Using ESAPI with Jakarta EE Servlet API Specification 5.0 and later - ESAPI/esapi-java-legacy GitHub Wiki
Starting with Jakarta Servlet API Specification 5.0, the package namespace for the Servlet API changed from javax.servlet to jakarta.servlet. This of course caused all sorts of compile-time and runtime problems when libraries and applications using these two different namespaces were mixed together.
Prior to ESAPI 2.5.3.0, ESAPI only supported the Java EE Servlet spec (i.e., the javax.servlet namespace). But according to the long ESAPI Discussion #768, Spring Framework 6.0 and Spring Boot 3.0 decided to adopt (well, require) Jakarta Servlet API Specification 5.0. This immediately caused problems trying to use ESAPI with those libraries.
(Note: This only works for ESAPI 2.5.3.0 and later.)
Several people suggested using the Maven Eclipse Transformer plugin to address this, but I was still unable to get it working correctly until @jcputney created PR #799 that had it worked out. That was merged as part of the ESAPI 2.5.3.0 release.
As you can see from https://repo1.maven.org/maven2/org/owasp/esapi/esapi/2.5.3.0/, there is now an "esapi-2.5.3.0-jakarta.jar" file in Maven Central. Unfortunately, the instructions in Maven Central for this ESAPI release do not show how to use this Jakarta version of ESAPI. For using it with Maven though, it is as simple as adding
<classifier>jakarta</classifier>
to your pom dependency for ESAPI. For example, to use it with ESAPI 2.5.3.0, you would just add
<dependency>
    <groupId>org.owasp.esapi</groupId>
    <artifactId>esapi</artifactId>
    <version>2.5.3.0</version>
    <classifier>jakarta</classifier>
</dependency>
to your pom.xml file.
I could not find a definitive answer for this, but it seems for Gradle you might be able to use something like this:
// https://mvnrepository.com/artifact/org.owasp.esapi/esapi
implementation 'org.owasp.esapi:esapi:2.5.3.0:jakarta'
I have not tested this. Please let me know if it works.
Kevin W. Wall, ESAPI project co-lead
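To confirm at runtime that the jakarta classifier actually took effect, the following added example (not ESAPI project code) reports which jar ESAPI was loaded from and which servlet namespace its HTTPUtilities interface references. The class name EsapiServletNamespaceCheck is hypothetical, and the check assumes it is run with the same classpath as your application.

```java
import java.lang.reflect.Method;
import java.util.Set;
import java.util.TreeSet;

// Hypothetical helper class (name is an assumption, not part of ESAPI).
public class EsapiServletNamespaceCheck {

    // Collect the servlet package roots that appear in a class's public method signatures.
    static Set<String> servletNamespaces(Class<?> cls) {
        Set<String> found = new TreeSet<>();
        for (Method m : cls.getMethods()) {
            record(found, m.getReturnType());
            for (Class<?> p : m.getParameterTypes()) {
                record(found, p);
            }
        }
        return found;
    }

    private static void record(Set<String> found, Class<?> type) {
        while (type.isArray()) {
            type = type.getComponentType();
        }
        String name = type.getName();
        if (name.startsWith("javax.servlet.")) {
            found.add("javax.servlet");
        } else if (name.startsWith("jakarta.servlet.")) {
            found.add("jakarta.servlet");
        }
    }

    public static void main(String[] args) {
        try {
            // false = do not run static initializers; we only inspect signatures.
            Class<?> http = Class.forName("org.owasp.esapi.HTTPUtilities", false,
                    EsapiServletNamespaceCheck.class.getClassLoader());
            System.out.println("ESAPI loaded from: "
                    + http.getProtectionDomain().getCodeSource().getLocation());
            System.out.println("Servlet namespace(s) in HTTPUtilities: " + servletNamespaces(http));
        } catch (ClassNotFoundException e) {
            System.out.println("ESAPI is not on the classpath: " + e.getMessage());
        } catch (NoClassDefFoundError e) {
            // Thrown when ESAPI's signatures name a servlet package that is absent at runtime,
            // i.e. the ESAPI jar and the container's Servlet API use different namespaces.
            System.out.println("Namespace mismatch, missing class: " + e.getMessage());
        }
    }
}
```

With Spring Boot 3.0 or any other Jakarta Servlet 5.0+ stack, the expected namespace is jakarta.servlet and the jar location should end in -jakarta.jar.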