[Esapi-user] Problems with DefaultSecurityConfiguration

Jim Manico jim.manico at owasp.org
Tue Aug 9 13:38:20 EDT 2011


Including dev.

--
Jim Manico


On Aug 9, 2011, at 1:28 PM, Owen Berger <owen.k.berger at gmail.com> wrote:

> Okay, so I attempted to set the DefaultSecurityConfiguration using both the initialize and override methods from my previous post (Setter Methods in ESAPI Class), and neither is quite working as expected, plus the explicit warnings in the code-base make me nervous to use this as a long-term solution.
>
> I guess my problem with the DefaultSecurityConfiguration is as follows:
>
> 1) The first reason I wanted to override the DefaultSecurityConfiguration is because it was not able to locate my ESAPI.properties or validation.properties in the WEB-INF/classes/resources folder. It still could not locate the files inside after using the security configuration's setResourceDirectory() method. I overrode the original configuration to directly load the file from the web application's resource folder. I understand that I can just move the two properties files to a location where they can be found by the DefaultSecConfig, but it just makes more sense to me to keep them bundled with the web app in the resource folder, is that incorrect or misguided thinking?
>
> 2) There is a lot of extra (and inaccurate) log chatter with the DefaultSecurityConfiguration, and I couldn't figure out where it was coming from.
>
> Is there a better way to override the DefaultSecurityConfiguration other than the initialize or override functions that K. Wall told me about? Or should I try to work around my above-listed problems because the DefaultSecurityConfiguration is not meant to ever be overridden?
>
> Thank you,
>
> Owen Berger

