ESAPI 2.5.3.0 released


Kevin W. Wall
Nov 24, 2023, 5:08:53 PM
to esapi-project-users, esapi-project-dev, Matt Seil, Jeremiah J. Stacey

See https://github.com/ESAPI/esapi-java-legacy/releases/tag/esapi-2.5.3.0

There's a LOT of important things there. Read it as it is important even if you do NOT intend to upgrade to 2.5.3.0.

That is all.

-kevin
--
Blog: https://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall | OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.

Jeffrey Walton
Nov 24, 2023, 5:32:40 PM
to Kevin W. Wall, esapi-project-users, esapi-project-dev

On Fri, Nov 24, 2023 at 5:08 PM Kevin W. Wall <kevin....@gmail.com> wrote:
>
> See https://github.com/ESAPI/esapi-java-legacy/releases/tag/esapi-2.5.3.0
>
> There's a LOT of important things there. Read it as it is important even if you do NOT intend to upgrade to 2.5.3.0.
>
> That is all.

Congrats man!

Kevin W. Wall
Nov 26, 2023, 12:38:01 PM
to esapi-project-users, esapi-project-dev, Matt Seil, Jeremiah J. Stacey
Related to the ESAPI 2.5.3.0, I just wrote up instructions on the ESAPI GitHub wiki page
Those of you using ESAPI with something like the latest version of Tomcat or Jetty or Spring Boot 3.0 (or later) or Spring Framework 6.0 (or later) will want to look at those instructions.

-kevin

On Fri, Nov 24, 2023 at 5:08 PM Kevin W. Wall <kevin....@gmail.com> wrote:

David Karr
Nov 29, 2023, 4:17:43 PM
to Kevin W. Wall, esapi-project-users, esapi-project-dev, Matt Seil, Jeremiah J. Stacey
Glad to see this release.

I have a related, but technically tangential question about this. In implementing this classifier-based solution, did you end up with a lot of duplicated code, or were you able to engineer the code and build to avoid that? If the latter, can you describe some techniques you used to achieve that? There's an in-house library in my organization that may need to produce a similar classifier-based solution for the same problem, and I'd like to give them some advice to avoid some duplication pain.

--
You received this message because you are subscribed to the Google Groups "ESAPI Project Users" group.

Kevin W. Wall
Nov 29, 2023, 4:30:59 PM
to David Karr, esapi-project-users, esapi-project-dev, Matt Seil, Jeremiah J. Stacey
David,

Great question. I made zero code changes to ESAPI other than changing our pom.xml. I suppose if we are calling a dependency somewhere along the line which is using javax.servlet namespace, it may eventually result in a separate sort of runtime error at some point, but to my knowledge we don't call any dependencies with any class in the javax.servlet namespace. (And if we did, I am relying on all you folks using Jakarta EE Servlet API to let us know where we need to address it. :-))

But the Eclipse Transformer plugin operates by rewriting the byte code which is why ESAPI didn't have to change anything.

Do please let us know if you find anything wrong with the Jakarta version of ESAPI though.

Thanks,
-kevin
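
An added check (not ESAPI's own code, not part of the thread) for the stray-dependency caveat Kevin raises above: scan a built jar's class entries for constant-pool strings that still name javax.servlet once the artifact is supposed to be the jakarta classifier. The sample jar below is constructed inline; `scan_jar_file` takes a real path.

```python
import io
import zipfile

# Servlet namespaces as they appear in class-file constant pools (internal form uses '/').
JAVAX_SERVLET = b"javax/servlet"
JAKARTA_SERVLET = b"jakarta/servlet"


def scan_jar(jar_bytes: bytes) -> dict:
    """Count .class entries referencing the javax.servlet or jakarta.servlet namespace.

    Returns {"javax": [entries], "jakarta": [entries], "classes": n}.
    A jar transformed to the 'jakarta' classifier should have an empty 'javax'
    list; any hit there is a class (often from a dependency) that escaped rewriting.
    """
    found = {"javax": [], "jakarta": [], "classes": 0}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            found["classes"] += 1
            data = jar.read(name)
            if JAVAX_SERVLET in data:
                found["javax"].append(name)
            if JAKARTA_SERVLET in data:
                found["jakarta"].append(name)
    return found


def scan_jar_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan_jar(fh.read())


def is_clean_jakarta_jar(jar_bytes: bytes) -> bool:
    """True when no class still names javax.servlet."""
    return not scan_jar(jar_bytes)["javax"]


def build_sample_jar(entries: dict) -> bytes:
    """Constructed fixture: a jar whose 'classes' are just the given bytes.

    Real class files carry type descriptors such as Ljavax/servlet/Filter; as
    CONSTANT_Utf8 pool entries, so a byte substring search is what matters here.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, body in entries.items():
            jar.writestr(name, body)
    return buf.getvalue()


# Constructed sample: one rewritten class, one class a dependency left on javax.servlet.
SAMPLE_JAR = build_sample_jar({
    "org/example/Filter.class": b"\xca\xfe\xba\xbe...Ljakarta/servlet/Filter;...",
    "org/example/Legacy.class": b"\xca\xfe\xba\xbe...Ljavax/servlet/http/HttpServletRequest;...",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
})

if __name__ == "__main__":
    report = scan_jar(SAMPLE_JAR)
    print(f"{report['classes']} classes; javax.servlet still referenced in: {report['javax']}")
```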

David Karr
Nov 29, 2023, 4:53:57 PM
to Kevin W. Wall, esapi-project-users, esapi-project-dev, Matt Seil, Jeremiah J. Stacey
Ah. The eclipse transformer plugin. Time to read some docs.