![](/img/trans.png)
[英]ESAPI Logger throwing org.owasp.esapi.errors.ConfigurationException: SecurityConfiguration for HttpUtilities.MaxHeaderNameSize has incorrect type
[英]ESAPI throwing org.owasp.esapi.errors.ConfigurationException when trying to log a warning
我們已經在Spring Web應用程序中添加了一個過濾器,該過濾器會檢查所有傳入請求中是否有可能導致XSS漏洞的內容。 但是,當它嘗試寫入日志時,我們得到以下堆棧跟蹤:
com.blah.blah.web.controllers.ExceptionLoggingController - ERROR: Exception: code=500,uri=/post.html,servlet=dispatch,class=org.owasp.esapi.errors.ConfigurationException,from=1.2.3.4,message=Request processing failed; nested exception is org.owasp.esapi.errors.ConfigurationException: java.lang.IllegalArgumentException: Classname cannot be null or empty. HTTPUtilities type name cannot be null or empty.
org.owasp.esapi.errors.ConfigurationException: java.lang.IllegalArgumentException: Classname cannot be null or empty. HTTPUtilities type name cannot be null or empty.
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:105)
at org.owasp.esapi.ESAPI.httpUtilities(ESAPI.java:121)
at org.owasp.esapi.ESAPI.currentRequest(ESAPI.java:70)
at org.owasp.esapi.reference.JavaLogFactory$JavaLogger.log(JavaLogFactory.java:308)
at org.owasp.esapi.reference.JavaLogFactory$JavaLogger.warning(JavaLogFactory.java:242)
at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:181)
at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:120)
at com.blah.blah.web.MyFilter.removeXSS(MyFilter.java:26)
我在類路徑上有ESAPI.properties,似乎可以正常工作,但確實配置了“缺少”類:
ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
並且DefaultHTTPUtilities也在類路徑上。
事實證明,我還導入了一個名為opensaml的庫(作為其他依賴項的依賴項)。 該庫具有自己的SecurityConfiguration實現,ESAPI用來加載配置的接口。 由於某種原因,opensaml幾乎實現了所有方法以返回null或0:
package org.opensaml;
/**
* Minimal implementation of OWASP ESAPI {@link SecurityConfiguration}, providing the support used within OpenSAML.
*/
public class ESAPISecurityConfig implements SecurityConfiguration {
/** Constructor. */
public ESAPISecurityConfig() {
}
// snip...
/** {@inheritDoc} */
public String getHTTPUtilitiesImplementation() {
return null;
}
// snip....
}
在一個名為DefaultBootstrap的類中,這在我的應用程序啟動期間的某個地方被執行,它覆蓋了ESAPI的默認實現:
protected static void initializeESAPI() {
ESAPI.initialize("org.opensaml.ESAPISecurityConfig");
}
我無法擺脫opensaml庫,因此必須更改代碼,以便在調用ESAPI之前將其覆蓋為默認實現:
ESAPI.initialize("org.owasp.esapi.reference.DefaultSecurityConfiguration");
value = ESAPI.encoder().canonicalize(value);
遵循Suresh的注釋...為此,請查看捕獲stdout的位置,然后查找“嘗試加載ESAPI.properties”,並遵循該路線。 它看起來應該像這樣:
Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: /home/kww/Code/GitHub/kwwall/esapi-java-legacy/ESAPI.properties
Found in SystemResource Directory/resourceDirectory: /home/kww/Code/GitHub/kwwall/esapi-java-legacy/target/test-classes/esapi/ESAPI.properties
Loaded 'ESAPI.properties' properties file
並且他們確保它正在從您期望加載的位置加載ESAPI.properties。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.