vidyuthd / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
0 stars 0 forks source link

private access of 'properties' filed in DefaultSecurityConfiguration.java prevents overriding of loadConfiguration() #222

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Extend DefaultSecurityConfiguration
2. Override loadConfiguration() in the extending class
3. Call any method in the super class that references 'properties' object, and 
you'll get a null pointer exception.

What is the expected output? What do you see instead?
We want to extend DefaultSecurityConfiguration and override its property 
loading mechanism. We override the protected method loadConfiguration(), but 
due to private access on 'properties', that field can't be accessed by the 
overriding method and so remains set to null in the superclass. Therefore, any 
method in the superclass that's not overriden in the subclass and that accesses 
the 'properties' field will throw a null pointer exception. 

What version of the product are you using? On what operating system?
ESAPI 2.0rc11, linux

Does this issue affect only a specified browser or set of browsers?
no

Please provide any additional information below.

Original issue reported on code.google.com by gleb.ole...@gorillalogic.com on 2 May 2011 at 10:06

GoogleCodeExporter commented 9 years ago
Extension of DefaultSecurityConfiguration is also made more awkward by private 
access on the following fields and methods:

String cipherXformFromESAPIProp
String cipherXformCurrent
String resourceDirectory

loadConfigurationFromClasspath(String fileName)
logSpecial(String message)
logSpecial(String message, Throwable e)
setCipherXProperties()

Original comment by gleb.ole...@gorillalogic.com on 4 May 2011 at 10:18

GoogleCodeExporter commented 9 years ago
Note: an easy fix to the original issue would be to give protected access to 
the 'properties' field. Alternatively, a protected setter on that field would 
also work.

Original comment by gleb.ole...@gmail.com on 9 May 2011 at 2:53