Garmaine Staff asked 1 year ago

I have problems configuring ESAPI to make it work with my Spring Boot web application (Maven project).

I'm using this URL for help: https://web.archive.org/web/20161005210258/http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java

From this URL I chose this part, in order to put ESAPI.properties in a specific directory:

The reference SecurityConfiguration manages all the settings used by the ESAPI in a single place. In this reference implementation, resources can be put in several locations, which are searched in the following order:

1) Inside a directory set with a call to SecurityConfiguration.setResourceDirectory( "C:\temp\resources" ).

So here is my code:

1 – In application.properties:

esapi.path=/data/folder/testApp/Apps/MyApp/ESAPIConf

2 – In StartupApplication.java (a class that is executed only once, at the startup of my application):

import org.owasp.esapi.ESAPI;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;
import org.springframework.transaction.annotation.Transactional;

@Component
public class StartupApplication implements InitializingBean {

    @Autowired
    private Environment env;

    @Override
    @Transactional
    public void afterPropertiesSet() throws Exception {

        new GlobalVars();

        // esapi.path is read from application.properties
        GlobalVars.esapiPropertyFilePath = env.getProperty("esapi.path");
        // this setResourceDirectory is to be executed once
        ESAPI.securityConfiguration().setResourceDirectory(GlobalVars.esapiPropertyFilePath);

        // ...etc
    }

}

3 – In my JSP page:

<form action="#" method="POST" onsubmit="linkVariabletoDBFields()">

<input type="hidden" name = "nameconf" id="nameconf" value="<%=ESAPI.encoder().encodeForHTMLAttribute(request.getParameter("confname")) %>" />

The problem:

When the application server (JBoss EAP 7.2) is starting, and more specifically when the StartupApplication class is executed, setResourceDirectory returns:

ESAPI: Reset resource directory to: /data/folder/testApp/Apps/MyApp/ESAPIConf
ESAPI: Attempting to load ESAPI.properties via file I/O.
ESAPI: Attempting to load ESAPI.properties as resource file via file I/O.
ESAPI: Not found in 'org.owasp.esapi.resources' directory or file not readable: /home/linuxuser/ESAPI.properties
ESAPI: Not found in SystemResource Directory/resourceDirectory: /data/folder/testApp/Apps/MyApp/ESAPIConf/ESAPI.properties
ESAPI: Not found in 'user.home' (/home/linuxuser) directory: /home/linuxuser/esapi/ESAPI.properties
ESAPI: Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
ESAPI: Attempting to load ESAPI.properties via the classpath.
ESAPI: SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
ESAPI: SecurityConfiguration for Validator.ConfigurationFile.MultiValued not found in ESAPI.properties. Using default: false
ESAPI: Attempting to load validation.properties via file I/O.
ESAPI: Attempting to load validation.properties as resource file via file I/O.
ESAPI: Not found in 'org.owasp.esapi.resources' directory or file not readable: /home/linuxuser/validation.properties
ESAPI: Not found in SystemResource Directory/resourceDirectory: /data/folder/testApp/Apps/MyApp/ESAPIConf/validation.properties
ESAPI: Not found in 'user.home' (/home/linuxuser) directory: /home/linuxuser/esapi/validation.properties
ESAPI: Loading validation.properties via file I/O failed.
ESAPI: Attempting to load validation.properties via the classpath.
ESAPI: SUCCESSFULLY LOADED validation.properties via the CLASSPATH from 'esapi/' using current thread context class loader!

It cannot find the properties file, although the file exists in /data/folder/testApp/Apps/MyApp/ESAPIConf.

And when I access my JSP page I get:

Error: org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.

I guess that is because ESAPI.properties was not found.

Kindly help.
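An added example, not code from the question above: a Spring startup bean that verifies the configured ESAPI resource directory before handing it to ESAPI. The ESAPI log line quoted above ("Not found in 'org.owasp.esapi.resources' directory or file not readable") reports a missing file and an unreadable file with the same message, so checking readability as the server's own user separates the two cases at startup, and forcing the encoder to initialise there makes a configuration problem fail deployment rather than the first JSP request. The class name, package, and use of the `esapi.path` key are assumptions; `org.owasp.esapi.resources` is the system property named in the question's log.

```java
package com.example.config; // assumed package

import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.owasp.esapi.ESAPI;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

/**
 * Assumed class name. Checks the ESAPI resource directory from
 * application.properties before ESAPI tries to load it.
 */
@Component
public class EsapiResourceDirectoryCheck implements InitializingBean {

    // Same property key as the question's application.properties
    @Value("${esapi.path}")
    private String esapiPath;

    @Override
    public void afterPropertiesSet() {
        Path dir = Paths.get(esapiPath).toAbsolutePath().normalize();

        // Fail early with a precise reason instead of ESAPI's combined
        // "not found or not readable" message. validation.properties is
        // the second file the question's log shows ESAPI searching for.
        requireReadableFile(dir.resolve("ESAPI.properties"));
        requireReadableFile(dir.resolve("validation.properties"));

        // The question's log shows the search order: the
        // org.owasp.esapi.resources system property, then the resource
        // directory set below, then user.home/esapi, then the classpath.
        // Setting both makes the file-system copy win regardless of which
        // lookup runs first.
        System.setProperty("org.owasp.esapi.resources", dir.toString());
        ESAPI.securityConfiguration().setResourceDirectory(dir.toString());

        // Touch the encoder now: in the question the DefaultEncoder
        // constructor failure only surfaced when a JSP first used it.
        ESAPI.encoder();
    }

    /** Throws with the concrete cause if the file is absent or unreadable by this JVM's user. */
    static void requireReadableFile(Path file) {
        if (!Files.isRegularFile(file)) {
            throw new IllegalStateException("ESAPI config file missing: " + file);
        }
        if (!Files.isReadable(file)) {
            throw new IllegalStateException(
                "ESAPI config file exists but is not readable by user '"
                + System.getProperty("user.name") + "': " + file);
        }
    }
}
```

When this bean is deployed under the same account the application server runs as, the exception message tells you directly whether the path is wrong or whether the file is present but the server user lacks read permission on it or on a parent directory; either way the deployment stops at startup with the cause in the server log.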