
ESAPI Class Not Found Error on Glassfish


I've just started trying to use the OWASP ESAPI class in a RESTful application I am building.

I installed the esapi stuff following their instructions on the website using svn, which didn't work.

I then included the jar file I needed manually by configuring the build path and adding it as an external JAR file. It then appeared in the Java Resources\Libraries folder and everything compiled and published fine. I am using GlassFish with Eclipse.

I don't understand how, if I am able to compile the code, GlassFish doesn't have the class. Do I need to install the jar on the server?

The relevant code is:

import org.owasp.esapi.ESAPI;

String clean = rs.getString(column_name); //saving column data to temp variable
clean = ESAPI.encoder().canonicalize(clean); //decoding data 
clean = ESAPI.encoder().encodeForHTML(clean); //encoding data

Here is the error it is throwing:

2015-06-29T20:50:16.244+0100|Warning: StandardWrapperValve[Jersey Web     Application]: Servlet.service() for servlet Jersey Web Application threw exception
java.lang.NoClassDefFoundError: org/owasp/esapi/ESAPI
    at com.pododdle.util.ToJSON.toJSONArray(ToJSON.java:60)
    at com.pododdle.dao.MySQL.runDBQuery(MySQL.java:55)
    at com.pododdle.service.CategoryService.getAllCategories(CategoryService.java:10)
    at com.pododdle.resources.CategoryResource.getCategories(CategoryResource.java:22)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)

Solution

  • I have solved this by adding the esapi.properties file to the WEB-INF/classes folder. (I had to create this classes folder)

    The esapi.properties file can be found in the "configuration" folder of the esapi 1.4.4 installation directory.

    You need to restart your webserver, I think, and then it runs smoothly.

    Extremely annoying bug, and I have no idea why this works, but hey!
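
A packaging check for the two things discussed above, as an added example that is not part of the original question or answer: it inspects a WAR for `org/owasp/esapi/ESAPI.class` under `WEB-INF/lib` or `WEB-INF/classes` (the locations a servlet container loads a web application's own classes from) and for the properties file directly under `WEB-INF/classes`. The jar name `esapi.jar` and the sample WAR are constructed, and matching the properties file name case-insensitively is an assumption.

```python
import io
import zipfile

ESAPI_CLASS = "org/owasp/esapi/ESAPI.class"


def check_war(war_bytes):
    """Report where (if anywhere) the ESAPI class and properties file are packaged."""
    result = {"class_in": [], "properties_in": []}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            lower = name.lower()
            # Class unpacked directly into the webapp's classes directory
            if name == "WEB-INF/classes/" + ESAPI_CLASS:
                result["class_in"].append(name)
            # Properties file at the root of the webapp classpath (assumption: any case)
            if lower == "web-inf/classes/esapi.properties":
                result["properties_in"].append(name)
            # Jars bundled with the application: open each and look for the class
            if name.startswith("WEB-INF/lib/") and lower.endswith(".jar"):
                with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                    if ESAPI_CLASS in jar.namelist():
                        result["class_in"].append(name)
    return result


def build_sample_war(with_jar, with_properties):
    """Constructed sample WAR, built in memory so the check runs offline."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr(ESAPI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    war_buf = io.BytesIO()
    with zipfile.ZipFile(war_buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        if with_jar:
            war.writestr("WEB-INF/lib/esapi.jar", jar_buf.getvalue())  # constructed jar name
        if with_properties:
            war.writestr("WEB-INF/classes/ESAPI.properties", "# constructed\n")
    return war_buf.getvalue()


if __name__ == "__main__":
    for jar, props in [(False, False), (True, True)]:
        print(jar, props, check_war(build_sample_war(jar, props)))
```

An empty `class_in` list means the class is only on the compile-time build path and is not shipped with the application.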