Commit 73995a4

committed
No explicit changes; just did an add, followed by commit, but that seemed to fix the others.
1 parent 21f3992 commit 73995a4

6 files changed, +286 -286 lines changed

LICENSE-CONTENT

+78-78
Large diffs are not rendered by default.

LICENSE-README

+6-6
@@ -1,7 +1,7 @@
1-
Please note that:
2-
3-
1) The LICENSE file only refers to the licensing of the source and binary code of ESAPI.
4-
For example, the actual ESAPI JAR file is only licensed under "The BSD License".
5-
6-
2) The LICENSE-CONTENT file only refers to the licensing of the content and documentation of ESAPI.
1+
Please note that:
2+
3+
1) The LICENSE file only refers to the licensing of the source and binary code of ESAPI.
4+
For example, the actual ESAPI JAR file is only licensed under "The BSD License".
5+
6+
2) The LICENSE-CONTENT file only refers to the licensing of the content and documentation of ESAPI.
77
For example, the documentation directory is only licensed under the Creative Commons/ShareAlike 3.0 Unported license.
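Review bot: every line in this hunk is removed and re-added with identical visible text, and the only unchanged context line is line 7, the last line of the file, which is the pattern of a line-ending change (CRLF to LF or the reverse) on a file whose final line has no trailing newline, not a content edit; the commit message should say so, because "no explicit changes" gives a later reader no way to distinguish this from an accidental re-encoding. Confirm with `git diff --ignore-space-at-eol 21f3992 73995a4 -- LICENSE-README` (expected: no output) and consider a `.gitattributes` entry such as `* text=auto` so the normalization cannot flip back on the next checkout from a different platform.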
+60-60
@@ -1,60 +1,60 @@
1-
2-
Welcome to ESAPI for Java!
3-
4-
(This file best viewed full screen.)
5-
6-
Here are the most significant directories and files included the zip file for this release:
7-
8-
File / Directory Description
9-
=========================================================================================
10-
<root>/
11-
|
12-
+---configuration/ Directory of ESAPI configuration files
13-
| |
14-
| |---.esapi/
15-
| | |---waf-policies/ Directory containing Web Application Firewall policies
16-
| | |---ESAPI.properties The main ESAPI configuration file
17-
| | `---validation.properties Regular expressions used by the ESAPI validator
18-
| |
19-
| `---properties/ Examples of how to internationalize error messages???
20-
| |---ESAPI_en_US.properties in US/English
21-
| |---ESAPI_fr_FR.properties in French
22-
| `---ESAPI_zhs_CN.properties in Chinese
23-
|
24-
|---documentation/ ESAPI documentation
25-
| |
26-
| |---esapi4java-2.0-readme.txt The file you are now reading
27-
| |---esapi4java-core-2.0-release-notes.pdf ESAPI 2.0 release notes (draft)
28-
| |---esapi4java-core-2.0-install-guide.doc ESAPI 2.0 installation guide (draft)
29-
| |---esapi4java-2.0rc6-override-log4jloggingfactory.txt How to use log4j to override User logging
30-
| |---esapi4java-core-2.0-ciphertext-serialization.pdf Describes serialization layout of ESAPI 2.0 ciphertext representation
31-
| |---esapi4java-core-2.0-crypto-design-goals.doc (draft) Describes ESAPI 2.0 crypto design goals & design decisions
32-
| |---esapi4java-core-2.0-readme-crypto-changes.html Describes why crypto was changed from what was in ESAPI 1.4
33-
| |---esapi4java-core-2.0-symmetric-crypto-user-guide.html User guide for using symmetric encryption in ESAPI 2.0
34-
| |---esapi4java-core-2.1-release-notes.txt ESAPI 2.1 release notes
35-
| `---esapi4java-waf-2.0-policy-file-spec.pdf Describes how to configure ESAPI 2.0's Web Application Firewall
36-
|
37-
|---libs/ ESAPI dependencies
38-
|
39-
|---site/
40-
| |---apidocs ESAPI Javadoc
41-
| |---cobertura
42-
| `---testapidocs ESAPI Javadoc for its JUnit test cases
43-
|
44-
|---src/ ESAPI source code
45-
|
46-
|---esapi-<vers>.jar The ESAPI jar for version <vers> (e.g., <vers> == 2.0_rc10)
47-
|
48-
|---LICENSE.txt ESAPI license for source code and documentation
49-
|
50-
`---pom.xml Maven's pom.xml for building ESAPI from source via mvn.
51-
52-
===========================================================
53-
54-
Where to go from here -- please see the installation guide and the release
55-
notes.
56-
57-
Please address comments and questions concerning the API and this document to
58-
the ESAPI Users mailing list, <[email protected]>.
59-
60-
Copyright (C) 2009-2010 The OWASP Foundation.
1+
2+
Welcome to ESAPI for Java!
3+
4+
(This file best viewed full screen.)
5+
6+
Here are the most significant directories and files included the zip file for this release:
7+
8+
File / Directory Description
9+
=========================================================================================
10+
<root>/
11+
|
12+
+---configuration/ Directory of ESAPI configuration files
13+
| |
14+
| |---.esapi/
15+
| | |---waf-policies/ Directory containing Web Application Firewall policies
16+
| | |---ESAPI.properties The main ESAPI configuration file
17+
| | `---validation.properties Regular expressions used by the ESAPI validator
18+
| |
19+
| `---properties/ Examples of how to internationalize error messages???
20+
| |---ESAPI_en_US.properties in US/English
21+
| |---ESAPI_fr_FR.properties in French
22+
| `---ESAPI_zhs_CN.properties in Chinese
23+
|
24+
|---documentation/ ESAPI documentation
25+
| |
26+
| |---esapi4java-2.0-readme.txt The file you are now reading
27+
| |---esapi4java-core-2.0-release-notes.pdf ESAPI 2.0 release notes (draft)
28+
| |---esapi4java-core-2.0-install-guide.doc ESAPI 2.0 installation guide (draft)
29+
| |---esapi4java-2.0rc6-override-log4jloggingfactory.txt How to use log4j to override User logging
30+
| |---esapi4java-core-2.0-ciphertext-serialization.pdf Describes serialization layout of ESAPI 2.0 ciphertext representation
31+
| |---esapi4java-core-2.0-crypto-design-goals.doc (draft) Describes ESAPI 2.0 crypto design goals & design decisions
32+
| |---esapi4java-core-2.0-readme-crypto-changes.html Describes why crypto was changed from what was in ESAPI 1.4
33+
| |---esapi4java-core-2.0-symmetric-crypto-user-guide.html User guide for using symmetric encryption in ESAPI 2.0
34+
| |---esapi4java-core-2.1-release-notes.txt ESAPI 2.1 release notes
35+
| `---esapi4java-waf-2.0-policy-file-spec.pdf Describes how to configure ESAPI 2.0's Web Application Firewall
36+
|
37+
|---libs/ ESAPI dependencies
38+
|
39+
|---site/
40+
| |---apidocs ESAPI Javadoc
41+
| |---cobertura
42+
| `---testapidocs ESAPI Javadoc for its JUnit test cases
43+
|
44+
|---src/ ESAPI source code
45+
|
46+
|---esapi-<vers>.jar The ESAPI jar for version <vers> (e.g., <vers> == 2.0_rc10)
47+
|
48+
|---LICENSE.txt ESAPI license for source code and documentation
49+
|
50+
`---pom.xml Maven's pom.xml for building ESAPI from source via mvn.
51+
52+
===========================================================
53+
54+
Where to go from here -- please see the installation guide and the release
55+
notes.
56+
57+
Please address comments and questions concerning the API and this document to
58+
the ESAPI Users mailing list, <[email protected]>.
59+
60+
Copyright (C) 2009-2010 The OWASP Foundation.
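Review bot: line 48 of the re-added text describes LICENSE.txt as the "ESAPI license for source code and documentation", which contradicts LICENSE-README in this same commit (the LICENSE file covers only the source and binary code; the documentation directory is under LICENSE-CONTENT, the Creative Commons/ShareAlike 3.0 Unported license), so since all 60 lines are being rewritten anyway, that entry should read "ESAPI license for source and binary code; see LICENSE-CONTENT for documentation". Two smaller defects in the same text: line 19 still carries the placeholder "???" after "Examples of how to internationalize error messages", and line 6 reads "included the zip file" (missing "in"). As with the LICENSE-README hunk, the removed and added lines are byte-identical as displayed, so this is a line-ending change; `git diff -w` on this path should be empty, and the commit message should state that.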
@@ -1,71 +1,71 @@
1-
This release includes critical changes to the ESAPI Log4JLogger that will now allow you to over-ride the user specific
2-
message using your own User or java.security.Principal implementation.
3-
4-
There are a three critical steps that need to be taken to over-ride the ESAPI Log4JLogger:
5-
6-
1) Please make a copy of http://owasp-esapi-java.googlecode.com/svn/trunk/src/main/java/org/owasp/esapi/reference/ExampleExtendedLog4JLogFactory.java and change the package and the class name (something like com.yourcompany.logging.ExtendedLog4JFactory). This class (not very big at all) gives you the exact “shell” that you will need to over-ride the user message of the ESAPI Log4JLogger.
7-
8-
2) In your new class, please change the following function to use your user object:
9-
10-
public String getUserInfo() {
11-
return "-EXTENDEDUSERINFO-";
12-
}
13-
14-
3) Change your copy of ESAPI.properties to use your new logging class
15-
16-
The ESAPI.properties entry looks like this now:
17-
18-
ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory
19-
20-
Please change it to the following, based on how you renamed your new logging class
21-
22-
ESAPI.Logger=com.yourcompany.logging.ExtendedLog4JFactory
23-
24-
And you should be all set!
25-
26-
PS: The original ESAPI Log4JLogging class used a secure random number as a replacement to logging the session ID. This allowed
27-
us to tie log messages from the same session together, without exposing the actual session id in the log file. The code looks
28-
like this, and you may wish to use it in your over-ridden version of getUserInfo.
29-
30-
HttpServletRequest request = ESAPI.httpUtilities().getCurrentRequest();
31-
if ( request != null ) {
32-
HttpSession session = request.getSession( false );
33-
if ( session != null ) {
34-
sid = (String)session.getAttribute("ESAPI_SESSION");
35-
// if there is no session ID for the user yet, we create one and store it in the user's session
36-
if ( sid == null ) {
37-
sid = ""+ ESAPI.randomizer().getRandomInteger(0, 1000000);
38-
session.setAttribute("ESAPI_SESSION", sid);
39-
}
40-
}
41-
}
42-
43-
In fact, here is the entire original getUserInfo() implementation (that was tied to the ESAPI request and user object) –
44-
you may wish to emulate some of this.
45-
46-
public String getUserInfo() {
47-
// create a random session number for the user to represent the user's 'session', if it doesn't exist already
48-
String sid = null;
49-
HttpServletRequest request = ESAPI.httpUtilities().getCurrentRequest();
50-
if ( request != null ) {
51-
HttpSession session = request.getSession( false );
52-
if ( session != null ) {
53-
sid = (String)session.getAttribute("ESAPI_SESSION");
54-
// if there is no session ID for the user yet, we create one and store it in the user's session
55-
if ( sid == null ) {
56-
sid = ""+ ESAPI.randomizer().getRandomInteger(0, 1000000);
57-
session.setAttribute("ESAPI_SESSION", sid);
58-
}
59-
}
60-
}
61-
62-
// log user information - username:session@ipaddr
63-
User user = ESAPI.authenticator().getCurrentUser();
64-
String userInfo = "";
65-
//TODO - make type logging configurable
66-
if ( user != null) {
67-
userInfo += user.getAccountName()+ ":" + sid + "@"+ user.getLastHostAddress();
68-
}
69-
70-
return userInfo;
71-
}
1+
This release includes critical changes to the ESAPI Log4JLogger that will now allow you to over-ride the user specific
2+
message using your own User or java.security.Principal implementation.
3+
4+
There are a three critical steps that need to be taken to over-ride the ESAPI Log4JLogger:
5+
6+
1) Please make a copy of http://owasp-esapi-java.googlecode.com/svn/trunk/src/main/java/org/owasp/esapi/reference/ExampleExtendedLog4JLogFactory.java and change the package and the class name (something like com.yourcompany.logging.ExtendedLog4JFactory). This class (not very big at all) gives you the exact “shell” that you will need to over-ride the user message of the ESAPI Log4JLogger.
7+
8+
2) In your new class, please change the following function to use your user object:
9+
10+
public String getUserInfo() {
11+
return "-EXTENDEDUSERINFO-";
12+
}
13+
14+
3) Change your copy of ESAPI.properties to use your new logging class
15+
16+
The ESAPI.properties entry looks like this now:
17+
18+
ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory
19+
20+
Please change it to the following, based on how you renamed your new logging class
21+
22+
ESAPI.Logger=com.yourcompany.logging.ExtendedLog4JFactory
23+
24+
And you should be all set!
25+
26+
PS: The original ESAPI Log4JLogging class used a secure random number as a replacement to logging the session ID. This allowed
27+
us to tie log messages from the same session together, without exposing the actual session id in the log file. The code looks
28+
like this, and you may wish to use it in your over-ridden version of getUserInfo.
29+
30+
HttpServletRequest request = ESAPI.httpUtilities().getCurrentRequest();
31+
if ( request != null ) {
32+
HttpSession session = request.getSession( false );
33+
if ( session != null ) {
34+
sid = (String)session.getAttribute("ESAPI_SESSION");
35+
// if there is no session ID for the user yet, we create one and store it in the user's session
36+
if ( sid == null ) {
37+
sid = ""+ ESAPI.randomizer().getRandomInteger(0, 1000000);
38+
session.setAttribute("ESAPI_SESSION", sid);
39+
}
40+
}
41+
}
42+
43+
In fact, here is the entire original getUserInfo() implementation (that was tied to the ESAPI request and user object) –
44+
you may wish to emulate some of this.
45+
46+
public String getUserInfo() {
47+
// create a random session number for the user to represent the user's 'session', if it doesn't exist already
48+
String sid = null;
49+
HttpServletRequest request = ESAPI.httpUtilities().getCurrentRequest();
50+
if ( request != null ) {
51+
HttpSession session = request.getSession( false );
52+
if ( session != null ) {
53+
sid = (String)session.getAttribute("ESAPI_SESSION");
54+
// if there is no session ID for the user yet, we create one and store it in the user's session
55+
if ( sid == null ) {
56+
sid = ""+ ESAPI.randomizer().getRandomInteger(0, 1000000);
57+
session.setAttribute("ESAPI_SESSION", sid);
58+
}
59+
}
60+
}
61+
62+
// log user information - username:session@ipaddr
63+
User user = ESAPI.authenticator().getCurrentUser();
64+
String userInfo = "";
65+
//TODO - make type logging configurable
66+
if ( user != null) {
67+
userInfo += user.getAccountName()+ ":" + sid + "@"+ user.getLastHostAddress();
68+
}
69+
70+
return userInfo;
71+
}
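Review bot: the pseudonymous session id in the example getUserInfo() (hunk lines 37 and 56, `sid = ""+ ESAPI.randomizer().getRandomInteger(0, 1000000);`) is drawn from only a million values, so two concurrent sessions collide far more often than a log analyst expects (roughly even odds once about 1,200 sessions are live, by the birthday bound), and when `getCurrentRequest()` or `getSession(false)` returns null the literal string `null` is written as the session part of `username:session@ipaddr` (line 67). Because the document tells readers to copy this code into their own logging factory, suggest adding both caveats next to the snippet and drawing a longer random token (for example a random alphanumeric string from the ESAPI Randomizer rather than an integer below 1000000). The hunk itself re-adds all 71 lines unchanged, i.e. a line-ending-only change, which the commit message should say explicitly.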
