Trying to Use ESAPI But getting Error

After having this problem and looking at the installation documentation (esapi-x.x.x-dist\documentation\esapi4java-core-x-x-install-guide.pdf) I found a very useful section which detailed that the properties file can be anywhere, provided a VM flag (-Dorg.owasp.esapi.resources="path") points to a particular directory. For example, if I stick the file in a "resources" folder at the root of my project directory, then the flag would be:

-Dorg.owasp.esapi.resources="path\to\project\root\resources"

I just struggled through this one myself.

  1. I created a folder called esapi in my C:/users/myname/ directory and loaded up the ESAPI.properties, validation.properties, and the ESAPI-AccessControlPolicy.xml which got me past all the not finding files errors. ESAPI looks in several places for the files. I'm running Windows 7 64 bit by the way.
  2. Then I had to update some of the jars. I should have done this from the beginning, but I didn't know it. I was getting this error: AccessController class (org.owasp.esapi.reference.DefaultAccessController) CTOR threw exception. for every jar that needed to be a newer version, like commons collections or log4j. At the bottom of the stack trace it would reference the offending jar.

When I added the newer jars from the esapi lib directory everything just worked!

I got this message at the end in my console:

ESAPI.accessController found: org.owasp.esapi.reference.DefaultAccessController@1cb8deef

Note: There is an ESAPI_en_US.properties file, but it's the one with only a few lines in it. Just use the file in: \esapi-2.1.0-dist\src\test\resources\esapi\ESAPI.properties. That is the full complete file.


The ESAPI.properties file should have more than 3 lines in it. See for example:

https://web.archive.org/web/20150904064147/http://code.google.com:80/p/owasp-esapi-java/source/browse/trunk/configuration/esapi/ESAPI.properties

In my experience the ESAPI.properties file either needs to be in the same folder as the esapi.jar or needs to be compiled into the jar in a resources directory.

/resources/ESAPI.properties

I believe that either one should work. If ESAPI does not find the file in one location it looks in others.

The code for that is here around line 620:

https://web.archive.org/web/20161005210258/http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
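
A preflight check for the locations mentioned in the answers above, as an added example that is not part of any answer and is not ESAPI's own lookup code. The class name `EsapiConfigPreflight` is hypothetical, and the locations it checks (the `-Dorg.owasp.esapi.resources` directory, an `esapi` folder under the user's home directory, the classpath root and `resources/`) are only the ones named on this page, not ESAPI's full search order.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper: reports which copies of the ESAPI config files this JVM can see.
public class EsapiConfigPreflight {
    static final String[] FILES = {"ESAPI.properties", "validation.properties", "ESAPI-AccessControlPolicy.xml"};

    // Directories named on this page: the -D flag target and <user.home>/esapi.
    static List<Path> candidateDirs() {
        List<Path> dirs = new ArrayList<>();
        String custom = System.getProperty("org.owasp.esapi.resources");
        if (custom != null && !custom.isEmpty()) dirs.add(Paths.get(custom));
        dirs.add(Paths.get(System.getProperty("user.home"), "esapi"));
        return dirs;
    }

    // The page says a usable ESAPI.properties has more than 3 lines; flag shorter stubs.
    static void report(String name, String where, long lines) {
        boolean stub = name.equals("ESAPI.properties") && lines <= 3;
        System.out.printf("  %s (%d lines)%s%n", where, lines, stub ? "  <-- stub file, replace it" : "");
    }

    public static void main(String[] args) throws IOException {
        ClassLoader cl = EsapiConfigPreflight.class.getClassLoader();
        for (String name : FILES) {
            System.out.println(name + ":");
            boolean found = false;
            for (Path dir : candidateDirs()) {
                Path p = dir.resolve(name);
                if (!Files.isRegularFile(p)) continue;
                // .properties files are ISO-8859-1 by convention, so decode them that way.
                report(name, p.toString(), Files.readAllLines(p, StandardCharsets.ISO_8859_1).size());
                found = true;
            }
            for (String prefix : new String[] {"", "resources/"}) {  // classpath locations from the page
                URL url = cl.getResource(prefix + name);
                if (url == null) continue;
                try (BufferedReader r = new BufferedReader(
                        new InputStreamReader(url.openStream(), StandardCharsets.ISO_8859_1))) {
                    report(name, "classpath:" + prefix + name, r.lines().count());
                }
                found = true;
            }
            if (!found) System.out.println("  not found in any checked location");
        }
    }
}
```

Run it with the same classpath and the same `-Dorg.owasp.esapi.resources` value as the application, so that it sees what the application's JVM would see.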