diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 000000000..4c095cb35
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,118 @@
+# Contributing to ESAPI -- Details
+
+## Getting Started
+If you have not already done so, go back and read the section
+"[Contributing to ESAPI legacy](https://github.com/ESAPI/esapi-java-legacy/blob/develop/README.md#contributing-to-esapi-legacy)" in ESAPI's README.md file. It
+may contain updates and advice not contained herein.
+
+### A Special Note on GitHub Authentication
+GitHub has announced that they are deprecating password based authentication
+using username / password and beginning 2021-08-13, you will no longer be
+able to your password to authenticate to 'git' operations on GitHub.com.
+Please see https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/
+for details and plan accordingly.
+
+### A Special Note Regarding Making Commits for PRs
+Shortly after the 2.5.1.0 ESAPI release in late November 2022, the ESAPI
+team decided to lock down the 'develop' amd 'main' branches. Merges from
+PRs are done to the 'develop' branch. That means that if you intend to
+contribute to ESAPI, you must be signing your commits. Please see the
+GitHub instructions at
+ https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits
+for details.
+
+### Git Branching Model
+We are following the branching model described in
+ https://nvie.com/posts/a-successful-git-branching-model
+If you are unfamiliar with it, you would be advised to give it a quick
+perusal. The major point is that the 'main' (formerly 'master') branch is
+reserved for official releases (which will be tagged), the 'develop' branch
+is used for ongoing development work and is the default branch, and we
+generally work off 'issue' branches named 'issue-#' where # is the GitHub
+issue number. (The last is not an absolute requirement, but rather a
+suggested approach.)
+
+Finally, we recommend setting the git property 'core.autocrlf' to 'input'
+in your $HOME/.gitconfig file; e.g., that file should contain something
+like this:
+
+ [core]
+ autocrlf = input
+
+
+### Required Software
+We use Maven for building. Maven 3.6.3 or later is required. You also need
+JDK 8 or later. [Note: If you use JDK 9 or later, there will be multiple
+failures when you try to run 'mvn test' as well as some general warnings.
+See [ESAPI GitHub issue #496](https://github.com/ESAPI/esapi-java-legacy/issues/496) for details. We welcome volunteers to address
+this.]
+## Finding Something Interesting to Work on
+
+See the section [Contributing to ESAPI Legacy](https://github.com/ESAPI/esapi-java-legacy/blob/develop/README.md#contributing-to-esapi-legacy)
+in the ESAPI README for suggestions. While you don't *have* to work on something labeled "good first issue"
+or "help wanted", those are good places to start for someone not yet familiar with the ESAPI code base.
+
+You will need a account on GitHub though. Once you create one, let us know
+what it is. Then if you want to work on a particular issue, we can assign
+it to you so someone else won't take it.
+
+If you have questions, email Kevin Wall (Kevin.W.Wall@gmail.com) or Matt
+Seil (xeno6696@gmail.com).
+
+
+## Building ESAPI
+See our local GitHub wiki page, [Building ESAPI](https://github.com/ESAPI/esapi-java-legacy/wiki/Building-ESAPI),
+which briefly discusses how to build ESAPI via Maven.
+
+You can also refer to [Using ESAPI for Java with Eclipse](https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-for-Java-with-Eclipse)
+if you prefer working from IDEs. There is also a much older ESAPI wiki page,
+[Building with Eclipse](https://www.owasp.org/index.php/ESAPI-BuildingWithEclipse)
+that might be useful.
+
+As always, any contributions to ESAPI's admittedly skimpy documentation in this area is welcome.
+In particular, contributing some hints about debugging applications using ESAPI
+would be very useful to our ESAPI clients.
+
+## Steps to work with ESAPI
+I usually do everything from the bash command prompt in Linux Mint,
+but other people use Windows. If you prefer an IDE, I can't help you
+much, but I can help with at least modest problems. If you have more
+difficult problems, I will probably refer you to my project co-leader,
+Matt who groks git a lot better than I.
+
+But the basic high level steps are:
+
+1. Fork https://github.com/ESAPI/esapi-java-legacy to your own GitHub repository using the GitHub web site.
+2. On your local laptop, clone your own GitHub ESAPI repo (i.e, the forked repo created in previous step)
+3. Create a new branch to work on an issue. I usually name the branch 'issue-#' where '#' is the GitHub issue # is will be working on, but you can call it whatever. E.g.,
+ ```bash
+ $ git checkout -b issue-#
+ ```
+4. Work on the GitHub issue on this newly created issue-# branch. Be sure that you also create new JUnit tests as required that confirm that the issue is corrected, or if you are introducing new functionality, ensure
+ that functionality is sufficiently covered.
+5. Make sure everything builds correctly and all the JUnit tests pass ('mvn test'). [Note: There are some known issues with test failures if your are running under Windows and your local ESAPI Git repo located anywhere other than the C: drive, where the test `ValidatorTest.testIsValidDirectoryPath()` fails.
+6. If you have added any dependencies, please also run OWASP Dependency-Check and look at the generated report left in 'target/dependency-check-report.html' to make sure there were not any CVEs introduced. (Alternately you can run 'mvn verify' which will first run the tests and then run Dependency-Check.) Note if this is the first time you have run Dependency-Check for ESAPI, expect it to take a while (often 30 minutes or so!). To execute Dependency Check from Maven, run:
+ ```bash
+ $ mvn org.owasp:dependency-check-maven:check
+ ```
+7. Commit your changes locally.
+8. Push your 'issue-#' branch to your personal, forked ESAPI GitHub repo. E.g.,
+ ```bash
+ $ git checkout issue-444
+ $ git remote -v | grep origin # Confirm 'origin' refers to YOUR PERSONAL GitHub repo
+ $ git push origin issue-444 # Push the committed changes on the 'issue-444' branch
+ ```
+9. Go to your personal, forked ESAPI GitHub repo (web interface) and create a 'Pull Request' (PR) from your 'issue-#' branch.
+10. Back on your local personal laptop / desktop, merge your issue branch with your local 'develop' branch. I.e.,
+ $ git checkout develop
+ $ git merge issue-444
+11. Do not remove your branch on your forked repository until your PR from your branch has been merged into the ESAPI/esapi-java/legacy 'develop' branch.
+ Note at least one the 3 main contributors on will review your commits before
+ merging them and they may do a formal code review and request further changes.
+ Once they are satisfied, they will merge your PR.
+
+In theory, you can do all this 'git' magic from Eclipse and presumably other
+IDEs like Oracle NetBeans or JetBrains IntelliJ IDEA. From Eclipse, it is right-click
+on the project and then select 'Team' to do the commits, etc. If you choose that
+route, you're pretty much on your own because none of us use that for Git
+interactions.
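Review bot: several wording errors in the new CONTRIBUTING.md should be fixed before merge: "able to your password to authenticate" is missing "use", "amd" should be "and" in the branch lock-down note, "the GitHub issue # is will be working on" should read "the GitHub issue # you will be working on", "if your are running" should be "if you are running", and the bracketed "[Note: ..." in step 5 is never closed. In step 10 the two commands (git checkout develop / git merge issue-444) lack the bash code fence that steps 3, 6 and 8 use, so they will render as plain text. The repository path in step 11, "ESAPI/esapi-java/legacy", should be "ESAPI/esapi-java-legacy" to match the URL in step 1, and "at least one the 3 main contributors on will review" should be "at least one of the 3 main contributors will review".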
diff --git a/README.md b/README.md
index 71a0f1f98..c793d99c2 100644
--- a/README.md
+++ b/README.md
@@ -14,18 +14,38 @@ OWASP® ESAPI (The OWASP Enterprise Security API) is a free, open source, web ap
-# Special note regarding Spring Boot 3, Spring 6, Tomcat 10 and other applications / libraries requiring Jakarta EE
-
-
-
-IMPORTANT: We are aware that all versions of ESAPI (unless you are using very select parts) do not work with Jakarta EE. Jakarta EE relies on jakarta.servlet-api. ESAPI is built to use javax.servlet-api. This causes things like Spring Boot 3, Spring 6, Tomcat 10, the latest version of Jetty, etc. to fail to load certain (well, many) ESAPI classes. The reason for this is that the package names between these 2 libraryes are different! The dependency javax.servlet-api has a package namespace of javax.servlet. The jakarta.servlet-api library is using the package namespace of jakarta.servlet. So references to things like ServletRequest, ServletResponse, etc. in ESAPI are using javax.servlet.ServletRequest and javax.servlet.ServletResponse respectively. We cannot make it work for both at once and we will not stop supporting javax.servlet-api, which is what most of our existing ESAPI clients are using.
-
-Therefore PLEASE STOP sending us emails and/or creating GitHub issues regarding this! Instead, please
-read ongoing the GitHub discussion https://github.com/ESAPI/esapi-java-legacy/discussions/768 for further details.
-
-
-
-
+# Jakarta EE Support
+**IMPORTANT:**
+ESAPI has supported the Jakarta Servlet API (i.e., **jakarta.servlet.api**) since release
+2.5.3.0. (Unfortunately, this information was previously missing in this **README** file.)
+
+Therefore, for release 2.5.3.0 and later versions of ESAPI, ESAPI ought to be able to support Spring Boot 3, Spring 6, Tomcat 10,
+and other applications or libraries requiring Jarkata EE. (If you find a case where it does
+not, please file a GitHub issue for it.)
+
+The ESAPI jar file supporting Jakarta will be named esapi-_version_-jakarta.jar. To use that
+specific Jakarta version of ESAPI, in Maven, you would specify your ESAPI dependency in your
+**pom.xml** as:
+```xml
+
+ org.owasp.esapi
+ esapi
+ 2.5.5.0
+ jakarta
+
+```
+(or any other version later than 2.5.3.0). Thanks to Jonathon Putney for creating a PR to
+fix this. There is a long discussion in GitHub Discussion [#768](https://github.com/ESAPI/esapi-java-legacy/discussions/768)
+where this was first announced, for those of you have insomnia or really long attention
+spans and are interested in the approaches that were tried.
+
+Of course, ESAPI also still continues to support the older Java EE Servlet API (i.e., **javax.servlet** namespace) as well. In
+fact, without the
+```xml
+jakarta
+```
+that's the version that will be used by default.
+
# A word about ESAPI vulnerabilities
A summary of all the vulnerabilities that we have written about in either the
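Review bot: the artifact name in the new Jakarta section is inconsistent: "jakarta.servlet.api" (bold, under IMPORTANT) versus "jakarta.servlet-api" used in the Quickstart hunk later in this same README; the Maven artifact id is jakarta.servlet-api, so use that form here too. The parenthetical "(or any other version later than 2.5.3.0)" excludes 2.5.3.0, while the paragraph above says support exists "for release 2.5.3.0 and later"; reword to "2.5.3.0 or later". Also "Jarkata EE" should be "Jakarta EE", and "for those of you have insomnia" is missing "who".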
@@ -64,7 +84,7 @@ The ESAPI release notes may be found in ESAPI's "documentation" directory. They
See the GitHub [Releases](https://github.com/ESAPI/esapi-java-legacy/releases) information for a list of releases which generally
link to the specific release notes.
-### Really IMPORTANT information in release notes
+### Really IMPORTANT information in release notes - Ignore at your peril
* Starting with ESAPI 2.2.1.0, important details changed reading the ESAPI
Logger. If you have are getting things like ClassNotFoundException, you
probably have not read it. Please be sure to read this specific section
@@ -77,9 +97,15 @@ link to the specific release notes.
(at least the beginning portion) for some important notes that likely will affect your use of ESAPI! You have been warned!!!
* ESAPI 2.3.0.0 is the last release to support Java 7 as the minimal JDK.
Starting with release 2.4.0.0, Java 8 or later is required.
+* Starting with ESAPI 2.5.4.0, if you were using ESAPI's default logger, JUL
+ (i.e., you had the property **ESAPI.Logger** set to "org.owasp.esapi.logging.java.JavaLogFactory"),
+ then you must remove (or rename) the old ESAPI configuration file **esapi-java-logger.properties**.
+ Failure to do so will cause ESAPI to throw a `ConfigurationException`, thereby
+ preventing your application from starting. For important additional details, please see
+ the ESAPI GitHub Discussion https://github.com/ESAPI/esapi-java-legacy/discussions/841.
# Locating ESAPI Jar files
-The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.5.3.1.
+The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.5.4.0.
All the *regular* ESAPI jars, with the exception of the ESAPI configuration
jar (i.e., esapi-2.#.#.#-configuration.jar) and its associated detached
GPG signature, are available from Maven Central. The ESAPI configuration
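Review bot: version mismatch at the "latest ESAPI release" line: it is bumped to 2.5.4.0, but pom.xml in this same commit moves the project version to 2.5.5.0 and the commit adds documentation/esapi4java-core-2.5.5.0-release-notes.txt, so this line should read 2.5.5.0 (the Jakarta section earlier in the README already uses 2.5.5.0 in its pom.xml snippet). The new bullet about removing esapi-java-logger.properties when upgrading from 2.5.4.0 is useful; the "Important ESAPI Logging Changes" section of the new 2.5.5.0 release notes does not carry it, so consider repeating it there. Minor, in the surrounding unchanged context: "details changed reading the ESAPI Logger" should be "regarding", and "If you have are getting" has a stray "have".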
@@ -116,6 +142,30 @@ references in documentation). If you must, you still should be able to
use Log4J 1.x logging via ESAPI SLF4J support. See the ESAPI 2.5.0.0 release
notes for further details.
+# Quickstart - Maven Example
+### Step 1: Add the required dependencies.
+See https://mvnrepository.com/artifact/org.owasp.esapi/esapi/latest, the tab for
+whatever build tool you are using. If you need the Jakarta version, make sure to
+add
+```xml
+ jakarta
+```
+and include whatever jakara.servlet:jakarta.servlet-api version you are using with
+```xml
+ provided
+```
+### Step 2: Obtain the 2 properties files ESAPI.properties and validation.properties
+1. Download these 2 files from the ESAPI release that you are using from https://github.com/ESAPI/esapi-java-legacy/releases
+ and download the esapi--configuration.jar file (and the .asc file if you wish to confirm the GPG signature).
+2. Unjar that configuration file that you just downloaded and find the 2
+ properties files under the "configuration/esapi" subdirectory where you
+ unjarred the config jar.
+3. Read through Javadoc for [DefaultSecurityConfiguration](https://javadoc.io/static/org.owasp.esapi/esapi/2.5.4.0/org/owasp/esapi/reference/DefaultSecurityConfiguration.html)
+ to understand the ways that ESAPI locates these files and then use the mechanism that works best for you. Copy the 2 properties
+ files from the 'configuration/esapi' directory to the directory where you
+ choose to have them reside. Note that you may also edit them to customize
+ them according to your needs.
+
# Contributing to ESAPI legacy
### How can I contribute or help with fix bugs?
Fork and submit a pull request! Easy as pi! (How's that for an irrational
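Review bot: in the Quickstart, "jakara.servlet:jakarta.servlet-api" should be "jakarta.servlet:jakarta.servlet-api", and the file name "esapi--configuration.jar" in Step 2 appears to have lost its version placeholder (the "Locating ESAPI Jar files" section writes it as esapi-2.#.#.#-configuration.jar). The DefaultSecurityConfiguration Javadoc link is pinned to 2.5.4.0 even though this commit releases 2.5.5.0; bump it, or use a link that is not tied to one version so it does not go stale every release.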
@@ -190,19 +240,6 @@ discussion or even show us how it works with a PR. (Note that we vet all pull
requests, including coding style of any contributions, so please use the same
coding style found in the files you are already editing.)
-# Ancient History
-### What happened to Google code?
-In mid-2014 ESAPI migrated all code and issues from Google Code to GitHub. This migration was completed in November 2014.
-
-### What about the issues still located on Google Code?
-All issues from Google Code have been migrated to GitHub issues. We now
-use GitHut Issues for reporting everything *except* security vulnerabilities.
-Other bug tracking sites are undoubtedly more advanced, but as developers,
-we do not want to spent time having to close issues from multiple bug-tracking
-systems. Therefore, until the synchronization happens with the Atlassian Jira
-instance that we have (but are not using; see GitHub issue #371), please
-ONLY use GitHub Issues for reporting bugs.
-
# References: Where to Find More Information on ESAPI
**OWASP Wiki:** https://owasp.org/www-project-enterprise-security-api/
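Review bot: removing the "Ancient History" section also drops the only README statement that GitHub Issues is used for everything *except* security vulnerabilities; make sure the "Reporting a Vulnerability" section of SECURITY.md (touched in this same commit) still carries that routing, or keep a one-line pointer to it in the README, so that a reader looking for where to report a vulnerability is not sent to a public issue.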
diff --git a/SECURITY.md b/SECURITY.md
index 455c21fc6..df4e09bfa 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,11 +1,19 @@
# Security Policy
+In general, because the ESAPI core development is so small (3 people, all
+working full time jobs), we can only support the latest version of ESAPI.
+If you are locked in to some previous version and are unable to upgrade
+to the latest version, perhaps one or more of us might consider back-porting
+a patch (especially if it is the only way to address an ESAPI vulnerability),
+but if it is anything but trivial, we would charge a TBD consulting fee.
+
## Supported Versions
+
| Version | Supported |
| ------- | ------------------ |
-| 2.5.1.0 (latest) | :white_check_mark: |
-| 2.1.0.1-2.5.0.0 | :x:, upgrade to latest release |
+| 2.5.4.0 (latest) | :white_check_mark: |
+| 2.1.0.1-2.5.3.1 | :x:, upgrade to latest release |
| <= 1.4.x | :x:, no longer supported AT ALL |
## Reporting a Vulnerability
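Review bot: the Supported Versions table marks 2.5.4.0 as latest and 2.1.0.1-2.5.3.1 as unsupported, but this commit bumps pom.xml to 2.5.5.0 and adds the 2.5.5.0 release notes, so the rows should read "2.5.5.0 (latest)" and "2.1.0.1-2.5.4.0"; otherwise the table contradicts the new paragraph stating that only the latest version is supported on the day this ships. Style: "a TBD consulting fee" is vague for a security policy; say how to contact the team to discuss back-porting instead.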
diff --git a/configuration/esapi/ESAPI.properties b/configuration/esapi/ESAPI.properties
index d489cdce8..b5b6aacc6 100644
--- a/configuration/esapi/ESAPI.properties
+++ b/configuration/esapi/ESAPI.properties
@@ -407,6 +407,10 @@ Logger.UserInfo=true
# Determines whether ESAPI should log the session id and client IP.
Logger.ClientInfo=true
+# Determines whether ESAPI should log the prefix of [EVENT_TYPE - APPLICATION NAME].
+# If all above Logger entries are set to false, as well as LogPrefix, then the output would be the same as if no ESAPI was used
+Logger.LogPrefix=true
+
#===========================================================================
# ESAPI Intrusion Detection
#
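Review bot: the new Logger.LogPrefix property defaults to true, which preserves existing output, but the comment should spell out the operational consequence of setting it to false: the "[EVENT_TYPE - APPLICATION NAME]" prefix is what carries the ESAPI event type into each log line, so any log-based alerting or SIEM rules that match on it will stop firing once it is disabled. Suggest adding a pointer to GitHub issue #844 (cited in the 2.5.5.0 release notes as the motivation) and naming the "above Logger entries" the second comment refers to (Logger.UserInfo, Logger.ClientInfo) so the opt-out combination is unambiguous.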
diff --git a/documentation/esapi4java-core-2.5.5.0-release-notes.txt b/documentation/esapi4java-core-2.5.5.0-release-notes.txt
new file mode 100644
index 000000000..69a4e6e77
--- /dev/null
+++ b/documentation/esapi4java-core-2.5.5.0-release-notes.txt
@@ -0,0 +1,199 @@
+Release notes for ESAPI 2.5.5.0
+ Release date: 2024-10-07
+ Project leaders:
+ -Kevin W. Wall
+ -Matt Seil
+
+Previous release: ESAPI 2.5.4.0, 2024-05-30
+
+
+Executive Summary: Important Things to Note for this Release
+------------------------------------------------------------
+This is a minor release. All changes should be backward compatible with the previous ESAPI version.
+The updates cover the following areas:
+* Updates to dependencies and Maven plugins.
+* New logging feature added which should be useful in cloud environments where you are paying for log storage.
+ See GitHub issue https://github.com/ESAPI/esapi-java-legacy/issues/844 for details.
+* Documentation clean-up.
+
+Notes if you are not updating from the immediate previous release. release 2.5.4.0:
+ * You need to read through the series of release notes FIRST, going in order.
+ * For example, if you were updating from an older ESAPI release (say, 2.3.0.0), you should go back and FIRST read all the subsequent release notes in turn. For instance, if you are currently on release 2.3.0.0 and upgrading to (say) release 2.x.y.z, you should MINIMALLY read the sections "Changes Requiring Special Attention" in each of the subsequent release notes. So, going from release 2.3.0.0 to 2.x.y.z, you should in turn, read:
+
+ esapi4java-core-2.4.0.0-release-notes.txt
+ esapi4java-core-2.5.0.0-release-notes.txt
+ esapi4java-core-2.5.1.0-release-notes.txt
+ esapi4java-core-2.5.2.0-release-notes.txt
+ ...etc., up through the current set of release notes...
+ esapi4java-core-2.x.y.z-release-notes.txt
+
+in that order. YOU HAVE BEEN WARNED!!! (These release notes are too large to put all this in a given document; very few read them thoroughly as it is.)
+
+If your SCA tool is reporting any CVE from a direct or transitive dependency in ESAPI, before reporting it as an GitHub issue, please make sure that you review the vulnerability analysis written up in https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md. Please email us or contact us in our GitHub Discussions page if you have questions about this. See also the SECURITY.md file to report any security issues with ESAPI.
+
+You are encouraged to review the vulnerability analysis written up in https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md and email us or contact us in our GitHub Discussions page if you have questions.
+
+
+=================================================================================================================
+
+Basic ESAPI facts
+-----------------
+
+ESAPI 2.5.4.0 release:
+ 207 Java source files
+ 4297 JUnit tests in 131 Java source files (0 failures, 0 errors, 0 tests skipped)
+
+ESAPI 2.5.5.0 release:
+ 207 Java source files
+ 4315 JUnit tests in 133 Java source files (0 failures, 0 errors, 0 tests skipped)
+
+8 GitHub Issues closed in this release, including those we've decided not to fix (marked 'wontfix' and 'falsepositive')
+(Reference: https://github.com/ESAPI/esapi-java-legacy/issues?q=is%3Aissue+state%3Aclosed+updated%3A%3E%3D2024-05-30)
+
+Issue # GitHub Issue Title
+----------------------------------------------------------------------------------------------
+844 Update the logging properties to opt-out of the prefix events Component-Logger enhancement
+846 ESAPI.encoder().canonicalize() converts "&or" or similar strings without having trailing semicolon as logical operator
+847 Update ESAPI pom to use latest version of AntiSamy (1.7.6)
+851 Fix typos
+
+
+-----------------------------------------------------------------------------
+
+ Changes Requiring Special Attention
+
+-----------------------------------------------------------------------------
+
+Important JDK Support Announcement
+* ESAPI 2.3.0.0 was the last Java release to support Java 7. ESAPI 2.4.0 requires using Java 8 or later. See the ESAPI 2.4.0.0 release notes (https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.4.0.0-release-notes.txt) for details as to the reason.
+ - This means if your project requires Java 7, you must use ESAPI 2.3.0.0 or earlier.
+
+Important ESAPI Logging Changes
+
+* Since ESAPI 2.5.0.0, support for logging directly via Log4J 1 has been removed. (This was two years after it haveing first been deprecated.) Thus, you only choice of ESAPI logging are
+ - java.util.logging (JUL), which as been the default since ESAPI 2.2.1.0.
+ * Set ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory in your ESAPI.properties file.
+ - SLF4J (which your choice of supported SLF4J logging implemmentation)
+ * Set ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory in your ESAPI.properties file.
+* Logger configuration notes - If you are migrating from prior to ESAPI 2.2.1.1, you will need to update your ESAPI.properties file as logging-related configuration as per the ESAPI 2.2.1.1 release notes, which may be found at:
+ https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.1.1-release-notes.txt#L39-L78
+
+If you use ESAPI 2.5.0.0 or later, you will get an ClassNotFoundException as the root cause if you still have your ESAPI.Logger property set to use Log4J because the org.owasp.esapi.logger.log4j.Log4JFactory class has been completely removed from the ESAPI jar. If you are dead set on continuing to use Log4J 1, you ought to be able to do so via SLF4J. The set up for Log4J 1 (which has not be tested), should be similar to configure ESAPI to use SLF4J with Log4J 2 as described here:
+ https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-with-SLF4J#slf4j-using-log4j-2x
+
+-----------------------------------------------------------------------------
+
+ Remaining Known Issues / Problems
+
+-----------------------------------------------------------------------------
+None known, other than the remaining open issues on GitHub.
+
+-----------------------------------------------------------------------------
+
+ Other changes in this release, some of which not tracked via GitHub issues
+
+-----------------------------------------------------------------------------
+
+* Minor updates to README.md file with respect to version information.
+
+-----------------------------------------------------------------------------
+
+Developer Activity Report (Changes between release 2.5.4.0 and 2.5.5.0, i.e., between 2024-05-30 and 2024-10-07)
+Generated manually (this time) -- all errors are the fault of kwwall and his inability to do simple arithmetic.
+Note: This only lists merged PRs, not those that were closed as rejected.
+
+Developer Total Total Number # Merged
+(GitHub ID) commits of Files Changed PRs
+============================================================
+DebajitKumarPhukan 7 1 1
+DarioViva42 57 44 1
+mickeyz07 10 12 1
+kwwall 11 8 2
+============================================================
+ Total PRs: 5
+
+-----------------------------------------------------------------------------
+
+CHANGELOG: Create your own. May I suggest:
+
+ git log --stat --since=2024-05-30 --reverse --pretty=medium
+
+ which will show all the commits since just after the previous (2.5.4.0) release.
+
+ Alternately, you can download the most recent ESAPI source and run
+
+ mvn site
+
+ which will create a CHANGELOG file named 'target/site/changelog.html'
+
+
+-----------------------------------------------------------------------------
+
+Direct and Transitive Runtime and Test Dependencies:
+
+ $ mvn -B dependency:tree
+ [INFO] -----------------------< org.owasp.esapi:esapi >------------------------
+ [INFO] Building ESAPI 2.5.5.0-SNAPSHOT
+ [INFO] --------------------------------[ jar ]---------------------------------
+ [INFO]
+ [INFO] --- maven-dependency-plugin:3.7.1:tree (default-cli) @ esapi ---
+ [INFO] org.owasp.esapi:esapi:jar:2.5.5.0-SNAPSHOT
+ [INFO] +- javax.servlet:javax.servlet-api:jar:3.1.0:provided
+ [INFO] +- javax.servlet.jsp:javax.servlet.jsp-api:jar:2.3.3:provided
+ [INFO] +- xom:xom:jar:1.3.9:compile
+ [INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
+ [INFO] | +- commons-logging:commons-logging:jar:1.2:compile
+ [INFO] | \- commons-collections:commons-collections:jar:3.2.2:compile
+ [INFO] +- commons-configuration:commons-configuration:jar:1.10:compile
+ [INFO] +- commons-lang:commons-lang:jar:2.6:compile
+ [INFO] +- commons-fileupload:commons-fileupload:jar:1.5:compile
+ [INFO] +- org.apache.commons:commons-collections4:jar:4.5.0-M2:compile
+ [INFO] +- org.apache-extras.beanshell:bsh:jar:2.0b6:compile
+ [INFO] +- org.owasp.antisamy:antisamy:jar:1.7.6:compile
+ [INFO] | +- commons-io:commons-io:jar:2.16.1:compile
+ [INFO] | +- org.apache.httpcomponents.client5:httpclient5:jar:5.3.1:compile
+ [INFO] | | \- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.2.4:compile
+ [INFO] | +- org.apache.httpcomponents.core5:httpcore5:jar:5.2.5:compile
+ [INFO] | +- org.apache.xmlgraphics:batik-css:jar:1.17:compile
+ [INFO] | | +- org.apache.xmlgraphics:batik-shared-resources:jar:1.17:compile
+ [INFO] | | +- org.apache.xmlgraphics:batik-util:jar:1.17:compile
+ [INFO] | | | +- org.apache.xmlgraphics:batik-constants:jar:1.17:compile
+ [INFO] | | | \- org.apache.xmlgraphics:batik-i18n:jar:1.17:compile
+ [INFO] | | \- org.apache.xmlgraphics:xmlgraphics-commons:jar:2.9:compile
+ [INFO] | +- org.htmlunit:neko-htmlunit:jar:4.3.0:compile
+ [INFO] | +- xerces:xercesImpl:jar:2.12.2:compile
+ [INFO] | \- xml-apis:xml-apis-ext:jar:1.3.04:compile
+ [INFO] +- org.slf4j:slf4j-api:jar:2.0.13:compile
+ [INFO] +- xml-apis:xml-apis:jar:1.4.01:compile
+ [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.8.6:compile (optional)
+ [INFO] | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile (optional)
+ [INFO] +- commons-codec:commons-codec:jar:1.17.0:test
+ [INFO] +- junit:junit:jar:4.13.2:test
+ [INFO] +- org.bouncycastle:bcprov-jdk18on:jar:1.78.1:test
+ [INFO] +- org.hamcrest:hamcrest-core:jar:2.2:test
+ [INFO] | \- org.hamcrest:hamcrest:jar:2.2:test
+ [INFO] +- org.powermock:powermock-api-mockito2:jar:2.0.9:test
+ [INFO] | \- org.powermock:powermock-api-support:jar:2.0.9:test
+ [INFO] +- org.mockito:mockito-core:jar:3.12.4:test
+ [INFO] | +- net.bytebuddy:byte-buddy:jar:1.11.13:test
+ [INFO] | +- net.bytebuddy:byte-buddy-agent:jar:1.11.13:test
+ [INFO] | \- org.objenesis:objenesis:jar:3.2:test
+ [INFO] +- org.powermock:powermock-core:jar:2.0.9:test
+ [INFO] | \- org.javassist:javassist:jar:3.27.0-GA:test
+ [INFO] +- org.powermock:powermock-module-junit4:jar:2.0.9:test
+ [INFO] | \- org.powermock:powermock-module-junit4-common:jar:2.0.9:test
+ [INFO] +- org.powermock:powermock-reflect:jar:2.0.9:test
+ [INFO] \- org.openjdk.jmh:jmh-core:jar:1.37:test
+ [INFO] +- net.sf.jopt-simple:jopt-simple:jar:5.0.4:test
+ [INFO] \- org.apache.commons:commons-math3:jar:3.6.1:test
+ [INFO] ------------------------------------------------------------------------
+
+-----------------------------------------------------------------------------
+
+Acknowledgments:
+ A special shout-out to our new ESAPI contributors, mickeyz07, DarioViva42, and DebajitKumarPhukan.
+ Another hat tip to Dave Wichers and the AntiSamy crew for promptly releasing AntiSamy 1.7.0. And thanks to Matt Seil, Jeremiah Stacey, and all the ESAPI users who make this worthwhile. This is for you.
+
+A special thanks to the ESAPI community from the ESAPI project co-leaders:
+ Kevin W. Wall (kwwall) <== The irresponsible party for these release notes!
+ Matt Seil (xeno6696)
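Review bot: several internal inconsistencies in the new 2.5.5.0 release notes: the issue section says "8 GitHub Issues closed" but the table lists only four (844, 846, 847, 851); the Acknowledgments thank the AntiSamy crew for "AntiSamy 1.7.0" while issue 847 and the dependency tree show the update is to 1.7.6; and the dependency:tree output was evidently captured before the pom.xml changes in this commit, since it shows slf4j-api 2.0.13 and commons-codec 1.17.0 where pom.xml now has 2.0.16 and 1.17.1, and still reports 2.5.5.0-SNAPSHOT. Re-run "mvn -B dependency:tree" after the version bumps and paste the fresh output. Typos in the logging section: "haveing", "you only choice", "as been the default", "implemmentation", "(which your choice of" should be "(with your choice of", "an ClassNotFoundException", "has not be tested"; and "immediate previous release. release 2.5.4.0:" has a stray period.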
diff --git a/pom.xml b/pom.xml
index 49131449d..d8b63a31e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -3,7 +3,7 @@
4.0.0org.owasp.esapiesapi
- 2.5.4.0
+ 2.5.5.0jar
@@ -132,16 +132,16 @@
UTF-81.372.0.0-M3
- 2.0.0-M9
+ 2.0.0-M112.0.9
- 4.8.5
- 4.8.5.0
- 3.2.5
+ 4.8.6
+ 4.8.6.4
+ 3.5.11.8
- 2023-12-01 00:00:00
+ 2024-05-30 00:00:00
@@ -233,7 +233,7 @@
org.apache.commonscommons-collections4
- 4.5.0-M1
+ 4.5.0-M2org.apache-extras.beanshell
@@ -243,7 +243,7 @@
org.owasp.antisamyantisamy
- 1.7.5
+ 1.7.6
@@ -260,7 +260,7 @@
org.slf4jslf4j-api
- 2.0.13
+ 2.0.16xml-apis
@@ -274,21 +274,6 @@
1.4.01
-
-
-
- commons-io
- commons-io
- 2.15.1
-
-
com.github.spotbugs
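Review bot: this hunk removes the explicit commons-io 2.15.1 dependency, so the commons-io version on the runtime classpath is now whatever AntiSamy pulls in transitively (2.16.1 according to the dependency tree in the new release notes). If the explicit entry was there to force a newer commons-io than a transitive one, its removal should be mentioned under "Other changes in this release" in the release notes so consumers who rely on the pinned version know the effective version is now controlled by AntiSamy.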
@@ -301,7 +286,7 @@
commons-codeccommons-codec
- 1.17.0
+ 1.17.1test
@@ -318,8 +303,8 @@
org.bouncycastle
- bcprov-jdk15on
- 1.70
+ bcprov-jdk18on
+ 1.78.1test
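Review bot: the Bouncy Castle change from bcprov-jdk15on 1.70 to bcprov-jdk18on 1.78.1 is an artifact rename, not only a version bump; it is test scope, so there is no consumer impact, but it is worth a line in the release notes since the old artifact line is what SCA tools have been flagging, and the "Updates to dependencies" bullet there does not name it.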
@@ -423,17 +408,17 @@
org.apache.maven.pluginsmaven-dependency-plugin
- 3.6.1
+ 3.8.0org.apache.maven.pluginsmaven-release-plugin
- 3.0.1
+ 3.1.1org.codehaus.mojoversions-maven-plugin
- 2.16.2
+ 2.17.1file:${project.basedir}/versionRuleset.xml
@@ -446,7 +431,7 @@
org.cyclonedxcyclonedx-maven-plugin
- 2.8.0
+ 2.8.2package
@@ -488,7 +473,7 @@
org.apache.maven.pluginsmaven-clean-plugin
- 3.3.2
+ 3.4.0
@@ -528,7 +513,7 @@
org.apache.maven.pluginsmaven-deploy-plugin
- 3.1.2
+ 3.1.3
@@ -543,17 +528,17 @@
org.apache.maven.pluginsmaven-enforcer-plugin
- 3.4.1
+ 3.5.0org.codehaus.mojoextra-enforcer-rules
- 1.8.0
+ 1.9.0org.codehaus.mojoanimal-sniffer-enforcer-rule
- 1.23
+ 1.24
@@ -617,7 +602,7 @@
org.apache.maven.pluginsmaven-gpg-plugin
- 3.2.4
+ 3.2.7sign-artifacts
@@ -630,13 +615,13 @@
org.apache.maven.pluginsmaven-install-plugin
- 3.1.2
+ 3.1.3org.apache.maven.pluginsmaven-jar-plugin
- 3.4.1
+ 3.4.2
@@ -648,9 +633,9 @@
- org.apache.maven.plugins
- maven-javadoc-plugin
- 3.6.3
+ org.apache.maven.plugins
+ maven-javadoc-plugin
+ 3.10.18none
@@ -668,19 +653,19 @@
org.apache.maven.pluginsmaven-jxr-plugin
- 3.3.2
+ 3.5.0org.apache.maven.pluginsmaven-pmd-plugin
- 3.22.0
+ 3.25.0org.apache.maven.pluginsmaven-project-info-reports-plugin
- 3.5.0
+ 3.7.0
@@ -694,7 +679,7 @@
The skin is referenced in src/site/site.xml. -->
org.apache.maven.pluginsmaven-site-plugin
- 4.0.0-M14
+ 4.0.0-M16org.apache.maven.skins
@@ -755,7 +740,7 @@
org.owaspdependency-check-maven
- 9.2.0
+ 10.0.4${env.NVD_API_KEY}1.0
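Review bot: the dependency-check-maven bump from 9.2.0 to 10.0.4 is a major-version upgrade, and the configuration on the same line references ${env.NVD_API_KEY}; CONTRIBUTING.md, added in this commit, tells contributors to run "mvn org.owasp:dependency-check-maven:check" and to expect the first run to take about 30 minutes but never mentions that environment variable, so add a sentence there on setting NVD_API_KEY and what to expect when it is unset.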
diff --git a/scripts/README.txt b/scripts/README.txt
index 75735efd3..0e28bb29c 100644
--- a/scripts/README.txt
+++ b/scripts/README.txt
@@ -1,5 +1,8 @@
This directory is for utilities used for building / packaging / releasing ESAPI.
+The scripts and configuration files in this directory are mostly used to create ESAPI release notes.
+(The 2 'mvnQuietTest' scripts are the major exceptions to that.)
+
========================
README.txt -- This readme file.
diff --git a/scripts/esapi4java-core-TEMPLATE-release-notes.txt b/scripts/esapi4java-core-TEMPLATE-release-notes.txt
index 280b85483..3aabe5d38 100644
--- a/scripts/esapi4java-core-TEMPLATE-release-notes.txt
+++ b/scripts/esapi4java-core-TEMPLATE-release-notes.txt
@@ -48,6 +48,8 @@ ESAPI ${PREV_VERSION} release:
ESAPI ${VERSION} release:
@@@@ Count them and run 'mvn test' to get the # of tests.
+@@@@ Count Java source files by executing:
+@@@@ find src/main -type f -name '*.java' | wc -l
#### Java source files
#### JUnit tests in #### Java source files
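Review bot: the new "find src/main -type f -name '*.java' | wc -l" instruction only counts main sources, but the template line right below it also needs the number of test source files ("JUnit tests in #### Java source files"); add the matching command for src/test so both counts are reproducible, and reword "Count them and run 'mvn test'" to make clear which count comes from which command.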
diff --git a/scripts/vars.2.5.5.0 b/scripts/vars.2.5.5.0
new file mode 100644
index 000000000..1c0478de7
--- /dev/null
+++ b/scripts/vars.2.5.5.0
@@ -0,0 +1,14 @@
+# Do NOT edit this file directly. It will be created by the new createVarsFile.sh script,
+# which should be run prior to the newReleaseNotes.sh script.
+
+# ESAPI (new / current) version
+VERSION=2.5.5.0
+
+# Previous ESAPI version
+PREV_VERSION=2.5.4.0
+
+# Release date of current version in yyyy-mm-dd format
+YYYY_MM_DD_RELEASE_DATE=2024-10-07
+
+# Previous ESAPI release date in same format
+PREV_RELEASE_DATE=2024-05-30
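Review bot: the header says this file is generated by createVarsFile.sh and must not be edited, yet the file is committed. Either gitignore the generated `vars.*` files, or say in the header (and in scripts/README.txt, which this diff also touches) that one copy is committed per release as the record of the version and dates used, so a hand edit and a later regeneration cannot silently disagree.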
diff --git a/src/main/java/org/owasp/esapi/Authenticator.java b/src/main/java/org/owasp/esapi/Authenticator.java
index e113b0bdd..4e83903d5 100644
--- a/src/main/java/org/owasp/esapi/Authenticator.java
+++ b/src/main/java/org/owasp/esapi/Authenticator.java
@@ -148,7 +148,7 @@ public interface Authenticator {
*
* WARNING: The implementation of this method as defined in the
* default reference implementation class, {@code FileBasedAuthenticator},
- * uses a password hash algorthim that is known to be weak. You are advised
+ * uses a password hash algorithm that is known to be weak. You are advised
* to replace the default reference implementation class with your own custom
* implementation that uses a stronger password hashing algorithm.
* See class comments in * {@code FileBasedAuthenticator} for further details.
diff --git a/src/main/java/org/owasp/esapi/ESAPI.java b/src/main/java/org/owasp/esapi/ESAPI.java
index ef389d020..c42a21ff8 100644
--- a/src/main/java/org/owasp/esapi/ESAPI.java
+++ b/src/main/java/org/owasp/esapi/ESAPI.java
@@ -93,7 +93,7 @@ public static Authenticator authenticator() {
}
/**
- * The ESAPI Encoder is primarilly used to provide output encoding to
+ * The ESAPI Encoder is primarily used to provide output encoding to
* prevent Cross-Site Scripting (XSS).
* @return the current ESAPI Encoder object being used to encode and decode data for this application.
*/
diff --git a/src/main/java/org/owasp/esapi/Encoder.java b/src/main/java/org/owasp/esapi/Encoder.java
index 22ae8f94b..ad4950dc9 100644
--- a/src/main/java/org/owasp/esapi/Encoder.java
+++ b/src/main/java/org/owasp/esapi/Encoder.java
@@ -519,7 +519,7 @@ public interface Encoder {
*
* NB: The reference implementation encodes almost everything and may over-encode.
*
- * The difficulty with XPath encoding is that XPath has no built in mechanism for escaping
+ * The difficulty with XPath encoding is that XPath has no built-in mechanism for escaping
* characters. It is possible to use XQuery in a parameterized way to
* prevent injection.
*
diff --git a/src/main/java/org/owasp/esapi/Encryptor.java b/src/main/java/org/owasp/esapi/Encryptor.java
index 28bb896a3..c1729a839 100644
--- a/src/main/java/org/owasp/esapi/Encryptor.java
+++ b/src/main/java/org/owasp/esapi/Encryptor.java
@@ -162,8 +162,8 @@ CipherText encrypt(SecretKey key, PlainText plaintext)
*
* @param ciphertext The {@code CipherText} object to be decrypted.
* @return The {@code PlainText} object resulting from decrypting the specified
- * ciphertext. Note that it it is desired to convert the returned
- * plaintext byte array to a Java String is should be done using
+ * ciphertext. Note that if it is desired to convert the returned
+ * plaintext byte array to a Java String it should be done using
* {@code new String(byte[], "UTF-8");} rather than simply using
* {@code new String(byte[]);} which uses native encoding and may
* not be portable across hardware and/or OS platforms.
@@ -186,8 +186,8 @@ CipherText encrypt(SecretKey key, PlainText plaintext)
* @param key The {@code SecretKey} to use for encrypting the plaintext.
* @param ciphertext The {@code CipherText} object to be decrypted.
* @return The {@code PlainText} object resulting from decrypting the specified
- * ciphertext. Note that it it is desired to convert the returned
- * plaintext byte array to a Java String is should be done using
+ * ciphertext. Note that if it is desired to convert the returned
+ * plaintext byte array to a Java String it should be done using
* {@code new String(byte[], "UTF-8");} rather than simply using
* {@code new String(byte[]);} which uses native encoding and may
* not be portable across hardware and/or OS platforms.
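Review bot: this hunk and the one above it (@@ -162) still recommend `new String(byte[], "UTF-8")`, which forces callers to handle the checked UnsupportedEncodingException; since the Javadoc is being touched anyway, point readers at `new String(bytes, StandardCharsets.UTF_8)` (available since Java 7), which gives the same portability guarantee without the checked exception.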
diff --git a/src/main/java/org/owasp/esapi/HTTPUtilities.java b/src/main/java/org/owasp/esapi/HTTPUtilities.java
index 9cdfc36b0..582f1a1b7 100644
--- a/src/main/java/org/owasp/esapi/HTTPUtilities.java
+++ b/src/main/java/org/owasp/esapi/HTTPUtilities.java
@@ -377,7 +377,7 @@ public interface HTTPUtilities
* everything to keey your application and environment secure. Some of the more obvious omissions are the
* absence of examining the actual file content to determine the actual file type or running some AV scan
* on the uploaded files. You have to add that functionality to you if you want or need that. Some
- * reasource that you may find usefule are:
+ * resource that you may find useful are:
*
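Review bot: the changed line is still ungrammatical after the fix ("Some resource that you may find useful are" should be "Some resources that you may find useful are"), and the context lines carry two more typos worth fixing in the same pass: "keey your application" on the first line, and "add that functionality to you if you want" which should read "add that functionality yourself if you want or need it".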
diff --git a/src/main/java/org/owasp/esapi/Logger.java b/src/main/java/org/owasp/esapi/Logger.java
index 288509b92..b0a5b7ccc 100644
--- a/src/main/java/org/owasp/esapi/Logger.java
+++ b/src/main/java/org/owasp/esapi/Logger.java
@@ -89,9 +89,9 @@
* the basis for its logging implementation. Both provided implementations implement requirements #1 through #5 above.
*
* Customization: It is expected that most organizations may wish to implement their own custom {@code Logger} class in
- * order to integrate ESAPI logging with their specific logging infrastructure. The ESAPI feference implementations
+ * order to integrate ESAPI logging with their specific logging infrastructure. The ESAPI reference implementations
* can serve as a useful starting point to intended to provide a simple functional example of an implementation, but
- * they are also largely usuable out-of-the-box with some additional minimal log configuration.
+ * they are also largely usable out-of-the-box with some additional minimal log configuration.
*
* @author Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
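Review bot: the context line between the two corrected words still reads "can serve as a useful starting point to intended to provide a simple functional example"; drop the stray "to" so it reads "a useful starting point intended to provide ...".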
diff --git a/src/main/java/org/owasp/esapi/PropNames.java b/src/main/java/org/owasp/esapi/PropNames.java
index 2f3f8ee49..ab30e47fa 100644
--- a/src/main/java/org/owasp/esapi/PropNames.java
+++ b/src/main/java/org/owasp/esapi/PropNames.java
@@ -111,6 +111,7 @@ public final class PropNames {
public static final String LOG_ENCODING_REQUIRED = "Logger.LogEncodingRequired";
public static final String LOG_APPLICATION_NAME = "Logger.LogApplicationName";
public static final String LOG_SERVER_IP = "Logger.LogServerIP";
+ public static final String LOG_PREFIX = "Logger.LogPrefix";
public static final String VALIDATION_PROPERTIES = "Validator.ConfigurationFile";
public static final String VALIDATION_PROPERTIES_MULTIVALUED = "Validator.ConfigurationFile.MultiValued";
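Review bot: the new LOG_PREFIX constant introduces a Logger.LogPrefix property, but this diff does not show the matching key being added to the reference ESAPI.properties or read by the security configuration with a default of true. Please add both, and document next to LogServerIP and LogApplicationName what the property actually controls (per the LogPrefixAppender change, it suppresses the EventType marker and the logger name), since an operator turning it off loses the security event classification from every log line.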
diff --git a/src/main/java/org/owasp/esapi/SecurityConfiguration.java b/src/main/java/org/owasp/esapi/SecurityConfiguration.java
index 564206de0..e0b529b49 100644
--- a/src/main/java/org/owasp/esapi/SecurityConfiguration.java
+++ b/src/main/java/org/owasp/esapi/SecurityConfiguration.java
@@ -179,7 +179,7 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
* considered the default key size that ESAPI will use for symmetric
* ciphers supporting multiple key sizes. (Note that there is also an Encryptor.MinEncryptionKeyLength,
* which is the minimum key size (in bits) that ESAPI will support
- * for encryption. (There is no miminimum for decryption.)
+ * for encryption. (There is no minimum for decryption.)
*
* @return the key length (in bits)
* @deprecated Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
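Review bot: the parenthetical on the context lines is never closed: "(Note that there is also an Encryptor.MinEncryptionKeyLength, which is the minimum key size (in bits) that ESAPI will support for encryption. (There is no minimum for decryption.)" opens three parentheses and closes two; add the closing ")" after the inner sentence while this block is being edited.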
diff --git a/src/main/java/org/owasp/esapi/StringUtilities.java b/src/main/java/org/owasp/esapi/StringUtilities.java
index 55f8c55a3..ef95a91ce 100644
--- a/src/main/java/org/owasp/esapi/StringUtilities.java
+++ b/src/main/java/org/owasp/esapi/StringUtilities.java
@@ -90,7 +90,7 @@ public static boolean contains(StringBuilder input, char c) {
}
/**
- * Returns the replace value if the value of test is null, "null", or ""
+ * Returns {@code replace} if {@code test} is null, "null" (case-insensitive), or blank, otherwise {@code test}
*
* @param test The value to test
* @param replace The replacement value
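Review bot: the rewritten Javadoc now promises more than the old one did: "null" matched case-insensitively, and blank (not merely empty) input replaced. Confirm the method body really uses an equalsIgnoreCase comparison and a trimmed emptiness check, otherwise the documentation and the behaviour diverge; and end the sentence with a period.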
diff --git a/src/main/java/org/owasp/esapi/User.java b/src/main/java/org/owasp/esapi/User.java
index 6c29b4f59..fc5ca980c 100644
--- a/src/main/java/org/owasp/esapi/User.java
+++ b/src/main/java/org/owasp/esapi/User.java
@@ -380,7 +380,7 @@ public interface User extends Principal, Serializable {
/**
* Set the time of the last failed login for this user.
*
- * @param lastFailedLoginTime the date and time when the user just failed to login correctly.
+ * @param lastFailedLoginTime the date and time when the user just failed to authenticate correctly.
*/
void setLastFailedLoginTime(Date lastFailedLoginTime);
diff --git a/src/main/java/org/owasp/esapi/Validator.java b/src/main/java/org/owasp/esapi/Validator.java
index c662daaa1..be16fbf50 100644
--- a/src/main/java/org/owasp/esapi/Validator.java
+++ b/src/main/java/org/owasp/esapi/Validator.java
@@ -384,10 +384,10 @@ public interface Validator {
boolean isValidSafeHTML(String context, String input, int maxLength, boolean allowNull, ValidationErrorList errorList) throws IntrusionException;
/**
- * Canonicalize and then sanitize the input so that it is "safe" for renderinger in an HTML context (i.e., that
+ * Canonicalize and then sanitize the input so that it is "safe" for rendering in an HTML context (i.e., that
* it does not contain unwanted scripts in the body, attributes, CSS, URLs, or anywhere else). Note that the resulting
* returned value may omit input that is considered dangerous and cannot be safely sanitized and other input
- * that gets HTML encoded (e.g., a single quote (') might get chaged to """).
+ * that gets HTML encoded (e.g., a single quote (') might get changed to """).
*
* The default behavior of this check depends on the {@code antisamy-esapi.xml} AntiSamy policy configuration file
* (or an alternate filename, specified via the "Validator.HtmlValidationConfigurationFile" property in your
@@ -414,10 +414,10 @@ public interface Validator {
String getValidSafeHTML(String context, String input, int maxLength, boolean allowNull) throws ValidationException, IntrusionException;
/**
- * Canonicalize and then sanitize the input so that it is "safe" for renderinger in an HTML context (i.e., that
+ * Canonicalize and then sanitize the input so that it is "safe" for rendering in an HTML context (i.e., that
* it does not contain unwanted scripts in the body, attributes, CSS, URLs, or anywhere else). Note that the resulting
* returned value may omit input that is considered dangerous and cannot be safely sanitized and other input
- * that gets HTML encoded (e.g., a single quote (') might get chaged to """).
+ * that gets HTML encoded (e.g., a single quote (') might get changed to """).
*
* The default behavior of this check depends on the {@code antisamy-esapi.xml} AntiSamy policy configuration file
* (or an alternate filename, specified via the "Validator.HtmlValidationConfigurationFile" property in your
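Review bot: in this hunk and the one above it (@@ -384) the example on the changed line, "a single quote (') might get changed to """, does not show a recognisable encoded form; spell out the actual output the sanitizer produces for a single quote (the numeric character reference) so callers that compare sanitized output against the input know what to expect.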
diff --git a/src/main/java/org/owasp/esapi/codecs/AbstractCodec.java b/src/main/java/org/owasp/esapi/codecs/AbstractCodec.java
index 77c153fcd..5149b5d0a 100644
--- a/src/main/java/org/owasp/esapi/codecs/AbstractCodec.java
+++ b/src/main/java/org/owasp/esapi/codecs/AbstractCodec.java
@@ -25,7 +25,7 @@
*
* Be sure to see the several WARNINGs associated with the detailed
* method descriptions. You will not find that in the "Method Summary" section
- * of the javadoc because that only shows the intial sentence.
+ * of the javadoc because that only shows the initial sentence.
*
* @author Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
@@ -96,7 +96,7 @@ public String encodeCharacter( char[] immune, Character c ) {
/**
- * To prevent accidental footgun usage and calling
+ * To prevent accidental usage and calling
* {@link #encodeCharacter( char[], int)} when called with {@code char} and
* {@code char} is first silently converted to {@code int} and then the
* unexpected method is called.
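Review bot: dropping "footgun" leaves the sentence without a main clause: "To prevent accidental usage and calling {@link #encodeCharacter( char[], int)} when called with char and char is first silently converted to int and then the unexpected method is called." Reword it, for example: "Guards against calling {@link #encodeCharacter( char[], int)} with a {@code char}, which would be silently widened to {@code int} and dispatched to the wrong overload."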
diff --git a/src/main/java/org/owasp/esapi/codecs/AbstractPushbackSequence.java b/src/main/java/org/owasp/esapi/codecs/AbstractPushbackSequence.java
index f90e07dbb..31b338d90 100644
--- a/src/main/java/org/owasp/esapi/codecs/AbstractPushbackSequence.java
+++ b/src/main/java/org/owasp/esapi/codecs/AbstractPushbackSequence.java
@@ -19,7 +19,7 @@
/**
* This Abstract class provides the generic logic for using a {@link PushbackSequence}
- * in regards to iterating strings. The final Impl is intended for the user to supply
+ * in regard to iterating strings. The final Impl is intended for the user to supply
* a type T such that the pushback interface can be utilized for sequences
* of type T. Presently this generic class is limited by the fact that
* input is a String.
diff --git a/src/main/java/org/owasp/esapi/codecs/Base64.java b/src/main/java/org/owasp/esapi/codecs/Base64.java
index 1af941510..0d7097afd 100644
--- a/src/main/java/org/owasp/esapi/codecs/Base64.java
+++ b/src/main/java/org/owasp/esapi/codecs/Base64.java
@@ -72,7 +72,7 @@
* Added the ability to "suspend" encoding in the Output Stream so
* you can turn on and off the encoding if you need to embed base64
* data in an otherwise "normal" stream (like an XML file).
- *
v1.5 - Output stream pases on flush() command but doesn't do anything itself.
+ *
v1.5 - Output stream passes on flush() command but doesn't do anything itself.
* This helps when using GZIP streams.
* Added the ability to GZip-compress objects before encoding them.
*
v1.4 - Added helper methods to read/write files.
diff --git a/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java b/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java
index 84ccb2ca5..d71b6e536 100644
--- a/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java
+++ b/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java
@@ -119,7 +119,7 @@ public String encodeCharacter( char[] immune, int codePoint ) {
* Returns the decoded version of the character starting at index, or
* null if no decoding is possible.
*
- * Formats all are legal both with and without semi-colon, upper/lower case:
+ * Formats all are legal both with and without semicolon, upper/lower case:
* dddd;
* hhhh;
* &name;
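Review bot: "Formats all are legal both with and without semicolon" on the changed line should read "All formats are legal both with and without a semicolon"; and since accepting the semicolon-less forms is a deliberate canonicalization choice, a one-line reason next to the list would save the next reader from "fixing" it.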
@@ -198,7 +198,7 @@ private Integer parseNumber( PushbackSequence input ) {
sb.appendCodePoint( c );
input.next();
- // if character is a semi-colon, eat it and quit
+ // if character is a semicolon, eat it and quit
} else if (c == ';' ) {
input.next();
break;
@@ -239,7 +239,7 @@ private Integer parseHex( PushbackSequence input ) {
sb.appendCodePoint( c );
input.next();
- // if character is a semi-colon, eat it and quit
+ // if character is a semicolon, eat it and quit
} else if (c == ';' ) {
input.next();
break;
@@ -312,7 +312,7 @@ private Integer getNamedEntity( PushbackSequence input ) {
for(int i=0;i getLongestMatch(CharSequence key)
}
/**
- * Get the key value entry who's key is the longest prefix match.
+ * Get the key value entry whose key is the longest prefix match.
* @param keyIn Pushback reader to read the key from. This should
* have a buffer at least as large as {@link #getMaxKeyLength()}
* or an IOException may be thrown backing up.
@@ -549,7 +549,7 @@ public T get(Object key)
/**
* Get the number of entries.
- * @return the number or entries.
+ * @return the number of entries.
*/
public int size()
{
diff --git a/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java b/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java
index 193dfa208..c507b0362 100644
--- a/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java
+++ b/src/main/java/org/owasp/esapi/codecs/MySQLCodec.java
@@ -63,7 +63,7 @@ public class MySQLCodec extends AbstractCharacterCodec {
* please see the Manual at
* @link http://dev.mysql.com/doc/refman/5.0/en/server-sql-mode.html#sqlmode_ansi
*
- * Currently the only supported modes are:
+ * Currently, the only supported modes are:
* ANSI
* STANDARD
*/
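Review bot: the context line "@link http://dev.mysql.com/doc/refman/5.0/en/server-sql-mode.html#sqlmode_ansi" uses @link as a block tag, which the Javadoc tool does not recognise, and points at the 5.0 manual; use {@link ...} or a plain URL and update it to a current manual version while this comment is being edited.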
@@ -195,7 +195,7 @@ private String encodeCharacterMySQL( Character c ) {
* Returns the decoded version of the character starting at index, or
* null if no decoding is possible.
*
- * Formats all are legal (case sensitive)
+ * Formats all are legal (case-sensitive)
* In ANSI_MODE '' decodes to '
* In MYSQL_MODE \x decodes to x (or a small list of specials)
*/
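Review bot: "Formats all are legal (case-sensitive)" on the changed line should read "All formats are legal (case-sensitive)"; same wording issue as in HTMLEntityCodec.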
diff --git a/src/main/java/org/owasp/esapi/codecs/PushBackSequenceImpl.java b/src/main/java/org/owasp/esapi/codecs/PushBackSequenceImpl.java
index 9f0c5223c..4f0847f1e 100644
--- a/src/main/java/org/owasp/esapi/codecs/PushBackSequenceImpl.java
+++ b/src/main/java/org/owasp/esapi/codecs/PushBackSequenceImpl.java
@@ -60,9 +60,9 @@ public Integer nextOctal() {
}
/**
- * Returns true if the parameter character is a hexidecimal digit 0 through 9, a through f, or A through F.
+ * Returns true if the parameter character is a hexadecimal digit 0 through 9, a through f, or A through F.
* @param c
- * @return true if it is a hexidecimal digit, false otherwise.
+ * @return true if it is a hexadecimal digit, false otherwise.
*/
public static boolean isHexDigit( Integer c ) {
if ( c == null ) return false;
diff --git a/src/main/java/org/owasp/esapi/codecs/PushbackString.java b/src/main/java/org/owasp/esapi/codecs/PushbackString.java
index b25cc1f20..377ed829e 100644
--- a/src/main/java/org/owasp/esapi/codecs/PushbackString.java
+++ b/src/main/java/org/owasp/esapi/codecs/PushbackString.java
@@ -124,11 +124,11 @@ public Character nextOctal() {
}
/**
- * Returns true if the parameter character is a hexidecimal digit 0 through
+ * Returns true if the parameter character is a hexadecimal digit 0 through
* 9, a through f, or A through F.
*
* @param c
- * @return true if it is a hexidecimal digit, false otherwise.
+ * @return true if it is a hexadecimal digit, false otherwise.
*/
public static boolean isHexDigit(Character c) {
if (c == null){
diff --git a/src/main/java/org/owasp/esapi/codecs/ref/EncodingPatternPreservation.java b/src/main/java/org/owasp/esapi/codecs/ref/EncodingPatternPreservation.java
index 309485428..9ca5c51a8 100644
--- a/src/main/java/org/owasp/esapi/codecs/ref/EncodingPatternPreservation.java
+++ b/src/main/java/org/owasp/esapi/codecs/ref/EncodingPatternPreservation.java
@@ -89,7 +89,7 @@ public String restoreOriginalContent(String input) {
/**
* Allows the marker used as a replacement to be altered.
*
- * @param marker String replacment to use for regex matches.
+ * @param marker String replacement to use for regex matches.
*/
public void setReplacementMarker(String marker) {
if (!replacedContentList.isEmpty()) {
diff --git a/src/main/java/org/owasp/esapi/configuration/AbstractPrioritizedPropertyLoader.java b/src/main/java/org/owasp/esapi/configuration/AbstractPrioritizedPropertyLoader.java
index 8869694ce..2ca897707 100644
--- a/src/main/java/org/owasp/esapi/configuration/AbstractPrioritizedPropertyLoader.java
+++ b/src/main/java/org/owasp/esapi/configuration/AbstractPrioritizedPropertyLoader.java
@@ -7,7 +7,7 @@
import java.util.Properties;
/**
- * Abstrace class that supports two "levels" of priorities for ESAPI properties.
+ * Abstract class that supports two "levels" of priorities for ESAPI properties.
* The higher level is the property file supported by an "operations" team and
* the lower level is the property file intended to be supported by the
* "development" team. ESAPI properties defined in the lower level properties
@@ -42,7 +42,7 @@ public AbstractPrioritizedPropertyLoader(String filename, int priority) throws I
/**
* Get priority of this property loader. If two and more loaders can return value for the same property key,
- * the one with highest priority will be chosen.
+ * the one with the highest priority will be chosen.
* @return priority of this property loader
*/
public int priority() {
diff --git a/src/main/java/org/owasp/esapi/configuration/consts/EsapiConfiguration.java b/src/main/java/org/owasp/esapi/configuration/consts/EsapiConfiguration.java
index e5e330569..43df2fa1c 100644
--- a/src/main/java/org/owasp/esapi/configuration/consts/EsapiConfiguration.java
+++ b/src/main/java/org/owasp/esapi/configuration/consts/EsapiConfiguration.java
@@ -16,7 +16,7 @@ public enum EsapiConfiguration {
String configName;
/**
- * Priority of configuration (higher numer - higher priority).
+ * Priority of configuration (higher number - higher priority).
*/
int priority;
diff --git a/src/main/java/org/owasp/esapi/crypto/CipherText.java b/src/main/java/org/owasp/esapi/crypto/CipherText.java
index e0b549da3..185ac5e14 100644
--- a/src/main/java/org/owasp/esapi/crypto/CipherText.java
+++ b/src/main/java/org/owasp/esapi/crypto/CipherText.java
@@ -494,7 +494,7 @@ public boolean validateMAC(SecretKey authKey) {
/**
* Return this {@code CipherText} object as a portable (i.e., network byte
* ordered) serialized byte array. Note this is not the same as
- * returning a serialized object using Java serialization. Instead this
+ * returning a serialized object using Java serialization. Instead, this
* is a representation that all ESAPI implementations will use to pass
* ciphertext between different programming language implementations.
*
diff --git a/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java b/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java
index c5daa7d85..3e155f440 100644
--- a/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java
+++ b/src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java
@@ -26,7 +26,7 @@
* and do not have extensive support for the various implementation languages which ESAPI
* supports. (Perhaps wishful thinking that other ESAPI implementations such as
* ESAPI for .NET, ESAPI for C, ESAPI for C++, etc. will all support a single, common
- * serialization technique so they could exchange encrypted data.)
+ * serialization technique, so they could exchange encrypted data.)
*
* @author kevin.w.wall@gmail.com
* @since 2.0
@@ -207,7 +207,7 @@ private byte[] computeSerialization(int kdfInfo, long timestamp,
// All strings are written as UTF-8 encoded byte streams with the
// length prepended before it as a short. The prepended length is
- // more for the benefit of languages like C so they can pre-allocate
+ // more for the benefit of languages like C, so they can pre-allocate
// char arrays without worrying about buffer overflows.
private void writeString(ByteArrayOutputStream baos, String str) {
byte[] bytes;
@@ -405,7 +405,7 @@ private CipherText convertToCipherText(byte[] cipherTextSerializedBytes)
// Fixed in ESAPI crypto version 20130839. Previously is didn't really matter
// because there was only one version (20110203) and it defaulted to that
// version, which was the current version. But we don't want that as now there
- // are two versions and we could be decrypting data encrypted using the previous
+ // are two versions, and we could be decrypting data encrypted using the previous
// version.
ct.setKDF_PRF(kdfPrf);
ct.setKDFVersion(kdfVers);
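Review bot: the context comment's "ESAPI crypto version 20130839" looks like a typo (there is no day 39; presumably 20130830), so check it against the KDF version constant in KeyDerivationFunction, and "Previously is didn't really matter" should read "Previously it didn't really matter".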
diff --git a/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java b/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java
index 922fbf33d..2254837ce 100644
--- a/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java
+++ b/src/main/java/org/owasp/esapi/crypto/CryptoHelper.java
@@ -50,7 +50,7 @@ public class CryptoHelper {
* @param keySize The key size, in bits.
* @return A random {@code SecretKey} is returned.
* @throws EncryptionException Thrown if cannot create secret key conforming to
- * requested algorithm with requested size. Typically this is caused by
+ * requested algorithm with requested size. Typically, this is caused by
* specifying an unavailable algorithm or invalid key size.
*/
public static SecretKey generateSecretKey(String alg, int keySize)
@@ -128,7 +128,7 @@ public static SecretKey generateSecretKey(String alg, int keySize)
* be a common encoding supported by all Java implementations. Support
* for it is usually in rt.jar.) This exception is also thrown if the
* requested {@code keySize} parameter exceeds the length of the number of
- * bytes provded in the {@code keyDerivationKey} parameter.
+ * bytes provided in the {@code keyDerivationKey} parameter.
* @throws InvalidKeyException Likely indicates a coding error. Should not happen.
* @throws EncryptionException Throw for some precondition violations.
* @deprecated Use same method in {@code KeyDerivationFunction} instead. This method will be removed as of
@@ -254,7 +254,7 @@ public static boolean isMACRequired(CipherText ct) {
* should be embedded within the {@code CipherText} object by using a
* derived key based on the specified {@code SecretKey}.
*
- * @param sk The {@code SecretKey} used to derived a key to check
+ * @param sk The {@code SecretKey} used to derive a key to check
* the authenticity via the MAC.
* @param ct The {@code CipherText} that we are checking for a
* valid MAC.
diff --git a/src/main/java/org/owasp/esapi/crypto/CryptoToken.java b/src/main/java/org/owasp/esapi/crypto/CryptoToken.java
index c12ee10dc..c6171b75a 100644
--- a/src/main/java/org/owasp/esapi/crypto/CryptoToken.java
+++ b/src/main/java/org/owasp/esapi/crypto/CryptoToken.java
@@ -68,10 +68,10 @@
*
* The attribute value may contain any value. However, values containing
* either '=' or ';' will be quoted using '\'. Likewise, values containing '\'
- * will also be quoted using '\'. Hence if original name/value pair were
+ * will also be quoted using '\'. Hence, if original name/value pair were
* name=ab=xy\; * this would be represented as name=ab\=xy\\\;.
* To ensure things are "safe" (from a security perspective), attribute
- * names must conform the the Java regular expression
+ * names must conform to the Java regular expression
*
* [A-Za-z0-9_\.-]+
*
diff --git a/src/main/java/org/owasp/esapi/crypto/PlainText.java b/src/main/java/org/owasp/esapi/crypto/PlainText.java
index 60fda894c..4866b8048 100644
--- a/src/main/java/org/owasp/esapi/crypto/PlainText.java
+++ b/src/main/java/org/owasp/esapi/crypto/PlainText.java
@@ -16,7 +16,7 @@
* an {@code UnsupportedEncodingException}. However, UTF-8 encoding
* should be a standard encoding for all Java installations, so an
* {@code UnsupportedEncodingException} never actually be thrown. Therefore,
- * in order to to keep client code uncluttered, any possible
+ * in order to keep client code uncluttered, any possible
* {@code UnsupportedEncodingException}s will be first logged, and then
* re-thrown as a {@code RuntimeException} with the original
* {@code UnsupportedEncodingException} as the cause.
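Review bot: the context line "an {@code UnsupportedEncodingException} never actually be thrown" is missing its verb ("should never actually be thrown"); worth fixing while this block is edited.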
diff --git a/src/main/java/org/owasp/esapi/filters/RequestRateThrottleFilter.java b/src/main/java/org/owasp/esapi/filters/RequestRateThrottleFilter.java
index ed263e55e..47774b895 100644
--- a/src/main/java/org/owasp/esapi/filters/RequestRateThrottleFilter.java
+++ b/src/main/java/org/owasp/esapi/filters/RequestRateThrottleFilter.java
@@ -62,7 +62,7 @@ public void init(FilterConfig filterConfig)
* Checks to see if the current session has exceeded the allowed number
* of requests in the specified time period. If the threshold has been
* exceeded, then a short error message is written to the output stream and
- * no further processing is done on the request. Otherwise the request is
+ * no further processing is done on the request. Otherwise, the request is
* processed as normal.
* @param request
* @param response
diff --git a/src/main/java/org/owasp/esapi/filters/SecurityWrapperRequest.java b/src/main/java/org/owasp/esapi/filters/SecurityWrapperRequest.java
index 26fa7a7a3..71c74c652 100644
--- a/src/main/java/org/owasp/esapi/filters/SecurityWrapperRequest.java
+++ b/src/main/java/org/owasp/esapi/filters/SecurityWrapperRequest.java
@@ -628,7 +628,7 @@ public String getRequestURI() {
/**
* Returns the URL from the HttpServletRequest after canonicalizing and
* filtering out any dangerous characters.
- * @return The currect request URL
+ * @return The current request URL
*/
public StringBuffer getRequestURL() {
String url = getHttpServletRequest().getRequestURL().toString();
diff --git a/src/main/java/org/owasp/esapi/logging/appender/EventTypeLogSupplier.java b/src/main/java/org/owasp/esapi/logging/appender/EventTypeLogSupplier.java
index 681839af5..93d3bd416 100644
--- a/src/main/java/org/owasp/esapi/logging/appender/EventTypeLogSupplier.java
+++ b/src/main/java/org/owasp/esapi/logging/appender/EventTypeLogSupplier.java
@@ -30,18 +30,24 @@ public class EventTypeLogSupplier // implements Supplier
{
/** EventType reference to supply log representation of. */
private final EventType eventType;
+ /** Whether to log or not the event type */
+ private boolean logEventType = true;
/**
* Ctr
*
- * @param evtyp EventType reference to supply log representation for
+ * @param eventType EventType reference to supply log representation for
*/
- public EventTypeLogSupplier(EventType evtyp) {
- this.eventType = evtyp == null ? Logger.EVENT_UNSPECIFIED : evtyp;
+ public EventTypeLogSupplier(EventType eventType) {
+ this.eventType = eventType == null ? Logger.EVENT_UNSPECIFIED : eventType;
}
// @Override -- Uncomment when we switch to Java 8 as minimal baseline.
public String get() {
- return eventType.toString();
+ return logEventType ? eventType.toString() : "";
+ }
+
+ public void setLogEventType(boolean logEventType) {
+ this.logEventType = logEventType;
}
}
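Review bot: the new public setLogEventType has no Javadoc, unlike the setters on the sibling suppliers it mirrors (setLogUserInfo, setLogServerIp), and the field comment "Whether to log or not the event type" reads better as "Whether to include the event type in the prefix". Also, get() now returns an empty string when disabled; since the EventType is the marker downstream detection keys on to tell security events apart, the get() Javadoc should say explicitly that disabling it removes that marker from the line.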
diff --git a/src/main/java/org/owasp/esapi/logging/appender/LogPrefixAppender.java b/src/main/java/org/owasp/esapi/logging/appender/LogPrefixAppender.java
index 20f692ebf..237d43ac6 100644
--- a/src/main/java/org/owasp/esapi/logging/appender/LogPrefixAppender.java
+++ b/src/main/java/org/owasp/esapi/logging/appender/LogPrefixAppender.java
@@ -35,9 +35,11 @@ public class LogPrefixAppender implements LogAppender {
private final boolean logApplicationName;
/** Application Name to record. */
private final String appName;
+ /** Whether or not to print the prefix. */
+ private final boolean logPrefix;
/**
- * Ctr.
+ * Constructor
*
* @param logUserInfo Whether or not to record user information
* @param logClientInfo Whether or not to record client information
@@ -45,17 +47,34 @@ public class LogPrefixAppender implements LogAppender {
* @param logApplicationName Whether or not to record application name
* @param appName Application Name to record.
*/
+ @SuppressWarnings("JavadocReference")
public LogPrefixAppender(boolean logUserInfo, boolean logClientInfo, boolean logServerIp, boolean logApplicationName, String appName) {
+ this(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName, true);
+ }
+
+ /**
+ * Constructor
+ *
+ * @param logUserInfo Whether or not to record user information
+ * @param logClientInfo Whether or not to record client information
+ * @param logServerIp Whether or not to record server ip information
+ * @param logApplicationName Whether or not to record application name
+ * @param appName Application Name to record.
+ * @param logPrefix Whether or not to print the prefix
+ */
+ public LogPrefixAppender(boolean logUserInfo, boolean logClientInfo, boolean logServerIp, boolean logApplicationName, String appName, boolean logPrefix) {
this.logUserInfo = logUserInfo;
this.logClientInfo = logClientInfo;
this.logServerIp = logServerIp;
this.logApplicationName = logApplicationName;
this.appName = appName;
+ this.logPrefix = logPrefix;
}
@Override
public String appendTo(String logName, EventType eventType, String message) {
EventTypeLogSupplier eventTypeSupplier = new EventTypeLogSupplier(eventType);
+ eventTypeSupplier.setLogEventType(this.logPrefix);
UserInfoSupplier userInfoSupplier = new UserInfoSupplier();
userInfoSupplier.setLogUserInfo(logUserInfo);
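Review bot: @SuppressWarnings("JavadocReference") on the five-argument constructor is an IntelliJ inspection name rather than a javac warning key, and it is not clear what reference it is meant to quiet since the constructor's own Javadoc sits directly above it; drop it, or replace it with a comment naming the warning. Delegating with logPrefix=true keeps the previous behaviour for existing callers, which is the right default.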
@@ -66,6 +85,7 @@ public String appendTo(String logName, EventType eventType, String message) {
ServerInfoSupplier serverInfoSupplier = new ServerInfoSupplier(logName);
serverInfoSupplier.setLogServerIp(logServerIp);
serverInfoSupplier.setLogApplicationName(logApplicationName, appName);
+ serverInfoSupplier.setLogLogName(logPrefix);
String eventTypeMsg = eventTypeSupplier.get().trim();
String userInfoMsg = userInfoSupplier.get().trim();
@@ -80,17 +100,20 @@ public String appendTo(String logName, EventType eventType, String message) {
String[] optionalPrefixContent = new String[] {userInfoMsg + clientInfoMsg, serverInfoMsg};
- StringBuilder logPrefix = new StringBuilder();
- //EventType is always appended
- logPrefix.append(eventTypeMsg);
+ StringBuilder logPrefixBuilder = new StringBuilder();
+ //EventType is always appended (unless we specifically asked not to Log Prefix)
+ if (this.logPrefix) {
+ logPrefixBuilder.append(eventTypeMsg);
+ }
for (String element : optionalPrefixContent) {
if (!element.isEmpty()) {
- logPrefix.append(" ");
- logPrefix.append(element);
+ logPrefixBuilder.append(" ");
+ logPrefixBuilder.append(element);
}
}
- return String.format(RESULT_FORMAT, logPrefix.toString(), message);
+ String logPrefixContent = logPrefixBuilder.toString();
+ return logPrefixContent.trim().isEmpty() ? message : String.format(RESULT_FORMAT, logPrefixContent, message);
}
}
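Review bot: when `this.logPrefix` is false but one of the optional elements is non-empty, `logPrefixBuilder` starts with the `" "` separator appended inside the loop, so `logPrefixContent` carries a leading space into `String.format(RESULT_FORMAT, logPrefixContent, message)`; the emptiness check trims, the formatted value does not. Either pass the trimmed string (`String.format(RESULT_FORMAT, logPrefixContent.trim(), message)`) or append the separator only when the builder already has content. The `? message :` fallthrough itself is right, as it avoids wrapping an empty prefix in `RESULT_FORMAT`.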
diff --git a/src/main/java/org/owasp/esapi/logging/appender/ServerInfoSupplier.java b/src/main/java/org/owasp/esapi/logging/appender/ServerInfoSupplier.java
index 45fb4da55..8d62a58f0 100644
--- a/src/main/java/org/owasp/esapi/logging/appender/ServerInfoSupplier.java
+++ b/src/main/java/org/owasp/esapi/logging/appender/ServerInfoSupplier.java
@@ -34,7 +34,8 @@ public class ServerInfoSupplier // implements Supplier
private boolean logAppName = true;
/** The application name to log. */
private String applicationName = "";
-
+ /** Whether to log the Name */
+ private boolean logLogName = true;
/** Reference to the associated logname/module name. */
private final String logName;
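Review bot: the field comment `/** Whether to log the Name */` on the new `logLogName` declaration is too vague beside the sibling comments; say which name, e.g. `/** Whether to append the log (module) name. */`. Also keep the blank line the hunk deletes before it so the field group stays readable.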
@@ -57,10 +58,14 @@ public String get() {
appInfo.append(request.getLocalAddr()).append(":").append(request.getLocalPort());
}
}
- if (logAppName) {
- appInfo.append("/").append(applicationName);
+
+ if (this.logAppName) {
+ appInfo.append("/").append(this.applicationName);
+ }
+
+ if (this.logLogName) {
+ appInfo.append("/").append(logName);
}
- appInfo.append("/").append(logName);
return appInfo.toString();
}
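Review bot: the reordered block mixes `this.logAppName`, `this.applicationName` and `this.logLogName` with a bare `logName` in the same method; pick one convention. Behaviour-wise the change is compatible because `logLogName` defaults to `true`, but note that with server IP, application name and log name all disabled `get()` now returns an empty string, which only works because `appendTo` trims each supplier's output before deciding whether to include it.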
@@ -74,6 +79,15 @@ public void setLogServerIp(boolean log) {
this.logServerIP = log;
}
+ /**
+ * Specify whether the instance should record the prefix.
+ *
+ * @param logLogName {@code true} to record
+ */
+ public void setLogLogName(boolean logLogName) {
+ this.logLogName = logLogName;
+ }
+
/**
* Specify whether the instance should record the application name
*
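Review bot: the Javadoc on `setLogLogName` says "Specify whether the instance should record the prefix", but the method only toggles the log name appended in `get()`; change it to "Specify whether the instance should record the log (module) name" and expand `@param logLogName {@code true} to record` to say what is recorded.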
diff --git a/src/main/java/org/owasp/esapi/logging/cleaning/CompositeLogScrubber.java b/src/main/java/org/owasp/esapi/logging/cleaning/CompositeLogScrubber.java
index 1638ca51f..72da7f2ba 100644
--- a/src/main/java/org/owasp/esapi/logging/cleaning/CompositeLogScrubber.java
+++ b/src/main/java/org/owasp/esapi/logging/cleaning/CompositeLogScrubber.java
@@ -21,7 +21,7 @@
* LogScrubber implementation which performs iterative delegate to an ordered
* List of LogScrubbers.
* The results of the delegate list of LogScrubbers is additive, meaning that
- * the the original message is passed to the first delegate and its return value
+ * the original message is passed to the first delegate and its return value
* is passed to the second (etc).
*
*/
diff --git a/src/main/java/org/owasp/esapi/logging/java/JavaLogBridge.java b/src/main/java/org/owasp/esapi/logging/java/JavaLogBridge.java
index 078afdf9b..2d1243c05 100644
--- a/src/main/java/org/owasp/esapi/logging/java/JavaLogBridge.java
+++ b/src/main/java/org/owasp/esapi/logging/java/JavaLogBridge.java
@@ -19,7 +19,7 @@
import org.owasp.esapi.Logger.EventType;
/**
- * Contract for translating an ESAPI log event into an Java log event.
+ * Contract for translating an ESAPI log event into a Java log event.
*
*/
public interface JavaLogBridge {
diff --git a/src/main/java/org/owasp/esapi/logging/java/JavaLogFactory.java b/src/main/java/org/owasp/esapi/logging/java/JavaLogFactory.java
index 9ebd52d92..8cca8fb25 100644
--- a/src/main/java/org/owasp/esapi/logging/java/JavaLogFactory.java
+++ b/src/main/java/org/owasp/esapi/logging/java/JavaLogFactory.java
@@ -20,6 +20,7 @@
import static org.owasp.esapi.PropNames.LOG_ENCODING_REQUIRED;
import static org.owasp.esapi.PropNames.LOG_SERVER_IP;
import static org.owasp.esapi.PropNames.LOG_USER_INFO;
+import static org.owasp.esapi.PropNames.LOG_PREFIX;
import java.io.IOException;
import java.io.InputStream;
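Review bot: this hunk adds the `LOG_PREFIX` import but not `org.owasp.esapi.errors.ConfigurationException`, which the next hunk in this file catches; the Slf4JLogFactory diff adds that import explicitly. Confirm JavaLogFactory already imports it (or a wildcard that covers it), otherwise the file will not compile.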
@@ -79,7 +80,17 @@ public class JavaLogFactory implements LogFactory {
boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(LOG_APPLICATION_NAME);
String appName = ESAPI.securityConfiguration().getStringProp(APPLICATION_NAME);
boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(LOG_SERVER_IP);
- JAVA_LOG_APPENDER = createLogAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName);
+
+ boolean logPrefix = true;
+ try {
+ logPrefix = ESAPI.securityConfiguration().getBooleanProp(LOG_PREFIX);
+ } catch (ConfigurationException ex) {
+ System.out.println("ESAPI: Failed to read Log Prefix configuration " + LOG_PREFIX + ". Defaulting to enabled" +
+ ". Caught " + ex.getClass().getName() +
+ "; exception message was: " + ex);
+ }
+
+ JAVA_LOG_APPENDER = createLogAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName, logPrefix);
Map levelLookup = new HashMap<>();
levelLookup.put(Logger.ALL, JavaLogLevelHandlers.ALWAYS);
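Review bot: the catch-and-default swallows every `ConfigurationException`, so if `getBooleanProp` also throws for a malformed value rather than only for an absent key, a typo in the property value silently re-enables the prefix with nothing but a `System.out.println`, which is easy to miss in a container or when stdout is not collected. Narrow the fallback to the missing-property case if the configuration API allows it, or at least route the message through the same channel the factory uses for its other bootstrap warnings. The same try/catch is repeated verbatim in Slf4JLogFactory; a small shared helper would keep the default and the message in sync.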
@@ -144,6 +155,20 @@ public class JavaLogFactory implements LogFactory {
return new LogPrefixAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName);
}
+ /**
+ * Populates the default log appender for use in factory-created loggers.
+ * @param appName
+ * @param logApplicationName
+ * @param logServerIp
+ * @param logClientInfo
+ * @param logPrefix
+ *
+ * @return LogAppender instance.
+ */
+ /*package*/ static LogAppender createLogAppender(boolean logUserInfo, boolean logClientInfo, boolean logServerIp, boolean logApplicationName, String appName, boolean logPrefix) {
+ return new LogPrefixAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName, logPrefix);
+ }
+
@Override
public Logger getLogger(String moduleName) {
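Review bot: the Javadoc on the new `createLogAppender` overload lists `@param` tags with no descriptions, omits `logUserInfo`, and lists the parameters in reverse order; either describe each parameter or drop the tags. The retained five-argument `createLogAppender` above still constructs `LogPrefixAppender` directly (`return new LogPrefixAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName);`); have it delegate to the six-argument overload with `true` so there is a single construction path.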
diff --git a/src/main/java/org/owasp/esapi/logging/slf4j/Slf4JLogFactory.java b/src/main/java/org/owasp/esapi/logging/slf4j/Slf4JLogFactory.java
index af113b80c..5e1810a93 100644
--- a/src/main/java/org/owasp/esapi/logging/slf4j/Slf4JLogFactory.java
+++ b/src/main/java/org/owasp/esapi/logging/slf4j/Slf4JLogFactory.java
@@ -23,6 +23,7 @@
import org.owasp.esapi.LogFactory;
import org.owasp.esapi.Logger;
import org.owasp.esapi.codecs.HTMLEntityCodec;
+import org.owasp.esapi.errors.ConfigurationException;
import org.owasp.esapi.logging.appender.LogAppender;
import org.owasp.esapi.logging.appender.LogPrefixAppender;
import org.owasp.esapi.logging.cleaning.CodecLogScrubber;
@@ -36,6 +37,7 @@
import static org.owasp.esapi.PropNames.LOG_APPLICATION_NAME;
import static org.owasp.esapi.PropNames.APPLICATION_NAME;
import static org.owasp.esapi.PropNames.LOG_SERVER_IP;
+import static org.owasp.esapi.PropNames.LOG_PREFIX;
import org.slf4j.LoggerFactory;
/**
* LogFactory implementation which creates SLF4J supporting Loggers.
@@ -69,7 +71,17 @@ public class Slf4JLogFactory implements LogFactory {
boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(LOG_APPLICATION_NAME);
String appName = ESAPI.securityConfiguration().getStringProp(APPLICATION_NAME);
boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(LOG_SERVER_IP);
- SLF4J_LOG_APPENDER = createLogAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName);
+
+ boolean logPrefix = true;
+ try {
+ logPrefix = ESAPI.securityConfiguration().getBooleanProp(LOG_PREFIX);
+ } catch (ConfigurationException ex) {
+ System.out.println("ESAPI: Failed to read Log Prefix configuration " + LOG_PREFIX + ". Defaulting to enabled" +
+ ". Caught " + ex.getClass().getName() +
+ "; exception message was: " + ex);
+ }
+
+ SLF4J_LOG_APPENDER = createLogAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName, logPrefix);
Map levelLookup = new HashMap<>();
levelLookup.put(Logger.ALL, Slf4JLogLevelHandlers.TRACE);
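Review bot: this block is a line-for-line copy of the one added to JavaLogFactory, with the same concerns (every `ConfigurationException` defaults to enabled, message goes to stdout). Extract a shared helper for reading `LOG_PREFIX` so a future change to the default or the message lands in both factories.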
@@ -114,6 +126,19 @@ public class Slf4JLogFactory implements LogFactory {
return new LogPrefixAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName);
}
+ /**
+ * Populates the default log appender for use in factory-created loggers.
+ * @param appName
+ * @param logApplicationName
+ * @param logServerIp
+ * @param logClientInfo
+ * @param logPrefix
+ *
+ * @return LogAppender instance.
+ */
+ /*package*/ static LogAppender createLogAppender(boolean logUserInfo, boolean logClientInfo, boolean logServerIp, boolean logApplicationName, String appName, boolean logPrefix) {
+ return new LogPrefixAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName, logPrefix);
+ }
@Override
public Logger getLogger(String moduleName) {
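Review bot: same Javadoc gaps as in JavaLogFactory (empty `@param` descriptions, missing `logUserInfo`), and here there is no blank line between the new method's closing brace and `@Override`, unlike the JavaLogFactory version; add it, and delegate the five-argument overload above to this one rather than constructing `LogPrefixAppender` twice.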
diff --git a/src/main/java/org/owasp/esapi/reference/AbstractAccessReferenceMap.java b/src/main/java/org/owasp/esapi/reference/AbstractAccessReferenceMap.java
index 242ff3e47..c17109913 100644
--- a/src/main/java/org/owasp/esapi/reference/AbstractAccessReferenceMap.java
+++ b/src/main/java/org/owasp/esapi/reference/AbstractAccessReferenceMap.java
@@ -90,9 +90,9 @@ public AbstractAccessReferenceMap( int initialSize ) {
* the direct references
* @deprecated This constructor internally calls the abstract method
* {@link #getUniqueReference()}. Since this is a constructor, any
- * subclass that implements getUniqueReference() has not had it's
+ * subclass that implements getUniqueReference() has not had its
* own constructor run. This leads to strange bugs because subclass
- * internal state is initializaed after calls to getUniqueReference()
+ * internal state is initialized after calls to getUniqueReference()
* have already happened. If this constructor is desired in a
* subclass, consider running {@link #update(Set)} in the subclass
* constructor instead.
@@ -108,7 +108,7 @@ public AbstractAccessReferenceMap( Set