Merge pull request #1 from HJW8472/issue-#310

Issue ESAPI#310

Author: HJW8472

src/main/java/org/owasp/esapi/SecurityConfiguration.java

@@ -640,6 +640,12 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
      */
     InputStream getResourceStream( String filename ) throws IOException;
 
+    /**
+     * Used to load antisamy-esapi.xml from a variety of different classpath locations.
+     *
+     * @param fileName The resource file filename.
+     */
+	InputStream getResourceStreamFromClasspath( String fileName );
 
 	/**
 	 * Sets the ESAPI resource directory.

src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java

@@ -627,6 +627,64 @@ public File getResourceFile(String filename) {
 		return null;
 	}
 
+    /**
+     * Used to load antisamy-esapi.xml from a variety of different classpath locations.
+     *
+     * @param fileName The resource file filename.
+     */
+	public InputStream getResourceStreamFromClasspath(String fileName) {
+		InputStream resourceStream = null;
+		
+		ClassLoader[] loaders = new ClassLoader[] {
+				Thread.currentThread().getContextClassLoader(),
+				ClassLoader.getSystemClassLoader(),
+				getClass().getClassLoader() 
+		};
+		
+        for (ClassLoader loader : loaders) {
+			// try root
+			String currentClasspathSearchLocation = "/ (root)";
+            resourceStream = loader.getResourceAsStream(DefaultSearchPath.ROOT.value() + fileName);
+			
+			// try resourceDirectory folder
+			if (resourceStream == null){
+				currentClasspathSearchLocation = resourceDirectory + "/";
+				resourceStream = loader.getResourceAsStream(DefaultSearchPath.RESOURCE_DIRECTORY.value() + fileName);
+			}
+			
+			// try .esapi folder. Look here first for backward compatibility.
+			if (resourceStream == null){
+				currentClasspathSearchLocation = ".esapi/";
+				resourceStream = loader.getResourceAsStream(DefaultSearchPath.DOT_ESAPI.value() + fileName);
+			}
+
+			// try esapi folder (new directory)
+			if (resourceStream == null){
+				currentClasspathSearchLocation = "esapi/";
+				resourceStream = loader.getResourceAsStream(DefaultSearchPath.ESAPI.value() + fileName);
+			}
+
+			// try resources folder
+			if (resourceStream == null){
+				currentClasspathSearchLocation = "resources/";
+				resourceStream = loader.getResourceAsStream(DefaultSearchPath.RESOURCES.value() + fileName);
+			}
+
+			// try src/main/resources folder
+			if (resourceStream == null){
+				currentClasspathSearchLocation = "src/main/resources/";
+				resourceStream = loader.getResourceAsStream(DefaultSearchPath.SRC_MAIN_RESOURCES.value() + fileName);
+			}
+
+            if (resourceStream != null) {
+				logSpecial("SUCCESSFULLY LOADED " + fileName + " via the CLASSPATH from '" + currentClasspathSearchLocation + "'!");
+                break; // Outta here since we've found and loaded it.
+            }
+        }
+		
+		return resourceStream;
+	}
+	
     /**
      * Used to load ESAPI.properties from a variety of different classpath locations.
      *

src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java

@@ -46,22 +46,29 @@ public class HTMLValidationRule extends StringValidationRule {
 	/** OWASP AntiSamy markup verification policy */
 	private static Policy antiSamyPolicy = null;
 	private static final Logger LOGGER = ESAPI.getLogger( "HTMLValidationRule" );
+	private static final String ANTISAMYPOLICY_FILENAME = "antisamy-esapi.xml";
 
 	static {
         InputStream resourceStream = null;
 		try {
-			resourceStream = ESAPI.securityConfiguration().getResourceStream("antisamy-esapi.xml");
+			resourceStream = ESAPI.securityConfiguration().getResourceStream(ANTISAMYPOLICY_FILENAME);
 		} catch (IOException e) {
-			throw new ConfigurationException("Couldn't find antisamy-esapi.xml", e);
-	            }
+			
+			LOGGER.info(Logger.EVENT_FAILURE, "Loading " + ANTISAMYPOLICY_FILENAME + " from classpaths");
+
+			resourceStream = ESAPI.securityConfiguration().getResourceStreamFromClasspath(ANTISAMYPOLICY_FILENAME);
+		}
         if (resourceStream != null) {
         	try {
 				antiSamyPolicy = Policy.getInstance(resourceStream);
 			} catch (PolicyException e) {
-				throw new ConfigurationException("Couldn't parse antisamy policy", e);
-		        }
-			}
+				throw new ConfigurationException("Couldn't parse " + ANTISAMYPOLICY_FILENAME, e);
+	        }
 		}
+        else {
+            throw new ConfigurationException("Couldn't find " + ANTISAMYPOLICY_FILENAME);
+		}
+	}
 
 	public HTMLValidationRule( String typeName ) {
 		super( typeName );

src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java

@@ -13,7 +13,7 @@
  * @author [email protected]
  * @since 2019
  */
-package org.owasp.esapi.reference;
+package org.owasp.esapi.reference.validation;
 
 import org.owasp.esapi.ESAPI;
 import org.owasp.esapi.EncoderConstants;

src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleThrowsTest.java

@@ -13,7 +13,7 @@
  * @author [email protected]
  * @since 2019
  */
-package org.owasp.esapi.reference;
+package org.owasp.esapi.reference.validation;
 
 import org.owasp.esapi.ESAPI;
 import org.owasp.esapi.SecurityConfiguration;