[Esapi-dev] Issue with ESAPI.properties using ESAPI-1.4.3

Johan Lim johanlim76 at gmail.com
Wed Jan 27 19:17:54 EST 2010


Hi Jim,
Glad that we finally found the issue.
Just let me know once the version is ready and I will run it on my side.

Johan

On Thu, Jan 28, 2010 at 11:14 AM, Jim Manico <jim.manico at owasp.org> wrote:

> I'm predicting that 1.4.4 will go out this week, due to this info. This is
> a significant problem. Your offer to help test in your environment will help
> dramatically.
>
> Give me a few hours to test and research this more + I'll post 1.4.4-RC1
> attempting to solve this problem.
>
> Thank you Johan,
> - Jim
>
>
>  Hi Jim
>
> Sure I can test your fix, just let me know the instructions to get the new
> version.
> If the new version fixes the issue, when will there be a new release with the
> fix?
>
> Johan
>
> On Thu, Jan 28, 2010 at 11:06 AM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> No, it should be File.separator. This is the problem.
>>
>> Johan, if you want, I'll cut you a new version from trunk - would you care to
>> test my fix?
>>
>> - Jim
>>
>>
>>
>>  Hi Chris, Jim,
>>
>> Here is an update on my status.
>>
>> 1) Changing the "resources" directory to ".resources" is still not working
>> 2) Using the ".esapi" directory does not work
>> 3) Chris, thanks for the tip, by dropping -D from the property name, the
>> server is able to pick up the ESAPI.properties. :)
>> 4) Will not hard code the properties now.
>>
>> Now that by setting the System Properties as mentioned in point 3 above
>> the server is able to find the ESAPI.properties, I am able to continue with
>> the enhancement for now. But would like to be able to just add the
>> properties file into the "resources" folder in the "WEB-INF\classes" as this
>> will not require the customer to change their server setting.
>>
>> Jim, I had a brief look at the code below, just wondering if the problem
>> is in this line "fileUrl = ClassLoader.getSystemResource("resources/" +
>> filename);" as it uses the "/" instead of "\"?
>>
>> Johan
>>
>>
>>
>> On Thu, Jan 28, 2010 at 10:57 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> Chris,
>>>
>>> It's "resources" since some OS's do not support folder names like
>>> ".esapi"
>>>
>>> Take a look at the function
>>>
>>> getResourceFile at
>>>
>>> http://owasp-esapi-java.googlecode.com/svn/trunk/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
>>>
>>> This code changed significantly recently. We are now specifically trying
>>> to load a URI to the file in order to fix other issues. This is where the
>>> problem is. I'm researching this in more detail now.
>>>
>>>     // if not found, look for a directory named 'resources' on the classpath
>>>     fileUrl = ClassLoader.getSystemResource("resources/" + filename);
>>>     if(fileUrl != null) {
>>>         String resource = fileUrl.getFile();
>>>
>>>         URI uri = null;
>>>         try {
>>>             uri = new URI("file://" + resource);
>>>         } catch (Exception e) {}
>>>
>>>         if (uri != null) {
>>>             f = new File( uri );
>>>             if ( f.exists() ) {
>>>                 logSpecial( "  Found in SystemResource Directory /resources: " + f.getAbsolutePath(), null );
>>>                 return f;
>>>             } else {
>>>                 logSpecial( "  Not found in SystemResource Directory /resources (this should never happen): " + f.getAbsolutePath(), null );
>>>             }
>>>         } else {
>>>             logSpecial( "  (uri null) Not found in SystemResource Directory /resources (this should never happen)", null );
>>>         }
>>>     } else {
>>>         logSpecial( "  Not found in SystemResource Directory /resources: " + "resources/" + filename, null );
>>>     }
>>>
>>>
>>>
>>> - Jim
>>>
>>>
>>> 1. I believe (Jim, correct me if I am wrong) that the resources directory
>>> should be .resources
>>> 2. Not sure off the top of my head
>>> 3. Drop the -D from the property name
>>> 4. It is possible that where you are trying to set it programmatically
>>> the ESAPI has already been initialized before your code point was reached
>>>
>>> System
>>>
>>> On Wed, Jan 27, 2010 at 4:34 PM, Johan Lim <johanlim76 at gmail.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I am in need of help with the properties file issue as I have already
>>>> spent a day on this issue. I have downloaded ESAPI-version 1.4.3.
>>>> The issue is that my Web-app is not able to locate the ESAPI.properties
>>>> file, I keep getting the following error messages:
>>>>
>>>>
>>>> [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Seeking
>>>> ESAPI.properties
>>>>
>>>> [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Not found in
>>>> 'org.owasp.esapi.resources' directory or file not readable: C:\Program
>>>> Files\IBM\WebSphere Studio\Application Developer IE\v5.1.1\ESAPI.properties
>>>>
>>>> [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Not found in
>>>> SystemResource Directory/resourceDirectory: null/ESAPI.properties
>>>>
>>>> [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Not found in
>>>> SystemResource Directory/.esapi: .esapi/ESAPI.properties
>>>>
>>>> [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Not found in
>>>> SystemResource Directory /resources: resources/ESAPI.properties
>>>>
>>>> [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Not found in
>>>> SystemResource Directory: ESAPI.properties
>>>>
>>>> [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Not found in
>>>> 'user.home' directory: C:\Documents and
>>>> Settings\johan\.esapi\ESAPI.properties
>>>>
>>>> [28/01/10 10:24:38:690 EST] 23bda0f0 SystemOut O Failed to load security
>>>> configuration
>>>>
>>>> I am using WSAD 5.1.1 to do my development and using Windows XP OS. This
>>>> is what I have done so far:
>>>>
>>>> 1) Add a folder "resources" to "WEB-INF\classes" directory
>>>>
>>>> 2) Add a folder ".esapi" to "WEB-INF\classes" directory
>>>>
>>>> 3) Update the WAS Test Server environment. Add the following line into
>>>> the System Properties: Name =-Dorg.owasp.esapi.resources, Value =
>>>> C:\temp\resources
>>>>
>>>> 4) Explicitly add the properties file with the following line "
>>>> System.setProperty("org.owasp.esapi.resources",
>>>> "C:\\temp\\resources\\ESAPI.properties");"
>>>>
>>>> None of the above steps I have tried worked. Please help as I am not
>>>> able to move forward with my enhancement.
>>>>
>>>>
>>>>
>>>> Thanks.
>>>>
>>>>
>>>>
>>>> Johan
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Esapi-dev mailing list
>>>> Esapi-dev at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/esapi-dev
>>>>
>>>>
>>>
>>>
>>> --
>>> Chris Schmidt
>>>
>>> OWASP ESAPI Developer
>>> http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
>>>
>>> Check out OWASP ESAPI for Java
>>> http://code.google.com/p/owasp-esapi-java/
>>>
>>> OWASP ESAPI for JavaScript
>>> http://code.google.com/p/owasp-esapi-js/
>>>
>>> Yet Another Developers Blog
>>> http://yet-another-dev.blogspot.com
>>>
>>> Bio and Resume
>>> http://www.digital-ritual.net/resume.html
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Jim Manico
>>> OWASP Podcast Host/Producer
>>> OWASP ESAPI Project Manager
>>> http://www.manico.net
>>>
>>>
>>
>>
>> --
>> Jim Manico
>> OWASP Podcast Host/Producer
>> OWASP ESAPI Project Manager
>> http://www.manico.net
>>
>>
>
>
> --
> Jim Manico
> OWASP Podcast Host/Producer
> OWASP ESAPI Project Manager
> http://www.manico.net
>
>
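
An added example, not ESAPI's code and not written by anyone in this thread: a hypothetical `ResourceLocator` that walks the same search order as the log quoted above, but also asks the thread-context and webapp class loaders and converts the resulting URL with `toURI()`. The class name, the prefix order and the loader order are assumptions.

```java
import java.io.File;
import java.net.URISyntaxException;
import java.net.URL;

/** Hypothetical helper (not ESAPI code): find a config file using the search order shown in the log. */
public class ResourceLocator {
    // Class-loader resource names use '/' on every platform, Windows included.
    private static final String[] PREFIXES = { ".esapi/", "resources/", "" };

    public static File find(String filename) {
        // 1) System property, treated as a directory (the log calls it a directory).
        String dir = System.getProperty("org.owasp.esapi.resources");
        if (dir != null) {
            File f = new File(dir, filename);
            if (f.canRead()) return f;
        }
        // 2) Class loaders, most specific first. In a servlet container the webapp's
        //    WEB-INF/classes is normally visible to the context/webapp loader only,
        //    not to the system class loader.
        ClassLoader[] loaders = {
            Thread.currentThread().getContextClassLoader(),
            ResourceLocator.class.getClassLoader(),
            ClassLoader.getSystemClassLoader()
        };
        for (ClassLoader cl : loaders) {
            if (cl == null) continue;
            for (String prefix : PREFIXES) {
                File f = toFile(cl.getResource(prefix + filename));
                if (f != null && f.canRead()) return f;
            }
        }
        // 3) Per-user fallback, matching the 'user.home' line in the log.
        File home = new File(System.getProperty("user.home"), ".esapi/" + filename);
        return home.canRead() ? home : null;
    }

    // new File(url.toURI()) decodes %20, so a path such as "C:\Program Files\..." survives.
    static File toFile(URL url) {
        if (url == null || !"file".equals(url.getProtocol())) return null;
        try {
            return new File(url.toURI());
        } catch (URISyntaxException e) {
            return new File(url.getPath()); // URL with raw spaces: use the path as given
        } catch (IllegalArgumentException e) {
            return null;                    // e.g. file URL with an authority part
        }
    }

    public static void main(String[] args) {
        File f = find("ESAPI.properties");
        System.out.println(f == null ? "Failed to load security configuration" : "Found: " + f);
    }
}
```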