Wednesday 15 July 2015

java - ESAPI validation properties from database -

Is there a way to have ESAPI read validation properties from a database table instead of using the default validation.properties file?

The short answer: no.

Check out the code here.

The relevant comment in the documentation:

    /**
     * The reference SecurityConfiguration manages all the settings used by the ESAPI in a single place. In this reference
     * implementation, resources can be put in several locations, which are searched in the following order:
     * <p>
     * 1) Inside a directory set with a call to SecurityConfiguration.setResourceDirectory( "C:\temp\resources" ).
     * <p>
     * 2) Inside the System.getProperty( "org.owasp.esapi.resources" ) directory.
     * You can set this on the java command line
     * as follows (for example): java -Dorg.owasp.esapi.resources="C:\temp\resources". You may have to add this
     * to the batch script that starts your web server. For example, in the "catalina" script that
     * starts Tomcat, you can set the JAVA_OPTS variable to the -D string above.
     * <p>
     * 3) Inside the System.getProperty( "user.home" ) + "/.esapi" directory
     * <p>
     * 4) In an ".esapi" directory on the classpath
     * <p>
     * Once the Configuration is initialized with a resource directory, you can edit it to set things like master
     * keys and passwords, logging locations, error thresholds, and allowed file extensions.
     * <p>
     * WARNING: Do not forget to update ESAPI.properties to change the master key and other security critical settings.
     *
     * @author Mike Fauzy (mike.fauzy@aspectsecurity.com)
     * @author Jim Manico (jim.manico@aspectsecurity.com)
     * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a
     *         href="http://www.aspectsecurity.com">Aspect Security</a>
     */

If you want that kind of behavior you'll have to manually alter the ESAPI source, and (hopefully) in a way that can ignore specific database implementations.

Also consider that, as a security library, it's a little less secure to manage many of these things in a database. The recommendation from OWASP is to manually compile the library with the properties files in the src/main/resources directory. That way, for an external actor to be able to alter the configuration, they'd have to have a Unix account on the machine, assuming you're keeping to Java standards. (WEB-INF/ is naturally protected.) If you put it in a database, in theory your security configurations are open to SQL injection threats... why risk it?

Having the files in the library puts them straight on the class path and makes them much harder to alter. If you decide to implement this in a database, be extremely careful about TOCTOU errors (time of check, time of use).
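As an added illustration of the file-based lookup the answer above describes (this is not code from the original post or from the ESAPI project), the following program uses option 2 from the quoted Javadoc, the org.owasp.esapi.resources system property, to point ESAPI at a directory of properties files, then validates input against a rule named in validation.properties. It assumes ESAPI 2.x (org.owasp.esapi:esapi) is on the classpath and that the hypothetical directory /etc/myapp/esapi contains ESAPI.properties and validation.properties; the sample inputs are constructed for the demo.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Validator;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

/**
 * Added illustration, not ESAPI's own code: configure ESAPI from a
 * file-based resource directory (lookup option 2 in the Javadoc quoted
 * in the answer) and validate input against a validation.properties rule.
 *
 * Assumptions: ESAPI 2.x on the classpath; the hypothetical directory
 * /etc/myapp/esapi holds ESAPI.properties and validation.properties.
 */
public class EsapiFileConfigDemo {

    // Hypothetical path; substitute your deployment's resource directory.
    private static final String RESOURCE_DIR = "/etc/myapp/esapi";

    static {
        // Must run before the first call into ESAPI, because the
        // configuration is read once at initialization. This is the
        // in-process equivalent of starting the JVM with
        //   -Dorg.owasp.esapi.resources=/etc/myapp/esapi
        if (System.getProperty("org.owasp.esapi.resources") == null) {
            System.setProperty("org.owasp.esapi.resources", RESOURCE_DIR);
        }
    }

    /**
     * Returns the canonicalized input if it matches the "Email" rule,
     * i.e. the regex stored under the key Validator.Email in
     * validation.properties. Throws ValidationException on a mismatch;
     * ESAPI itself raises IntrusionException for input it treats as an attack.
     */
    public static String validEmail(String candidate) throws ValidationException {
        Validator v = ESAPI.validator();
        // context label, input, rule name, maximum length, allowNull
        return v.getValidInput("signup.email", candidate, "Email", 254, false);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign, one carrying an injection payload.
        String[] samples = { "alice@example.com", "alice@example.com' OR '1'='1" };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + validEmail(s));
            } catch (ValidationException e) {
                System.out.println("rejected: " + s + " -> " + e.getUserMessage());
            } catch (IntrusionException e) {
                System.out.println("intrusion flagged: " + s + " -> " + e.getUserMessage());
            }
        }
    }
}
```

Nothing here touches a database: the rules live in files that are read at startup from the resource directory, which is what makes them immune to the SQL injection and TOCTOU concerns the answer raises. Packaging the same files into the application's classpath (lookup option 4, an ".esapi" directory on the classpath, or the src/main/resources approach the answer recommends) removes even the dependency on a filesystem path being present on the host.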

java database oracle esapi
