{"id":13765618,"url":"https://github.com/ESAPI/esapi-java-legacy","last_synced_at":"2025-05-10T21:31:28.638Z","repository":{"id":20576971,"uuid":"23857463","full_name":"ESAPI/esapi-java-legacy","owner":"ESAPI","description":"ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.","archived":false,"fork":false,"pushed_at":"2024-10-09T01:00:43.000Z","size":55387,"stargazers_count":613,"open_issues_count":119,"forks_count":367,"subscribers_count":57,"default_branch":"develop","last_synced_at":"2024-11-03T04:32:41.331Z","etag":null,"topics":["java","security"],"latest_commit_sha":null,"homepage":"https://owasp.org/www-project-enterprise-security-api/","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ESAPI.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING-TO-ESAPI.txt","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2014-09-10T02:12:29.000Z","updated_at":"2024-10-16T03:48:46.000Z","dependencies_parsed_at":"2023-02-14T19:16:11.769Z","dependency_job_id":"e0067454-ca21-44fa-9671-00e323fee419","html_url":"https://github.com/ESAPI/esapi-java-legacy","commit_stats":null,"previous_names":[],"tags_count":28,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ESAPI%2Fesapi-java-legacy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ESAPI%2Fesapi-java-legacy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ESAPI%2Fes
api-java-legacy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ESAPI%2Fesapi-java-legacy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ESAPI","download_url":"https://codeload.github.com/ESAPI/esapi-java-legacy/tar.gz/refs/heads/develop","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224989358,"owners_count":17403408,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["java","security"],"created_at":"2024-08-03T16:00:42.806Z","updated_at":"2025-05-10T21:31:28.624Z","avatar_url":"https://github.com/ESAPI.png","language":"Java","readme":"Enterprise Security API for Java (Legacy)\n=================\n\n[![Build Status](https://travis-ci.org/bkimminich/esapi-java-legacy.svg?branch=master)](https://travis-ci.org/bkimminich/esapi-java-legacy)\n[![Coverage Status](https://coveralls.io/repos/github/bkimminich/esapi-java-legacy/badge.svg?branch=develop)](https://coveralls.io/github/bkimminich/esapi-java-legacy?branch=develop)\n[![Coverity Status](https://scan.coverity.com/projects/8517/badge.svg)](https://scan.coverity.com/projects/bkimminich-esapi-java-legacy)\n[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/137/badge)](https://bestpractices.coreinfrastructure.org/projects/137)\n\n\u003ctable border=10\u003e\n\u003ctr\u003e\n\u003ctd\u003e\nOWASP® ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. 
The ESAPI for Java library is designed to make it easier for programmers to retrofit security into existing applications. ESAPI for Java also serves as a solid foundation for new development.\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/table\u003e\n\n# Jakarta EE Support\n**IMPORTANT:**\nESAPI has supported the Jakarta Servlet API (i.e., **jakarta.servlet.api**) since release\n2.5.3.0.  (Unfortunately, this information was previously missing in this **README** file.)\n\nTherefore, for release 2.5.3.0 and later versions of ESAPI, ESAPI ought to be able to support Spring Boot 3, Spring 6, Tomcat 10,\nand other applications or libraries requiring Jakarta EE. (If you find a case where it does\nnot, please file a GitHub issue for it.)\n\nThe ESAPI jar file supporting Jakarta will be named esapi-_version_-jakarta.jar. To use that\nspecific Jakarta version of ESAPI, in Maven, you would specify your ESAPI dependency in your\n**pom.xml** as:\n```xml\n\u003cdependency\u003e\n    \u003cgroupId\u003eorg.owasp.esapi\u003c/groupId\u003e\n    \u003cartifactId\u003eesapi\u003c/artifactId\u003e\n    \u003cversion\u003e2.6.0.0\u003c/version\u003e  \u003c!-- Preferably the latest version, but \u003e 2.5.3.0 --\u003e\n    \u003cclassifier\u003ejakarta\u003c/classifier\u003e\n\u003c/dependency\u003e\n```\n(or any other version later than 2.5.3.0). Thanks to Jonathon Putney for creating a PR to\nfix this. There is a long discussion in GitHub Discussion [#768](https://github.com/ESAPI/esapi-java-legacy/discussions/768)\nwhere this was first announced, for those of you who have insomnia or really long attention\nspans and are interested in the approaches that were tried.\n\nOf course, ESAPI also still continues to support the older Java EE Servlet API (i.e., the **javax.servlet** namespace) as well. 
In\nfact, without the\n```xml\n\u003cclassifier\u003ejakarta\u003c/classifier\u003e\n```\nthat's the version that will be used by default.\n\n\n# A word about ESAPI vulnerabilities\nA summary of all the vulnerabilities that we have written about in either the\nESAPI Security Bulletins or in the GitHub Security Advisories may be found\nin this [Vulnerability Summary](https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md).\nIt is too lengthy to place in this **README** file and, if you are using the latest available\nESAPI version, generally not relevant.\n\n# Where are the OWASP ESAPI wiki pages?\nYou can find the official OWASP ESAPI Project wiki pages at\n[https://owasp.org/www-project-enterprise-security-api/](https://owasp.org/www-project-enterprise-security-api/).\nThe ESAPI legacy GitHub repo also has several useful [wiki pages](https://github.com/ESAPI/esapi-java-legacy/wiki).\n\n# What does Legacy mean?\nThis is the legacy branch of ESAPI, which means it is an actively maintained branch of the project; however, significant *new* **feature development** for this branch will *not* be done. Features that have already been scheduled for the 2.x branch will move forward.\nDevelopment for the \"next generation\" of ESAPI (starting with ESAPI 3.0) will be done at the\nGitHub repository at [https://github.com/ESAPI/esapi-java](https://github.com/ESAPI/esapi-java).\n\n**IMPORTANT NOTES:**\n* The default branch for ESAPI legacy is the 'develop' branch (rather than the 'main' (formerly 'master') branch), where future development, bug fixes, etc. are now being done. The 'main' branch is now marked as \"protected\"; it reflects the latest stable ESAPI release (2.5.3.1 as of this date). Note that this change of making the 'develop' branch the default may affect any pull requests that you were intending to make.\n* Also, the *minimal* baseline Java version to use ESAPI is now Java 8. 
(This was changed from Java 7 during the 2.4.0.0 release.)\n* Support was dropped for Log4J 1 during the ESAPI 2.5.0.0 release. If you need it, configure it via SLF4J. See the\n  [2.5.0.0 release notes](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.0.0-release-notes.txt)\nfor details.\n\n# Where can I find ESAPI 3.x?\nAs mentioned above, you can find it at [https://github.com/ESAPI/esapi-java](https://github.com/ESAPI/esapi-java).\n\nNote however that work on ESAPI 3 has not yet begun in earnest and is only\nin its earliest planning stages. Even the code that is presently there\nwill likely change.\n\n# ESAPI Release Notes\nThe ESAPI release notes may be found in ESAPI's \"documentation\" directory. They are generally named \"esapi4java-core-*2.#.#.#*-release-notes.txt\", where \"*2.#.#.#*\" refers to the ESAPI release number (which uses semantic versioning).\n\nSee the GitHub [Releases](https://github.com/ESAPI/esapi-java-legacy/releases) information for a list of releases, which generally\nlink to the specific release notes.\n\n### Really IMPORTANT information in release notes - Ignore at your peril\n* Starting with ESAPI 2.2.1.0, important details changed regarding the ESAPI\n  Logger. If you are getting things like ClassNotFoundException, you\n  probably have not read them. Please be sure to read this specific section\n  of the\n  [2.2.1.0 release notes](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.1.0-release-notes.txt#L128-L155)\n* Starting with ESAPI 2.2.3.0, ESAPI is using a version of AntiSamy that by default includes 'slf4j-simple' and\n  does XML schema validation on the AntiSamy policy files. 
Please **READ** this\n  section from the\n  [2.2.3.0 release notes](https://github.com/ESAPI/esapi-java-legacy/blob/1312102e79d4ed98d1396f5c56e12f437534d62b/documentation/esapi4java-core-2.2.3.0-release-notes.txt#L22-L34)\n  (at least the beginning portion) for some important notes that likely will affect your use of ESAPI! You have been warned!!!\n* ESAPI 2.3.0.0 is the last release to support Java 7 as the minimal JDK.\n  Starting with release 2.4.0.0, Java 8 or later is required.\n* Starting with ESAPI 2.5.4.0, if you were using ESAPI's default logger, JUL\n  (i.e., you had the property **ESAPI.Logger** set to \"org.owasp.esapi.logging.java.JavaLogFactory\"),\n  then you must remove (or rename) the old ESAPI configuration file **esapi-java-logger.properties**.\n  Failure to do so will cause ESAPI to throw a `ConfigurationException`, thereby\n  preventing your application from starting. For important additional details, please see\n  the ESAPI GitHub Discussion https://github.com/ESAPI/esapi-java-legacy/discussions/841.\n\n# Locating ESAPI Jar files\nThe [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.6.0.0.\nAll the *regular* ESAPI jars, with the exception of the ESAPI configuration\njar (i.e., esapi-2.#.#.#-configuration.jar) and its associated detached\nGPG signature, are available from Maven Central. 
The ESAPI configuration\njars are linked under the 'Assets' section to each of the specific\nESAPI releases under the\nGitHub [Releases page](https://github.com/ESAPI/esapi-java-legacy/releases).\n\n\nHowever, **before** you start a *new* project using ESAPI, be sure to read \"[Should I use ESAPI?](https://owasp.org/www-project-enterprise-security-api/#div-shouldiuseesapi)\".\n\n# ESAPI Deprecation Policy\nUnless we unintentionally screw up, our intent is to keep classes, methods,\nand/or fields which have been annotated as \"@deprecated\" for a\nminimum of two (2) years or until the next major release number (e.g.,\n3.x as of now), whichever comes first, before we remove them. Note\nthat this policy does not apply to classes under\nthe **org.owasp.esapi.reference** package. You generally are not expected\nto be using such classes directly in your code. At the ESAPI team's discretion,\nit will also not apply for any known exploitable vulnerabilities for which\nno available workaround exists.\n\n## Exceptions to Deprecation Policy\nWe will make some exceptions to the normal 2 year period. In particular, in the\ncases where we believe that keeping a specific deprecated class or method around\ncan introduce security issues (generally because many of you have a habit of\ncompletely ignoring deprecation warnings), we sometimes will shorten that 2 year\nperiod. When we decide to do that, we will announce that as part of the\ndeprecation message.\n\n## Log4J 1.x Removal\n**IMPORTANT NOTES:** As of ESAPI 2.5.0.0, all the Log4J 1.x related code\nhas been removed from the ESAPI code base (with the exception of some\nreferences in documentation). If you must, you still should be able to\nuse Log4J 1.x logging via ESAPI SLF4J support. 
See the ESAPI 2.5.0.0 release\nnotes for further details.\n\n# Quickstart - Maven Example\n### Step 1: Add the required dependencies.\nSee https://mvnrepository.com/artifact/org.owasp.esapi/esapi/latest, the tab for\nwhatever build tool you are using. If you need the Jakarta version, make sure to\nadd\n```xml\n    \u003cclassifier\u003ejakarta\u003c/classifier\u003e\n```\nand include whatever jakarta.servlet:jakarta.servlet-api version you are using with\n```xml\n    \u003cscope\u003eprovided\u003c/scope\u003e\n```\n### Step 2: Obtain the 2 properties files ESAPI.properties and validation.properties\n1. Go to the ESAPI release that you are using at https://github.com/ESAPI/esapi-java-legacy/releases\n   and download the esapi-\u003crelease\u003e-configuration.jar file (and the .asc file if you wish to confirm the GPG signature).\n2. Unjar that configuration file that you just downloaded and find the 2\n   properties files under the \"configuration/esapi\" subdirectory where you\n   unjarred the config jar.\n3. Read through the Javadoc for [DefaultSecurityConfiguration](https://javadoc.io/static/org.owasp.esapi/esapi/2.5.4.0/org/owasp/esapi/reference/DefaultSecurityConfiguration.html)\n   to understand the ways that ESAPI locates these files and then use the mechanism that works best for you. Copy the 2 properties\n   files from the 'configuration/esapi' directory to the directory where you\n   choose to have them reside. Note that you may also edit them to customize\n   them according to your needs.\n\n# Contributing to ESAPI legacy\n### How can I contribute or help fix bugs?\nFork and submit a pull request! Easy as pi! (How's that for an irrational\nstatement, you math nerds? :) We generally only accept bug fixes, not\nnew features, because as a legacy project we don't intend on adding new\nfeatures that we will have to maintain long term (although we may make\nexceptions; see the 'New Features' section in this **README**). 
If\nyou are interested in doing bug fixes though, the best place to start is the\n[CONTRIBUTING-TO-ESAPI.txt](https://github.com/ESAPI/esapi-java-legacy/blob/develop/CONTRIBUTING-TO-ESAPI.txt)\n\nIf you are new to ESAPI, a good place to start is to look for GitHub issues labeled as 'good first issue'. (E.g., to find all open issues with that label, use [https://github.com/ESAPI/esapi-java-legacy/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22](https://github.com/ESAPI/esapi-java-legacy/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22).)\n\nAgain, please find additional important details in the file\n'[CONTRIBUTING-TO-ESAPI.txt](https://github.com/ESAPI/esapi-java-legacy/blob/develop/CONTRIBUTING-TO-ESAPI.txt)',\nwhich will also describe the tool requirements.\n\n#### Want to report an issue?\nIf you have found a bug, then create an issue on the esapi-java-legacy repo at [https://github.com/ESAPI/esapi-java-legacy/issues](https://github.com/ESAPI/esapi-java-legacy/issues).\nAs of May 11, 2022, we switched back to using (GitHub) issue templates. (We previously used issue templates when our source code repository was still on Google Code.) You can read more about our issue templates in this brief\n[announcement](https://github.com/ESAPI/esapi-java-legacy/discussions/700).\n\nNOTE: Please do **NOT** use GitHub issues to ask questions about ESAPI.\nIf you wish to ask questions, instead post to either of the 2 mailing\nlists (now on Google Groups) found in the References section at the bottom\nof this page. If we find questions posted as GitHub issues, we simply will\nclose them and direct you to do this anyhow. 
Alternatively, you may use the new\n[Q\u0026A](https://github.com/ESAPI/esapi-java-legacy/discussions/categories/q-a) section of our GitHub\n[Discussions](https://github.com/ESAPI/esapi-java-legacy/discussions) page to ask questions.\n\nWhen reporting an issue or just asking a question, please be clear and try\nto ensure that the ESAPI development team has sufficient information to be\nable to reproduce your results or to understand your question. If you have\nnot already done so, this might be a good time to read Eric S. Raymond's classic\n\"[How to Ask Questions the Smart Way](http://www.catb.org/esr/faqs/smart-questions.html)\"\nbefore posting your issue.\n\n#### Find a Vulnerability?\nIf you believe you have found a vulnerability in ESAPI legacy, for the sake of the\nESAPI community, please practice Responsible Disclosure. (Note: We will be sure\nyou get credit and will work with you to create a GitHub Security Advisory, and\nif you so choose, to pursue filing a CVE via the GitHub CNA.)\n\nYou are of course encouraged to first search our GitHub issues list (see above)\nto see if it has already been reported. If it has not, then please contact\nboth Kevin W. Wall (kevin.w.wall at gmail.com) and\nMatt Seil (matt.seil at owasp.org) directly. Please do not report\nvulnerabilities via GitHub issues or via the ESAPI mailing lists, as\nwe wish to keep our users secure while a patch is implemented and\ndeployed. If you wish to be acknowledged for finding the vulnerability,\nthen please follow this process. 
Also, when you post the email describing\nthe vulnerability, please do so from an email address that you usually\nmonitor.\n\nMore detail is available in the file\n'[SECURITY.md](https://github.com/ESAPI/esapi-java-legacy/blob/develop/SECURITY.md)'.\n\n### New Features\nIf you wish to propose a new feature, the best place to discuss it is via the\nnew 'Discussions' board, probably under\n'[Ideas](https://github.com/ESAPI/esapi-java-legacy/discussions/categories/ideas)',\nor on the ESAPI-DEV mailing list mentioned below under the References section.\nAs mentioned previously, we generally are not considering new features\nfor ESAPI 2.x. This is because:\n- ESAPI is already too monolithic and has too many dependencies for its size.\n- We are trying to wind down support of ESAPI 2.x and get ESAPI 3.0 going, so any\n  resources we throw at ESAPI 2.x will slow down that goal.\n\nThat said, if you believe you have an idea for an additional simple feature that\ndoes not pull in any additional 3rd party libraries, toss it out there for\ndiscussion or even show us how it works with a PR. 
(Note that we vet all pull\nrequests, including coding style of any contributions, so please use the same\ncoding style found in the files you are already editing.)\n\n# References: Where to Find More Information on ESAPI\n**OWASP Wiki:** https://owasp.org/www-project-enterprise-security-api/\n\n**GitHub ESAPI Wiki:** https://github.com/ESAPI/esapi-java-legacy/wiki\n\n**General Documentation:** Under the '[documentation](https://github.com/ESAPI/esapi-java-legacy/tree/develop/documentation)' folder.\n\n**OWASP Slack Channel:** [#owasp-esapi](https://owasp.slack.com/archives/CQ2ET27AN)\n\n**GitHub Discussions:** [Discussions](https://github.com/ESAPI/esapi-java-legacy/discussions) - Not a lot there yet, but we only started this on May 11, 2022.\n\n**Mailing lists:**\n* As of 2019-03-25, ESAPI's 2 mailing lists were officially moved OFF of their Mailman mailing lists to a new home on Google Groups.\n* The names of the 2 Google Groups are \"[esapi-project-users](mailto:esapi-project-users@owasp.org)\" and \"[esapi-project-dev](mailto:esapi-project-dev@owasp.org)\", which you may POST to *after* you subscribe to them via \"[Subscribe to ESAPI Users list](https://groups.google.com/a/owasp.org/forum/#!forum/esapi-project-users/join)\" and \"[Subscribe to ESAPI Developers list](https://groups.google.com/a/owasp.org/forum/#!forum/esapi-project-dev/join)\" respectively.\n* Old archives for the old Mailman mailing lists for ESAPI-Users and ESAPI-Dev are still available at https://lists.owasp.org/pipermail/esapi-users/ and https://lists.owasp.org/pipermail/esapi-dev/ respectively.\n* For a general overview of Google Groups and its web interface, see [https://groups.google.com/forum/#!overview](https://groups.google.com/forum/#!overview)\n* For assistance subscribing and unsubscribing to Google Groups, see 
[https://webapps.stackexchange.com/questions/13508/how-can-i-subscribe-to-a-google-mailing-list-with-a-non-google-e-mail-address/15593#15593](https://webapps.stackexchange.com/questions/13508/how-can-i-subscribe-to-a-google-mailing-list-with-a-non-google-e-mail-address/15593#15593).\n\n----------\nOWASP is a registered trademark of the OWASP Foundation, Inc.\n","funding_links":[],"categories":["Security","Web Framework Hardening"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FESAPI%2Fesapi-java-legacy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FESAPI%2Fesapi-java-legacy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FESAPI%2Fesapi-java-legacy/lists"}