尝试记录警告时,ESAPI正在抛出org.owasp.esapi.errors.ConfigurationException

时间:2016-04-14 23:24:16

标签: java spring esapi

我们在spring webapp中添加了一个过滤器,用于检查所有可能导致XSS漏洞的传入请求。但是,当它尝试写入日志时,我们得到以下堆栈跟踪:

com.blah.blah.web.controllers.ExceptionLoggingController - ERROR: Exception: code=500,uri=/post.html,servlet=dispatch,class=org.owasp.esapi.errors.ConfigurationException,from=1.2.3.4,message=Request processing failed; nested exception is org.owasp.esapi.errors.ConfigurationException: java.lang.IllegalArgumentException: Classname cannot be null or empty. HTTPUtilities type name cannot be null or empty.
org.owasp.esapi.errors.ConfigurationException: java.lang.IllegalArgumentException: Classname cannot be null or empty. HTTPUtilities type name cannot be null or empty.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:105)
    at org.owasp.esapi.ESAPI.httpUtilities(ESAPI.java:121)
    at org.owasp.esapi.ESAPI.currentRequest(ESAPI.java:70)
    at org.owasp.esapi.reference.JavaLogFactory$JavaLogger.log(JavaLogFactory.java:308)
    at org.owasp.esapi.reference.JavaLogFactory$JavaLogger.warning(JavaLogFactory.java:242)
    at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:181)
    at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:120)
    at com.blah.blah.web.MyFilter.removeXSS(MyFilter.java:26)

我在类路径上有ESAPI.properties,这似乎是有效的,确实有#34;缺少"类配置:

ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities

DefaultHTTPUtilities也在类路径上。

2 个答案:

答案 0 :(得分:2)

事实证明我还导入了一个名为opensaml的库(作为其他依赖项的依赖项)。该库有自己的SecurityConfiguration实现,它是ESAPI用于加载配置的接口。由于某种原因,opensaml实现了几乎所有方法只返回n​​ull或0:

package org.opensaml;
/**
 * Minimal implementation of OWASP ESAPI {@link SecurityConfiguration}, providing the support used within OpenSAML.
 */
public class ESAPISecurityConfig implements SecurityConfiguration {
    /** Constructor. */
    public ESAPISecurityConfig() {
    }
    // snip...
    /** {@inheritDoc} */
    public String getHTTPUtilitiesImplementation() {
        return null;
    }
    // snip....
}

在一个名为DefaultBootstrap的类中,这在我的应用程序启动期间的某个地方执行,这会覆盖ESAPI的默认实现:

protected static void initializeESAPI() {
    ESAPI.initialize("org.opensaml.ESAPISecurityConfig");
}

我无法摆脱opensaml库,所以我不得不更改我的代码,以便在调用ESAPI之前,我将其覆盖回默认实现:

        ESAPI.initialize("org.owasp.esapi.reference.DefaultSecurityConfiguration");
        value = ESAPI.encoder().canonicalize(value);

答案 1 :(得分:0)

跟进Suresh的评论......为此,请查看您捕获stdout的任何地方并查找“尝试加载ESAPI.properties”并按照该跟踪进行操作。看起来应该是这样的:

Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: /home/kww/Code/GitHub/kwwall/esapi-java-legacy/ESAPI.properties
Found in SystemResource Directory/resourceDirectory: /home/kww/Code/GitHub/kwwall/esapi-java-legacy/target/test-classes/esapi/ESAPI.properties
Loaded 'ESAPI.properties' properties file

他们确保从您希望加载的位置加载ESAPI.properties。

相关问题
最新问题