[Esapi-user] Properties File modification

Kevin W. Wall kevin.w.wall at gmail.com
Sun Jul 11 10:30:24 EDT 2010

Owen Berger wrote:
> I was just trying to implement a MessageUtils class that acts as a
> centralized message-getting mechanism.  I was checking to see how ESAPI
> dealt with properties file changes, and noticed that in line 210 of the
> DefaultSecurityConfiguration:
> //    private static long lastModified = -1;
>  the lastModified variable had been commented out, as if there was
> consideration for this, but then it was removed.  Is there a security
> concern in checking for properties file changes each time they are
> called on, or is it enough just to check lastModified against the
> properties file and synchronize access to it?


I recall some discussion of this in the ESAPI-DEV list maybe 9 or 10
months ago. One problem with this approach is how much of the reference
model (org.owasp.esapi.reference.* classes) have been implemented.

Many of them set local variables up via static initialization or the
class's CTOR, and that would cause the properties used in such a manner
not to be impacted by ESAPI looking for changes to its ESAPI.properties.

It's generally agreed that our whole approach to ESAPI configuration
needs to be reinvestigated. But that is not likely to happen until
a future release.

Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
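
The caching effect described in the reply above, as an added Java example that is not part of the original message and is not ESAPI code. The class names `ReloadingConfig` and `CachingConsumer` and the property key `Demo.HashAlgorithm` are hypothetical, constructed for illustration.

```java
import java.io.*;
import java.nio.file.*;
import java.util.Properties;

public class ReloadDemo {
    // Hypothetical reloading configuration: re-reads the file when its mtime changes.
    static class ReloadingConfig {
        private final File file;
        private long lastModified = -1;
        private Properties props = new Properties();

        ReloadingConfig(File file) { this.file = file; }

        // synchronized so concurrent callers never see a partially loaded Properties
        synchronized String get(String key) throws IOException {
            long mtime = file.lastModified();
            if (mtime != lastModified) {
                Properties fresh = new Properties();
                try (InputStream in = new FileInputStream(file)) { fresh.load(in); }
                props = fresh;          // swap only after a complete, successful load
                lastModified = mtime;
            }
            return props.getProperty(key);
        }
    }

    // Copies the value once in its constructor, so later reloads never reach it.
    static class CachingConsumer {
        private final String algorithm;
        CachingConsumer(ReloadingConfig cfg) throws IOException {
            algorithm = cfg.get("Demo.HashAlgorithm");
        }
        String algorithm() { return algorithm; }
    }

    public static void main(String[] args) throws IOException {
        Path p = Files.createTempFile("demo", ".properties");   // constructed sample file
        Files.write(p, "Demo.HashAlgorithm=SHA-256\n".getBytes());
        ReloadingConfig cfg = new ReloadingConfig(p.toFile());
        CachingConsumer cached = new CachingConsumer(cfg);

        Files.write(p, "Demo.HashAlgorithm=SHA-512\n".getBytes());
        // Force a visible mtime change; some file systems have coarse timestamp resolution.
        p.toFile().setLastModified(p.toFile().lastModified() + 2000);

        System.out.println("live read: " + cfg.get("Demo.HashAlgorithm"));
        System.out.println("cached   : " + cached.algorithm());
        Files.delete(p);
    }
}
```

The live read reflects the edited file while the consumer constructed earlier still holds the value it copied at construction, so a running application can end up with components operating on different settings.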
