Correct location of ESAPI.properties within the web project

I have added the OWASP ESAPI library to my project, and I'm currently stuck on the issue of where the file ESAPI.properties can be found. This project later needs to be deployed to multiple servers that I don't have access to. So in my opinion there is no way to set the variable org.owasp.esapi.resources and I cannot put it in the user's home directory. So the only place I can put this file is SystemResource Directory/resourceDirectory, but where is it? I already tried to put these files:

.esapi/ESAPI.properties
esapi/ESAPI.properties
ESAPI.properties

      

In these places:

$CATALINA_HOME/webapps/<MY_PROJECT>/
$CATALINA_HOME/webapps/<MY_PROJECT>/WEB-INF
$CATALINA_HOME/webapps/<MY_PROJECT>/WEB-INF/classes
$CATALINA_HOME/webapps/<MY_PROJECT>/META-INF

      

But in all these places I get an error: Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties

So where should I find this file? This is a legacy project (only an Eclipse project without Maven) and this structure is pretty ugly. There is no such directory as /src/main/resources where, in my opinion, this file ESAPI.properties should be located. I created this directory, but finally where should this file be after deploying the WAR to Tomcat?

+3




3 answers


The ESAPI.properties file must be in the CLASSPATH, in a directory esapi.

So let's say you have a module that is deployed to the WAR in either of two forms: as a jar or exploded as classes. Just create a directory inside the source of the module where you are using the third-party OWASP ESAPI library.

In terms of Eclipse, the file just has to be in the CLASSPATH whether you are using Maven or not. When using Maven, the Maven directory resources is converted to an Eclipse sources directory by the m2eclipse plugin.



Example (using standard eclipse source framework):

src
|---com
|   |---module
|   |   |---SomeClass.java
|---esapi
|   |---ESAPI.properties

      

+4
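To check what the class loader actually sees after deployment, the following added example (not part of the original answers and not ESAPI code) lists every classpath location of the candidate names mentioned on this page. The class name EsapiClasspathCheck and the temporary directory used as a classpath root are assumptions made for the demo.

```java
import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added diagnostic, not ESAPI code: lists every classpath copy of each candidate name.
public class EsapiClasspathCheck {

    // Candidate names taken from the question and the first answer on this page.
    static final String[] CANDIDATES = {
        "ESAPI.properties", "esapi/ESAPI.properties", ".esapi/ESAPI.properties"
    };

    // Returns candidate name -> all URLs it resolves to (empty list when absent).
    // More than one URL means a second copy (for example inside a jar) is also
    // visible, so confirm that the copy you intended is the one listed first.
    static Map<String, List<URL>> locate(ClassLoader loader) throws IOException {
        Map<String, List<URL>> found = new LinkedHashMap<>();
        for (String name : CANDIDATES) {
            found.put(name, new ArrayList<>(Collections.list(loader.getResources(name))));
        }
        return found;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temp directory standing in for a classpath root
        // such as WEB-INF/classes, holding esapi/ESAPI.properties.
        Path classes = Files.createTempDirectory("classes");
        Files.createDirectories(classes.resolve("esapi"));
        Files.write(classes.resolve("esapi/ESAPI.properties"), "# constructed sample\n".getBytes());

        try (URLClassLoader loader = new URLClassLoader(new URL[] { classes.toUri().toURL() }, null)) {
            locate(loader).forEach((name, urls) ->
                System.out.println(name + " -> " + (urls.isEmpty() ? "not on classpath" : urls)));
        }
        // Inside the web app, pass Thread.currentThread().getContextClassLoader() instead.
    }
}
```

Called from a servlet or context listener with the context class loader, locate() shows whether the deployed WAR exposes the file at all and whether a second copy is also visible.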




Maybe this will help. It describes the search order implemented in ESAPI 2.x to find the ESAPI.properties file: http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/reference/DefaultSecurityConfiguration.html

I think the documentation is pretty modern, but you can find details on how it is implemented in the loadConfiguration() method of DefaultSecurityConfiguration.java, which you can find here:



https://static.javadoc.io/org.owasp.esapi/esapi/2.0.1/org/owasp/esapi/reference/DefaultSecurityConfiguration.html

Hope it helps. Kevin

+2




Just a small update that might make a difference. It looks like the 2.1.0.1 release accidentally broke the previous 2.x search order (to support XML configuration properties for ESAPI). This will be fixed in an ESAPI release (not yet defined). See ESAPI GitHub issue 397 for details.

0








