[Esapi-user] Next ESAPI patch release (date: TBD) will require Java 7 and Servlet API 3.0.1

Kevin W. Wall kevin.w.wall at gmail.com
Sun Jul 16 20:30:49 UTC 2017

[NOTE: This is being cross-posted to both ESAPI-User and ESAPI-Dev
mailing lists, so be aware that if you Reply-All, you will have to be
subscribed to both mailing lists or one of them will bounce.]

ESAPI Community,

After extensive discussion with ESAPI project co-leader, Matt Seil, we
have decided to compile ESAPI so that it creates target code
compatible with JDK 1.7.  Previously, ESAPI had supported JDK 1.6.

We understand that this may make future updates of ESAPI unusable for
some of you, but short of a major hack, this was the only way that we
could fix the 'mvn site' goal and it likely would have prohibited us
from upgrading to new and useful Maven plug-ins in the future.

In addition, because of the decision to no longer support JDK 1.6, we
are also dropping support for Servlet API 2.5 and going to be
requiring version 3.0.1 starting in the next ESAPI release. This was
done in part because of Dependency Check warnings and in part because
since we are moving to Java 7, so it just seemed to make sense in that
regard as well. (I think even Tomcat 7.x, which originally only
supported Java 6, still used Servlet API 3.0 out-of-the-box.) We do
not plan to use any incompatible new 3.0 features though until at
least the next minor point release (i.e., which will be a
while so if you wish to still use Servlet API 2.5, things should
continue working until then.

In regards to *why* we are moving to Java 7, according to Oracle (see
http://www.oracle.com/technetwork/java/eol-135779.html), JDK 6 (aka,
1.6) went GA on Dec 2006, public updates ended on Feb 2013, premier
support ended on Dec 2015, and extended support will end on Dec 2018,
leaving on "sustaining support". Chances are good that if you have the
funds for sustaining support, that you also have an IT shop large
enough to get your Java web applications updated to use a newer JDK /

It's long been my personal opinion that supporting really old stuff
that is no longer publicly supported actually exacerbates security
issues. I know that that opinion may differ somewhat from past ESAPI
leaders, but I don't think that ESAPI should be used as a tourniquet
for a bleeding project that are in such (security) dire straits that
they refuse to take the time or spend the money to upgrade their web
application to at least use JDK 7. I think there has to be a balance
here and one previous release of JDK is far back enough I think.
Forcing those who to contribute to work on ESAPI to use ancient,
unsupported versions of Java is placing unnecessary restrictions on
them and only makes their job more difficult.

Therefore, my advice is to at least upgrade to JDK 8. Public updates
for Java 7 have already ended in April 2015 and premier support is
scheduled to end in July 2019 so if you are on Java 6 now, move to
Java 8. If you are currently on Java 7, you are strongly advised to
move to Java 8 as well (or perhaps plan for Java 9, which is still not
GA) so you not be in this position with future versions of ESAPI.

If there is some reason why you are unable to the move to at least
Java 7 and thus unable to use new ESAPI updates, then I sympathize
with you. For you, I think there are but two choices...either continue
to use ESAPI and not get any of the bug fixes or to fork ESAPI
and support it for yourself. But Matt and I feel that dropping support
for Java 6 and only supporting  back to JDK / JRE 7 is in the best
interest of the majority of the ESAPI community at this time.

Thanks for your understanding in this matter.

Best regards,
-kevin wall
ESAPI project co-lead
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.

More information about the Esapi-user mailing list