UE: NullPointerException in DefaultSecurityConfiguration

[GoogleCodeExporter]

What steps will reproduce the problem?
1.call AbstractAccessReferenceMap.getDirectReference(..) from 
IntegerAccessreferenceMap instance with empty map ('itod').

this will lead directly to this problem.

What is the expected output? 
It should return null or throw an handled exception.

What do you see instead?
Unfortunately an unexpected error occurred on the last page. 
java.lang.NullPointerException at 
org.owasp.esapi.reference.DefaultSecurityConfiguration.getESAPIProperty(DefaultS
ecurityConfiguration.java:1057) at 
org.owasp.esapi.reference.DefaultSecurityConfiguration.setCipherXProperties(Defa
ultSecurityConfiguration.java:245) at 
org.owasp.esapi.reference.DefaultSecurityConfiguration.<init>(DefaultSecurityCon
figuration.java:220) at 
org.owasp.esapi.reference.DefaultSecurityConfiguration.getInstance(DefaultSecuri
tyConfiguration.java:75) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native 
Method) at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79) 
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.jav
a:43) at java.lang.reflect.Method.invoke(Method.java:618) at 
org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86) at 
org.owasp.esapi.ESAPI.securityConfiguration(ESAPI.java:182) at 
org.owasp.esapi.ESAPI.logFactory(ESAPI.java:137) at 
org.owasp.esapi.ESAPI.getLogger(ESAPI.java:154) at 
org.owasp.esapi.errors.EnterpriseSecurityException.<init>(EnterpriseSecurityExce
ption.java:43) at 
org.owasp.esapi.errors.AccessControlException.<init>(AccessControlException.java
:43) at 
org.owasp.esapi.reference.AbstractAccessReferenceMap.getDirectReference(Abstract
AccessReferenceMap.java:202) 

What version of the product are you using? On what operating system?
Version is:
esapi 2.0_rc10
antisamy 4.4
bsh-core 2.0b4

Does this issue affect only a specified browser or set of browsers?
all browsers

Please provide any additional information below.
no further data available.

Original issue reported on code.google.com by Sebastia...@web.de on 16 Nov 2011 at 12:56

[GoogleCodeExporter]

Problem relates to missing configuration files in application's directory.
Although, Exceptions should be thrown without any configuration needed.
It would be great, if it is possible to use this library without any 
configuration. Perhaps with default values, which are configured inside the JAR 
file.

Original comment by Sebastia...@web.de on 23 Nov 2011 at 8:11

[GoogleCodeExporter]

We won't be making changes to 2.x to include a configuration.

Original comment by chrisisbeef on 18 Sep 2014 at 8:43

• Changed state: WontFix