cloudbees & ESAPI - how do I point to the ESAPI directory?

Question

I'm using ESAPI for my project, and added the ESAPI configuration directory to src/main/resources so it is copied to my WAR file (I downloaded the WAR from cloudbees, I can see it was put in WEB-INF/classes/esapi/ directory)

Locally, I just point to where the directory is and all works fine, but on cloudbees it just doesn't work for me.

In order to access its properties, ESAPI project tries all kinds of stuff, including checking the org.owasp.esapi.resources system property, so I've added the following code to cloudbees-web.xml:

<sysprop name="org.owasp.esapi.resources" value="WEB-INF/classes/esapi/" />

and I can see that the system property value is found because of the following error in the logs:

Not found in 'org.owasp.esapi.resources' directory or file not readable: /var/genapp/apps/akld3873/WEB-INF/classes/esapi/ESAPI.properties

so it finds the system property (because the path is like I've specified), but when it looks for the actual directory and files in it, I guess the directory is either not there or not readable.

Do I need to move it somewhere else? Inside the WEB-INF directory maybe? Is the setting not right? I've read that others solved similar issues by building a JAR just for this directory, but this doesn't seem like a good solution, there must be a simple setup that will work for cloudbees.

Answer 1

Ok so after searching and testing, I finally figured it out. Cloudbees deploys your web app to the following directory:

staxcat/install/webapp.war/

notice that this is a relative path, with prefix of this path attached it looks something like this:

/var/genapp/apps/xxxxxxxx/staxcat/install/webapp.war/WEB-INF/esapi/ESAPI.properties

so, in order to get ESAPI to work, I had to set the following in cloudbees-web.xml:

<sysprop name="org.owasp.esapi.resources" value="staxcat/install/webapp.war/WEB-INF/esapi" />

this will enable ESAPI to find the directory if in your project it is located under:

src/main/webapp/WEB-INF/esapi

and you should get the following log line:

Found in 'org.owasp.esapi.resources' directory: /var/genapp/apps/xxxxxxxxx/staxcat/install/webapp.war/WEB-INF/esapi/ESAPI.properties

Answer 2

Design for ESAPI lib to require a directory access to configuration is not very flexible. A general purpose option is to use ServletContext.getRealPath to resolve the absolute filesystem path to this directory and pass it to ESAPI.

Another option is for you to have some init code to copy WEB-INF/classes/esapi content in a temporary directory (using java.io.temp system property to point to the currently configured temp dir for your app) and point ESAPI lib to this path.