ESAPI 2.5.3.0 released
12 views
Skip to first unread message
Kevin W. Wall
Nov 24, 2023, 5:08:53 PM11/24/23
to esapi-project-users, esapi-project-dev, Matt Seil, Jeremiah J. Stacey
There's a LOT of important things there. Read it as it is important even if you do NOT intend to upgrade to 2.5.3.0.
That is all.
-kevin
-- Blog: https://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall | OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.
NSA: All your crypto bit are belong to us.
Kevin W. Wall
Nov 26, 2023, 12:38:01 PM11/26/23
to esapi-project-users, esapi-project-dev, Matt Seil, Jeremiah J. Stacey
Related to the ESAPI 2.5.3.0, I just wrote up instructions on the ESAPI GitHub wiki page
Those of you using ESAPI with something like the latest version of Tomcat or Jetty or Spring Boot 3.0 (or later) or Spring Framework 6.0 (or later) will want to look at those instructions.
-kevin
Kevin W. Wall
Nov 29, 2023, 4:30:59 PM11/29/23
to David Karr, esapi-project-users, esapi-project-dev, Matt Seil, Jeremiah J. Stacey
David,
Great question. I made zero code changes to ESAPI other than changing our pom.xml. I suppose if we are calling a dependency somewhere along the line which is using javax.servlet namespace, it may eventually result in a separate sort of runtime error at some point, but to my knowledge we don't call any dependencies with any class in the javax.servlet namespace. (And if we did, I am relying on all you folks using Jakarta EE Servlet API to let us know where we need to address it. 😁)
Great question. I made zero code changes to ESAPI other than changing our pom.xml. I suppose if we are calling a dependency somewhere along the line which is using javax.servlet namespace, it may eventually result in a separate sort of runtime error at some point, but to my knowledge we don't call any dependencies with any class in the javax.servlet namespace. (And if we did, I am relying on all you folks using Jakarta EE Servlet API to let us know where we need to address it. 😁)
But the Eclipse Transformer plugin operates by rewriting the byte code which is why ESAPI didn't have to change anything.
Do please let us know if you find anything wrong with the Jakarta version of ESAPI though.
Thanks,
-kevin
On Wed, Nov 29, 2023, 4:17 PM David Karr <davidmic...@gmail.com> wrote:
Glad to see this release.I have a related, but technically tangential question about this. In implementing this classifier-based solution, did you end up with a lot of duplicated code, or were you able to engineer the code and build to avoid that? If the latter, can you describe some techniques you used to achieve that? There's an in-house library in my organization that may need to produce a similar classifier-based solution for the same problem, and I'd like to give them some advice to avoid some duplication pain.
--
You received this message because you are subscribed to the Google Groups "ESAPI Project Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to esapi-project-u...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/esapi-project-users/CAOPE6PgQn2EM66KvajoBBQq7jb4uBnp488-f0GK8-wnDVeippw%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages