This version of Swingset has been tested with ESAPI release candidate 4, which can be downloaded from:
http://code.google.com/p/owasp-esapi-java/downloads/detail?name=ESAPI-2.0-rc4.zip&can=2&q=
From the extracted zip file that you downloaded copy
There are a number of ESAPI properties files that are generally located in a '.esapi' folder. The location of this folder is configured by setting 'org.owasp.esapi.resources' as a Java VM argument. In the extracted zip file that you downloaded, a sample .esapi folder is contained in ESAPI-2.0-rc5\configuration\.esapi
To do this in Tomcat -
You MUST replace the ESAPI Encryptor.MasterKey and Encryptor.MasterSalt in ESAPI.properties (located in the .esapi directory configured in the previous step) with ones you personally generate. By default, the ESAPI.properties file has neither of these set, and therefore many encryption-related things will fail until you properly set them. Change them now by using:
cd "directory containing ESAPI jar"
java -Dorg.owasp.esapi.resources="configuration\.esapi" -classpath ESAPI-2.0-rc4.jar;lib\required\log4j\log4j\1.2.12\log4j-1.2.12.jar org.owasp.esapi.reference.JavaEncryptor
The final lines of output from this will look something like:
Copy and paste this into ESAPI.properties
Encryptor.MasterKey="something here"
Encryptor.MasterSalt="something here"
Simply take the two generated entries and paste them into your ESAPI.properties, replacing the empty ones already there. These are the unique key and salt for your ESAPI installation.
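A preflight check for this step, as an added example that is not part of Swingset or ESAPI: it reads ESAPI.properties from the directory named by org.owasp.esapi.resources and reports whether both entries are set, without printing their values. The class name EsapiKeyCheck is hypothetical, and the constructed sample (used only when the property is not set) reproduces the unset default described above.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

// Added example; EsapiKeyCheck is a hypothetical name, not part of ESAPI.
public class EsapiKeyCheck {
    static final String[] REQUIRED = { "Encryptor.MasterKey", "Encryptor.MasterSalt" };
    // Constructed sample: the unset state the page describes as the default.
    static final String SAMPLE = "Encryptor.MasterKey=\nEncryptor.MasterSalt=\n";

    // Returns the problems found; an empty list means both entries are set.
    static List<String> check(Properties props) {
        List<String> problems = new ArrayList<>();
        for (String name : REQUIRED) {
            String value = props.getProperty(name);
            if (value == null) {
                problems.add(name + " is missing");
            } else if (value.trim().isEmpty()) {
                problems.add(name + " is empty");
            } else if (value.contains("something here")) {
                problems.add(name + " still holds placeholder text");
            }
        }
        String key = props.getProperty(REQUIRED[0], "").trim();
        if (!key.isEmpty() && key.equals(props.getProperty(REQUIRED[1], "").trim())) {
            problems.add("MasterKey and MasterSalt are identical");
        }
        return problems;
    }

    public static void main(String[] args) throws IOException {
        // Same directory the org.owasp.esapi.resources JVM argument points at.
        String dir = System.getProperty("org.owasp.esapi.resources");
        Properties props = new Properties();
        try (Reader in = dir == null ? new StringReader(SAMPLE)
                : Files.newBufferedReader(Paths.get(dir, "ESAPI.properties"), StandardCharsets.ISO_8859_1)) {
            props.load(in);
        }
        List<String> problems = check(props);
        // Report only the state of each entry, never the key or salt values.
        for (String p : problems) System.err.println("FAIL: " + p);
        if (problems.isEmpty()) System.out.println("OK: master key and salt are set");
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

Run it with the same -Dorg.owasp.esapi.resources argument used for the generation step; the exit status is nonzero when an entry is missing, empty, or still placeholder text.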
SSL is required for the login functionality of ESAPI. Details of how to set up SSL for Tomcat can be found at
Set up SSL for Tomcat 6.0
Make sure your .keystore file is in your User Home directory.
Give brief overview of how application is structured to help initial users.