有没有办法让ESAPI从数据库表中读取验证属性,而不是使用默认的validation.properties文件?
答案 0 :(得分:2)
答案简短:不。
查看代码here。
相关答案在文档中:
/**
* The SecurityConfiguration manages all the settings used by the ESAPI in a single place. In this reference
* implementation, resources can be put in several locations, which are searched in the following order:
* <p>
* 1) Inside a directory set with a call to SecurityConfiguration.setResourceDirectory( "C:\temp\resources" ).
* <p>
* 2) Inside the System.getProperty( "org.owasp.esapi.resources" ) directory.
* You can set this on the java command line
* as follows (for example): java -Dorg.owasp.esapi.resources="C:\temp\resources". You may have to add this
* to the batch script that starts your web server. For example, in the "catalina" script that
* starts Tomcat, you can set the JAVA_OPTS variable to the -D string above.
* <p>
* 3) Inside the System.getProperty( "user.home" ) + "/.esapi" directory
* <p>
* 4) In an ".esapi" directory on the classpath
* <p>
* Once the Configuration is initialized with a resource directory, you can edit it to set things like master
* keys and passwords, logging locations, error thresholds, and allowed file extensions.
* <p>
* WARNING: Do not forget to update ESAPI.properties to change the master key and other security critical settings.
*
* @author Mike Fauzy (mike.fauzy@aspectsecurity.com)
* @author Jim Manico (jim.manico@aspectsecurity.com)
* @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a
* href="http://www.aspectsecurity.com">Aspect Security</a>
*/
如果您需要这种行为,则必须手动更改esapi源,并且(希望)以可忽略特定数据库实现的方式执行此操作。
还要考虑到对于安全库来说,在数据库中管理这些东西的安全性稍差一点。 OWASP的建议是使用src / main / resources目录中的属性文件自行手动编译该库。这样,为了让外部参与者能够改变您的配置,他们必须在您的计算机上拥有一个unix帐户,假设您遵守Java标准。 (WEB-INF /自然受到保护。)如果你把它放在数据库中,那么理论上你的安全配置对SQL注入威胁是开放的......为什么要冒风险呢?
将这些文件放在库本身中会直接将它们放在类路径上,这使得更改变得更加困难。如果您决定在数据库中实现此功能,请非常小心TOCTOU错误(检查时间到使用时间)。