-2

ESAPI: WARNING: System property org.owasp.esapi.opsteam is not set
ESAPI: WARNING: System property org.owasp.esapi.devteam is not set
ESAPI: Attempting to load ESAPI.properties via file I/O.
ESAPI: Attempting to load ESAPI.properties as resource file via file I/O.
ESAPI: Not found in org.owasp.esapi.resources directory or file not readable: ESAPI.properties
ESAPI: Loading validation.properties via file I/O failed.
ESAPI: Attempting to load validation.properties via the classpath.
ESAPI: validation.properties could not be loaded by any means. fail.. Caught java.lang.IllegalArgumentException; exception message was: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource.
ESAPI: SecurityConfiguration for ESAPI.printProperties not found in ESAPI.properties. Using default: false
ESAPI: SecurityConfiguration for Encoder.DefaultCodecList not found in ESAPI.properties. Using default: [org.owasp.esapi.codecs.HTMLEntityCodec, org.owasp.esapi.codecs.PercentCodec, org.owasp.esapi.codecs.JavaScriptCodec]
org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception

UMAMAHESH

1 Answer

0

You can safely ignore those warning messages. It's a red herring. That's referring to a more secure configuration option that you can use (although most people don't) when deploying an application that uses ESAPI.

[Aside: The idea is that it allows you to split the ESAPI.properties file into two files, one controlled by the dev team and the other controlled by the operations (ops) team. Any property found in the one controlled by the ops team overrides an identical property in the dev version.

This feature was developed in the days before DevOps became as prevalent as it is today (and long before things like HashiCorp Vault), so perhaps it doesn't make as much sense now, but the intent was to allow the devs to have their own ESAPI.properties file with properties like Encryptor.MasterKey that all the developers can safely share, but that the operations team can set a separate version for QA and production deployments. (It of course applied to other properties as well, but I think those were the properties that drove it.)

So that explains the warnings part.]

But your actual problem is that ESAPI cannot find your ESAPI.properties file anywhere. Look at this for an explanation of how ESAPI tries to locate your configuration files: https://www.javadoc.io/static/org.owasp.esapi/esapi/2.5.1.0/org/owasp/esapi/reference/DefaultSecurityConfiguration.html

If you are still having trouble, what I generally recommend is setting the system property 'org.owasp.esapi.resources' on the 'java' command line.

If for some reason you don't want to do that, you will have to provide us with more details, like ALL the messages, including the complete exception stack trace.

Hope that helps.

Kevin W. Wall
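A preflight check for the recommendation in the answer above, written here as an added example (it is not part of the original answer or of ESAPI): it confirms that a directory holds readable copies of both files named in the log, then emits the `org.owasp.esapi.resources` option for the `java` command line. The function name, `./config` and `app.jar` are hypothetical, and the world-readable warning for `Encryptor.MasterKey` is an extra check added for this example.

```shell
#!/bin/sh
# Added example: verify an ESAPI resource directory before starting the JVM.
# On success prints "-Dorg.owasp.esapi.resources=<absolute dir>" to stdout.
# On failure prints the reason to stderr and returns 1.

esapi_resources_opt() {
    dir=$1
    if [ -z "$dir" ] || [ ! -d "$dir" ]; then
        echo "not a directory: '$dir'" >&2
        return 1
    fi
    # Use an absolute path so the JVM's working directory does not matter.
    dir=$(cd "$dir" && pwd) || return 1

    missing=0
    # Both files appear in the failing log: ESAPI.properties and validation.properties.
    for f in ESAPI.properties validation.properties; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            missing=1
        elif [ ! -r "$dir/$f" ]; then
            echo "not readable by $(id -un): $dir/$f" >&2
            missing=1
        fi
    done
    [ "$missing" -eq 0 ] || return 1

    # Extra check (not from the answer): a populated Encryptor.MasterKey in a
    # world-readable file is exposed to every local account.
    if [ -n "$(find "$dir/ESAPI.properties" -perm -004 -print 2>/dev/null)" ] &&
       grep -q '^[[:space:]]*Encryptor\.MasterKey[[:space:]]*=[[:space:]]*[^[:space:]]' \
            "$dir/ESAPI.properties"; then
        echo "warning: $dir/ESAPI.properties is world-readable and sets Encryptor.MasterKey" >&2
    fi

    printf '%s\n' "-Dorg.owasp.esapi.resources=$dir"
}

# Usage (hypothetical directory and jar names):
#   opt=$(esapi_resources_opt ./config) && java "$opt" -jar app.jar
```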