Migrating from Java 8 to Java 17 with Spring Boot 3 causing ESAPI issues


I have migrated from Java 8 to Java 17 and Spring Boot to 3.0.4. I have JWT security protection in my code that uses a JwtRequestFilter class, as shown below:

public class JwtRequestFilter extends OncePerRequestFilter 

which overrides the following method:

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException

In this method I'm using the ESAPI HttpUtilities to add a header, as below:

// response is the HttpServletResponse passed to doFilterInternal; name and value are the header to set
ESAPI.httpUtilities().addHeader(response, name, value);

but it's throwing the following compilation error:

The type javax.servlet.http.HttpServletResponse cannot be resolved. It is indirectly referenced from required type org.owasp.esapi.ESAPI

Since with Spring Boot 3.x javax.servlet.http.HttpServletResponse is not supported, I'm using jakarta.servlet.http.HttpServletResponse, but ESAPI internally uses javax.servlet.http.HttpServletResponse, so I'm getting that exception.

Please let me know if there is any other way that I can configure this to make my code work.


Answer from zawarudo:

They are not planning to move to the Jakarta packages, but there is a workaround if you want to get it to work with Spring 6.

Quote:

Special note regarding Spring Boot 3, Spring 6, Tomcat 10 and other applications / libraries requiring Jakarta EE

IMPORTANT: We are aware that all versions of ESAPI (unless you are using very select parts) do not work with Jakarta EE. Jakarta EE relies on jakarta.servlet-api. ESAPI is built to use javax.servlet-api. This causes things like Spring Boot 3, Spring 6, Tomcat 10, the latest version of Jetty, etc. to fail to load certain (well, many) ESAPI classes. The reason for this is that the package names between these 2 libraries are different! The dependency javax.servlet-api has a package namespace of javax.servlet. The jakarta.servlet-api library is using the package namespace of jakarta.servlet. So references to things like ServletRequest, ServletResponse, etc. in ESAPI are using javax.servlet.ServletRequest and javax.servlet.ServletResponse respectively. We cannot make it work for both at once and we will not stop supporting javax.servlet-api, which is what most of our existing ESAPI clients are using.

Therefore PLEASE STOP sending us emails and/or creating GitHub issues regarding this! Instead, please read the ongoing GitHub discussion #768 for further details.

https://github.com/ESAPI/esapi-java-legacy/discussions/768
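The compile error in the question comes from ESAPI pulling in javax.servlet types, so one way to keep the filter building on Spring Boot 3 is to stop calling ESAPI from the jakarta-based filter and set the header through the jakarta HttpServletResponse directly. What gets lost then is the reason ESAPI.httpUtilities().addHeader exists in the first place: to my understanding it validates the header name and value before setting them, so a value carrying a CR/LF cannot inject a second header line. The example below is an added illustration, not code from the question, the answer or the ESAPI project; it reimplements that allow-list check with its own patterns (an assumption modelled on ESAPI's intent, not copied from its configuration), uses the JwtRequestFilter name from the question, and emits a hypothetical X-Token-Status header. It assumes Spring Boot 3 / Spring Security 6 on the jakarta.servlet API and does not reference ESAPI at all, so javax.servlet is not needed on the classpath.

```java
// Added example: a jakarta.servlet-based filter that sets a response header
// with its own header-name/value allow-list instead of ESAPI's addHeader.
// Assumptions: Spring Boot 3 / Spring Security 6, the JwtRequestFilter name
// from the question, and a hypothetical X-Token-Status header.
package com.example.security; // hypothetical package

import java.io.IOException;
import java.util.regex.Pattern;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.web.filter.OncePerRequestFilter;

public class JwtRequestFilter extends OncePerRequestFilter {

    // Allow-lists modelled on the intent of ESAPI's header validation (an
    // assumption, not ESAPI's actual patterns): RFC 7230 token characters for
    // the name, printable ASCII only for the value, so CR and LF never pass.
    private static final Pattern HEADER_NAME =
            Pattern.compile("^[A-Za-z0-9!#$%&'*+.^_`|~-]{1,64}$");
    private static final Pattern HEADER_VALUE =
            Pattern.compile("^[\\x20-\\x7E]{0,512}$");

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain filterChain)
            throws ServletException, IOException {
        // JWT extraction and verification belong here; they are unrelated to the
        // header-API question and are left out of this example.

        // Replacement for ESAPI.httpUtilities().addHeader(response, name, value):
        // the header is written only when both parts pass the allow-lists.
        if (!addHeaderSafely(response, "X-Token-Status", "validated")) {
            logger.warn("Rejected unsafe response header in JwtRequestFilter");
        }

        filterChain.doFilter(request, response);
    }

    /**
     * Sets the header only if name and value match the allow-lists.
     * Returns true when the header was set, false when the input was rejected.
     */
    static boolean addHeaderSafely(HttpServletResponse response, String name, String value) {
        if (!isSafeHeaderName(name) || !isSafeHeaderValue(value)) {
            return false;
        }
        response.setHeader(name, value);
        return true;
    }

    static boolean isSafeHeaderName(String name) {
        return name != null && HEADER_NAME.matcher(name).matches();
    }

    static boolean isSafeHeaderValue(String value) {
        // A value such as "ok\r\nSet-Cookie: x=y" fails here because CR and LF
        // fall outside the printable-ASCII range.
        return value != null && HEADER_VALUE.matcher(value).matches();
    }
}
```

The `logger` field comes from Spring's OncePerRequestFilter (a protected Commons Logging `Log` on GenericFilterBean), so the rejection is recorded without any extra wiring. Keeping the check in a small static method makes it easy to unit-test with plain strings, independent of the servlet container; when ESAPI later becomes usable on your stack again, the call site is the only line that needs to change back.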