
private access of 'properties' field in DefaultSecurityConfiguration.java prevents overriding of loadConfiguration()

Open meg23 opened this issue 10 years ago • 3 comments

From [email protected] on May 02, 2011 18:06:24

What steps will reproduce the problem?
1. Extend DefaultSecurityConfiguration
2. Override loadConfiguration() in the extending class
3. Call any method in the super class that references the 'properties' object, and you'll get a null pointer exception.

What is the expected output? What do you see instead?
We want to extend DefaultSecurityConfiguration and override its property loading mechanism. We override the protected method loadConfiguration(), but due to private access on 'properties', that field can't be accessed by the overriding method and so remains set to null in the superclass. Therefore, any method in the superclass that's not overridden in the subclass and that accesses the 'properties' field will throw a null pointer exception.

What version of the product are you using? On what operating system?
ESAPI 2.0rc11, linux

Does this issue affect only a specified browser or set of browsers?
no

Please provide any additional information below.

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=222

meg23, Nov 13 '14 18:11

From [email protected] on May 04, 2011 15:18:17

Extension of DefaultSecurityConfiguration is also made more awkward by private access on the following fields and methods:

Fields:
- String cipherXformFromESAPIProp
- String cipherXformCurrent
- String resourceDirectory

Methods:
- loadConfigurationFromClasspath(String fileName)
- logSpecial(String message)
- logSpecial(String message, Throwable e)
- setCipherXProperties()

meg23, Nov 13 '14 18:11

From [email protected] on May 09, 2011 07:53:48

Note: an easy fix to the original issue would be to give protected access to the 'properties' field. Alternatively, a protected setter on that field would also work.

meg23, Nov 13 '14 18:11
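A minimal model of the failure described in the report and of the protected-setter fix proposed in the comment above. This is an added example, not ESAPI's code: BaseConfig stands in for DefaultSecurityConfiguration, the property key is a constructed sample, and setProperties() is a hypothetical name for the suggested setter.

```java
import java.util.Properties;
// Simplified stand-in for DefaultSecurityConfiguration (not ESAPI's code).
class BaseConfig {
    private Properties properties;                 // private, as in the report
    BaseConfig() { loadConfiguration(); }          // overridable hook run at construction
    protected void loadConfiguration() {
        Properties p = new Properties();
        p.setProperty("cipher.transformation", "AES/CBC/PKCS5Padding"); // constructed sample entry
        properties = p;
    }
    // Not overridden below; dereferences the private field.
    public String getCipherTransformation() {
        return properties.getProperty("cipher.transformation");
    }

    // The protected setter suggested in the thread (hypothetical name).
    protected void setProperties(Properties p) { this.properties = p; }
}

// Overrides loading but cannot reach BaseConfig.properties, so it stays null.
class BrokenConfig extends BaseConfig {
    @Override
    protected void loadConfiguration() {
        Properties p = new Properties();
        p.setProperty("cipher.transformation", "AES/GCM/NoPadding");
        // p is dropped here: there is no legal way to assign the private field
    }
}

// Same override, handing the result back through the protected setter.
class FixedConfig extends BaseConfig {
    @Override
    protected void loadConfiguration() {
        Properties p = new Properties();
        p.setProperty("cipher.transformation", "AES/GCM/NoPadding");
        setProperties(p);
    }
}

public class Repro {
    public static void main(String[] args) {
        System.out.println("FixedConfig: " + new FixedConfig().getCipherTransformation());
        try {
            new BrokenConfig().getCipherTransformation();
        } catch (NullPointerException e) {
            System.out.println("BrokenConfig: NullPointerException, as the report describes");
        }
    }
}
```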

The current group of ESAPI contributors have discussed this privately amongst ourselves and concluded that some things should be left as-is because of security concerns. Were it up to me, I would have made the class DefaultSecurityConfiguration final and forced a completely new implementation to change the behavior. (In fact, I think that all the reference implementation classes should be made final. Convince me why they shouldn't be. ESAPI is a security library after all.)

As a compromise, we have introduced the System property org.owasp.esapi.logSpecial.discard which will cause all the log messages normally logged by the method logSpecial() to be discarded if the System property is set to true.

kwwall, Jun 12 '19 01:06