[Esapi-dev] Accessing esapi.properties in restricted environment
Kevin W. Wall
kevin.w.wall at gmail.com
Thu Sep 2 21:33:30 EDT 2010
> Chris Schmidt wrote:
>>
>> Have you tried passing the path in as a system property on the command
>> line?
>>
>> -Dorg.owasp.esapi.resources="C:\temp\resources"
Calderon, Juan Carlos (GE, Corporate, consultant) wrote:
> Hi Chris
>
> It is not an option, since we do not manage the webserver and thus doing that
> would be very bureaucratic and might not be approved after all

Instead of passing the property via the command line, how about doing the
equivalent somewhere in your code, say in a static initializer (or a
"start-up" class, if your application server supports such a thing) using

    System.setProperty("org.owasp.esapi.resources", "C:\\temp\\resources");

If that doesn't work for you, you should be able to load it from your classpath.
If it can't find it via the file system, it will try to load it from a variety
of classpaths. Rather than wasting words (as I usually do! ;), I'll refer
you to the logic in the private method
DefaultSecurityConfiguration.loadConfigurationFromClasspath(String)
For logic, see the loadConfigurationFromClasspath() method in
<http://owasp-esapi-java.googlecode.com/svn/trunk/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java>
You should be able to use this as long as you can control the classpath that
your application uses (or you can trust anything earlier in the classpath).
-kevin
--
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents." -- Nathaniel Borenstein, co-creator of MIME
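
The two options discussed in this message (setting the property from code, then falling back to the classpath) as an added example that is not part of the original post and not ESAPI code. The class name `EsapiBootstrap`, the file name `ESAPI.properties`, and the choice to check only the classpath root and to fail when more than one copy is visible are assumptions of this sketch; the property name and directory are the ones from the thread.

```java
import java.io.File;
import java.io.IOException;
import java.net.URL;
import java.util.Collections;
import java.util.List;

// Added example (hypothetical helper). Call EsapiBootstrap.init() from a
// static initializer or start-up class, before the first ESAPI call.
public final class EsapiBootstrap {
    static final String PROP = "org.owasp.esapi.resources"; // property name from the thread
    static final String DIR  = "C:\\temp\\resources";       // directory from the thread
    static final String FILE = "ESAPI.properties";          // assumed configuration file name

    private EsapiBootstrap() {}

    /** Sets the property if the directory is usable; returns the source that will be used. */
    public static String init() throws IOException {
        // Respect a value already supplied with -D on the command line.
        String dir = System.getProperty(PROP, DIR);
        File f = new File(dir, FILE);
        if (f.isFile() && f.canRead()) {
            System.setProperty(PROP, dir);
            return "file:" + f.getCanonicalPath();
        }
        // The file system lookup would fail, so the classpath decides.
        List<URL> copies = classpathCopies(FILE);
        if (copies.isEmpty()) {
            throw new IllegalStateException(FILE + " not found in " + dir + " or on the classpath");
        }
        if (copies.size() > 1) {
            // An earlier classpath entry shadows later ones. Fail closed instead of
            // silently running with whichever copy happens to come first.
            throw new IllegalStateException("Multiple " + FILE + " on classpath: " + copies);
        }
        return "classpath:" + copies.get(0);
    }

    /** Lists every copy of the named resource visible at the classpath root. */
    static List<URL> classpathCopies(String name) throws IOException {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        if (cl == null) {
            cl = EsapiBootstrap.class.getClassLoader();
        }
        return Collections.list(cl.getResources(name));
    }

    public static void main(String[] args) throws IOException {
        System.out.println("ESAPI configuration source: " + init());
    }
}
```

Logging the returned source at start-up gives an audit trail of which configuration file the security controls were actually loaded from.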