse sources directory by the m2eclipse plugin.
Example (using standard Eclipse source framework):
src
|---com
| |---module
| | |---SomeClass.java
|---esapi
| |---ESAPI.properties
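A diagnostic for the lookup discussed in this thread, added here as an example (not ESAPI's own code, nor code from any of the posters): it reports which of the resource names from the question are visible to each class loader, and whether the directory named by org.owasp.esapi.resources holds the file. The class name EsapiConfigLocator and the choice of which loaders to probe are assumptions made for illustration.

```java
import java.io.File;
import java.net.URL;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added diagnostic, not ESAPI code: reports where ESAPI.properties is visible from. */
public class EsapiConfigLocator {
    // Candidate resource names taken from the question and the first answer.
    static final String[] CANDIDATES = {
        "esapi/ESAPI.properties", ".esapi/ESAPI.properties", "ESAPI.properties"
    };

    /** Returns candidate name -> URL for every candidate the given loader can see. */
    static Map<String, URL> findOnClasspath(ClassLoader loader) {
        Map<String, URL> hits = new LinkedHashMap<>();
        if (loader == null) return hits;
        for (String name : CANDIDATES) {
            URL url = loader.getResource(name);   // no leading slash for ClassLoader lookups
            if (url != null) hits.put(name, url);
        }
        return hits;
    }

    /** Checks the directory named by -Dorg.owasp.esapi.resources, if the property is set. */
    static File findInResourceProperty() {
        String dir = System.getProperty("org.owasp.esapi.resources");
        if (dir == null) return null;
        File f = new File(dir, "ESAPI.properties");
        return f.isFile() ? f : null;
    }

    public static void main(String[] args) {
        Map<String, ClassLoader> loaders = new LinkedHashMap<>();
        // In a webapp the context loader is the one that sees WEB-INF/classes and WEB-INF/lib.
        loaders.put("thread context", Thread.currentThread().getContextClassLoader());
        loaders.put("this class", EsapiConfigLocator.class.getClassLoader());
        loaders.put("system", ClassLoader.getSystemClassLoader());
        loaders.forEach((label, loader) -> {
            Map<String, URL> hits = findOnClasspath(loader);
            System.out.println(label + " loader: " + (hits.isEmpty() ? "nothing found" : hits));
        });
        File viaProperty = findInResourceProperty();
        System.out.println("org.owasp.esapi.resources: "
            + (viaProperty == null ? "not set or file missing" : viaProperty.getAbsolutePath()));
    }
}
```

To diagnose a Tomcat deployment, call findOnClasspath from code running inside the web application (for example a ServletContextListener), because main started from a command line uses a different class loader than the deployed WAR. Write the result to the server log rather than to a response, since it contains filesystem paths.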
Maybe this will help. It describes the search order implemented in ESAPI 2.x to find the ESAPI.properties file: http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/reference/DefaultSecurityConfiguration.html
I think the documentation is pretty modern, but you can find details on how it is implemented in the loadConfiguration() method of DefaultSecurityConfiguration.java which you can find here:
Hope it helps. Kevin
Just a small update that might make a difference. It looks like the 2.1.0.1 release accidentally broke the previous 2.x search order (to support XML configuration properties for ESAPI). This will be fixed in an ESAPI release (not yet defined). See ESAPI GitHub issue 397 for details.