We are on kettle 5.0.
On startup of our web application, we have seen many of these errors in stdout such as SystemOut.log for WebSphere:
[12/7/16 10:31:14:790 AST] 0000e995 SystemOut O SecurityConfiguration for Logger.LogEncodingRequired not found in ESAPI.properties. Using default: false
(repeated hundreds of times).

The reason behind the messages is esapi is logging (meaning using System.out.println) messages when properties are not found in the default configuration. These are innocuous messages (albeit esapi should not be logging these using System.out, but that's a different matter.) If you look at the code in esapi.jar:

Looking at the code in esapi jar file:
- Log4JLogger.java calls "ESAPI.securityConfiguration().getLogEncodingRequired()"
- DefaultSecurityConfiguration.java has the implementation for getLogEncodingRequired() and it calls a method called "getESAPIProperty(...)" and it has this code that clearly writes to system out.

protected boolean getESAPIProperty( String key, boolean def ) {
        String property = properties.getProperty(key);
        if ( property == null ) {
            logSpecial( "SecurityConfiguration for " + key + " not found in ESAPI.properties. Using default: " + def, null );
            return def;
        if ( property.equalsIgnoreCase("true") || property.equalsIgnoreCase("yes" ) ) {
            return true;
        if ( property.equalsIgnoreCase("false") || property.equalsIgnoreCase( "no" ) ) {
            return false;
        logSpecial( "SecurityConfiguration for " + key + " not either \"true\" or \"false\" in ESAPI.properties. Using default: " + def, null );
        return def;
and logSpecial method above just does this:

private void logSpecial(String message, Throwable e) {
        StringBuffer msg = new StringBuffer(message);
        if (e != null) {
            msg.append(" Exception was: ").append( e.toString() );
        System.out.println( msg.toString() );
        // if ( e != null) e.printStackTrace();        // TODO ??? Do we want this?
The only way to get rid of these annoying messages is to update the ESAPI.properties in the kettle-core.jar file and set the property :

false is the default anyway that esapi uses, but the absence of this property is what is making esapi log all those annoying messages.

Do you think you can update the ESAPI.properties file in a future release so that this property is set and we no longer will see these messages?

Thank you.