[Esapi-user] ESAPI Swingset

Kevin W. Wall kevin.w.wall at gmail.com
Wed Jan 13 23:36:13 EST 2010

Johan Lim wrote:
> Hi Jim,
> I would like to ask when will the new 1.4.2 version be out? At this stage I am
> not able to use the ESAPI 2.0 rc4 as the webapp needs to run on JDK1.4.
> Also with the properties file, in version 1.4, is there an easier way to
> extend it?


What do you mean by "extend it" (the properties file)? Do you want to add your
own properties to it? If so, I think not, unless you tweak the class
DefaultSecurityConfiguration or define your own class that implements the
SecurityConfiguration class and then reset the one that is used by calling

	ESAPI.setSecurityConfiguration(SecurityConfiguration newSecurityConfig)

The class that you provide would have to return the private instance of
the Properties object or define your own getter/setter methods for the
new properties. However, if that is your intent, I would not recommend it.
You would approach making the ESAPI properties available from (say) a database
using a similar strategy.

OTOH, you may just be asking how you can locate the ESAPI properties file
elsewhere (other than in the ESAPI jar file).

You can do that quite easily. First you would extract a copy from the ESAPI
jar file (at least until Jim releases version 1.4.2) and then make your changes
to that copy. Finally you would put it into a directory path that is defined
by the Java system property org.owasp.esapi.resources. E.g.,

	java ... -Dorg.owasp.esapi.resources=/full/path/to/your/ESAPI.properties

(Note: This should just be the full path name to the _directory_ where the
ESAPI.properties and validator.properties should be searched for, not the actual
path of those files.)

Hope this helps. If not, please elaborate on what you mean by "extending" the
ESAPI properties.

Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
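
A preflight check for the directory-versus-file point in the note above, as an added example that is not part of the original message or of ESAPI. The function name, its return codes and the permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight check for the value given to
# -Dorg.owasp.esapi.resources. The function name, return codes and the
# permission check are assumptions of this example, not part of ESAPI.
#
# check_esapi_resources PATH returns:
#   0  PATH is a directory holding both property files
#   1  PATH is a file (the file-instead-of-directory mistake)
#   2  PATH is not a directory
#   3  a property file is missing or unreadable
#   4  the directory or a property file is group- or world-writable
check_esapi_resources() {
    res=$1
    if [ -f "$res" ]; then
        echo "error: $res is a file; pass its directory: $(dirname "$res")" >&2
        return 1
    fi
    if [ ! -d "$res" ]; then
        echo "error: $res is not a directory" >&2
        return 2
    fi
    for f in ESAPI.properties validator.properties; do
        if [ ! -r "$res/$f" ]; then
            echo "error: $res/$f is missing or unreadable" >&2
            return 3
        fi
    done
    # Report anything other accounts could modify; -prune stops find
    # from descending into the directory itself.
    loose=$(find "$res" "$res/ESAPI.properties" "$res/validator.properties" \
        -prune \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$loose" ]; then
        echo "error: writable by group or others:" >&2
        echo "$loose" >&2
        return 4
    fi
    return 0
}

# Stand-alone use: sh check.sh /full/path/to/esapi/config
if [ "$#" -gt 0 ]; then
    check_esapi_resources "$1"
fi
```

Run it against the same value you intend to pass to java before starting the application.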
