Issue #620 - changed DefaultSecurityConfiguration refs to PropNames.

Author: kwwall

src/main/java/org/owasp/esapi/crypto/KeyDerivationFunction.java

@@ -21,7 +21,7 @@
 import org.owasp.esapi.Logger;
 import org.owasp.esapi.errors.ConfigurationException;
 import org.owasp.esapi.errors.EncryptionException;
-import org.owasp.esapi.reference.DefaultSecurityConfiguration;
+import static org.owasp.esapi.PropNames.KDF_PRF_ALG;
 import org.owasp.esapi.util.ByteConversionUtil;
 
 /**
@@ -133,7 +133,7 @@ public KeyDerivationFunction() {
         if ( ! KeyDerivationFunction.isValidPRF(prfName) ) {
             throw new ConfigurationException("Algorithm name " + prfName +
                                 " not a valid algorithm name for property " +
-                                DefaultSecurityConfiguration.KDF_PRF_ALG);
+                                KDF_PRF_ALG);
         }
         prfAlg_ = prfName;
     }
@@ -159,8 +159,7 @@ static int getDefaultPRFSelection() {
             }
         }
         throw new ConfigurationException("Algorithm name " + prfName +
-                " not a valid algorithm name for property " +
-                DefaultSecurityConfiguration.KDF_PRF_ALG);
+                " not a valid algorithm name for property " + KDF_PRF_ALG);
     }
 
     /**

src/main/java/org/owasp/esapi/errors/EnterpriseSecurityException.java

@@ -18,12 +18,7 @@
 import org.owasp.esapi.ESAPI;
 import org.owasp.esapi.Logger;
 
-// At some point, all these property names will be moved to a new class named
-//      org.owasp.esapi.PropNames
-// but until then, while this is an ugly kludge, we are importing it via a
-// reference implementation class until we have a chance to clean it up.
-// (Note: kwwall's Bitbucket code already has that class.)
-import static org.owasp.esapi.reference.DefaultSecurityConfiguration.DISABLE_INTRUSION_DETECTION;
+import static org.owasp.esapi.PropNames.DISABLE_INTRUSION_DETECTION;
 
 
 /**

src/main/java/org/owasp/esapi/logging/java/JavaLogFactory.java

@@ -33,7 +33,14 @@
 import org.owasp.esapi.logging.cleaning.CompositeLogScrubber;
 import org.owasp.esapi.logging.cleaning.LogScrubber;
 import org.owasp.esapi.logging.cleaning.NewlineLogScrubber;
-import org.owasp.esapi.reference.DefaultSecurityConfiguration;
+
+import static org.owasp.esapi.PropNames.LOG_ENCODING_REQUIRED;
+import static org.owasp.esapi.PropNames.LOG_USER_INFO;
+import static org.owasp.esapi.PropNames.LOG_CLIENT_INFO;
+import static org.owasp.esapi.PropNames.LOG_APPLICATION_NAME;
+import static org.owasp.esapi.PropNames.APPLICATION_NAME;
+import static org.owasp.esapi.PropNames.LOG_SERVER_IP;
+
 /**
  * LogFactory implementation which creates JAVA supporting Loggers.
  * 
@@ -55,15 +62,15 @@ public class JavaLogFactory implements LogFactory {
     private static JavaLogBridge LOG_BRIDGE;
 
     static {
-        boolean encodeLog = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_ENCODING_REQUIRED);
+        boolean encodeLog = ESAPI.securityConfiguration().getBooleanProp(LOG_ENCODING_REQUIRED);
         JAVA_LOG_SCRUBBER = createLogScrubber(encodeLog);
 
 
-        boolean logUserInfo = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_USER_INFO);
-        boolean logClientInfo = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_CLIENT_INFO);
-        boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_APPLICATION_NAME);
-        String appName = ESAPI.securityConfiguration().getStringProp(DefaultSecurityConfiguration.APPLICATION_NAME);
-        boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_SERVER_IP);
+        boolean logUserInfo = ESAPI.securityConfiguration().getBooleanProp(LOG_USER_INFO);
+        boolean logClientInfo = ESAPI.securityConfiguration().getBooleanProp(LOG_CLIENT_INFO);
+        boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(LOG_APPLICATION_NAME);
+        String appName = ESAPI.securityConfiguration().getStringProp(APPLICATION_NAME);
+        boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(LOG_SERVER_IP);
         JAVA_LOG_APPENDER = createLogAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName);
 
         Map<Integer, JavaLogLevelHandler> levelLookup = new HashMap<>();

src/main/java/org/owasp/esapi/logging/log4j/Log4JLogFactory.java

@@ -29,7 +29,14 @@
 import org.owasp.esapi.logging.cleaning.CompositeLogScrubber;
 import org.owasp.esapi.logging.cleaning.LogScrubber;
 import org.owasp.esapi.logging.cleaning.NewlineLogScrubber;
-import org.owasp.esapi.reference.DefaultSecurityConfiguration;
+
+import static org.owasp.esapi.PropNames.LOG_ENCODING_REQUIRED;
+import static org.owasp.esapi.PropNames.LOG_USER_INFO;
+import static org.owasp.esapi.PropNames.LOG_CLIENT_INFO;
+import static org.owasp.esapi.PropNames.LOG_APPLICATION_NAME;
+import static org.owasp.esapi.PropNames.APPLICATION_NAME;
+import static org.owasp.esapi.PropNames.LOG_SERVER_IP;
+
 /**
  * LogFactory implementation which creates Log4J supporting Loggers.
  *
@@ -48,15 +55,15 @@ public class Log4JLogFactory implements LogFactory {
     private static Log4JLogBridge LOG_BRIDGE;
 
     static {
-        boolean encodeLog = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_ENCODING_REQUIRED);
+        boolean encodeLog = ESAPI.securityConfiguration().getBooleanProp(LOG_ENCODING_REQUIRED);
         Log4J_LOG_SCRUBBER = createLogScrubber(encodeLog);
 
 
-        boolean logUserInfo = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_USER_INFO);
-        boolean logClientInfo = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_CLIENT_INFO);
-        boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_APPLICATION_NAME);
-        String appName = ESAPI.securityConfiguration().getStringProp(DefaultSecurityConfiguration.APPLICATION_NAME);
-        boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_SERVER_IP);
+        boolean logUserInfo = ESAPI.securityConfiguration().getBooleanProp(LOG_USER_INFO);
+        boolean logClientInfo = ESAPI.securityConfiguration().getBooleanProp(LOG_CLIENT_INFO);
+        boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(LOG_APPLICATION_NAME);
+        String appName = ESAPI.securityConfiguration().getStringProp(APPLICATION_NAME);
+        boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(LOG_SERVER_IP);
         Log4J_LOG_APPENDER = createLogAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName);
 
         Map<Integer, Log4JLogLevelHandler> levelLookup = new HashMap<>();

src/main/java/org/owasp/esapi/logging/log4j/Log4JLoggerFactory.java

@@ -20,7 +20,13 @@
 import org.owasp.esapi.ESAPI;
 import org.owasp.esapi.logging.appender.LogAppender;
 import org.owasp.esapi.logging.cleaning.LogScrubber;
-import org.owasp.esapi.reference.DefaultSecurityConfiguration;
+
+import static org.owasp.esapi.PropNames.LOG_ENCODING_REQUIRED;
+import static org.owasp.esapi.PropNames.LOG_USER_INFO;
+import static org.owasp.esapi.PropNames.LOG_CLIENT_INFO;
+import static org.owasp.esapi.PropNames.LOG_APPLICATION_NAME;
+import static org.owasp.esapi.PropNames.APPLICATION_NAME;
+import static org.owasp.esapi.PropNames.LOG_SERVER_IP;
 
 /**
  * Service Provider Interface implementation that can be provided as the org.apache.log4j.spi.LoggerFactory reference in a Log4J configuration.
@@ -37,14 +43,14 @@ public class Log4JLoggerFactory implements LoggerFactory {
     private static LogScrubber LOG4J_LOG_SCRUBBER;
 
     static {
-        boolean encodeLog = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_ENCODING_REQUIRED);
+        boolean encodeLog = ESAPI.securityConfiguration().getBooleanProp(LOG_ENCODING_REQUIRED);
         LOG4J_LOG_SCRUBBER = Log4JLogFactory.createLogScrubber(encodeLog);
 
-        boolean logUserInfo = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_USER_INFO);
-        boolean logClientInfo = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_CLIENT_INFO);
-        boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_APPLICATION_NAME);
-        String appName = ESAPI.securityConfiguration().getStringProp(DefaultSecurityConfiguration.APPLICATION_NAME);
-        boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_SERVER_IP);
+        boolean logUserInfo = ESAPI.securityConfiguration().getBooleanProp(LOG_USER_INFO);
+        boolean logClientInfo = ESAPI.securityConfiguration().getBooleanProp(LOG_CLIENT_INFO);
+        boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(LOG_APPLICATION_NAME);
+        String appName = ESAPI.securityConfiguration().getStringProp(APPLICATION_NAME);
+        boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(LOG_SERVER_IP);
         LOG4J_LOG_APPENDER = Log4JLogFactory.createLogAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName);
     }
 

src/main/java/org/owasp/esapi/logging/slf4j/Slf4JLogFactory.java

@@ -29,7 +29,13 @@
 import org.owasp.esapi.logging.cleaning.CompositeLogScrubber;
 import org.owasp.esapi.logging.cleaning.LogScrubber;
 import org.owasp.esapi.logging.cleaning.NewlineLogScrubber;
-import org.owasp.esapi.reference.DefaultSecurityConfiguration;
+
+import static org.owasp.esapi.PropNames.LOG_ENCODING_REQUIRED;
+import static org.owasp.esapi.PropNames.LOG_USER_INFO;
+import static org.owasp.esapi.PropNames.LOG_CLIENT_INFO;
+import static org.owasp.esapi.PropNames.LOG_APPLICATION_NAME;
+import static org.owasp.esapi.PropNames.APPLICATION_NAME;
+import static org.owasp.esapi.PropNames.LOG_SERVER_IP;
 import org.slf4j.LoggerFactory;
 /**
  * LogFactory implementation which creates SLF4J supporting Loggers.
@@ -54,15 +60,15 @@ public class Slf4JLogFactory implements LogFactory {
     private static Slf4JLogBridge LOG_BRIDGE;
 
     static {
-        boolean encodeLog = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_ENCODING_REQUIRED);
+        boolean encodeLog = ESAPI.securityConfiguration().getBooleanProp(LOG_ENCODING_REQUIRED);
         SLF4J_LOG_SCRUBBER = createLogScrubber(encodeLog);
 
 
-        boolean logUserInfo = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_USER_INFO);
-        boolean logClientInfo = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_CLIENT_INFO);
-        boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_APPLICATION_NAME);
-        String appName = ESAPI.securityConfiguration().getStringProp(DefaultSecurityConfiguration.APPLICATION_NAME);
-        boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(DefaultSecurityConfiguration.LOG_SERVER_IP);
+        boolean logUserInfo = ESAPI.securityConfiguration().getBooleanProp(LOG_USER_INFO);
+        boolean logClientInfo = ESAPI.securityConfiguration().getBooleanProp(LOG_CLIENT_INFO);
+        boolean logApplicationName = ESAPI.securityConfiguration().getBooleanProp(LOG_APPLICATION_NAME);
+        String appName = ESAPI.securityConfiguration().getStringProp(APPLICATION_NAME);
+        boolean logServerIp = ESAPI.securityConfiguration().getBooleanProp(LOG_SERVER_IP);
         SLF4J_LOG_APPENDER = createLogAppender(logUserInfo, logClientInfo, logServerIp, logApplicationName, appName);
 
         Map<Integer, Slf4JLogLevelHandler> levelLookup = new HashMap<>();

src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java

@@ -30,7 +30,10 @@
 import org.owasp.esapi.StringUtilities;
 import org.owasp.esapi.errors.ConfigurationException;
 import org.owasp.esapi.errors.ValidationException;
-import org.owasp.esapi.reference.DefaultSecurityConfiguration.DefaultSearchPath;
+import org.owasp.esapi.PropNames.DefaultSearchPath;
+import static org.owasp.esapi.PropNames.VALIDATOR_HTML_VALIDATION_ACTION;
+import static org.owasp.esapi.PropNames.VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE;
+
 import org.owasp.validator.html.AntiSamy;
 import org.owasp.validator.html.CleanResults;
 import org.owasp.validator.html.Policy;
@@ -106,13 +109,11 @@ public class HTMLValidationRule extends StringValidationRule {
     /*package */ static String resolveAntisamyFilename() {
         String antisamyPolicyFilename = ANTISAMYPOLICY_FILENAME;
         try {
-            antisamyPolicyFilename = ESAPI.securityConfiguration().getStringProp(
-                    // Future: This will be moved to a new PropNames class
-                org.owasp.esapi.reference.DefaultSecurityConfiguration.VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE );
+            antisamyPolicyFilename = ESAPI.securityConfiguration().getStringProp( VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE );
         } catch (ConfigurationException cex) {
 
             LOGGER.info(Logger.EVENT_FAILURE, "ESAPI property " + 
-                           org.owasp.esapi.reference.DefaultSecurityConfiguration.VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE +
+                           VALIDATOR_HTML_VALIDATION_CONFIGURATION_FILE +
                            " not set, using default value: " + ANTISAMYPOLICY_FILENAME);
         }
         return antisamyPolicyFilename;
@@ -197,9 +198,7 @@ private boolean legacyHtmlValidation() {
             // Hindsight: maybe we should have getBooleanProp(), getStringProp(),
             // getIntProp() methods that take a default arg as well?
             // At least for ESAPI 3.x.
-            propValue = ESAPI.securityConfiguration().getStringProp(
-                                // Future: This will be moved to a new PropNames class
-                            org.owasp.esapi.reference.DefaultSecurityConfiguration.VALIDATOR_HTML_VALIDATION_ACTION );
+            propValue = ESAPI.securityConfiguration().getStringProp( VALIDATOR_HTML_VALIDATION_ACTION );
             switch ( propValue.toLowerCase() ) {
                 case "throw":
                     legacy = false;     // New, presumably correct behavior, as addressed by GitHub issue 509
@@ -209,7 +208,7 @@ private boolean legacyHtmlValidation() {
                     break;
                 default:
                     LOGGER.warning(Logger.EVENT_FAILURE, "ESAPI property " + 
-                                   org.owasp.esapi.reference.DefaultSecurityConfiguration.VALIDATOR_HTML_VALIDATION_ACTION +
+                                   VALIDATOR_HTML_VALIDATION_ACTION +
                                    " was set to \"" + propValue + "\".  Must be set to either \"clean\"" +
                                    " (the default for legacy support) or \"throw\"; assuming \"clean\" for legacy behavior.");
                     legacy = true;
@@ -219,7 +218,7 @@ private boolean legacyHtmlValidation() {
             // OPEN ISSUE: Should we log this? I think so. Convince me otherwise. But maybe
             //             we should only log it once or every Nth time??
             LOGGER.warning(Logger.EVENT_FAILURE, "ESAPI property " + 
-                           org.owasp.esapi.reference.DefaultSecurityConfiguration.VALIDATOR_HTML_VALIDATION_ACTION +
+                           VALIDATOR_HTML_VALIDATION_ACTION +
                            " must be set to either \"clean\" (the default for legacy support) or \"throw\"; assuming \"clean\"",
                            cex);
         }

src/test/java/org/owasp/esapi/filters/SecurityWrapperRequestTest.java

@@ -22,8 +22,7 @@
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
-// A hack for now; eventually, I plan to move this into a new org.owasp.esapi.PropNames class. -kww
-import static org.owasp.esapi.reference.DefaultSecurityConfiguration.DISABLE_INTRUSION_DETECTION;
+import static org.owasp.esapi.PropNames.DISABLE_INTRUSION_DETECTION;
 
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;

src/test/java/org/owasp/esapi/filters/SecurityWrapperResponseTest.java

@@ -6,7 +6,7 @@
 import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
-import static org.owasp.esapi.reference.DefaultSecurityConfiguration.DISABLE_INTRUSION_DETECTION;
+import static org.owasp.esapi.PropNames.DISABLE_INTRUSION_DETECTION;
 
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletResponse;