I was looking for the same file as when deploying my webapp, which I was getting -
Mar 08, 2017 1:23:12 PM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Servlet.service() for servlet [mvc-dispatcher] in context with path [/WebDynamo] threw exception [org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException SecurityConfiguration class (org.owasp.esapi.reference.DefaultSecurityConfiguration) CTOR threw exception.] with root cause java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource. at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfigurationFromClasspath(DefaultSecurityConfiguration.java:667)
In any case, for my webapp, I just added ESAPI.properties to the original root folder (src folder) (do not add it to any package) . And the file is just empty. And the web application is working fine. I see the following logs in webapp, so if you ever wondered where this file is located, refer to it -
Attempting to load ESAPI.properties via file I/O. Attempting to load ESAPI.properties as resource file via file I/O. Not found in 'org.owasp.esapi.resources' directory or file not readable: /Applications/Eclipse.app/Contents/MacOS/ESAPI.properties Not found in SystemResource Directory/resourceDirectory: .esapi/ESAPI.properties Not found in 'user.home' (/Users/athakur) directory: /Users/athakur/esapi/ESAPI.properties Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException Attempting to load ESAPI.properties via the classpath. SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader! SecurityConfiguration for Validator.ConfigurationFile not found in ESAPI.properties. Using default: validation.properties Attempting to load validation.properties via file I/O. Attempting to load validation.properties as resource file via file I/O. Not found in 'org.owasp.esapi.resources' directory or file not readable: /Applications/Eclipse.app/Contents/MacOS/validation.properties Not found in SystemResource Directory/resourceDirectory: .esapi/validation.properties Not found in 'user.home' (/Users/athakur) directory: /Users/athakur/esapi/validation.properties Loading validation.properties via file I/O failed. Attempting to load validation.properties via the classpath. validation.properties could not be loaded by any means. fail. Exception was: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource. SecurityConfiguration for ESAPI.printProperties not found in ESAPI.properties. Using default: false SecurityConfiguration for Encryptor.CipherTransformation not found in ESAPI.properties. Using default: AES/CBC/PKCS5Padding SecurityConfiguration for ESAPI.Encoder not found in ESAPI.properties. Using default: org.owasp.esapi.reference.DefaultEncoder SecurityConfiguration for ESAPI.Logger not found in ESAPI.properties. Using default: org.owasp.esapi.reference.JavaLogFactory SecurityConfiguration for Logger.LogApplicationName not found in ESAPI.properties. Using default: true SecurityConfiguration for Logger.LogServerIP not found in ESAPI.properties. Using default: true SecurityConfiguration for Logger.ApplicationName not found in ESAPI.properties. Using default: DefaultName
I am sure that these are custom and other files that you can add to the src folder. I also found this file in the folder
https://github.com/OWASP/EJSF/blob/master/esapi_master_FULL/WebContent/ESAPI.properties
The file is quite large to embed here, but based on the default values that it sets in accordance with the logs described above, the following things -
ESAPI.printProperties=true Encryptor.CipherTransformation=AES/CBC/PKCS5Padding ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder # Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory
Aniket thakur
source share