Properties and properties files that are required, even if esapi logging is not used
davidmichaelkarr opened this issue · 3 comments
Our project uses the esapi library, but only for the encoding tools. We don't use esapi logging. I recently upgraded from v2.1.0.1 to 2.5.0.0, and I noticed that now it requires this "esapi-java-logging.properties" file, even though we don't use esapi logging. At this point, it appears that just creating an empty file works, but it's just a little weird that we have to do this. I also noticed that I had to add several new properties to ESAPI.properties, again, specific to esapi logging, which we don't use. If I don't set those properties, a fatal error occurs.
Properties should have reasonable default values, and it doesn't make sense to require a properties file to exist if it's going to be empty.
Although your project may not call the ESAPI logging API directly, it is still referenced at runtime and is required by the library components you are using. ESAPI Logging is a transitive requirement of any other feature provided by the library.
In Short: ESAPI components use the ESAPI logging configuration.
My current understanding is that this is presently expected behavior, which is why there has been a great deal of documentation generated around the logging configuration requirements and changes in the last few releases.
Ok, well, that's a very good point. I'll examine what we're using from ESAPI, I do believe it's only the encoder, and examine a transition to the OWASP encoder.