Problem description

I'm using ESAPI encryption in a Tomcat war application. I want to load the ESAPI.properties file from a directory outside of the war, in order to have a different key and salt for each environment. I also wish that each war will have a different ESAPI.properties file so each application will be individually configured. According to the documentation of org.owasp.esapi.reference.DefaultSecurityConfiguration there are a few ways to achieve that.

1) SecurityConfiguration.setResourceDirectory( "C:\temp\resources" ).

2) System.getProperty( "org.owasp.esapi.resources" )

3) Inside the System.getProperty( "user.home" ) + "/.esapi" directory

4) The first ".esapi" or "esapi" directory on the classpath.

The first 3 options will enforce one configuration per Tomcat, meaning the properties file location is enforced on all deployed wars. (The first option uses ClassLoader.getSystemResource, which requires the path to be part of the class path.)

Is there a way to accomplish it using Tomcat configuration?

I also found a way to override the ESAPI default security configuration, where I can extend DefaultSecurityConfiguration and override getResourceFile, but the ESAPI javadoc says that this method should "NEVER" be used - I'm not sure what the reason for that is.

package org.owasp.esapi;

public final class ESAPI {

    // Holds the overriding configuration; null means "use the normal lookup"
    private static volatile SecurityConfiguration overrideConfig = null;

    /**
     * Overrides the current security configuration with a new implementation. This is meant
     * to be used as a temporary means to alter the behavior of the ESAPI and should *NEVER*
     * be used in a production environment as it will affect the behavior and configuration of
     * the ESAPI *GLOBALLY*.
     *
     * To clear an overridden Configuration, simply call this method with null for the config
     * parameter.
     *
     * @param config the configuration to install globally, or null to clear the override
     */
    public static void override( SecurityConfiguration config ) {
        overrideConfig = config;
    }
}

Any suggestions?

Recommended answer

If you want a Tomcat configuration for a specific instance, the first thing that comes to mind is setting it up using Tomcat's setenv.sh script. Something like

# double quotes, so that the existing $JAVA_OPTS is expanded rather than passed literally
export JAVA_OPTS="$JAVA_OPTS -Dorg.owasp.esapi.resources=/path/resources"
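The setenv.sh approach above gives one location per Tomcat instance. As an added example (not part of the question or the answer, and not ESAPI's or Tomcat's own documentation), the following per-application context file shows how option 4 from the question, the "esapi" directory on the classpath, can point at a directory outside the war that differs for every application. It assumes Tomcat 8 or later (the Resources/PreResources mechanism), an assumed context file name app1.xml for a war deployed as app1, and an assumed external directory /etc/tomcat/esapi/app1 holding ESAPI.properties; it also relies on ESAPI's classpath lookup finding esapi/ESAPI.properties through the webapp class loader, as the question states.

```xml
<!-- $CATALINA_BASE/conf/Catalina/localhost/app1.xml  (assumed name; one such file per deployed war) -->
<Context>
  <Resources>
    <!-- Mount the external directory /etc/tomcat/esapi/app1 (assumed path; holds
         ESAPI.properties and its companion validation.properties) at
         /WEB-INF/classes/esapi inside this webapp only. The webapp class loader then
         resolves "esapi/ESAPI.properties" from it, so the key and salt never have to be
         packaged inside the war, and a second war (app2.xml) can mount a different directory. -->
    <PreResources className="org.apache.catalina.webresources.DirResourceSet"
                  base="/etc/tomcat/esapi/app1"
                  webAppMount="/WEB-INF/classes/esapi"
                  readOnly="true" />
  </Resources>
</Context>
```

Because the directory carries the master key and salt, keep it outside the web root and readable only by the Tomcat service account; readOnly="true" additionally stops the webapp from writing through the mount. If the war also ships its own esapi/ESAPI.properties, the PreResources entry takes precedence over the packaged copy, which is the desired behaviour for per-environment overrides but worth checking on first deployment by confirming which file ESAPI reports loading.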

09-02 11:32