[Esapi-dev] Issue with ESAPI.properties using ESAPI-1.4.3

Jim Manico jim.manico at owasp.org
Wed Jan 27 19:06:41 EST 2010 

No, it should be File.separator. This is the problem.

Johan, if you want, I'll cut you a new version from trunk - would care 
to test my fix?

- Jim


> Hi Chris, Jim,
> Here is an update on my status.
> 1) Changes the "resources" directory to ".resources" still not working
> 2) Using the ".esapi" directory does not work
> 3) Chris, thanks for the tip, by dropping -D from the property name, 
> the server is able to pick up the ESAPI.properties. :)
> 4) Will not hard code the properties now.
> Now that by setting the System Properties as mention in point 3  
> above  the server is able to find the ESAPI.properties, I am able to 
> continue with the enhancement for now. But would like to be able to 
> just add the properties file into the "resources" folder in the 
> "WEB-INF\classes" as this will not require the customer to change 
> their server setting.
> Jim, I have a  brief look at the code below, just wondering if the 
> problem is in this line "fileUrl = 
> ClassLoader.getSystemResource("resources/" + filename);" as it uses 
> the "/" instead or "\"?
> Johan
>
>
>
> On Thu, Jan 28, 2010 at 10:57 AM, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>
>     Chris,
>
>     It's "resources" since some OS's do not support folder names like
>     ".esapi"
>
>     Take a look at the function
>
>     getResourceFile at
>
>     http://owasp-esapi-java.googlecode.com/svn/trunk/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
>          
>
>     This code changed significantly recently. We are now specifically
>     trying to load a URI to the file in order to fix other issues.
>     This is where the problem is. I'm researching this in more detail now.
>
>          	// if not found, look for a directory named 'resources' on the classpath
>              fileUrl = ClassLoader.getSystemResource("resources/" + filename);
>          	if(fileUrl != null) {
>           		String resource = fileUrl.getFile(); 		
>           		
>           		URI uri = null;
>           		try {
>           			uri = new URI("file://"  + resource);
>           		} catch (Exception e) {}
>           		
>           		if (uri != null) {	
>           			f = new File( uri );
>     	        	if ( f.exists() ) {
>     	            	logSpecial( "  Found in SystemResource Directory /resources: " + f.getAbsolutePath(), null );
>     	            	return f;
>     	        } else {
>     	            	logSpecial( "  Not found in SystemResource Directory /resources (this should never happen): " + f.getAbsolutePath(), null );
>     	        	}
>           		} else {
>           			logSpecial( "  (uri null) Not found in SystemResource Directory /resources (this should never happen)", null );
>           		}
>          	} else {
>          		logSpecial( "  Not found in SystemResource Directory /resources: " + "resources/" + filename, null );
>          	}
>
>
>
>     - Jim
>
>
>>     1. I believe (Jim, correct me if I am wrong) that the resources
>>     directory should be .resources
>>     2. Not sure off the top of my head
>>     3. Drop the -D from the property name
>>     4. It is possible that where you are trying to set it
>>     programmatically the ESAPI has already been initialized before
>>     your code point was reached
>>
>>     System
>>
>>     On Wed, Jan 27, 2010 at 4:34 PM, Johan Lim <johanlim76 at gmail.com
>>     <mailto:johanlim76 at gmail.com>> wrote:
>>
>>         Hi All,
>>         I am in need of help with the properties file issue as I have
>>         already spend a day on this issue. I have downloaded
>>         ESAPI-version 1.4.3.
>>         The issue is that my Web-app is not able to locate the
>>         ESAPI.properties file, I keep getting the following error
>>         messages:
>>
>>         [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Seeking
>>         ESAPI.properties
>>
>>         [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Not found in
>>         'org.owasp.esapi.resources' directory or file not readable:
>>         C:\Program Files\IBM\WebSphere Studio\Application Developer
>>         IE\v5.1.1\ESAPI.properties
>>
>>         [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Not found in
>>         SystemResource Directory/resourceDirectory: null/ESAPI.properties
>>
>>         [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Not found in
>>         SystemResource Directory/.esapi: .esapi/ESAPI.properties
>>
>>         [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Not found in
>>         SystemResource Directory /resources: resources/ESAPI.properties
>>
>>         [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Not found in
>>         SystemResource Directory: ESAPI.properties
>>
>>         [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Not found in
>>         'user.home' directory: C:\Documents and
>>         Settings\johan\.esapi\ESAPI.properties
>>
>>         [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Failed to
>>         load security configuration
>>
>>         I am using WSAD 5.1.1 to do my development and using Windows
>>         XP OS. This is what I have done so far:
>>
>>         1) Add a folder "resources" to "WEB-INF\classes" directory
>>
>>         2) Add a folder ".esapi" to "WEB-INF\classes" directory
>>
>>         3) Update the WAS Test Server environment. Add the following
>>         line into the System Properties: Name
>>         =-Dorg.owasp.esapi.resources, Value = C:\temp\resources
>>
>>         4) Explicitly add the properties file with the following line
>>         "System.setProperty("org.owasp.esapi.resources",
>>         "C:\\temp\\resources\\ESAPI.properties");"
>>
>>         None of the above steps I have tried worked. Please help as I
>>         am not able to move forward with my enhancement.
>>
>>         Thanks.
>>
>>         Johan
>>
>>
>>         _______________________________________________
>>         Esapi-dev mailing list
>>         Esapi-dev at lists.owasp.org <mailto:Esapi-dev at lists.owasp.org>
>>         https://lists.owasp.org/mailman/listinfo/esapi-dev
>>
>>
>>
>>
>>     -- 
>>     Chris Schmidt
>>
>>     OWASP ESAPI Developer
>>     http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
>>
>>     Check out OWASP ESAPI for Java
>>     http://code.google.com/p/owasp-esapi-java/
>>
>>     OWASP ESAPI for JavaScript
>>     http://code.google.com/p/owasp-esapi-js/
>>
>>     Yet Another Developers Blog
>>     http://yet-another-dev.blogspot.com
>>     <http://yet-another-dev.blogspot.com/>
>>
>>     Bio and Resume
>>     http://www.digital-ritual.net/resume.html
>>
>>
>>     _______________________________________________
>>     Esapi-dev mailing list
>>     Esapi-dev at lists.owasp.org  <mailto:Esapi-dev at lists.owasp.org>
>>     https://lists.owasp.org/mailman/listinfo/esapi-dev
>>        
>
>
>     -- 
>     Jim Manico
>     OWASP Podcast Host/Producer
>     OWASP ESAPI Project Manager
>     http://www.manico.net  <http://www.manico.net/>
>
>


-- 
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/esapi-dev/attachments/20100127/34fd19ab/attachment.html

More information about the Esapi-dev mailing list