[Esapi-dev] Issue with ESAPI.properties using ESAPI-1.4.3

Johan Lim johanlim76 at gmail.com
Wed Jan 27 19:09:29 EST 2010 

Hi Jim

Sure I can test your fix, just let me know the instructions to get the new
version.
If the new version fix the issue, when will there be a new release with the
fix?

Johan

On Thu, Jan 28, 2010 at 11:06 AM, Jim Manico <jim.manico at owasp.org> wrote:

> No, it should be File.separator. This is the problem.
>
> Johan, if you want, I'll cut you a new version from trunk - would care to
> test my fix?
>
> - Jim
>
>
>
>  Hi Chris, Jim,
>
> Here is an update on my status.
>
> 1) Changes the "resources" directory to ".resources" still not working
> 2) Using the ".esapi" directory does not work
> 3) Chris, thanks for the tip, by dropping -D from the property name, the
> server is able to pick up the ESAPI.properties. :)
> 4) Will not hard code the properties now.
>
> Now that by setting the System Properties as mention in point 3  above  the
> server is able to find the ESAPI.properties, I am able to continue with the
> enhancement for now. But would like to be able to just add the properties
> file into the "resources" folder in the "WEB-INF\classes" as this will not
> require the customer to change their server setting.
>
> Jim, I have a  brief look at the code below, just wondering if the problem
> is in this line "fileUrl = ClassLoader.getSystemResource("resources/" +
> filename);" as it uses the "/" instead or "\"?
>
> Johan
>
>
>
> On Thu, Jan 28, 2010 at 10:57 AM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Chris,
>>
>> It's "resources" since some OS's do not support folder names like ".esapi"
>>
>> Take a look at the function
>>
>> getResourceFile at
>>
>> http://owasp-esapi-java.googlecode.com/svn/trunk/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
>>
>> This code changed significantly recently. We are now specifically trying
>> to load a URI to the file in order to fix other issues. This is where the
>> problem is. I'm researching this in more detail now.
>>
>>     	// if not found, look for a directory named 'resources' on the classpath
>>         fileUrl = ClassLoader.getSystemResource("resources/" + filename);
>>     	if(fileUrl != null) {
>>      		String resource = fileUrl.getFile(); 		
>>      		
>>      		URI uri = null;
>>      		try {
>>      			uri = new URI("file://" + resource);
>>      		} catch (Exception e) {}
>>      		
>>      		if (uri != null) {	
>>      			f = new File( uri );
>> 	        	if ( f.exists() ) {
>> 	            	logSpecial( "  Found in SystemResource Directory /resources: " + f.getAbsolutePath(), null );
>> 	            	return f;
>> 	        } else {
>> 	            	logSpecial( "  Not found in SystemResource Directory /resources (this should never happen): " + f.getAbsolutePath(), null );
>> 	        	}
>>      		} else {
>>      			logSpecial( "  (uri null) Not found in SystemResource Directory /resources (this should never happen)", null );
>>      		}
>>     	} else {
>>     		logSpecial( "  Not found in SystemResource Directory /resources: " + "resources/" + filename, null );
>>     	}
>>
>>
>>
>> - Jim
>>
>>
>> 1. I believe (Jim, correct me if I am wrong) that the resources directory
>> should be .resources
>> 2. Not sure off the top of my head
>> 3. Drop the -D from the property name
>> 4. It is possible that where you are trying to set it programmatically the
>> ESAPI has already been initialized before your code point was reached
>>
>> System
>>
>> On Wed, Jan 27, 2010 at 4:34 PM, Johan Lim <johanlim76 at gmail.com> wrote:
>>
>>> Hi All,
>>>
>>> I am in need of help with the properties file issue as I have already
>>> spend a day on this issue. I have downloaded ESAPI-version 1.4.3.
>>> The issue is that my Web-app is not able to locate the ESAPI.properties
>>> file, I keep getting the following error messages:
>>>
>>>
>>> [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Seeking ESAPI.properties
>>>
>>> [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Not found in
>>> 'org.owasp.esapi.resources' directory or file not readable: C:\Program
>>> Files\IBM\WebSphere Studio\Application Developer IE\v5.1.1\ESAPI.properties
>>>
>>> [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Not found in
>>> SystemResource Directory/resourceDirectory: null/ESAPI.properties
>>>
>>> [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Not found in
>>> SystemResource Directory/.esapi: .esapi/ESAPI.properties
>>>
>>> [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Not found in
>>> SystemResource Directory /resources: resources/ESAPI.properties
>>>
>>> [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Not found in
>>> SystemResource Directory: ESAPI.properties
>>>
>>> [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Not found in 'user.home'
>>> directory: C:\Documents and Settings\johan\.esapi\ESAPI.properties
>>>
>>> [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Failed to load security
>>> configuration
>>>
>>> I am using WSAD 5.1.1 to do my development and using Windows XP OS. This
>>> is what I have done so far:
>>>
>>> 1) Add a folder "resources" to "WEB-INF\classes" directory
>>>
>>> 2) Add a folder ".esapi" to "WEB-INF\classes" directory
>>>
>>> 3) Update the WAS Test Server environment. Add the following line into
>>> the System Properties: Name =-Dorg.owasp.esapi.resources, Value =
>>> C:\temp\resources
>>>
>>> 4) Explicitly add the properties file with the following line "
>>> System.setProperty("org.owasp.esapi.resources",
>>> "C:\\temp\\resources\\ESAPI.properties");"
>>>
>>> None of the above steps I have tried worked. Please help as I am not able
>>> to move forward with my enhancement.
>>>
>>>
>>>
>>> Thanks.
>>>
>>>
>>>
>>> Johan
>>>
>>>
>>>
>>> _______________________________________________
>>> Esapi-dev mailing list
>>> Esapi-dev at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/esapi-dev
>>>
>>>
>>
>>
>> --
>> Chris Schmidt
>>
>> OWASP ESAPI Developer
>> http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
>>
>> Check out OWASP ESAPI for Java
>> http://code.google.com/p/owasp-esapi-java/
>>
>> OWASP ESAPI for JavaScript
>> http://code.google.com/p/owasp-esapi-js/
>>
>> Yet Another Developers Blog
>> http://yet-another-dev.blogspot.com
>>
>> Bio and Resume
>> http://www.digital-ritual.net/resume.html
>>
>>
>> _______________________________________________
>> Esapi-dev mailing listEsapi-dev at lists.owasp.orghttps://lists.owasp.org/mailman/listinfo/esapi-dev
>>
>>
>>
>> --
>> Jim Manico
>> OWASP Podcast Host/Producer
>> OWASP ESAPI Project Managerhttp://www.manico.net
>>
>>
>
>
> --
> Jim Manico
> OWASP Podcast Host/Producer
> OWASP ESAPI Project Managerhttp://www.manico.net
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/esapi-dev/attachments/20100128/19835fc0/attachment-0001.html

More information about the Esapi-dev mailing list