davidjmcclelland davidjmcclelland - 1 month ago 13
Java Question

where should I locate a common ESAPI.properties file used by multiple wars inside an ear?

I have two modules that will use ESAPI with the same properties files (ESAPI and validation.properties).

These modules output to wars that are contained in an ear.

I have the properties files inside one of the war files, where they are found at server start. The other war file seems to work fine and does not complain that it can't find the properties files in the log.

I am using ESAPI to sanitize html and url parameters - I wonder if I even need these property files to be accessible to the second module, or either one since there is no configuration and everything is being done with defaults.

Answer Source

First, let me describe how ESAPI 2.x goes about finding its ESAPI.properties file.

The reference implementation class for ESAPI's SecurityConfiguration interface is

org.owasp.esapi.reference.DefaultSecurityConfiguration

With this default implementation, resources like ESAPI.properties and Validation.properties can be put in several locations, which are searched in the following order:

1) Inside a directory set with a call to SecurityConfiguration.setResourceDirectory(). E.g.,

ESAPI.securityConfiguration().setResourceDirectory("C:\myApp\resources");

Of course, if you use this technique, it must be done before any other ESAPI calls are made that use ESAPI.properties (which are most of them).

2) Inside the directory defined by the System property "org.owasp.esapi.resources". You can set this on the java command line as follows (for example):

java -Dorg.owasp.esapi.resources="C:\temp\resources" ...

You may have to add this to the start-up script that starts your web server. For example, for Tomcat, in the "catalina" script that starts Tomcat, you can set the JAVA_OPTS variable to the '-D' string above.

3) Inside the

System.getProperty( "user.home" ) + "/.esapi"

directory (supported for backward compatibility) or inside the

System.getProperty( "user.home" ) + "/esapi"

4) The first ".esapi" or "esapi" directory encountered on the classpath. Note this may be complicated by the fact that Java uses multiple class loaders and if you are have multiple applications in a given application server, they may be using different classpaths. For this reason, this option is not generally recommended, but is offered for reasons of backward compatibility with earlier ESAPI 1.4.x versions.

Once ESAPI finds a valid property file (e.g., ESAPI.properties) that it can read, it stops searching for others.

Now, that said, if you want to share a single ESAPI.properties file across all of your .war files, I would recommend going with option #2 and set the System property "org.owasp.esapi.resources" to some common secured directory that both of them can access. Also, you should use a full path name.