[OWASP-ESAPI] properties Not found in 'org.owasp.esapi.resources' directory

Joanne Sun joannehsun at gmail.com
Fri Nov 13 18:05:19 EST 2009


I have tried to add
-Dorg.owasp.esapi.SupressConfigurationLogging=true in build.xml
and
ESAPI.printProperties=false in ESAPI.properties

but they do not seem to work.  Maybe I did not do it correctly? Or is there
no workaround to suppress these messages using ESAPI-2.0rc2.jar (except
changing the source code)? Then when is the next version available?

Thanks.
On Fri, Nov 13, 2009 at 7:15 AM, Rob Spremulli <rob.spremulli at gmail.com> wrote:

> I actually logged an issue for this:
> http://code.google.com/p/owasp-esapi-java/issues/detail?id=58
>
> If the logger is configured before instantiating the securityConfig
> (through the ESAPI.setLogFactory method) then it should absolutely be using
> configured logging.  A more global solution may be to start an app with an
> additional parameter which would put ESAPI into a debug mode and print all
> this data; this solution could be applied to other classes as well.
>
> Alternatively, a simpler fix for 2.0 could be to make the logSpecial method
> protected so a subclass of the DefaultSecurityConfig could alter its
> behavior.
>
> On Fri, Nov 13, 2009 at 8:59 AM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
>
>> Joanne Sun wrote:
>>
>> >> *From:* Joanne Sun <joannehsun at gmail.com>
>> >>
>> >> Thanks. Where can I decrease log granularity? I have to turn it off before
>> >> shipping the product to customers.
>> >>
>> >> I used the class jar. Is the log configuration on some document?
>> >>
>> >> Thank you,
>> >>
>> >> Joanne
>> >>
>> >> On Mon, Jul 27, 2009 at 10:48 AM, Jim Manico <jim.manico at owasp.org> wrote:
>> >>
>> >>> These are just log messages showing ESAPI hunting for an ESAPI.properties
>> >>> file.... If you want to turn them off you can decrease log granularity -
>> >>> but I prefer to leave them on so I can debug startup issues (like an admin
>> >>> moves to a different server and things start to break, etc).
>>
>> > Hi Jim, I tried to change log4j.xml from debug to fatal, but it does not
>> > work.
>> >
>> > If I use JUL, how to remove the following message? Thanks,
>> > ".
>> > Seeking ESAPI.properties
>> >   Not found in 'org.owasp.esapi.resources' directory:
>> > C:\hsun\work\sd\temp\weblogic-10.3.1\rtd\ESAPI.properties
>> >   Not found in SystemResource Directory/resourceDirectory:
>> > .esapi/ESAPI.properties
>> >   Not found in SystemResource Directory/.esapi: .esapi/ESAPI.properties
>> >   Not found in SystemResource Directory: ESAPI.properties
>> >   Not found in 'user.home' directory: C:\Documents and
>> > Settings\josun\.esapi\ESAPI.properties
>> >   Found on classpath
>> > Loaded properties file
>> > Seeking validation.properties
>> >   Not found in 'org.owasp.esapi.resources' directory:
>> > C:\hsun\work\sd\temp\weblogic-10.3.1\rtd\validation.properties
>> >   Not found in SystemResource Directory/resourceDirectory:
>> > .esapi/validation.properties
>> >   Not found in SystemResource Directory/.esapi: .esapi/validation.properties
>> >   Not found in SystemResource Directory: validation.properties
>> >   Not found in 'user.home' directory: C:\Documents and
>> > Settings\josun\.esapi\validation.properties
>> >   Found on classpath
>> > Loaded properties file
>>
>> Joanne,
>>
>> These messages come from the reference implementation of the
>> SecurityConfiguration interface (i.e., DefaultSecurityConfiguration).
>>
>> The logging there does *not* use either log4j or the Java logging, but
>> rather logs via 'System.out.println()'. The reason for this is that these
>> log messages are done *prior to* locating the ESAPI.properties file
>> and hence at that time it would not be known what your preferred logging
>> mechanism would be--be it log4j or Java logging. Plus, there is an
>> additional
>> chicken-and-the-egg problem of what to do if the logging mechanism that
>> _was_ chosen was not properly configured. How would you know in that
>> case?
>>
>> I have already "quieted" the logging part about seeking the various files
>> and figured for most cases it is tolerable, but I think it is useful to
>> have
>> not only when these property files are _not_ found, but even when they are
>> because the ones that are found may not be the ones that you *intended* to
>> be found.
>>
>> So at this point the only thing we could do would be to have something to
>> suppress the ESAPI configuration logging, perhaps through setting a system
>> property. E.g.,
>>    java -Dorg.owasp.esapi.SupressConfigurationLogging=true ...
>>
>> Now onto the second part...
>>
>> >   ========Master Configuration========
>> >   ResourceDirectory: .esapi
>> >   |   Authenticator.AbsoluteTimeoutDuration=120
>> >   |   Authenticator.AllowedLoginAttempts=3
>> >   |   Authenticator.IdleTimeoutDuration=20
>> >   |   Authenticator.MaxOldPasswordHashes=13
>> >   |   Authenticator.PasswordParameterName=password
>> >   |   Authenticator.RememberTokenDuration=14
>> >   |   Authenticator.UsernameParameterName=username
>> <...snip...>
>>
>> Currently, in the latest release candidate build, the section of code that
>> prints these properties is commented out (looks like in revision 733)
>> along
>> with a comment:
>>        //FIXME - make this chunk configurable
>>
>> I had added code at one point to allow this to be disabled via setting the
>> property
>>
>>        ESAPI.printProperties=false
>>
>> in your ESAPI.properties file and had set it this way in the
>> ESAPI.properties
>> that we use with the JUnit tests, but obviously with the code chunk that
>> is
>> printing these properties out--also to System.out BTW, although at that
>> point
>> we could at least *try* to log using the preferred logging mechanism (maybe
>> that's what the FIXME comment referred to???)--it does not really matter
>> whether the value of ESAPI.printProperties is set to true or false. They
>> are not going to be printed out any longer until the commented out code
>> is restored.
>>
>> You may have noticed that I've CC'd the owasp-esapi list on this. That's
>> because I'm interested in getting more feedback on this. I too can see
>> how printing out the info that Joanne wants to get rid of can be
>> distracting
>> to customers, but yet at times--especially when you are
>> troubleshooting--it
>> can be *very* helpful (the only other reasonable alternative being using
>> a debugger).
>>
>> So what's everyone's thoughts on this? How should we treat it?
>>
>> -kevin
>> --
>> Kevin W. Wall
>> "The most likely way for the world to be destroyed, most experts agree,
>> is by accident. That's where we come in; we're computer professionals.
>> We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
>
>
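
Added example, not part of the thread and not ESAPI code: because the messages discussed above are written with System.out.println() before any logger is chosen, an application can capture System.out around its first ESAPI call and replay the lines through java.util.logging at FINE, which keeps them available for troubleshooting but hidden at the default INFO level. The class name, logger name and the fakeEsapiInit() stand-in are assumptions; Java 8 or later is assumed.

```java
import java.io.ByteArrayOutputStream;
import java.io.PrintStream;
import java.util.logging.Level;
import java.util.logging.Logger;

public class QuietBootstrap {
    // Hypothetical logger name; FINE is below the default JUL level (INFO).
    private static final Logger LOG = Logger.getLogger("esapi.bootstrap");

    /** Runs init with System.out captured, then replays the captured lines at FINE. */
    static synchronized String runCaptured(Runnable init) {
        PrintStream original = System.out;
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        PrintStream capture = new PrintStream(buf, true);
        System.setOut(capture);
        try {
            init.run();
        } finally {
            capture.flush();
            System.setOut(original); // always restore, even if init throws
        }
        String captured = buf.toString(); // same default charset as the PrintStream
        for (String line : captured.split("\\R")) {
            if (!line.isEmpty()) {
                LOG.log(Level.FINE, line);
            }
        }
        return captured;
    }

    /** Constructed stand-in for the first ESAPI call; prints lines like those quoted in the thread. */
    static void fakeEsapiInit() {
        System.out.println("Seeking ESAPI.properties");
        System.out.println("  Not found in SystemResource Directory: ESAPI.properties");
        System.out.println("  Found on classpath");
        System.out.println("Loaded properties file");
    }

    public static void main(String[] args) {
        // In a real application, pass whatever call first triggers ESAPI's configuration loading.
        String captured = runCaptured(QuietBootstrap::fakeEsapiInit);
        System.out.println("application output is unaffected");
        System.out.println("captured " + captured.split("\\R").length + " bootstrap lines");
    }
}
```

System.setOut() is JVM-wide, so anything other threads print during the capture window is captured too; run this once, early in startup, before worker threads exist.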