[Esapi-user] ESAPI.properties always returns defaults

Kevin W. Wall kevin.w.wall at gmail.com
Thu Oct 16 02:38:42 UTC 2014


Jaime,

On Wed, Oct 15, 2014 at 9:25 PM,  <jaime.e.garcia.lopez at accenture.com> wrote:
> Hi, even though my tomcat console says that my ESAPI.properties file was
> found, I can see that the default values are read instead of my values, see
> the below console output:
>
> Attempting to load ESAPI.properties via file I/O.
>
> Attempting to load ESAPI.properties as resource file via file I/O.
>
> Not found in 'org.owasp.esapi.resources' directory or file not readable:
> C:\tomcat-CVS-7.0.47\ESAPI.properties
>
> Not found in SystemResource Directory/resourceDirectory:
> .esapi\ESAPI.properties
>
> Found in 'user.home' directory:
> C:\Users\jaime.e.garcia.lopez\esapi\ESAPI.properties
>
> Loaded 'ESAPI.properties' properties file
>
> SecurityConfiguration for Validator.ConfigurationFile not found in
> ESAPI.properties. Using default: validation.properties
>
> Attempting to load validation.properties via file I/O.
>
> Attempting to load validation.properties as resource file via file I/O.
>
> Not found in 'org.owasp.esapi.resources' directory or file not readable:
> C:\tomcat-CVS-7.0.47\validation.properties
>
> Not found in SystemResource Directory/resourceDirectory:
> .esapi\validation.properties
>
> Found in 'user.home' directory:
> C:\Users\jaime.e.garcia.lopez\esapi\validation.properties
>
> Loaded 'validation.properties' properties file
>
> SecurityConfiguration for ESAPI.printProperties not found in
> ESAPI.properties. Using default: false
>
> SecurityConfiguration for Encryptor.CipherTransformation not found in
> ESAPI.properties. Using default: AES/CBC/PKCS5Padding
>
> SecurityConfiguration for ESAPI.Logger not found in ESAPI.properties. Using
> default: org.owasp.esapi.reference.JavaLogFactory
>
> SecurityConfiguration for Logger.LogApplicationName not found in
> ESAPI.properties. Using default: true
>
> SecurityConfiguration for Logger.LogServerIP not found in ESAPI.properties.
> Using default: true
>
> SecurityConfiguration for Logger.ApplicationName not found in
> ESAPI.properties. Using default: DefaultName

Well, first note that while it found some files, it says that they
are not readable. E.g.,
    ... not readable: C:\tomcat-CVS-7.0.47\ESAPI.properties

It's not enough that ESAPI finds the file, it also has to have read
permission. So, if you were expecting the one in (say)
"C:\tomcat-CVS-7.0.47\ESAPI.properties" to be the one that
gets used, check the file and folder permissions leading up to
that file.

As far as the ESAPI.properties that it is actually trying to use, it
seems to be indicating that it is using this:
    C:\Users\jaime.e.garcia.lopez\esapi\ESAPI.properties
which it found via your 'user.home' Java system property.

As far as the default values being used, you will get that
message if it cannot find the given property. It only does this
for some properties where there are known safe defaults. So,
for example, it is not going to do this for Encryptor.MasterKey
because it's not secure for everyone to use the same encryption
key, but having everyone use AES/CBC/PKCS5Padding is
a pretty safe default.

Check the file that ESAPI claims it is using
(C:\Users\jaime.e.garcia.lopez\esapi\ESAPI.properties) for some
of the properties that it claims that it can't find, like
Encryptor.CipherTransformation and see if they really are
missing. They might be. For instance, that property is new
in ESAPI 2.x, so if you converted an ESAPI.properties from
ESAPI 1.4 it naturally would be missing. If it turns out that
it actually claims the property is there (and it's not commented
out), then you probably should create a Google Issue for it.

Hope that helps.
-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.
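As an added diagnostic (not code from this thread or from the ESAPI project), the Java program below walks the three candidate locations the console output lists, in that order: the org.owasp.esapi.resources system property, a .esapi directory on the classpath, and the esapi directory under user.home. For each it reports whether the file exists and is readable, then loads the first readable one and checks it for the property names the log reports as missing. The search order and property names come from the log above; that ESAPI resolves them exactly this way internally is an assumption.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

public class EsapiPropsCheck {
    // Property names the console output above reports as "not found in ESAPI.properties".
    static final String[] EXPECTED = {
        "Validator.ConfigurationFile", "ESAPI.printProperties",
        "Encryptor.CipherTransformation", "ESAPI.Logger",
        "Logger.LogApplicationName", "Logger.LogServerIP", "Logger.ApplicationName"
    };

    // Candidate locations in the order the log shows them (assumed to mirror ESAPI's own order).
    static List<File> candidates(String name) {
        List<File> out = new ArrayList<>();
        String resDir = System.getProperty("org.owasp.esapi.resources");
        if (resDir != null) out.add(new File(resDir, name));
        URL cp = ClassLoader.getSystemResource(".esapi/" + name);
        if (cp != null && "file".equals(cp.getProtocol())) {
            try { out.add(new File(cp.toURI())); } catch (URISyntaxException ignored) { }
        }
        out.add(new File(new File(System.getProperty("user.home"), "esapi"), name));
        return out;
    }

    public static void main(String[] args) throws IOException {
        String name = args.length > 0 ? args[0] : "ESAPI.properties";
        File winner = null;
        for (File f : candidates(name)) {
            // exists() alone is not enough: the file and every folder above it must be readable.
            System.out.printf("%-60s exists=%b readable=%b%n", f, f.exists(), f.canRead());
            if (winner == null && f.canRead()) winner = f;
        }
        if (winner == null) { System.out.println("No readable " + name + " found"); return; }
        Properties p = new Properties();
        try (FileInputStream in = new FileInputStream(winner)) { p.load(in); }
        System.out.println("Would use: " + winner);
        // Properties.load() skips lines starting with '#', so a commented-out property
        // shows up here as missing, exactly as ESAPI reports it.
        for (String key : EXPECTED) {
            String v = p.getProperty(key);
            System.out.printf("  %-32s %s%n", key, v == null ? "MISSING (default used)" : "= " + v);
        }
    }
}
```

Run it with the same JVM user and working directory as Tomcat so that user.home and the classpath match what the web application sees.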

