Our project uses the esapi library, but only for the encoding tools. We don't use esapi logging. I recently upgraded from v2.1.0.1 to 2.5.0.0, and I noticed that now it requires this "esapi-java-logging.properties" file, even though we don't use esapi logging. At this point, it appears that just creating an empty file works, but it's just a little weird that we have to do this. I also noticed that I had to add several new properties to ESAPI.properties, again, specific to esapi logging, which we don't use. If I don't set those properties, a fatal error occurs.
Properties should have reasonable default values, and it doesn't make sense to require a properties file to exist if it's going to be empty.
Although your project may not call the ESAPI logging API directly, it is still referenced at runtime and is required by the library components you are using. ESAPI Logging is a transitive requirement of any other feature provided by the library.
In Short: ESAPI components use the ESAPI logging configuration.
My current understanding is that this is presently expected behavior, which is why there has been a great deal of documentation generated around the logging configuration requirements and changes in the last few releases.
To be honest, if ALL you are using from ESAPI is the Encoder, you probably
should switch to using the OWASP Java Encoder Project. It's a lot smaller
and has way fewer dependencies.
On Sun, Sep 11, 2022, 12:01 PM jeremiahjstacey ***@***.***> wrote:
Although your project may not call the ESAPI logging API directly, it is
still referenced at runtime and is required by the library components you
are using. ESAPI Logging is a transitive requirement of any other feature
provided by the library.
In Short: ESAPI components use the ESAPI logging configuration.
My current understanding is that this is presently expected behavior,
which is why there has been a great deal of documentation generated around
the logging configuration requirements and changes in the last few releases.
Ok, well, that's a very good point. I'll examine what we're using from ESAPI, I do believe it's only the encoder, and examine a transition to the OWASP encoder.
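The switch suggested in this thread, sketched as an added example (not code from the issue or from either project): each ESAPI Encoder call is replaced by the matching context-specific method of `org.owasp.encoder.Encode`. The class name, the `renderProfileLink` helper and the sample input are hypothetical, and the code assumes the `org.owasp.encoder:encoder` artifact is on the classpath.

```java
import org.owasp.encoder.Encode; // OWASP Java Encoder, artifact org.owasp.encoder:encoder

/**
 * Added illustration: output encoding per context with the OWASP Java Encoder.
 * The comments name the ESAPI Encoder call each line would replace.
 * These static methods take no properties file and no logger setup.
 */
public class EncoderMigrationExample {

    // Hypothetical helper: builds a link from two untrusted values.
    static String renderProfileLink(String userName, String displayName) {
        // URL component. Replaces ESAPI.encoder().encodeForURL(userName),
        // which declares a checked EncodingException; this call does not.
        String href = "/profile?user=" + Encode.forUriComponent(userName);

        StringBuilder html = new StringBuilder();

        // Quoted attribute value. Replaces encodeForHTMLAttribute(href).
        html.append("<a href=\"").append(Encode.forHtmlAttribute(href)).append("\"");

        // JavaScript string literal inside an event-handler attribute.
        // Replaces encodeForJavaScript(userName).
        html.append(" onclick=\"track('")
            .append(Encode.forJavaScript(userName))
            .append("')\">");

        // Element text. Replaces encodeForHTML(displayName).
        html.append(Encode.forHtml(displayName)).append("</a>");
        return html.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input containing markup and quote characters.
        String userName = "o'brien&x=1";
        String displayName = "<b>Pat \"O'Brien\"</b>";
        System.out.println(renderProfileLink(userName, displayName));
    }
}
```

The Java Encoder only encodes output; code that also relies on `ESAPI.encoder().canonicalize()` or on the ESAPI validators has no counterpart there and needs a separate plan before ESAPI is removed.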