/**
* Load the preferred JCE provider for ESAPI based on the <b>ESAPI.properties</b> property {@code
* Encryptor.PreferredJCEProvider}. If this property is null (i.e., unset) or set to an empty
* string, then no JCE provider is inserted at the "preferred" position and thus the Java VM
* continues to use whatever the default it was using for this (generally specified in the file
* {@code $JAVA_HOME/jre/security/java.security}).
*
* @return The actual preference position at which the provider was added, (which is expected to
* be 1) or -1 if the provider was not added because it is already installed at some other
* position. -1 is also returned if the {@code Encryptor.PreferredJCEProvider} was not set or
* set to an empty string, i.e., if the application <i>has</i> no preferred JCE provider.
* @exception NoSuchProviderException - thrown if the provider class could not be loaded or added
* to the {@code SecurityManager} or any other reason for failure.
* @see <a
* href="http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.htm">
* ESAPI 2.0 Symmetric Encryption User Guide</a>
*/
public static int loadESAPIPreferredJCEProvider() throws NoSuchProviderException {
String prefJCEProvider = ESAPI.securityConfiguration().getPreferredJCEProvider();
try {
// If unset or set to empty string, then don't try to change it.
if (prefJCEProvider == null || prefJCEProvider.trim().length() == 0) {
// Always log, per NSA suggestion.
logger.always(Logger.SECURITY_AUDIT, "No Encryptor.PreferredJCEProvider specified.");
return -1; // Unchanged; it is, whatever it is.
} else {
return insertProviderAt(prefJCEProvider, 1);
}
} catch (NoSuchProviderException ex) {
// Will already have logged with exception msg.
String msg = "failed to load *preferred* " + "JCE crypto provider, " + prefJCEProvider;
logger.always(Logger.SECURITY_AUDIT, msg); // Per NSA suggestion.
logger.error(Logger.SECURITY_FAILURE, msg);
throw ex;
}
}
/**
* Returns a <code>String</code> containing the real path for a given virtual path. For example,
* the path "/index.html" returns the absolute file path on the server's filesystem would be
* served by a request for "http://host/contextPath/index.html", where contextPath is the context
* path of this ServletContext..
*
* <p>The real path returned will be in a form appropriate to the computer and operating system on
* which the servlet container is running, including the proper path separators. This method
* returns <code>null</code> if the servlet container cannot translate the virtual path to a real
* path for any reason (such as when the content is being made available from a <code>.war</code>
* archive).
*
* @param path a <code>String</code> specifying a virtual path
* @return a <code>String</code> specifying the real path, or null if the translation cannot be
* performed
*/
public String getRealPath(String path) {
return ESAPI.securityConfiguration().getResourceFile(path).getAbsolutePath();
}