Trying to use ESAPI getValidInput but getting an error

Time: 2015-05-18 08:13:26

Tags: validation esapi

When I try to validate input, the following error is produced:

org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException SecurityConfiguration class (org.owasp.esapi.reference.DefaultSecurityConfiguration) CTOR threw exception.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129)
    at org.owasp.esapi.ESAPI.securityConfiguration(ESAPI.java:184)
    at org.owasp.esapi.ESAPI.validator(ESAPI.java:191)
    at crypton.RSACripto.main(RSACripto.java:160)
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:592)
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86)
    ... 3 more
Caused by: org.owasp.esapi.errors.ConfigurationException: ESAPI.properties could not be loaded by any means. Fail.
    at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:439)
    at org.owasp.esapi.reference.DefaultSecurityConfiguration.<init>(DefaultSecurityConfiguration.java:227)
    at org.owasp.esapi.reference.DefaultSecurityConfiguration.getInstance(DefaultSecurityConfiguration.java:75)
    ... 8 more
Caused by: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource.
    at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfigurationFromClasspath(DefaultSecurityConfiguration.java:653)
    at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:436)
    ... 10 more

It happens on the following line:

    String validInput=ESAPI.validator().getValidInput("GetValidInput:", "hola.txt", "Validator.FileName", 10,false);

I have added my ESAPI configuration below:

 # ESAPI Configuration
 #
 # If true, then print all the ESAPI properties set here when they are loaded.
 # If false, they are not printed. Useful to reduce output when running JUnit tests.
 # If you need to troubleshoot a properties related problem, turning this on may help,
 # but we leave it off for running JUnit tests. (It will be 'true' in the one delivered
 # as part of production ESAPI, mostly for backward compatibility.)
 ESAPI.printProperties=false

 # ESAPI is designed to be easily extensible. You can use the reference implementation
 # or implement your own providers to take advantage of your enterprise's security
 # infrastructure. The functions in ESAPI are referenced using the ESAPI locator, like:
 #
 #    String ciphertext =
 #      ESAPI.encryptor().encrypt("Secret message");   // Deprecated in 2.0
 #    CipherText cipherText =
 #      ESAPI.encryptor().encrypt(new PlainText("Secret message")); // Preferred
 #
 # Below you can specify the classname for the provider that you wish to use in your
 # application. The only requirement is that it implement the appropriate ESAPI interface.
 # This allows you to switch security implementations in the future without rewriting the
 # entire application.
 #
 # ExperimentalAccessController requires ESAPI-AccessControlPolicy.xml in .esapi directory
 ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController
 # FileBasedAuthenticator requires users.txt file in .esapi directory
 ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator
 ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
 ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor

 ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor
 ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
 ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector
 # Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html
 ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory
 #ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory
 #ESAPI.Logger=org.owasp.esapi.reference.ExampleExtendedLog4JLogFactory
 ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer
 ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator

 #===========================================================================
 # ESAPI Authenticator
 #
 Authenticator.AllowedLoginAttempts=3
 Authenticator.MaxOldPasswordHashes=13
 Authenticator.UsernameParameterName=username
 Authenticator.PasswordParameterName=password
 # RememberTokenDuration (in days)
 Authenticator.RememberTokenDuration=14
 # Session Timeouts (in minutes)
 Authenticator.IdleTimeoutDuration=20
 Authenticator.AbsoluteTimeoutDuration=120

 #===========================================================================
 # ESAPI Encoder
 #
 # ESAPI canonicalizes input before validation to prevent bypassing filters with encoded attacks.
 # Failure to canonicalize input is a very common mistake when implementing validation schemes.
 # Canonicalization is automatic when using the ESAPI Validator, but you can also use the
 # following code to canonicalize data.
 #
 #      ESAPI.Encoder().canonicalize( "%22hello world&#x22;" );
 #  
 # Multiple encoding is when a single encoding format is applied multiple times. Allowing
 # multiple encoding is strongly discouraged.
 Encoder.AllowMultipleEncoding=false

 # Mixed encoding is when multiple different encoding formats are applied, or when
 # multiple formats are nested. Allowing multiple encoding is strongly discouraged.
 Encoder.AllowMixedEncoding=false

 # The default list of codecs to apply when canonicalizing untrusted data. The list should include the codecs
 # for all downstream interpreters or decoders. For example, if the data is likely to end up in a URL, HTML, or
 # inside JavaScript, then the list of codecs below is appropriate. The order of the list is not terribly important.
 Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec


 #===========================================================================
 # ESAPI Encryption
 #
 # The ESAPI Encryptor provides basic cryptographic functions with a simplified API.
 # To get started, generate a new key using java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor
 # There is not currently any support for key rotation, so be careful when changing your key and salt as it
 # will invalidate all signed, encrypted, and hashed data.
 #
 # WARNING: Not all combinations of algorithms and key lengths are supported.
 # If you choose to use a key length greater than 128, you MUST download the
 # unlimited strength policy files and install in the lib directory of your JRE/JDK.
 # See http://java.sun.com/javase/downloads/index.jsp for more information.
 #
 # Backward compatibility with ESAPI Java 1.4 is supported by the two deprecated API
 # methods, Encryptor.encrypt(String) and Encryptor.decrypt(String). However, whenever
 # possible, these methods should be avoided as they use ECB cipher mode, which in almost
 # all circumstances a poor choice because of it's weakness. CBC cipher mode is the default
 # for the new Encryptor encrypt / decrypt methods for ESAPI Java 2.0.  In general, you
 # should only use this compatibility setting if you have persistent data encrypted with
 # version 1.4 and even then, you should ONLY set this compatibility mode UNTIL
 # you have decrypted all of your old encrypted data and then re-encrypted it with
 # ESAPI 2.0 using CBC mode. If you have some reason to mix the deprecated 1.4 mode
 # with the new 2.0 methods, make sure that you use the same cipher algorithm for both
 # (256-bit AES was the default for 1.4; 128-bit is the default for 2.0; see below for
 # more details.) Otherwise, you will have to use the new 2.0 encrypt / decrypt methods
 # where you can specify a SecretKey. (Note that if you are using the 256-bit AES,
 # that requires downloading the special jurisdiction policy files mentioned above.)
 #
 #      ***** IMPORTANT: These are for JUnit testing. Test files may have been
 #                       encrypted using these values so do not change these or
 #                       those tests will fail. The version under
 #                          src/main/resources/.esapi/ESAPI.properties
 #                       will be delivered with Encryptor.MasterKey and
 #                       Encryptor.MasterSalt set to the empty string.
 #
 #                       FINAL NOTE:
 #                           If Maven changes these when run, that needs to be fixed.
 #       256-bit key... requires unlimited strength jurisdiction policy files
 ### Encryptor.MasterKey=pJhlri8JbuFYDgkqtHmm9s0Ziug2PE7ovZDyEPm4j14=
 #       128-bit key
 Encryptor.MasterKey=a6H9is3hEVGKB4Jut+lOVA==
 Encryptor.MasterSalt=SbftnvmEWD5ZHHP+pX3fqugNysc=
 # Encryptor.MasterSalt=

 # Provides the default JCE provider that ESAPI will "prefer" for its symmetric
 # encryption and hashing. (That is it will look to this provider first, but it
 # will defer to other providers if the requested algorithm is not implemented
 # by this provider.) If left unset, ESAPI will just use your Java VM's current
 # preferred JCE provider, which is generally set in the file
 # "$JAVA_HOME/jre/lib/security/java.security".
 #
 # The main intent of this is to allow ESAPI symmetric encryption to be
 # used with a FIPS 140-2 compliant crypto-module. For details, see the section
 # "Using ESAPI Symmetric Encryption with FIPS 140-2 Cryptographic Modules" in
 # the ESAPI 2.0 Symmetric Encryption User Guide, at:
 # http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html
 # However, this property also allows you to easily use an alternate JCE provider
 # such as "Bouncy Castle" without having to make changes to "java.security".
 # See Javadoc for SecurityProviderLoader for further details. If you wish to use
 # a provider that is not known to SecurityProviderLoader, you may specify the
 # fully-qualified class name of the JCE provider class that implements
 # java.security.Provider. If the name contains a '.', this is interpreted as
 # a fully-qualified class name that implements java.security.Provider.
 #
 # NOTE: Setting this property has the side-effect of changing it in your application
 #       as well, so if you are using JCE in your application directly rather than
 #       through ESAPI (you wouldn't do that, would you? ;-), it will change the
 #       preferred JCE provider there as well.
 #
 # Default: Keeps the JCE provider set to whatever JVM sets it to.
 Encryptor.PreferredJCEProvider=

 # AES is the most widely used and strongest encryption algorithm. This
 # should agree with your Encryptor.CipherTransformation property.
 # By default, ESAPI Java 1.4 uses "PBEWithMD5AndDES" and which is
 # very weak. It is essentially a password-based encryption key, hashed
 # with MD5 around 1K times and then encrypted with the weak DES algorithm
 # (56-bits) using ECB mode and an unspecified padding (it is
 # JCE provider specific, but most likely "NoPadding"). However, 2.0 uses
 # "AES/CBC/PKCSPadding". If you want to change these, change them here.
 # Warning: This property does not control the default reference implementation for
 #         ESAPI 2.0 using JavaEncryptor. Also, this property will be dropped
 #         in the future.
 # @deprecated
 Encryptor.EncryptionAlgorithm=AES
 #      For ESAPI Java 2.0 - New encrypt / decrypt methods use this.
 Encryptor.CipherTransformation=AES/CBC/PKCS5Padding

 # Applies to ESAPI 2.0 and later only!
 # Comma-separated list of cipher modes that provide *BOTH*
 # confidentiality *AND* message authenticity. (NIST refers to such cipher
 # modes as "combined modes" so that's what we shall call them.) If any of these
 # cipher modes are used then no MAC is calculated and stored
 # in the CipherText upon encryption. Likewise, if one of these
 # cipher modes is used with decryption, no attempt will be made
 # to validate the MAC contained in the CipherText object regardless
 # of whether it contains one or not. Since the expectation is that
 # these cipher modes support support message authenticity already,
 # injecting a MAC in the CipherText object would be at best redundant.
 #
 # Note that as of JDK 1.5, the SunJCE provider does not support *any*
 # of these cipher modes. Of these listed, only GCM and CCM are currently
 # NIST approved. YMMV for other JCE providers. E.g., Bouncy Castle supports
 # GCM and CCM with "NoPadding" mode, but not with "PKCS5Padding" or other
 # padding modes.
 Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC

 # Applies to ESAPI 2.0 and later only!
 # Additional cipher modes allowed for ESAPI 2.0 encryption. These
 # cipher modes are in _addition_ to those specified by the property
 # 'Encryptor.cipher_modes.combined_modes'.
 # Note: We will add support for streaming modes like CFB & OFB once
 # we add support for 'specified' to the property 'Encryptor.ChooseIVMethod'
 # (probably in ESAPI 2.1).
 #
 #  IMPORTANT NOTE: In the official ESAPI.properties we do *NOT* include ECB
 #                  here as this is an extremely weak mode. However, we *must*
 #                  allow it here so we can test ECB mode. That is important
 #                  since the logic is somewhat different (i.e., ECB mode does
 #                  not use an IV).
 # DISCUSS: Better name?
 #  NOTE: ECB added only for testing purposes. Don't try this at home!
 Encryptor.cipher_modes.additional_allowed=CBC,ECB

 # 128-bit is almost always sufficient and appears to be more resistant to
 # related key attacks than is 256-bit AES. Use '_' to use default key size
 # for cipher algorithms (where it makes sense because the algorithm supports
 # a variable key size). Key length must agree to what's provided as the
 # cipher transformation, otherwise this will be ignored after logging a
 # warning.
 #
 # NOTE: This is what applies BOTH ESAPI 1.4 and 2.0. See warning above about mixing!
 Encryptor.EncryptionKeyLength=128

 # Because 2.0 uses CBC mode by default, it requires an initialization vector (IV).
 # (All cipher modes except ECB require an IV.) There are two choices: we can either
 # use a fixed IV known to both parties or allow ESAPI to choose a random IV. While
 # the IV does not need to be hidden from adversaries, it is important that the
 # adversary not be allowed to choose it. Also, random IVs are generally much more
 # secure than fixed IVs. (In fact, it is essential that feed-back cipher modes
 # such as CFB and OFB use a different IV for each encryption with a given key so
 # in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random
 # IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and
 # uncomment the Encryptor.fixedIV.
 #
 # Valid values:        random|fixed|specified      'specified' not yet implemented; planned for 2.1
 Encryptor.ChooseIVMethod=random
 # If you choose to use a fixed IV, then you must place a fixed IV here that
 # is known to all others who are sharing your secret key. The format should
 # be a hex string that is the same length as the cipher block size for the
 # cipher algorithm that you are using. The following is an example for AES
 # from an AES test vector for AES-128/CBC as described in:
 # NIST Special Publication 800-38A (2001 Edition)
 # "Recommendation for Block Cipher Modes of Operation".
 # (Note that the block size for AES is 16 bytes == 128 bits.)
 #
 Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f

 # Whether or not CipherText should use a message authentication code (MAC) with it.
 # This prevents an adversary from altering the IV as well as allowing a more
 # fool-proof way of determining the decryption failed because of an incorrect
 # key being supplied. This refers to the "separate" MAC calculated and stored
 # in CipherText, not part of any MAC that is calculated as a result of a
 # "combined mode" cipher mode.
 #
 # If you are using ESAPI with a FIPS 140-2 cryptographic module, you *must* also
 # set this property to false.
 Encryptor.CipherText.useMAC=true

 # Whether or not the PlainText object may be overwritten and then marked
 # eligible for garbage collection. If not set, this is still treated as 'true'.
 Encryptor.PlainText.overwrite=true

 # Do not use DES except in a legacy situations. 56-bit is way too small key size.
 #Encryptor.EncryptionKeyLength=56
 #Encryptor.EncryptionAlgorithm=DES

 # TripleDES is considered strong enough for most purposes.
 #  Note:   There is also a 112-bit version of DESede. Using the 168-bit version
 #          requires downloading the special jurisdiction policy from Sun.
 #Encryptor.EncryptionKeyLength=168
 #Encryptor.EncryptionAlgorithm=DESede

 Encryptor.HashAlgorithm=SHA-512
 Encryptor.HashIterations=1024
 Encryptor.DigitalSignatureAlgorithm=SHA1withDSA
 Encryptor.DigitalSignatureKeyLength=1024
 Encryptor.RandomAlgorithm=SHA1PRNG
 Encryptor.CharacterEncoding=UTF-8
 # Currently supported choices for JDK 1.5 and 1.6 are:
 #  HmacSHA1 (160 bits), HmacSHA256 (256 bits), HmacSHA384 (384 bits), and
 #  HmacSHA512 (512 bits).
 # Note that HmacMD5 is *not* supported for the PRF used by the KDF even though
 # these JDKs support it.
 Encryptor.KDF.PRF=HmacSHA256

 #===========================================================================
 # ESAPI HttpUtilties
 #
 # The HttpUtilities provide basic protections to HTTP requests and responses. Primarily these methods 
 # protect against malicious data from attackers, such as unprintable characters, escaped characters,
 # and other simple attacks. The HttpUtilities also provides utility methods for dealing with cookies,
 # headers, and CSRF tokens.
 #
 # Default file upload location (remember to escape backslashes with \\)
 HttpUtilities.UploadDir=C\:\\ESAPI\\testUpload
 # let this default to java.io.tmpdir for testing
 #HttpUtilities.UploadTempDir=C:\\temp
 # Force flags on cookies, if you use HttpUtilities to set cookies
 HttpUtilities.ForceHttpOnlySession=false
 HttpUtilities.ForceSecureSession=false
 HttpUtilities.ForceHttpOnlyCookies=true
 HttpUtilities.ForceSecureCookies=true
 # Maximum size of HTTP headers
 HttpUtilities.MaxHeaderSize=4096
 # File upload configuration
 HttpUtilities.ApprovedUploadExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll
 HttpUtilities.MaxUploadFileBytes=500000000
 # Using UTF-8 throughout your stack is highly recommended. That includes your database driver,
 # container, and any other technologies you may be using. Failure to do this may expose you
 # to Unicode transcoding injection attacks. Use of UTF-8 does not hinder internationalization.
 HttpUtilities.ResponseContentType=text/html; charset=UTF-8
 # This is the name of the cookie used to represent the HTTP session
 # Typically this will be the default "JSESSIONID" 
 HttpUtilities.HttpSessionIdName=JSESSIONID



 #===========================================================================
 # ESAPI Executor
 # CHECKME - Not sure what this is used for, but surely it should be made OS independent.
 Executor.WorkingDirectory=C\:\\Windows\\Temp
 Executor.ApprovedExecutables=C\:\\Windows\\System32\\cmd.exe,C\:\\Windows\\System32\\runas.exe


 #===========================================================================
 # ESAPI Logging
 # Set the application name if these logs are combined with other applications
 Logger.ApplicationName=ExampleApplication
 # If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true
 Logger.LogEncodingRequired=false
 # Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.
 Logger.LogApplicationName=true
 # Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments.
 Logger.LogServerIP=true
 # LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you
 # want to place it in a specific directory.
 Logger.LogFileName=ESAPI_logging_file
 # MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000)
 Logger.MaxLogFileSize=10000000


 #===========================================================================
 # ESAPI Intrusion Detection
 #
 # Each event has a base to which .count, .interval, and .action are added
 # The IntrusionException will fire if we receive "count" events within "interval" seconds
 # The IntrusionDetector is configurable to take the following actions: log, logout, and disable
 #  (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable
 #
 # Custom Events
 # Names must start with "event." as the base
 # Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here
 # You can also disable intrusion detection completely by changing
 # the following parameter to true
 #
 IntrusionDetector.Disable=false
 #
 IntrusionDetector.event.test.count=2
 IntrusionDetector.event.test.interval=10
 IntrusionDetector.event.test.actions=disable,log

 # Exception Events
 # All EnterpriseSecurityExceptions are registered automatically
 # Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException
 # Use the fully qualified classname of the exception as the base

 # any intrusion is an attack
 IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1
 IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1
 IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout

 # for test purposes
 # CHECKME: Shouldn't there be something in the property name itself that designates
 #         that these are for testing???
 IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10
 IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5
 IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout

 # rapid validation errors indicate scans or attacks in progress
 # org.owasp.esapi.errors.ValidationException.count=10
 # org.owasp.esapi.errors.ValidationException.interval=10
 # org.owasp.esapi.errors.ValidationException.actions=log,logout

 # sessions jumping between hosts indicates session hijacking
 IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2
 IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10
 IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout


 #===========================================================================
 # ESAPI Validation
 #
 # The ESAPI Validator works on regular expressions with defined names. You can define names
 # either here, or you may define application specific patterns in a separate file defined below.
 # This allows enterprises to specify both organizational standards as well as application specific
 # validation rules.
 #
 Validator.ConfigurationFile=validation.properties

 # Validators used by ESAPI
 Validator.AccountName=^[a-zA-Z0-9]{3,20}$
 Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$
 Validator.RoleName=^[a-z]{1,20}$
 Validator.Redirect=^(/[a-zA-Z0-9.\\-_]*)*?[a-zA-Z0-9.\\-_\=&]*$

 # Global HTTP Validation Rules
 # Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=]
 Validator.HTTPScheme=^(http|https)$
 Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$
 Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$
 Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+\=_ ]*$
 Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$
 Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-\=\\*\\.\\?;,+\\/\:&_ ]*$
 Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$
 Validator.HTTPPath=^[a-zA-Z0-9.\\-_]*$
 Validator.HTTPURL=^.*$
 Validator.HTTPJSESSIONID=^[A-Z0-9]{10,30}$

 # Contributed by Fraenku@gmx.ch
 # Googlecode Issue 116 (http://code.google.com/p/owasp-esapi-java/issues/detail?id=116)
 Validator.HTTPParameterName=^[a-zA-Z0-9_\\-]{1,32}$
 Validator.HTTPParameterValue=^[\\p{L}\\p{N}.\\-/+\=_ \!$*?@]{0,1000}$
 Validator.HTTPContextPath=^/[a-zA-Z0-9.\\-_]*$
 Validator.HTTPQueryString=^([a-zA-Z0-9_\\-]{1,32}\=[\\p{L}\\p{N}.\\-/+\=_\!$*?@%]*&?)*$
 Validator.HTTPURI=^(/[a-zA-Z0-9.\\-_]*)*?[a-zA-Z0-9.\\-_\=&]*$


 # Validation of file related input
 Validator.FileName=^[a-zA-Z0-9(.|\\|/|-|' ')]*[a-zA-Z0-9]+$
 Validator.DirectoryName=^[a-zA-Z0-9\:/\\\\\!@\#$%^&{}\\[\\]()_+\\-\=,.~'`]{1,255}$

 # Validation of dates. Controls whether or not 'lenient' dates are accepted.
 # See DataFormat.setLenient(boolean flag) for further details.
 Validator.AcceptLenientDates=false

My research seems to indicate that it is related to the ESAPI properties file, but I put the properties file in the same folder as the jar and it does not work.

Can anyone help me?
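As an added example (not code from the question or from the ESAPI project), the class below checks each place ESAPI 2.x looks for ESAPI.properties before the first ESAPI locator call is made, so a missing file is reported plainly instead of surfacing as the nested ConfigurationException above, and then runs the same validation call wrapped in the exception handling a caller needs. The class name EsapiConfigCheck and the method locateEsapiProperties are my own; the search order follows the load log printed in the second answer below (org.owasp.esapi.resources directory, then .esapi/, then user.home/esapi/, then the classpath root). One assumption worth knowing: in the ESAPI 2.x reference implementation the type argument of getValidInput is looked up with "Validator." prepended, so the example passes "FileName" rather than "Validator.FileName".

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

import java.io.File;
import java.net.URL;

/**
 * Pre-flight check for the ESAPI.properties lookup, followed by the
 * validation call from the question. Hypothetical helper, not part of ESAPI.
 */
public class EsapiConfigCheck {

    /** Returns a description of where ESAPI.properties would be found, or null if nowhere. */
    public static String locateEsapiProperties() {
        String name = "ESAPI.properties";

        // 1. Explicit resource directory, set with -Dorg.owasp.esapi.resources=/path/to/dir
        String resDir = System.getProperty("org.owasp.esapi.resources");
        if (resDir != null) {
            File f = new File(resDir, name);
            if (f.canRead()) return "org.owasp.esapi.resources: " + f.getAbsolutePath();
        }

        // 2. .esapi/ directory relative to the JVM working directory
        File dotEsapi = new File(".esapi", name);
        if (dotEsapi.canRead()) return "working directory: " + dotEsapi.getAbsolutePath();

        // 3. $HOME/esapi/ESAPI.properties
        File home = new File(new File(System.getProperty("user.home"), "esapi"), name);
        if (home.canRead()) return "user.home: " + home.getAbsolutePath();

        // 4. Classpath root, via the thread context class loader (the lookup that
        //    succeeded in the answer's log). A folder next to the jar is NOT on the
        //    classpath unless it is added explicitly.
        URL cp = Thread.currentThread().getContextClassLoader().getResource(name);
        if (cp != null) return "classpath: " + cp;

        return null;
    }

    public static void main(String[] args) {
        String where = locateEsapiProperties();
        if (where == null) {
            System.err.println("ESAPI.properties not found in any search location; "
                    + "ESAPI.validator() would throw ConfigurationException");
            System.exit(2);
        }
        System.out.println("ESAPI.properties will be loaded from " + where);

        // Same validation as in the question. The type must exist as a
        // Validator.<type> key in ESAPI.properties or validation.properties.
        try {
            String valid = ESAPI.validator().getValidInput(
                    "GetValidInput:", "hola.txt", "FileName", 10, false);
            System.out.println("accepted: " + valid);
        } catch (ValidationException e) {
            // Input failed the whitelist pattern or exceeded maxLength: reject it, never use it.
            System.err.println("rejected: " + e.getUserMessage());
        } catch (IntrusionException e) {
            // Input looked like an attack (for example double encoding); ESAPI has logged it.
            System.err.println("intrusion detected: " + e.getUserMessage());
        }
    }
}
```

Run it with the same classpath as the application; if the first line reports "classpath: ..." the properties file is visible to ESAPI, and if it exits with code 2 the fix is either adding the folder containing ESAPI.properties to the classpath or passing -Dorg.owasp.esapi.resources pointing at that folder.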

2 answers:

Answer 0 (score: 1)

Solved. I just had to add the folder containing the properties file to my project's classpath and it just worked. Now I have a different error, but that's fine.

Answer 1 (score: 1)

You can drop it in the root source folder (src) of your web application. Do not put it in any package. For me an empty file solved it, although it also searched in other places. You can refer to the following log -

Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: /Applications/Eclipse.app/Contents/MacOS/ESAPI.properties
Not found in SystemResource Directory/resourceDirectory: .esapi/ESAPI.properties
Not found in 'user.home' (/Users/athakur) directory: /Users/athakur/esapi/ESAPI.properties
Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
Attempting to load ESAPI.properties via the classpath.
SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
SecurityConfiguration for Validator.ConfigurationFile not found in ESAPI.properties. Using default: validation.properties
Attempting to load validation.properties via file I/O.
Attempting to load validation.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: /Applications/Eclipse.app/Contents/MacOS/validation.properties
Not found in SystemResource Directory/resourceDirectory: .esapi/validation.properties
Not found in 'user.home' (/Users/athakur) directory: /Users/athakur/esapi/validation.properties
Loading validation.properties via file I/O failed.
Attempting to load validation.properties via the classpath.
validation.properties could not be loaded by any means. fail. Exception was: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource.
SecurityConfiguration for ESAPI.printProperties not found in ESAPI.properties. Using default: false
SecurityConfiguration for Encryptor.CipherTransformation not found in ESAPI.properties. Using default: AES/CBC/PKCS5Padding
SecurityConfiguration for ESAPI.Encoder not found in ESAPI.properties. Using default: org.owasp.esapi.reference.DefaultEncoder
SecurityConfiguration for ESAPI.Logger not found in ESAPI.properties. Using default: org.owasp.esapi.reference.JavaLogFactory
SecurityConfiguration for Logger.LogApplicationName not found in ESAPI.properties. Using default: true
SecurityConfiguration for Logger.LogServerIP not found in ESAPI.properties. Using default: true
SecurityConfiguration for Logger.ApplicationName not found in ESAPI.properties. Using default: DefaultName

Based on the above log, I created an empty ESAPI.properties file in the root of the source folder and added the following to it -

ESAPI.printProperties=true
Encryptor.CipherTransformation=AES/CBC/PKCS5Padding
ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
# Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html
ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory
# Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.
Logger.LogApplicationName=true
# Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments.
Logger.LogServerIP=true
# Set the application name if these logs are combined with other applications
Logger.ApplicationName=ExampleApplication