[Esapi-user] Thoughts on ESAPI's EncryptedProperties

Kevin W. Wall kevin.w.wall at gmail.com
Sat Apr 24 13:56:27 EDT 2010

As I started going through ESAPI's EncryptedProperties
interface and DefaultEncryptedProperties reference implementation,
I realized that one can not place encrypted properties and plaintext
properties in the same Java properties file.

I was wondering if that was a issue for anyone? At my day job,
my application security team provides a class that allows both
to be placed into the same jar.  The way that this works is
that any property name that contains '.sensitive' in the property
name is assumed to be encrypted so that when a getProperty() is
called with such a property name, it knows that to expect that such
a property is encrypted. All others are assumed to be unencrypted.

We provided this behavior at the request of several development teams
who do not want to keep around separate properties files for sensitive
information. (I imagine in part because all the changes to their documentation
this would cause.)

Anyway, this sort of thing is pretty easy to write and I've thought
of providing it either as an example under "src/examples/java" or
to just provide it as a class within ESAPI proper.  (However, if I do
the latter, I will wait for the 2.1 branch has I don't wish to start
adding feeping creaturism like this into the 2.0 trunk.)

So what are your thoughts? Would something like that be useful?

And if you think "yes", do you think it should be placed into
an examples file now (in 2.0) or in a future version of core
ESAPI (2.1 or 3.0 or whatever the next branch will be)?

Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME

More information about the Esapi-user mailing list