Trying to Use ESAPI But getting Error

Question

I am trying to use ESAPI.jar for providing security to my web application.Basically I have just started using ESAPI.jar. But problem is I am not able to run even a simple program using ESAPI. The small code snippet is:

String clean = ESAPI.encoder().canonicalize("someString"); Randomizer r=ESAPI.randomizer();     System.out.println(r); System.out.println(clean); 

I get this error:

Attempting to load ESAPI.properties via file I/O. Attempting to load ESAPI.properties as resource file via file I/O. Not found in 'org.owasp.esapi.resources' directory or file not readable: D:\Eclipse-Workspace\Test\ESAPI.properties Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties Not found in 'user.home' (C:\Documents and Settings\user.user) directory: C:\Documents and Settings\user.user\esapi\ESAPI.properties Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException Attempting to load ESAPI.properties via the classpath. ESAPI.properties could not be loaded by any means. Fail. Exception was: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource. Exception in thread "main" org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException SecurityConfiguration class (org.owasp.esapi.reference.DefaultSecurityConfiguration) CTOR threw exception.     at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129)     at org.owasp.esapi.ESAPI.securityConfiguration(ESAPI.java:184)     at org.owasp.esapi.ESAPI.encoder(ESAPI.java:99)     at org.rancore.testJasp.TestEsapi.main(TestEsapi.java:59) Caused by: java.lang.reflect.InvocationTargetException     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)     at java.lang.reflect.Method.invoke(Unknown Source)     at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86)     ... 3 more Caused by: org.owasp.esapi.errors.ConfigurationException: ESAPI.properties could not be loaded by any means. Fail.     at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:439)     at org.owasp.esapi.reference.DefaultSecurityConfiguration.<init>(DefaultSecurityConfiguration.java:227)     at org.owasp.esapi.reference.DefaultSecurityConfiguration.getInstance(DefaultSecurityConfiguration.java:75)     ... 8 more Caused by: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource.     at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfigurationFromClasspath(DefaultSecurityConfiguration.java:667)     at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:436)     ... 10 more 

I have tried copying the 3 ESAPI properties files in my source folder and also configuring them on build path but still I have not succeeded. I have tried many permutations and combinations to no avail.

Please guide me.

The content of property file is:

# User Messages Error.creating.randomizer=Error creating randomizer  This.is.test.message=This {0} is {1} a test {2} message  # Validation Messages  # Log Messages 

Answer 1

The ESAPI.properties file should have more than 3 lines in it. See for example:

https://web.archive.org/web/20150904064147/http://code.google.com:80/p/owasp-esapi-java/source/browse/trunk/configuration/esapi/ESAPI.properties

In my experience the ESAPI.properties file either needs to be in the same folder as the esapi.jar or needs to be compiled into the jar in a resources directory.

/resources/ESAPI.properties 

I believe that either one should work. If ESAPI does not find the file it one location it looks in others.

The code for that is here around line 620:

https://web.archive.org/web/20161005210258/http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java