Using ESAPI jar without a framework filesystem layouts, maven or IDEs

[Jeffrey Walton]

Hi Everyone,

This is a general Java question, and not ESAPI in particular. It just
happens that ESAPI is the reason for the question.

We want to provide some _lean_ ESAPI examples using the command line.
So I downloaded esapi-2.5.2.0.jar from GitHub. Building the test code
from the command line results in:

$ javac ESAPITest.java && java -cp "$(pwd):esapi-2.5.2.0.jar"
ESAPITest "Hello World &"
ESAPITest.java:4: error: package org.owasp.esapi does not exist
import org.owasp.esapi.*;
^
ESAPITest.java:23: error: cannot find symbol
String encoded = ESAPI.encoder().encodeForURL(value);
^
symbol: variable ESAPI
location: class ESAPITest
2 errors

Are there any tricks to using just a jar, without the requirements of
framework filesystem layouts, maven or IDEs?

Jeff

[Kevin W. Wall]

Jeff,

Look under:

    src/examples

in ESAPI. There are some standalone Java programs there (under the 'java' subdirectory) that use the scripts in the 'scripts' subdirectory to execute. Specifically, look at the 'compile.sh' and 'runClass.sh' scripts. (I think they both use the 'findJars.sh' script; well, at least the runClass.sh one does.)

HTH,

-kevin

--
You received this message because you are subscribed to the Google Groups "ESAPI Project Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to esapi-project-u...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/esapi-project-users/CAH8yC8koBDAQz1iZSSXc-a0HR1GS1aSaCQM6Z6iiZOs0CtfNGw%40mail.gmail.com.

--

Blog: https://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall | OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.

[Jeffrey Walton]

Thanks Kevin,

Before I dig into test scripts... Given:

$ jar tf esapi-2.5.2.0.jar | grep Encoder
org/owasp/esapi/reference/DefaultEncoder$UriSegment.class
org/owasp/esapi/reference/DefaultEncoder.class
org/owasp/esapi/Encoder.class
org/owasp/esapi/EncoderConstants.class

Shouldn't Java be able to find the encoder class with:

$ javac -cp "$(pwd):esapi-2.5.2.0.jar" ESAPITest.java
ESAPITest.java:21: error: cannot find symbol
String encoded = org.owasp.esapi.Encoder().encodeForURL(value);
^
symbol: class esapi
location: package org.owasp
1 error

I'm having a hard time understanding how the Java compiler gets lost
once it finds 'org.owasp'. It seems like (to me) javac should be able
to find 'esapi' following 'org.owasp'.

Jeff

[Kevin W. Wall]

Typo. I think you want:

String encoded =

org.owasp.esapi.ESAPI.encoder().encodeForURL(value);

-kevin

[Jeffrey Walton]

> String encoded =
> org.owasp.esapi.ESAPI.encoder().encodeForURL(value);

Oh man, that was it. Thanks.

A shitty error message sent me down the rabbit hole. The shitty error
message said the problem was after 'owasp', not 'esapi'.

If I would have received a decent error message, I would have figured
that out myself. I was doing the name tiddling after 'owasp'.

Sorry about the noise.

Jeff

[Kevin W. Wall]

I should add that I think why what you did didn't work is because the Encoder is an interface so it has no CTOR. Because of that, I speculate that it might have "backed up" and looked for a class called "esapi" in the "org.owasp" package and then tried to interpret Encoder() as a static method for that "class". Just speculation though, but I agree that the Java compiler error message is a bit obtuse.

-kevin

[Kevin W. Wall]

Also,  compiling it (at least for this particular example) is the easy part. Collecting all the jars that even this simple example needs to run along with the configuration files is the harder part, whuis why I mentioned the runClass.sh bash script. That should help you with that.

-kevin