[OWASP-ESAPI] Diff to allow ESAPI to build on MacOS X

Andrew van der Stock vanderaj at owasp.org
Thu Jul 10 00:12:17 EDT 2008 

ProGuard makes some terrible decisions due to the obfuscation rubbish  
it does. From their POV, there's not much point in obfuscating source  
if you're calling the runtime in the clear. So instead of doing the  
portable thing, it pulls in rt.jar and jsse.jar - even when it is not  
obfuscating. ProGuard should ignore JRE standard libraries when it's  
not obfuscating, as these libraries are part of the JRE on every  
platform.

Why's this an issue? rt.jar itself (the name and its location) is not  
defined by any JSR, it's just the way it has been with the Sun  
reference implementations for a long time. And of course, Apple chose  
that leeway to really reorganize the JDK layout to suit their needs.  
Some of their changes makes sense, other bits make no sense at all.

Apple's version of the Sun JDK splits rt.jar into classes.jar and  
ui.jar to minimize memory overhead and load times for non-UI Java  
programs, such as servlet containers. The Apple on disk layout is also  
very different compared to Sun's layout, but that's not so important  
as long as you just know that the framework you compiled to will be  
there when it's time to run.

Apple's layout allows them to officially support the simultaneous  
running of different versions of the JDK and even 32 and 64 bit  
programs at the same time. For example, Safari will only kick off 32  
bit Java applets and apps launched via JWS, but I have my JDK set to  
1.6, which is 64 bit only. So when I launch WebScarab from OWASP's web  
site, it's running on 32 bit Java 1.5, and yet Eclipse is running as a  
64 bit 1.6 JDK app. It's completely transparent to the user (unless  
you need lots of RAM for your app, and you run out), and it's pretty  
cool for testing purposes.

However, that's not the point of this e-mail.

ESAPI uses ProGuard to package the JAR. ProGuard sucks (see above). So  
here's a diff that gets around ProGuard and allows ESAPI to build and  
run on MacOS X, whilst still allowing it to (hopefully!) compile and  
run on other platforms that have the bog standard Sun JDK.

Can someone test the patch on Windows and Linux or Solaris, and if it  
works, commit it?

The diff requires ant 1.6.3 or later as I use the "else" attribute in  
the condition statement. Ant 1.6.3 was released in April 2005, so I  
think we can safely assume most folks who are prepared to *compile*  
ESAPI will have the necessary pre-requisites. It will not affect  
binary distributions of ESAPI.

thanks,
Andrew van der Stock

-------------- next part --------------
A non-text attachment was scrubbed...
Name: build.diff
Type: application/octet-stream
Size: 2730 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-esapi/attachments/20080710/637ed205/attachment.obj 
-------------- next part --------------






-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2458 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-esapi/attachments/20080710/637ed205/attachment.bin

More information about the OWASP-ESAPI mailing list