[Esapi-dev] ESAPI4J - org.owasp.esapi.ESAPI
jim.manico at owasp.org
Wed Jan 20 15:50:08 EST 2010
You have been granted commit access to the ESAPI for Java project via
your brent.shikoski at gmail.com account. Welcome! :)
We are currently working on trunk sprinting towards a 2.0 release. I
would like to see your DefaultSecurityConfiguration patch inside of 2.0
so please commit to trunk. Have no fear, we can always roll your commits
SVN access instructions are at
http://code.google.com/p/owasp-esapi-java/source/checkout (please be
sure to log into Google code first via brent.shikoski at gmail.com).
I'm looking forward to your contributions!
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
> Give me access and I will commit. Are you sure you want me to commit
> to the head instead of a branch? I will have some time this week to
> make at least some of the proposed changes.
> On Wed, Jan 20, 2010 at 12:58 AM, Jim Manico <jim.manico at owasp.org
> <mailto:jim.manico at owasp.org>> wrote:
> I think these are very well though out changes. I would like to
> see these in the 2.0 release and I think the changes are fairly
> straight forward.
> If you would like to see it done now, I'd like to invite you to
> the project and give you commit access to trunk. Do you have time
> to work on this over the next few days per chance?
> All in favor?
> - Jim
>> In regards to Issue #91.
>> Changes to the ESAPI class might not be directly related to issue
>> 91, but I do have some thoughts on it.
>> 1. Most importantly (at least to me), I was wondering if
>> DefaultSecurityConfiguration instantiation could be done away
>> with in the securityConfiguration field declaration.
>> *private* *static* SecurityConfiguration
>> /securityConfiguration/ = *new* DefaultSecurityConfiguration();
>> If creation is delayed until the securityConfiguration()
>> method is invoked, it would allow an application to create a
>> SecurityConfiguration implementation and set it on the ESAPI
>> class, so the DefaultSecurityConfiguration constructor will
>> never be invoked and it's file loading requirements don't need to
>> be dealt with.
>> 2. I think the SecurityConfiguration implementation, be it the
>> DefaultSecurityConfiguration or another should be constructed
>> through reflection. With the direct reference of the
>> DefaultSecurityConfiguration class in the ESAPI class, the
>> org.owasp.esapi package is dependant upon the
>> org.owasp.esapi.reference package, which is undesirable. This
>> would be become even more important if the reference
>> implementations were to be separated more from the pure api, as
>> has been suggested.
>> 3. If the SecurityConfiguration implementation is loaded through
>> reflection, perhaps the implementation class name can be
>> configured via a system property.
>> There is a large comment section at the top of the ESAPI class
>> that details the following items, maybe they have already been
>> - The setters should have access control checks that would be
>> verified by the Security Manager.
>> -- I'm all in favor of this, but it's probably not a high
>> priority item.
>> - The setters should return the previous value.
>> -- Sounds like a good idea, I don't see why not.
>> - The setters & getters are not thread safe.
>> -- I think this should be fixed immediately.
>> I saw Jim mention somewhere yesterday that he would like to
>> substantially change the ESAPI class and replace it with some
>> factories. That may well obviate some of these modifications.
>> This e-mail is confidential. If you are not the intended
>> recipient, you must not disclose or use the information contained
>> in it. If you have received this e-mail in error, please tell us
>> immediately by return e-mail and delete the document.
>> Esapi-dev mailing list
>> Esapi-dev at lists.owasp.org <mailto:Esapi-dev at lists.owasp.org>
> Esapi-dev mailing list
> Esapi-dev at lists.owasp.org <mailto:Esapi-dev at lists.owasp.org>
> Esapi-dev mailing list
> Esapi-dev at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Esapi-dev