peval / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
Other
0 stars 0 forks source link

UE: NullPointerException in DefaultSecurityConfiguration #253

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1.call AbstractAccessReferenceMap.getDirectReference(..) from 
IntegerAccessreferenceMap instance with empty map ('itod').

this will lead directly to this problem.

What is the expected output? 
It should return null or throw an handled exception.

What do you see instead?
Unfortunately an unexpected error occurred on the last page. 
java.lang.NullPointerException at 
org.owasp.esapi.reference.DefaultSecurityConfiguration.getESAPIProperty(DefaultS
ecurityConfiguration.java:1057) at 
org.owasp.esapi.reference.DefaultSecurityConfiguration.setCipherXProperties(Defa
ultSecurityConfiguration.java:245) at 
org.owasp.esapi.reference.DefaultSecurityConfiguration.<init>(DefaultSecurityCon
figuration.java:220) at 
org.owasp.esapi.reference.DefaultSecurityConfiguration.getInstance(DefaultSecuri
tyConfiguration.java:75) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native 
Method) at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79) 
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.jav
a:43) at java.lang.reflect.Method.invoke(Method.java:618) at 
org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86) at 
org.owasp.esapi.ESAPI.securityConfiguration(ESAPI.java:182) at 
org.owasp.esapi.ESAPI.logFactory(ESAPI.java:137) at 
org.owasp.esapi.ESAPI.getLogger(ESAPI.java:154) at 
org.owasp.esapi.errors.EnterpriseSecurityException.<init>(EnterpriseSecurityExce
ption.java:43) at 
org.owasp.esapi.errors.AccessControlException.<init>(AccessControlException.java
:43) at 
org.owasp.esapi.reference.AbstractAccessReferenceMap.getDirectReference(Abstract
AccessReferenceMap.java:202) 

What version of the product are you using? On what operating system?
Version is:
esapi 2.0_rc10
antisamy 4.4
bsh-core 2.0b4

Does this issue affect only a specified browser or set of browsers?
all browsers

Please provide any additional information below.
no further data available.

Original issue reported on code.google.com by Sebastia...@web.de on 16 Nov 2011 at 12:56

GoogleCodeExporter commented 9 years ago
Problem relates to missing configuration files in application's directory.
Although, Exceptions should be thrown without any configuration needed.
It would be great, if it is possible to use this library without any 
configuration. Perhaps with default values, which are configured inside the JAR 
file.

Original comment by Sebastia...@web.de on 23 Nov 2011 at 8:11

GoogleCodeExporter commented 9 years ago
We won't be making changes to 2.x to include a configuration.

Original comment by chrisisbeef on 18 Sep 2014 at 8:43