Correct location for ESAPI.properties under web project

Asked 24/4, 2015 at 8:19 Answered 6/10, 2022 at 17:39

I added a OWASP ESAPI library to my project. And currently I'm stuck with a problem where to locate ESAPI.properties file. This project later should be deployed on few servers to which I don't have an access. So in my opinion there is no way to customizeorg.owasp.esapi.resources variable and I can't put it under user home directory. So the only place where I can put this file is SystemResource Directory/resourceDirectory but where is it? I have already tried to put these files:

.esapi/ESAPI.properties
esapi/ESAPI.properties
ESAPI.properties

Into these locations:

$CATALINA_HOME/webapps/<MY_PROJECT>/
$CATALINA_HOME/webapps/<MY_PROJECT>/WEB-INF
$CATALINA_HOME/webapps/<MY_PROJECT>/WEB-INF/classes
$CATALINA_HOME/webapps/<MY_PROJECT>/META-INF

But in all of these places I get an error: Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties

So where I should locate this file? It's a legacy project(just Eclipse Project without Maven) and it's structure is pretty ugly. There is no such directory like /src/main/resources where in my opinion this ESAPI.properties file should be located. I have created this directory, but where finally this file should be after deployment a WAR archive to Tomcat?

Haler answered 24/4, 2015 at 8:19 Comment(0)

ESAPI.properties file should reside in a CLASSPATH under the esapi directory.

So let's say you have a module which is deployed into war in any of the 2 forms: as a jar, or exploded as classes. Just create a directory inside the source of a module where you use the OWASP ESAPI 3rd party.

From eclipse perspective the file just need to be in the CLASSPATH regardless whether you use maven or not. When using maven, maven resources directory is converted as eclipse sources directory by m2eclipse plugin.

Example (using eclipse standard source structure):

src
|---com
|   |---module
|   |   |---SomeClass.java
|---esapi
|   |---ESAPI.properties

Footling answered 24/4, 2015 at 8:43 Comment(4)

Thank you very much for your help. Unfortunately it looks like this structure doesn't work too. I just tried to build a war file in this way. In WAR file and in deployed folder I see ESAPI config files in same directory as my classes(/WEB-INF/classes). Classes root folder is com as it should be. And there are esapi/ESAPI.properties file. But I still see Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties error message. – Haler 24/4, 2015 at 8:57

which version of esapi do you use? – Footling 24/4, 2015 at 9:16

OWASP ESAPI v2.1.0 It loads config files fine from my home directory. – Haler 24/4, 2015 at 9:17

UPD: Finally it works. Configured as you wrote above. I really not sure why it didn't work before. The only thing I change was excluding tests from a build path. Thank you so much. – Haler 24/4, 2015 at 11:49

Maybe this will help. It describes the search order implemented in ESAPI 2.x to find the ESAPI.properties file: http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/reference/DefaultSecurityConfiguration.html

I think that documentation is fairly up-to-date, but you can find details of how it is implemented in the loadConfiguration() method of DefaultSecurityConfiguration.java which you can find here:

https://static.javadoc.io/org.owasp.esapi/esapi/2.0.1/org/owasp/esapi/reference/DefaultSecurityConfiguration.html

Hope that helps. -kevin

Arista answered 26/4, 2015 at 22:46 Comment(1)

My bad; when I answered, that link was still available. ESAPI moved to GitHub. Check out github.com/ESAPI/esapi-java-legacy/blob/esapi-2.1.0.1/src/main/… instead. – Arista 9/7, 2017 at 19:49

Just a minor update that may be relevant. Looks like the 2.1.0.1 release accidentally broke the previous 2.x search order (in order to support XML configuration properties for ESAPI). This will be fixed in the (as-yet-to-be-determined) ESAPI point release. See ESAPI GitHub issue 397 for details.

Arista answered 9/7, 2017 at 19:52 Comment(0)

I just downloaded ESAPI 2.5 and added the ESAPI.properties, esapi-java-logging.properties and validation.properties files in the "src" ddirectory. No older structure, just there. eclipse IDE updates any changes on thos files to WEB-INF/classes directory and it worked for me

Lennox answered 6/10, 2022 at 17:39 Comment(0)

Recommended topics

Hot tags