[Esapi-user] Esapi 1.4 to 2.01 upgrade path

Kevin W. Wall kevin.w.wall at gmail.com
Thu Jan 24 03:02:27 UTC 2013


Andre, I will try to answer your questions the best that I
am able:

On Tue, Jan 22, 2013 at 3:35 PM, Andre Susantin
<andre_susantin at yahoo.com> wrote:
> We're using Esapi 1.4.4 and wanted to upgrade to 2.0.1
>
> 1. What is the option of not referring ESAPI.properties by add to VM
> Arguments: -Dorg.owasp.esapi.resources="/path/to/.esapi?
> Can we add just classpath to /path/to/.esapi?

Yes, this should work. (At least it's supposed to. But since it is
meant to be used within a JavaEE servlet container and we
don't run our JUnit tests from said container, I can't vouch that
it's ever been *explicitly* tested via JUnit.) Try it and see; if
it doesn't work, let us know.

BTW, you can get details of how ESAPI.properties is loaded from
the DefaultSecurityConfiguration Javadoc at:
<http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/reference/DefaultSecurityConfiguration.html>

> 2. Dependency library: Do we have to replace all 1.4 dependency libraries,
> with the 2.0.1?
> Comparing these 2 dependencies show many same libs:
> 2.0.1:
> http://owasp-esapi-java.googlecode.com/svn/trunk_doc/2.0-rc6/site/dependencies.html
> 1.4.4:
> http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/site/dependencies.html
>
Well, you don't *have* to, but if you try to use some of the 1.4
dependency libraries, keep in mind that ESAPI 2.0.x has not
been tested under those conditions.

Furthermore, some of the libraries have been upgraded because
the older versions used with ESAPI 1.4 had vulnerabilities in them
so you should strongly consider upgrading them if for no other
reason than that.

> We are currently only using ESAPI.encoder packages, what is the minimum
> libs required for ESAPI-2.0.1.jar to function?

That's an answer that I can't provide without looking at the
JDepend dependency analysis from Eclipse and my Eclipse
is currently tied up doing an update of a bunch of stuff. But
you should be able to do the same analysis yourself.

Anyone else who wants to add their $.02, feel free.

-kevin
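As an added illustration of the classpath question in point 1 (this is not code from the thread or from the ESAPI project), the snippet below reports where a 2.0.x application would pick up ESAPI.properties and then exercises the encoder, which is the only part of ESAPI Andre says they use. The system property name `org.owasp.esapi.resources` and the `ESAPI.encoder()` / `encodeForHTML` calls are real ESAPI 2.0 API; the list of classpath locations probed in `locateProperties` is an assumption drawn from the DefaultSecurityConfiguration Javadoc Kevin links and should be checked against the exact release you deploy.

```java
import java.net.URL;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;

/**
 * Added example: checks how ESAPI.properties will be resolved before the
 * first ESAPI.encoder() call, so a misconfigured deployment fails loudly
 * at startup instead of at the first request that needs output encoding.
 */
public class EsapiConfigCheck {

    // Hypothetical helper (not part of ESAPI): describe which source the
    // properties file would be loaded from, mirroring the documented order
    // of system property first, then classpath.
    static String locateProperties() {
        String sysProp = System.getProperty("org.owasp.esapi.resources");
        if (sysProp != null) {
            return "system property org.owasp.esapi.resources=" + sysProp;
        }
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        // Assumption: classpath locations searched by ESAPI 2.0.x; verify
        // against the DefaultSecurityConfiguration Javadoc for your version.
        String[] candidates = {
            "esapi/ESAPI.properties",
            ".esapi/ESAPI.properties",
            "ESAPI.properties"
        };
        for (String candidate : candidates) {
            URL url = cl.getResource(candidate);
            if (url != null) {
                return "classpath resource " + url;
            }
        }
        return "NOT FOUND (ESAPI.encoder() will throw a ConfigurationException)";
    }

    public static void main(String[] args) {
        System.out.println("ESAPI.properties resolved via: " + locateProperties());

        // Constructed sample input containing characters that are
        // significant in HTML; no payload, just the metacharacters.
        String untrusted = "O'Brien <admin> & \"co\"";

        Encoder enc = ESAPI.encoder();
        System.out.println("HTML body : " + enc.encodeForHTML(untrusted));
        System.out.println("HTML attr : " + enc.encodeForHTMLAttribute(untrusted));
        System.out.println("JavaScript: " + enc.encodeForJavaScript(untrusted));
    }
}
```

To exercise the classpath route from Andre's question, put the `esapi/` directory that holds ESAPI.properties on the classpath and run without any `-D` flag; to exercise the other route, run with `-Dorg.owasp.esapi.resources=/path/to/.esapi`. The first line printed tells you which one actually won, which is worth confirming once in the servlet container itself, since, as Kevin notes, that path is not covered by the project's JUnit runs.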

