Warning: file_get_contents(/data/phpspider/zhask/data//catemap/9/security/4.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Java 配置ESAPI安全编码库以防止XSS跨站点脚本问题_Java_Security_Xss_Owasp_Esapi - Fatal编程技术网
Fatal编程技术网
  • java/
  • Java 配置ESAPI安全编码库以防止XSS跨站点脚本问题

Java 配置ESAPI安全编码库以防止XSS跨站点脚本问题

java security

Java 配置ESAPI安全编码库以防止XSS跨站点脚本问题,java,security,xss,owasp,esapi,Java,Security,Xss,Owasp,Esapi,我试图在webapp JSP中使用ESAPI进行安全编码,以防止XSS。我在WEB-INF/lib下添加了esapi-2.1.0.jar,并在JSP的下面几行添加了编码 ESAPI.encoder().encodeForHTML(request.getParameter("")) 但我得到一个例外如下 org.owasp.esapi.errors.ConfigurationException: ESAPI.properties could not be loaded by any means.

我试图在webapp JSP中使用ESAPI进行安全编码,以防止XSS。我在WEB-INF/lib下添加了esapi-2.1.0.jar,并在JSP的下面几行添加了编码

ESAPI.encoder().encodeForHTML(request.getParameter(""))
但我得到一个例外如下

org.owasp.esapi.errors.ConfigurationException: ESAPI.properties could not be loaded by any means. Fail.
org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:439)
我知道问题在于缺少ESAPI.properties文件。我是否应该将此文件与esapi-2.1.0.jar一起下载?我可以看到ESAPI.properties不在ESAPI-2.1.0.jar中。我应该创建自己的文件还是可以获得默认文件,因为我不确定其中应该包含什么?感谢您的帮助。

最新的公共配置文件位于:

如果阅读中的注释/代码,您将看到如何处理文件位置

您需要esapi.properties和validation.properties才能正确使用库

以下是文档的摘录

/**
 * The reference {@code SecurityConfiguration} manages all the settings used by the ESAPI in a single place. In this reference
 * implementation, resources can be put in several locations, which are searched in the following order:
 * <p>
 * 1) Inside a directory set with a call to SecurityConfiguration.setResourceDirectory( "C:\temp\resources" ).
 * <p>
 * 2) Inside the System.getProperty( "org.owasp.esapi.resources" ) directory.
 * You can set this on the java command line as follows (for example):
 * <pre>
 *              java -Dorg.owasp.esapi.resources="C:\temp\resources"
 * </pre>
 * You may have to add this to the start-up script that starts your web server. For example, for Tomcat,
 * in the "catalina" script that starts Tomcat, you can set the JAVA_OPTS variable to the {@code -D} string above.
 * <p>
 * 3) Inside the {@code System.getProperty( "user.home" ) + "/.esapi"} directory (supported for backward compatibility) or
 * inside the {@code System.getProperty( "user.home" ) + "/esapi"} directory.
 * <p>
 * 4) The first ".esapi" or "esapi" directory on the classpath. (The former for backward compatibility.)
 * <p>
 * Once the Configuration is initialized with a resource directory, you can edit it to set things like master
 * keys and passwords, logging locations, error thresholds, and allowed file extensions.
 * <p>
 * WARNING: Do not forget to update ESAPI.properties to change the master key and other security critical settings.
 *
 * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a href="http://www.aspectsecurity.com">Aspect Security</a>
 * @author Jim Manico (jim .at. manico.net) <a href="http://www.manico.net">Manico.net</a>
 * @author Kevin Wall (kevin.w.wall .at. gmail.com)
 */
谢谢你。你指的是esapi.properties和validation.properties?是的,我指的是两者。修正了这个!!谢谢你的接球,谢谢你。我应该使用esapi java还是esapi java legacy?如果您使用的是2.x esapi java legacy。另一个是esapi 3.x.Am的存根分支,它使用esapi-2.1.0.jar并从esapi java legacy中获取prop文件。希望它能起作用。感谢您的帮助:-如果我的答案对您的问题有效,请单击旁边的绿色复选标记接受我的答案,如果您觉得它特别有用,请向上投票!:-