minimum-config deployment fails

[GoogleCodeExporter]

What steps will reproduce the problem?
1. extract ESAPI-2.0-rc7.zip into a folder
2. reference the ESAPI method ESAPI.encoder().encodeForHTML ( ...) in a JSP in 
an ear file
3. move the configuration, lib, and esapi-2.0_RC7-SNAPSHOT.jar folders 
extracted from 1 to be included in the ear file that contains the JSP where 
ESAPI is used
3. observe exception on JSP and the following in logs:
Attempting to load ESAPI.properties via file io.
Attempting to load ESAPI.properties via file io.
Not found in 'org.owasp.esapi.resources' directory or file not readable: 
C:\longAppDir\ESAPI.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
Not found in 'user.home' directory: C:\Documents and 
Settings\yourUser\.esapi\ESAPI.properties
Loading ESAPI.properties via file io failed.
Attempting to load ESAPI.properties via the classpath.
ESAPI.properties could not be loaded by any means. fail.

What is the expected output? What do you see instead?
Validation should occur without an exception - ESAPI.properties should be found 
even with minimum configuration.  Or this should be explicitly stated in the 
install-guide.  The addition of -Dorg.owasp.esapi.resources to the startup args 
did not work as intended.  It also failed as the argument was added after 
debugging arguments, which for some reason caused it to not get picked up 
(debugged the source DefaultSecurityConfiguration and saw that customDirectory 
string was null).

What version of the product are you using? On what operating system?
esapi-2.0_RC7-SNAPSHOT.jar

Please provide any additional information below.
The fix:
Add "Class-Path: configuration/.esapi/" to the manifest in 
esapi-2.0_RC7-SNAPSHOT.jar:
Manifest-Version: 1.0
Class-Path: configuration/.esapi/
Created-By: 1.6.0_20 (Sun Microsystems Inc.)
Or at least this should be mentioned in the install-guide, along with the 
automatic addition of the argument to the startup args should be mentioned and 
done properly.

Original issue reported on code.google.com by saadsha...@gmail.com on 14 Sep 2010 at 7:14

[GoogleCodeExporter]

Is this still a problem with the latest release candidate 2.0rc10

Original comment by manico.james@gmail.com on 2 Nov 2010 at 8:14

• Changed state: Accepted
• Added labels: Milestone-Release2.0

[GoogleCodeExporter]

Yes, the issue as described would be the same in 2.0rc10.

I didn't see anything in the install guide that describes where things should 
be placed in a war/ear.

Copying the configuration directory into the WEB-INF\lib directory isn't going 
to work.  Adding the suggested entry into the esapi.jar didn't seem to fix it.

I think the correct procedure here would be to:
1) copy/move the contents of the configuration directory to WEB-INF/classes
2) copy/move the contents of the lib directory and the esapi jar file to 
WEB-INF/lib

This would result in the properties file being placed here:
/WEB-INF/classes/.esapi/ESAPI.properties

Different placement would be needed if the esapi jar file was placed further up 
the directory structure of an ear and not loaded by the war classloader.

Original comment by brent.sh...@gmail.com on 7 Nov 2010 at 3:49

[GoogleCodeExporter]

Brent,
Regarding Comment #2...I'm not surprised there isn't anything mentioned in the 
install guide. I'm pretty sure that hasn't been updated in ages. When the 
classpath is searched, the logic is somewhat complicated as 3 different class 
loaders are used in the search and a bunch of different places are searched in 
the class path. (See 
DefaultSecurityConfiguration.loadConfigurationFromClasspath() for details.)  So 
best way to see if this is fixed is to just have someone retest it. Also, if 
you want to place ESAPI.properties in /WEB-INF/classes/.esapi, you could try 
setting -Dorg.owasp.esapi.resources=/WEB-INF/classes/.esapi which I think it 
should make it work. You could also place ESAPI.properties in the root 
directory of your ear file and it should be found as well.

Original comment by kevin.w.wall@gmail.com on 12 Feb 2011 at 7:30

[GoogleCodeExporter]

Added component type.

Original comment by kevin.w.wall@gmail.com on 12 Feb 2011 at 7:31

• Added labels: Component-SecurityConfiguration