The customer needs ESAPI to validate that input and output parameters are safe, but the first time I tried to use it I got an error:
org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException SecurityConfiguration class (org.owasp.esapi.reference.DefaultSecurityConfiguration) CTOR threw exception.
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129)
at org.owasp.esapi.ESAPI.securityConfiguration(ESAPI.java:184)
at org.owasp.esapi.ESAPI.httpUtilities(ESAPI.java:121)
at com.ctbc.mi.web.util.ServletUtil.getESAPIRequestParameter(ServletUtil.java:169)
at com.ctbc.mi.web.servlet.query.MIQueryServletMain.doProcess(MIQueryServletMain.java:35)
.......
.......
Caused by: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource.
at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfigurationFromClasspath(DefaultSecurityConfiguration.java:667)
at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:436)
... 48 more
Looking at the root exception:
Caused by: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource.
This is clearly a configuration error: the ESAPI.properties file is missing. As the reference site mentioned above says, it is recommended to place it under the src root:
- Create a ESAPI.properties file in the root source directory of your web application. Do not place it in a package inside the root source directory because the DefaultSecurityConfiguration will not find it.
After moving the file to that location it ran fine~
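A small added example (my own, not code from the post or from ESAPI) that checks for ESAPI.properties the same way the root exception describes, as a classloader resource, before the first ESAPI.* call triggers DefaultSecurityConfiguration, and then validates one request parameter. It assumes the stock ESAPI.properties from the distribution, which defines the Validator.SafeString pattern; the class name, the parameter names and the two sample values are made up for illustration. With Maven, "root source directory" means the top of src/main/resources.

```java
import java.net.URL;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

// Added example (not the blog post's or ESAPI's code): make sure
// ESAPI.properties is reachable before ESAPI tries to load it, then
// validate one parameter with it.
public class EsapiPropertiesCheck {

    // DefaultSecurityConfiguration consults the org.owasp.esapi.resources
    // system property and ~/.esapi first; when neither is set it ends up in
    // loadConfigurationFromClasspath, which needs the file at the classpath
    // root (not inside a package). This mirrors that last lookup.
    static URL locatePropertiesOnClasspath() {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        if (cl == null) {
            cl = EsapiPropertiesCheck.class.getClassLoader();
        }
        return cl.getResource("ESAPI.properties");
    }

    // Validate a parameter against Validator.SafeString from ESAPI.properties.
    // Returns the canonicalized value, or null when ESAPI rejects it.
    static String safeParameter(String name, String rawValue) {
        try {
            return ESAPI.validator().getValidInput(
                    "parameter " + name, // context shown in log/error messages
                    rawValue,
                    "SafeString",        // Validator.SafeString in ESAPI.properties
                    64,                  // maximum accepted length
                    false);              // null is not allowed
        } catch (ValidationException e) {
            // getLogMessage() has the detail; getUserMessage() is safe for users
            System.err.println("rejected " + name + ": " + e.getLogMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        String override = System.getProperty("org.owasp.esapi.resources");
        if (override != null) {
            System.out.println("org.owasp.esapi.resources=" + override
                    + " is checked before the classpath");
        }

        URL props = locatePropertiesOnClasspath();
        if (props == null) {
            // This is the state that produced the ConfigurationException above.
            System.err.println("ESAPI.properties is not a classloader resource; "
                    + "put it at the classpath root (src/main/resources for Maven).");
            System.exit(1);
        }
        System.out.println("ESAPI.properties found at " + props);

        // Constructed sample inputs: one plain value, one carrying markup.
        System.out.println(safeParameter("account", "A12345"));
        System.out.println(safeParameter("account", "<script>x"));
    }
}
```

Run it once from the same classpath the servlet uses; if it exits with the "not a classloader resource" message, the file is in a package directory or outside the build output, which is exactly the situation behind the stack trace above.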