How to get started with ESAPI out of a servlet container

Has anyone looked at getting started with ESAPI in a non-web environment? I put together a small test that validates a string with DefaultValidator.isValidCreditCard, but I ran into a few web-container dependency errors.

The JUnit test uses the following method:

// Imports and fields assumed to live on the enclosing test class
import java.util.ArrayList;
import org.owasp.esapi.ValidationErrorList;
import org.owasp.esapi.Validator;

private Validator validator;   // e.g. ESAPI.validator() or a DefaultValidator instance
private String value;
private boolean isValid;
private ArrayList messages;

@Override
public ValidationErrorList creditCard(String value) {
    this.value = value;
    ValidationErrorList errorList = new ValidationErrorList();
    try {
        // context = null (label used in error messages), allowNull = false
        isValid = validator.isValidCreditCard(null, value, false, errorList);
    } catch (Exception ie) {
        System.out.println(">>> CCValidator: [" + value + "] " + ie.getMessage());
        messages = (ArrayList) errorList.errors();
    }
    // the declared return type is ValidationErrorList, so return the list itself
    return errorList;
}

This is the error I get (relevant part); of course, I am not running inside a container:

Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
Found in 'org.owasp.esapi.resources' directory: C:\foundation\validation\providers\esapi\ESAPI.properties
Loaded 'ESAPI.properties' properties file
Attempting to load validation.properties via file I/O.
Attempting to load validation.properties as resource file via file I/O.
Found in 'org.owasp.esapi.resources' directory: C:\foundation\validation\providers\esapi\validation.properties
Loaded 'validation.properties' properties file
SecurityConfiguration for Encoder.AllowMixedEncoding not found in ESAPI.properties. Using default: false
SecurityConfiguration for Encoder.AllowMixedEncoding not found in ESAPI.properties. Using default: false

javax/servlet/ServletRequest
java.lang.NoClassDefFoundError: javax/servlet/ServletRequest
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:264)
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:74)
    at org.owasp.esapi.ESAPI.httpUtilities(ESAPI.java:121)
    at org.owasp.esapi.ESAPI.currentRequest(ESAPI.java:70)
    at org.owasp.esapi.reference.Log4JLogger.log(Log4JLogger.java:434)
...

Calling ESAPI.xxxMethods() also raises dependency errors.

Any getting-started advice would be much appreciated.

Best,

Jose

ESAPI has a servlet filter API that needs javax.servlet.ServletRequest on the classpath. ESAPI belongs to OWASP --> "Open Web Application Security Project." Therefore, ESAPI is designed for web applications.

If you are not writing a web application, then it is either a console application or a rich-client application. If you do not want it to connect to the outside world, then the main security practice you really need to worry about is ensuring that you always use safely parameterized queries, and that any data passed into your application from a source that IS connected to the outside world is properly escaped. For that, the only thing you need is OWASP's encoder project.
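As an added illustration of the advice in this answer (example code, not from the question or the ESAPI project): a console-style class that binds untrusted input as a query parameter and encodes it for HTML output with the OWASP Java Encoder, without pulling in ESAPI's servlet dependency. It assumes org.owasp.encoder:encoder is on the classpath, that a JDBC DataSource is supplied by the caller, and the table and column names are made up.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;
import org.owasp.encoder.Encode;

public class NonWebInputHandling {
    // Assumed: the caller configures and supplies the DataSource
    private final DataSource dataSource;

    public NonWebInputHandling(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    // customerId is untrusted (read from a file, socket, etc.); it is bound
    // as a parameter and never concatenated into the SQL text.
    // Table/column names are hypothetical.
    public int countCardsForCustomer(String customerId) throws SQLException {
        String sql = "SELECT COUNT(*) FROM payment_cards WHERE customer_id = ?";
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, customerId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0;
            }
        }
    }

    // When the same untrusted value is written into an HTML report or a
    // log viewer, encode it for that output context rather than trusting it.
    public static String htmlReportRow(String customerId, int count) {
        return "<tr><td>" + Encode.forHtml(customerId)
             + "</td><td>" + count + "</td></tr>";
    }
}
```

The Encode.forHtml call turns a value such as `<script>` into `&lt;script&gt;`, so the report renders it as text instead of markup.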