ESAPI / esapi-java-legacy

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
https://owasp.org/www-project-enterprise-security-api/

Properties and properties files that are required, even if esapi logging is not used #742

Open davidmichaelkarr opened 1 year ago

davidmichaelkarr commented 1 year ago

Our project uses the esapi library, but only for the encoding tools. We don't use esapi logging. I recently upgraded from v2.1.0.1 to 2.5.0.0, and I noticed that now it requires this "esapi-java-logging.properties" file, even though we don't use esapi logging. At this point, it appears that just creating an empty file works, but it's just a little weird that we have to do this. I also noticed that I had to add several new properties to ESAPI.properties, again, specific to esapi logging, which we don't use. If I don't set those properties, a fatal error occurs.

Properties should have reasonable default values, and it doesn't make sense to require a properties file to exist if it's going to be empty.

jeremiahjstacey commented 1 year ago

Although your project may not call the ESAPI logging API directly, it is still referenced at runtime and is required by the library components you are using. ESAPI Logging is a transitive requirement of any other feature provided by the library.

In Short: ESAPI components use the ESAPI logging configuration.

My current understanding is that this is presently expected behavior, which is why there has been a great deal of documentation generated around the logging configuration requirements and changes in the last few releases.

kwwall commented 1 year ago

To be honest, if ALL you are using from ESAPI is the Encoder, you probably should switch to using the OWASP Java Encoder Project. It's a lot smaller and has way fewer dependencies.

On Sun, Sep 11, 2022, 12:01 PM jeremiahjstacey wrote: (quoting the comment above)

davidmichaelkarr commented 1 year ago

Ok, well, that's a very good point. I'll examine what we're using from ESAPI, I do believe it's only the encoder, and examine a transition to the OWASP encoder.
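The migration discussed in this thread, as an added example that is not code from the ESAPI project or from either commenter: the same four output-encoding operations written first against ESAPI's Encoder and then against the OWASP Java Encoder. The ESAPI calls are the ones that pull in the configuration the thread complains about, since the first call to ESAPI.encoder() loads ESAPI.properties and the logging configuration; the Java Encoder calls need no properties files. The Maven coordinates in the comments are assumptions (the ESAPI 2.5.0.0 version comes from the thread, the encoder 1.2.3 version is assumed), and the sample input is constructed.

```java
// Added example, not part of the ESAPI project or this issue thread.
// Assumed dependencies:
//   org.owasp.esapi:esapi:2.5.0.0    (requires ESAPI.properties and esapi-java-logging.properties on the classpath)
//   org.owasp.encoder:encoder:1.2.3  (requires no configuration files)
import org.owasp.encoder.Encode;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.EncodingException;

public final class EncoderMigration {

    // Untrusted value placed in an HTML element body.
    static String htmlBodyBefore(String untrusted) {
        // ESAPI.encoder() triggers loading of ESAPI.properties and the logging config.
        return "<td>" + ESAPI.encoder().encodeForHTML(untrusted) + "</td>";
    }

    static String htmlBodyAfter(String untrusted) {
        return "<td>" + Encode.forHtml(untrusted) + "</td>";
    }

    // Untrusted value placed in a double-quoted HTML attribute.
    static String attributeBefore(String untrusted) {
        return "<input value=\"" + ESAPI.encoder().encodeForHTMLAttribute(untrusted) + "\">";
    }

    static String attributeAfter(String untrusted) {
        return "<input value=\"" + Encode.forHtmlAttribute(untrusted) + "\">";
    }

    // Untrusted value placed inside a single-quoted JavaScript string literal.
    static String jsStringBefore(String untrusted) {
        return "var name = '" + ESAPI.encoder().encodeForJavaScript(untrusted) + "';";
    }

    static String jsStringAfter(String untrusted) {
        return "var name = '" + Encode.forJavaScript(untrusted) + "';";
    }

    // Untrusted value placed in a URL query parameter. ESAPI's encodeForURL is a
    // checked-exception method; the Java Encoder's forUriComponent is not, so the
    // try/catch goes away in the migrated version.
    static String queryParamBefore(String untrusted) {
        try {
            return "/search?q=" + ESAPI.encoder().encodeForURL(untrusted);
        } catch (EncodingException e) {
            throw new IllegalArgumentException("could not URL-encode value", e);
        }
    }

    static String queryParamAfter(String untrusted) {
        return "/search?q=" + Encode.forUriComponent(untrusted);
    }

    public static void main(String[] args) {
        // Constructed sample input covering the characters each context must neutralise:
        // angle brackets, ampersand, single and double quotes.
        String sample = "<b>O'Reilly</b> & \"friends\"";
        System.out.println(htmlBodyAfter(sample));
        System.out.println(attributeAfter(sample));
        System.out.println(jsStringAfter(sample));
        System.out.println(queryParamAfter(sample));
    }
}
```

Each "before" method is a one-line swap to its "after" counterpart, which is what makes the encoder-only migration kwwall suggests cheap. The practical check after the swap is to remove the ESAPI dependency and confirm the build no longer needs ESAPI.properties or esapi-java-logging.properties at all; if it still does, something other than the Encoder is still in use.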