The "exception" you are posting is actually two different items: (1) a log message, and (2) an actual exception. And while these are different items altogether, they still stem from the same underlying issue.
Short answer: You are forgetting to set your security configuration system property when your app initializes. It should look something like this:
```java
System.setProperty("org.owasp.esapi.SecurityConfiguration",
                   "org.you.yourapp.YourAppSecurityConfiguration");
```
Where `org.you.yourapp.YourAppSecurityConfiguration` is the name of a class you'll write that implements `SecurityConfiguration`. Because you are failing to set this system property, when the following ESAPI code runs:
```java
// ESAPI picks the configuration class from a system property, falling back to its own default
private static String securityConfigurationImplName =
    System.getProperty("org.owasp.esapi.SecurityConfiguration",
                       "org.owasp.esapi.reference.DefaultSecurityConfiguration");
```
...then since you never set the property, ESAPI is selecting the `DefaultSecurityConfiguration` for you.

When this `DefaultSecurityConfiguration` goes to initialize ESAPI's internal logging system, the following method is called:
```java
// Looks a key up in the loaded ESAPI.properties; a missing key is logged and silently defaulted
protected String getESAPIProperty( String key, String def ) {
    String value = properties.getProperty(key);
    if ( value == null ) {
        logSpecial( "SecurityConfiguration for " + key + " not found in ESAPI.properties. Using default: " + def, null );
        return def;
    }
    return value;
}
```
The property it's looking for here is a boolean called `Logger.LogEncodingRequired`. So if you want this first message to go away, you need something like:
```java
boolean logEncodingRequired = true; // or false, your choice
// System.setProperty() takes two Strings, so the boolean has to be converted
System.setProperty("Logger.LogEncodingRequired", String.valueOf(logEncodingRequired));
```
That takes care of your first issue:
```
SecurityConfiguration for Logger.LogEncodingRequired not found in ESAPI.properties. Using default: false
```
Your second issue is also a result of ESAPI choosing a `DefaultSecurityConfiguration` for you. This default configuration has an `authenticator()` method that returns an instance of `FileBasedAuthenticator`. And as that javadoc link explains, you need to have a `users.txt` file on your runtime classpath that contains all the serialized information about your users. And, of course, the `FileBasedAuthenticator` returns instances of `DefaultUser`, which is why you're getting the 2nd issue (which is an actual exception):

```
java.lang.ClassCastException: org.owasp.esapi.reference.DefaultUser cannot be cast to com.bean.MyUserClass
```

Because you can't cast the `DefaultUser` (passed back from the `FileBasedAuthenticator`) to your own `MyUser` class.
Confused? It's really not so bad. Just implement your own `SecurityConfiguration` and set it as a system property, and you will be all set. HTH.