Logs printed using println() are always printed and there is no option to disable them.
aabhasg opened this issue · 2 comments
Describe the bug
The logs below are printed using System.out.println(), and hence there is no option to disable them from printing in logs. In our project, we have a check in place to report logs which have an empty logger level or logger message. After implementing ESAPI, we found there are a lot of places where we are using System.out.println() to print ESAPI initial logs.
ESAPI: WARNING: System property [org.owasp.esapi.opsteam] is not set
ESAPI: WARNING: System property [org.owasp.esapi.devteam] is not set
ESAPI: Attempting to load ESAPI.properties via file I/O.
ESAPI: Attempting to load ESAPI.properties as resource file via file I/O.
ESAPI: Not found in 'org.owasp.esapi.resources' directory or file not readable: /Users/gupta13/git/aldts/aldts-tasks/ESAPI.properties
ESAPI: Not found in SystemResource Directory/resourceDirectory: .esapi/ESAPI.properties
ESAPI: Not found in 'user.home' (/Users/gupta13) directory: /Users/gupta13/esapi/ESAPI.properties
ESAPI: Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
ESAPI: Attempting to load ESAPI.properties via the classpath.
ESAPI: SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
ESAPI: SecurityConfiguration for Validator.ConfigurationFile.MultiValued not found in ESAPI.properties. Using default: false
ESAPI: SecurityConfiguration for Validator.ConfigurationFile not found in ESAPI.properties. Using default: validation.properties
ESAPI: Attempting to load validation.properties via file I/O.
ESAPI: Attempting to load validation.properties as resource file via file I/O.
ESAPI: Not found in 'org.owasp.esapi.resources' directory or file not readable: /Users/gupta13/git/aldts/aldts-tasks/validation.properties
ESAPI: Not found in SystemResource Directory/resourceDirectory: .esapi/validation.properties
ESAPI: Not found in 'user.home' (/Users/gupta13) directory: /Users/gupta13/esapi/validation.properties
ESAPI: Loading validation.properties via file I/O failed.
ESAPI: Attempting to load validation.properties via the classpath.
ESAPI: SUCCESSFULLY LOADED validation.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
ESAPI: SecurityConfiguration for ESAPI.printProperties not found in ESAPI.properties. Using default: false
ESAPI: SecurityConfiguration for Encryptor.CipherTransformation not found in ESAPI.properties. Using default: AES/CBC/PKCS5Padding
ESAPI: SecurityConfiguration for ESAPI.Authenticator not found in ESAPI.properties. Using default: org.owasp.esapi.reference.FileBasedAuthenticator
ESAPI: SecurityConfiguration for ESAPI.HTTPUtilities not found in ESAPI.properties. Using default: org.owasp.esapi.reference.DefaultHTTPUtilities
ESAPI: SecurityConfiguration for HttpUtilities.MaxUploadFileBytes not found in ESAPI.properties. Using default: 5000000
ESAPI: SecurityConfiguration for ESAPI.Authenticator not found in ESAPI.properties. Using default: org.owasp.esapi.reference.FileBasedAuthenticator
ESAPI: SecurityConfiguration for ESAPI.HTTPUtilities not found in ESAPI.properties. Using default: org.owasp.esapi.reference.DefaultHTTPUtilities
ESAPI: SecurityConfiguration for ESAPI.Authenticator not found in ESAPI.properties. Using default: org.owasp.esapi.reference.FileBasedAuthenticator
ESAPI: SecurityConfiguration for ESAPI.HTTPUtilities not found in ESAPI.properties. Using default: org.owasp.esapi.reference.DefaultHTTPUtilities
ESAPI: SecurityConfiguration for ESAPI.Authenticator not found in ESAPI.properties. Using default: org.owasp.esapi.reference.FileBasedAuthenticator
ESAPI: SecurityConfiguration for ESAPI.HTTPUtilities not found in ESAPI.properties. Using default: org.owasp.esapi.reference.DefaultHTTPUtilities
ESAPI: SecurityConfiguration for ESAPI.Authenticator not found in ESAPI.properties. Using default: org.owasp.esapi.reference.FileBasedAuthenticator
ESAPI: SecurityConfiguration for ESAPI.HTTPUtilities not found in ESAPI.properties. Using default: org.owasp.esapi.reference.DefaultHTTPUtilities
ESAPI: SecurityConfiguration for ESAPI.Authenticator not found in ESAPI.properties. Using default: org.owasp.esapi.reference.FileBasedAuthenticator
ESAPI: SecurityConfiguration for ESAPI.HTTPUtilities not found in ESAPI.properties. Using default: org.owasp.esapi.reference.DefaultHTTPUtilities
ESAPI: SecurityConfiguration for ESAPI.Authenticator not found in ESAPI.properties. Using default: org.owasp.esapi.reference.FileBasedAuthenticator
ESAPI: SecurityConfiguration for ESAPI.HTTPUtilities not found in ESAPI.properties. Using default: org.owasp.esapi.reference.DefaultHTTPUtilities
ESAPI: SecurityConfiguration for ESAPI.Authenticator not found in ESAPI.properties. Using default: org.owasp.esapi.reference.FileBasedAuthenticator
ESAPI: SecurityConfiguration for ESAPI.HTTPUtilities not found in ESAPI.properties. Using default: org.owasp.esapi.reference.DefaultHTTPUtilities
Specify what ESAPI version(s) you are experiencing this bug in
Latest version
To Reproduce
NA
Expected behavior
There should be some configuration by which we can either disable the above logs or replace println() statements with a logger.
Screenshots
NA
Platform environment (please complete the following information):
NA
Additional context
NA
You can set the optional system property -Dorg.owasp.esapi.logSpecial.discard=true as part of your JVM startup. Setting this value disables the output in question.
Source Code References
https://github.com/ESAPI/esapi-java-legacy/blob/develop/src/main/java/org/owasp/esapi/PropNames.java line 128
https://github.com/ESAPI/esapi-java-legacy/blob/develop/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java lines 269 - 281 and 884 - 903
Closed, as this is a duplicate of issue #500. This can already be disabled by setting the system property org.owasp.esapi.logSpecial.discard to 'true' before your application starts up; e.g.,
$ java -Dorg.owasp.esapi.logSpecial.discard=true ...
Unfortunately, it is important to leave this so that it defaults to 'false', otherwise the ESAPI team would spend way too much time answering questions about why ESAPI can't find its ESAPI.properties file. It is annoying once you get it working, but it is very helpful if you can't figure out why it is failing.
Admittedly, it's a bit obtuse as to where it's documented in the Javadoc. Apologies for that; we could do better. I've been meaning to add a FAQ to our GitHub wiki pages and add it there, and I have even considered adding something like:
To suppress these ESAPI start-up configuration messages, consider running as:
java -Dorg.owasp.esapi.logSpecial.discard=true ...
but of course, to some, that would just add more needless noise and probably lots of people wouldn't notice it anyway.
Even though we're closing this, if someone thinks that ESAPI should emit a message similar to the hypothetical one mentioned above, feel free to create a new enhancement GitHub ticket.
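The following is an added example, not part of the thread and not ESAPI code. Before suppressing the start-up messages with the discard property, the output can be captured once and summarised to confirm which properties file was actually loaded and which settings silently fell back to defaults. The function name and regular expressions are this example's own; the sample lines are copied from the output quoted in the issue, plus one constructed non-ESAPI line.

```python
import re

# Abridged from the start-up output quoted in the issue; the last line is constructed.
SAMPLE = """\
ESAPI: Attempting to load ESAPI.properties via file I/O.
ESAPI: Not found in 'user.home' (/Users/gupta13) directory: /Users/gupta13/esapi/ESAPI.properties
ESAPI: Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
ESAPI: SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
ESAPI: SecurityConfiguration for Encryptor.CipherTransformation not found in ESAPI.properties. Using default: AES/CBC/PKCS5Padding
ESAPI: SecurityConfiguration for ESAPI.Authenticator not found in ESAPI.properties. Using default: org.owasp.esapi.reference.FileBasedAuthenticator
ESAPI: SecurityConfiguration for ESAPI.Authenticator not found in ESAPI.properties. Using default: org.owasp.esapi.reference.FileBasedAuthenticator
application line that is not from ESAPI
"""

LOADED = re.compile(r"^ESAPI: SUCCESSFULLY LOADED (\S+) via the CLASSPATH from '([^']*)'")
MISSED = re.compile(r"^ESAPI: Not found in .*: (\S+)$")
DEFAULT = re.compile(
    r"^ESAPI: SecurityConfiguration for (\S+) not found in (\S+)\. Using default: (.*)$"
)


def summarize(text):
    """Summarise ESAPI start-up lines: files loaded, paths that missed, defaulted settings."""
    report = {"loaded": {}, "missed": [], "defaults": {}}
    for line in text.splitlines():
        if (m := LOADED.match(line)):
            report["loaded"][m.group(1)] = "classpath:" + m.group(2)
        elif (m := MISSED.match(line)):
            if m.group(1) not in report["missed"]:
                report["missed"].append(m.group(1))
        elif (m := DEFAULT.match(line)):
            # The same message is printed many times; keep one entry per setting.
            report["defaults"][m.group(1)] = m.group(3)
    return report


if __name__ == "__main__":
    result = summarize(SAMPLE)
    for name, source in result["loaded"].items():
        print(f"loaded   {name} from {source}")
    for path in result["missed"]:
        print(f"missed   {path}")
    for key, value in result["defaults"].items():
        print(f"default  {key} = {value}")
```
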