I'm using ESAPI encryption in a Tomcat war application. I want to load the ESAPI.properties file from a directory outside of the war, in order to have a different key and salt for each environment. I also wish that each war will have a different ESAPI.properties file so each application will be individually configured. According to the documentation of org.owasp.esapi.reference.DefaultSecurityConfiguration there are a few ways to achieve that.

1) SecurityConfiguration.setResourceDirectory( "C:\temp\resources" ).

2) System.getProperty( "org.owasp.esapi.resources" )

3) Inside the System.getProperty( "user.home" ) + "/.esapi" directory

4) The first ".esapi" or "esapi" directory on the classpath.

The first 3 options will enforce one configuration per Tomcat, meaning the properties file location is enforced on all deployed wars. (The first option uses ClassLoader.getSystemResource, which requires the path to be part of the class path.)

Is there a way to accomplish it using Tomcat configuration?

I also found a way to override the ESAPI default security configuration, where I can extend the DefaultSecurityConfiguration and override getResourceFile, but the ESAPI javadoc says that this method should "NEVER" be used. I'm not sure what the reason for that is.

    package org.owasp.esapi;

    public final class ESAPI {
        /**
         * Overrides the current security configuration with a new implementation. This is meant
         * to be used as a temporary means to alter the behavior of the ESAPI and should *NEVER*
         * be used in a production environment as it will affect the behavior and configuration of
         * the ESAPI *GLOBALLY*.
         *
         * To clear an overridden Configuration, simple call this method with null for the config
         * parameter.
         *
         * @param config
         * @return
         */
        public static void override( SecurityConfiguration config ) {
            overrideConfig = config;
        }
        // ... rest of the class omitted
    }

Any suggestions?

Litom

1 Answer

If you want a Tomcat configuration for a specific instance, the first thing that comes to mind is setting it up using Tomcat's setenv.sh script. Something like:

    export JAVA_OPTS="$JAVA_OPTS -Dorg.owasp.esapi.resources=/path/resources"

avgvstvs
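
A fuller setenv.sh along the lines of the answer above, as an added example (not code from the original answer, ESAPI or Tomcat). Because org.owasp.esapi.resources is a JVM-wide system property, it assumes one Tomcat instance (its own CATALINA_BASE) per application; the conf/esapi layout and the esapi_opts helper are hypothetical. It refuses to set the option when ESAPI.properties, which holds the key and salt, is missing or accessible to other users.

```shell
#!/bin/sh
# Added example for $CATALINA_BASE/bin/setenv.sh. Not ESAPI or Tomcat code.
# Assumes one Tomcat instance (CATALINA_BASE) per application and a
# hypothetical layout: $CATALINA_BASE/conf/esapi/ESAPI.properties

# Print the -D option for a resource directory, or return non-zero when
# the directory is unusable or ESAPI.properties is exposed to other users.
esapi_opts() {
    dir=$1
    props="$dir/ESAPI.properties"

    # JAVA_OPTS is one flat string, so accept only absolute paths made of
    # characters that cannot be split or re-interpreted by the shell.
    case $dir in
        /*) ;;
        *) echo "esapi: not an absolute path: $dir" >&2; return 1 ;;
    esac
    case $dir in
        *[!A-Za-z0-9/._-]*) echo "esapi: unsafe character in path: $dir" >&2; return 1 ;;
    esac

    if [ ! -f "$props" ] || [ ! -r "$props" ]; then
        echo "esapi: cannot read $props" >&2
        return 1
    fi

    # The file carries this environment's key and salt: refuse to continue
    # if group or others have any permission bit on it (want 0600 or 0400).
    perms=$(ls -ld "$props" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "esapi: $props is accessible to group/others, chmod 600 it" >&2
        return 1
    fi

    printf '%s\n' "-Dorg.owasp.esapi.resources=$dir"
}

# catalina.sh sets CATALINA_BASE before sourcing setenv.sh.
if [ -n "${CATALINA_BASE:-}" ]; then
    opt=$(esapi_opts "$CATALINA_BASE/conf/esapi") || exit 1
    JAVA_OPTS="${JAVA_OPTS:-} $opt"
    export JAVA_OPTS
fi
```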