[Esapi-user] Feedback on ESAPI 1.4.2

Ed Schaller schallee at darkmist.net
Tue Jan 26 12:10:21 EST 2010


I can comment on a few of these.

> We are still on WebSphere 5.1 / Servlet 2.3 / JSP 1.2 so I had to remove a 
> few unsupported methods (as per Esapi 1.4).

Could you provide a list by any chance? I can look into some of them. I
can't remember if WAS 51 is a 1.4 JVM or 1.3. For my employer I need to
test on WAS 6.0 so I'm not too far ahead of you.

> Also had to add an unimplemented method to ExecutorTest.Conf to get it to 
> compile.

Yup... This is fixed in 1.4.3 that was just released. Sorry about
that. There aren't many changes except for this and NPE if you try to
use the encoders without a config file so you can probably migrate to
1.4.3 pretty easily.

> Can files named test* in folder src/main/resources be removed (are they 
> for test only)?

I'll try to look into this when I have a chance. There are a LOT of
issues with files and unit tests (take a look at ${user.home}/.esapi if
you don't believe me... I'm working on it...).

> I found the hint about setting "-Dorg.owasp.esapi.resources" in AllTests, 

I'm working on this one too. There are some rather annoying problems with
the way the unit tests interact with each other. Theoretically unit tests
should not affect each other but this is not currently the case. ESPI
makes use of a fair number of static fields and one test setting one
can affect another. I've got some code that is working better with the
resources directory but it's still not there yet.

> but also had to set variable "basedir=." as not set by my environment.

Really? Are you testing with maven or something else? Maven runs tests
through surefire and surefire sets this property so I've been using it
to find paths. What version of maven are you using?

> Some tests that expect "C:\\Windows" fail on our desktops (XP) which have 
> "C:\\WINNT" instead.

I fixed a fair number of these though I do most of my development in
linux and miss some windows issues. Can you do me a favor and log issues
for these and I'll look into them?

> Otherwise just failures in EncoderTest.testDoubleEncodingCanonicalization. 

Yup. This is the one that's still failing in 1.4.x

Thank's for using ESAPI and info on problems so we can make it better!

>>>------>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
Url : https://lists.owasp.org/pipermail/esapi-user/attachments/20100126/81776c04/attachment.bin 


More information about the Esapi-user mailing list