Trying to Use ESAPI But getting Error
F

10

25

I am trying to use ESAPI.jar for providing security to my web application. Basically I have just started using ESAPI.jar. But the problem is I am not able to run even a simple program using ESAPI. The small code snippet is:

String clean = ESAPI.encoder().canonicalize("someString");
Randomizer r=ESAPI.randomizer();    
System.out.println(r);
System.out.println(clean);

I get this error:

Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: D:\Eclipse-Workspace\Test\ESAPI.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
Not found in 'user.home' (C:\Documents and Settings\user.user) directory: C:\Documents and Settings\user.user\esapi\ESAPI.properties
Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
Attempting to load ESAPI.properties via the classpath.
ESAPI.properties could not be loaded by any means. Fail. Exception was: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource.
Exception in thread "main" org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException SecurityConfiguration class (org.owasp.esapi.reference.DefaultSecurityConfiguration) CTOR threw exception.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129)
    at org.owasp.esapi.ESAPI.securityConfiguration(ESAPI.java:184)
    at org.owasp.esapi.ESAPI.encoder(ESAPI.java:99)
    at org.rancore.testJasp.TestEsapi.main(TestEsapi.java:59)
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86)
    ... 3 more
Caused by: org.owasp.esapi.errors.ConfigurationException: ESAPI.properties could not be loaded by any means. Fail.
    at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:439)
    at org.owasp.esapi.reference.DefaultSecurityConfiguration.<init>(DefaultSecurityConfiguration.java:227)
    at org.owasp.esapi.reference.DefaultSecurityConfiguration.getInstance(DefaultSecurityConfiguration.java:75)
    ... 8 more
Caused by: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource.
    at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfigurationFromClasspath(DefaultSecurityConfiguration.java:667)
    at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:436)
    ... 10 more

I have tried copying the 3 ESAPI properties files in my source folder and also configuring them on build path but still I have not succeeded. I have tried many permutations and combinations to no avail.

Please guide me.

The content of property file is:

# User Messages
Error.creating.randomizer=Error creating randomizer

This.is.test.message=This {0} is {1} a test {2} message

# Validation Messages

# Log Messages
Fustigate answered 8/10, 2011 at 11:17 Comment(0)
W
27

The ESAPI.properties file should have more than 3 lines in it. See for example:

https://web.archive.org/web/20150904064147/http://code.google.com:80/p/owasp-esapi-java/source/browse/trunk/configuration/esapi/ESAPI.properties

In my experience the ESAPI.properties file either needs to be in the same folder as the esapi.jar or needs to be compiled into the jar in a resources directory.

/resources/ESAPI.properties

I believe that either one should work. If ESAPI does not find the file in one location, it looks in others.

The code for that is here around line 620:

https://web.archive.org/web/20161005210258/http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java

Window answered 8/10, 2011 at 15:19 Comment(3)
Yep, he grabbed the wrong file. See my explanation below. – Wham
Link is broken. Can you please add those 3 lines in the answer. – Troche
@AniketThakur: He didn't mean that there's 3 lines you need to have. He just meant it needs to be longer than 3 lines, no matter what. Check the links again, I've fixed them via archive.org - so it should be clear what was originally meant. – Lease
W
5

I just struggled through this one myself.

  1. I created a folder called esapi in my C:/users/myname/ directory and loaded up the ESAPI.properties, validation.properties, and the ESAPI-AccessControlPolicy.xml which got me past all the not finding files errors. ESAPI looks in several places for the files. I'm running Windows 7 64 bit by the way.
  2. Then I had to update some of the jars. I should have done this from the beginning, but I didn't know it. I was getting this error: AccessController class (org.owasp.esapi.reference.DefaultAccessController) CTOR threw exception. for every jar that needed to be a newer version, like commons collections or log4j. At the bottom of the stack trace it would reference the offending jar.

When I added the newer jars from the esapi lib directory everything just worked!

I got this message at the end in my console:

ESAPI.accessController found: org.owasp.esapi.reference.DefaultAccessController@1cb8deef

Note: There is an ESAPI_en_US.properties file, but it's the one with only a few lines in it. Just use the file in: \esapi-2.1.0-dist\src\test\resources\esapi\ESAPI.properties. That is the full complete file.

Wham answered 7/10, 2014 at 18:54 Comment(0)
U
3

After having this problem and looking at the installation documentation (esapi-x.x.x-dist\documentation\esapi4java-core-x-x-install-guide.pdf) I found a very useful section which detailed that the properties file can be anywhere, provided a VM flag (-Dorg.owasp.esapi.resources="path") points to a particular directory. For example, if I stick the file in a "resources" folder at the root of my project directory, then the flag would be:

-Dorg.owasp.esapi.resources="path\to\project\root\resources"
Untoward answered 9/6, 2014 at 13:52 Comment(0)
D
2

The reference SecurityConfiguration manages all the settings used by the ESAPI in a single place. In this reference implementation, resources can be put in several locations, which are searched in the following order:

1) Inside a directory set with a call to SecurityConfiguration.setResourceDirectory( "C:\temp\resources" ).

2) Inside the System.getProperty( "org.owasp.esapi.resources" ) directory. You can set this on the java command line as follows (for example):

            java -Dorg.owasp.esapi.resources="C:\temp\resources"

You may have to add this to the start-up script that starts your web server. For example, for Tomcat, in the "catalina" script that starts Tomcat, you can set the JAVA_OPTS variable to the -D string above.

3) Inside the System.getProperty( "user.home" ) + "/.esapi" directory (supported for backward compatibility) or inside the System.getProperty( "user.home" ) + "/esapi" directory.

4) The first ".esapi" or "esapi" directory on the classpath. (The former for backward compatibility.)

Discordancy answered 9/3, 2016 at 15:54 Comment(1)
Setting the property worked for me after adding the files from the Github repository. In my case I used: CATALINA_OPTS="-Xmx2048m -serve -Dorg.owasp.esapi.resources=/usr/local/tomcatMaggee
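
Added example, not part of the original answer and not ESAPI project code: a stand-alone Java probe (no ESAPI jar needed) that walks locations 2 to 4 of the search order listed above and reports, for each readable ESAPI.properties, whether it looks like the full configuration or the short message file shown in the question. The class name EsapiConfigProbe and the "at least one key starts with ESAPI." heuristic are assumptions; location 1 (setResourceDirectory) is set in application code and cannot be probed from outside.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;

/** Added diagnostic, not ESAPI code: reports where an ESAPI.properties is visible. */
public class EsapiConfigProbe {
    static final String FILE = "ESAPI.properties";

    /** Summarise one candidate file and say whether it looks like the real configuration. */
    static String describe(String origin, InputStream in) throws IOException {
        Properties p = new Properties();
        p.load(in);
        // Assumption: the full file defines implementation keys such as ESAPI.Encoder.
        boolean full = p.stringPropertyNames().stream().anyMatch(k -> k.startsWith("ESAPI."));
        // Key taken from the short message file shown in the question.
        boolean messages = p.containsKey("Error.creating.randomizer");
        return origin + ": " + p.size() + " keys, "
                + (full ? "looks like a full configuration"
                        : messages ? "message bundle, not the configuration" : "no ESAPI.* keys");
    }

    static void probeDir(String label, Path dir) throws IOException {
        Path f = dir.resolve(FILE).toAbsolutePath();
        if (!Files.isReadable(f)) { System.out.println(label + ": not readable: " + f); return; }
        try (InputStream in = Files.newInputStream(f)) { System.out.println(describe(label + " " + f, in)); }
    }

    public static void main(String[] args) throws IOException {
        // Location 2: the -Dorg.owasp.esapi.resources directory. When unset, the probe
        // falls back to the working directory, the path the question's log reports.
        probeDir("system property", Paths.get(System.getProperty("org.owasp.esapi.resources", "")));
        // Location 3: user.home/.esapi (backward compatibility) and user.home/esapi.
        Path home = Paths.get(System.getProperty("user.home"));
        probeDir("user.home", home.resolve(".esapi"));
        probeDir("user.home", home.resolve("esapi"));
        // Location 4: a ".esapi" or "esapi" directory on the classpath.
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        for (String prefix : new String[] {".esapi/", "esapi/"}) {
            URL u = cl.getResource(prefix + FILE);
            if (u == null) { System.out.println("classpath " + prefix + ": not found"); continue; }
            try (InputStream in = u.openStream()) { System.out.println(describe("classpath " + u, in)); }
        }
    }
}
```

Run it with the same working directory, classpath and -D flags as the failing application, so it sees the same locations ESAPI would.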
P
0

Can you put your file (with this name) in:

D:\Eclipse-Workspace\Test\ESAPI.properties

And show us the contents and exception again.

Phosphorescent answered 8/10, 2011 at 11:29 Comment(3)
I already did that...I am getting the same exception. I am assuming you want the content of the property file..That is # User Messages Error.creating.randomizer=Error creating randomizer This.is.test.message=This {0} is {1} a test {2} message # Validation Messages # Log Messages – Fustigate
the name of the file is exactly ESAPI.properties (same case and so...)? Yes, it is a stupid question, but sometimes we created a mistyped file and we are unable to see until the end. – Phosphorescent
Yes the file is exactly with the same name...It is absolutely not mistyped.:) – Fustigate
T
0

Look at the various scripts under 'src/examples/scripts' and they will show you one easy way to control where the ESAPI.properties file is found. (This is for ESAPI 2.0 or later.)

You will find a copy of the ESAPI.properties file under 'configuration/esapi'.

Taddeo answered 9/10, 2011 at 5:12 Comment(2)
Any of these show how to make this load faster? its soooo damn slow right now. It would be great if i could configure it not to try 4 different file system locations.... – Geanticlinal
What's your definition of slow? On every application where I've implemented ESAPI, a human can blink in the time it takes for the properties to load. – Orsola
F
0
  1. Extract the esapi jar
  2. create a folder named resources under org.owasp.esapi
  3. copy ESAPI.properties to the org.owasp.esapi.resources
  4. Build and deploy
Fritz answered 26/6, 2014 at 20:22 Comment(0)
H
0

Extract the jar and add the properties file under the resources folder.

Initially I was getting the same error; after updating the properties file it worked for me.

Heulandite answered 30/9, 2014 at 12:21 Comment(0)
C
0

Thanks for providing the information

-Dorg.owasp.esapi.resources="path\to\project\root\resources"

This is a good source of information and has resolved my issue

Convivial answered 15/1, 2016 at 20:36 Comment(0)
N
0

I had the same problem too. I resolved it using a little bit of James Drinkard's solution. What I basically did was create a new folder named ESAPI and add the ESAPI.properties file, Validation.properties, and the ESAPI-AccessControlPolicy.xml. Then I archived it into a jar file, added it to the lib folder under WebContent/WEB-INF, added it to the build path, and it worked.

*To archive it into a jar file I used windows command move ESAPI ESAPI.jar

Neume answered 17/1, 2018 at 20:28 Comment(0)
