
ESAPI Logger throwing org.owasp.esapi.errors.ConfigurationException: SecurityConfiguration for HttpUtilities.MaxHeaderNameSize has incorrect type

I am using the below code in my application to generate an Excel file as an attachment to the API response header.

App Code:

ESAPI.httpUtilities().setHeader(response,"Content-Disposition", "attachment;filename=" + fileName + "");

After changing to ESAPI 2.2.3.1, excluding log4J due to the vulnerability issues, and adding the below lines in ESAPI.Properties:

ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
Logger.UserInfo=false
Logger.ClientInfo=false

I'm getting the below error in my app. I have the same ESAPI.properties with ESAPI version 2.0.1, which is working fine for the above app code.

Error Message:

org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.owasp.esapi.errors.ConfigurationException: SecurityConfiguration for HttpUtilities.MaxHeaderNameSize has incorrect type] with root cause
org.owasp.esapi.errors.ConfigurationException: SecurityConfiguration for HttpUtilities.MaxHeaderNameSize has incorrect type
    at org.owasp.esapi.reference.DefaultSecurityConfiguration.getIntProp(DefaultSecurityConfiguration.java:1265)
    at org.owasp.esapi.reference.DefaultHTTPUtilities.setHeader(DefaultHTTPUtilities.java:890)
    at com.caremore.togetherness.controller.ExportDataController.getMemberReferralData(ExportDataController.java:93)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)

I think you have missed a property in the esapi.properties file in your project which is required by the latest dependency, the org.owasp.esapi 2.2.3.1 library/jar. Once you update the esapi.properties file to include the missing entry

HttpUtilities.MaxHeaderNameSize=256

which I have noticed in this link, it might work out as expected.

Here is the link which has the difference between the files

When updating ESAPI, check history here for new properties and other changes you will have to/might want to apply as well: https://github.com/ESAPI/esapi-java-legacy/commits/develop/configuration/esapi/ESAPI.properties

That one includes Logger.UserInfo and Logger.ClientInfo.
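The comparison the answers above recommend (your ESAPI.properties against the one shipped with the new ESAPI version) can be run as a build or startup check. This is an added example, not code from the original posts or from the ESAPI project; the class name, helper names and the embedded sample file contents are assumptions constructed for illustration, limited to the keys named on this page.

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;
public class EsapiPropertiesCheck {
    // Constructed sample: a cut-down reference file for the new ESAPI version,
    // holding only the keys named on this page.
    static final String SAMPLE_REFERENCE = String.join("\n",
        "ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory",
        "Logger.UserInfo=false",
        "Logger.ClientInfo=false",
        "HttpUtilities.MaxHeaderNameSize=256");
    // Constructed sample: the application's file as described in the question.
    static final String SAMPLE_APP = String.join("\n",
        "ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory",
        "Logger.UserInfo=false",
        "Logger.ClientInfo=false");

    static Properties load(Reader in) throws IOException {
        try (Reader r = in) { Properties p = new Properties(); p.load(r); return p; }
    }

    /** Keys the reference file defines that the application's file lacks. */
    static SortedSet<String> missingKeys(Properties ref, Properties app) {
        SortedSet<String> missing = new TreeSet<>(ref.stringPropertyNames());
        missing.removeAll(app.stringPropertyNames());
        return missing;
    }

    /** Keys that are integers in the reference file but not in the application's file. */
    static SortedSet<String> nonIntegerKeys(Properties ref, Properties app) {
        SortedSet<String> bad = new TreeSet<>();
        for (String key : ref.stringPropertyNames()) {
            String value = app.getProperty(key);
            if (value != null && isInt(ref.getProperty(key)) && !isInt(value)) bad.add(key);
        }
        return bad;
    }
    static boolean isInt(String s) {
        try { Integer.parseInt(s.trim()); return true; } catch (NumberFormatException e) { return false; }
    }
    public static void main(String[] args) throws IOException {
        // With two arguments, compare <reference.properties> <app.properties>; otherwise use the samples.
        boolean files = args.length == 2;
        Properties ref = load(files ? Files.newBufferedReader(Paths.get(args[0])) : new StringReader(SAMPLE_REFERENCE));
        Properties app = load(files ? Files.newBufferedReader(Paths.get(args[1])) : new StringReader(SAMPLE_APP));
        System.out.println("missing keys: " + missingKeys(ref, app));
        System.out.println("non-integer values: " + nonIntegerKeys(ref, app));
    }
}
```

Run it with the ESAPI.properties taken from the ESAPI release you are upgrading to as the first argument and your application's file as the second.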
