[Esapi-dev] ESAPI4J - org.owasp.esapi.ESAPI
Jim Manico
jim.manico at owasp.org
Wed Jan 20 15:50:08 EST 2010
Brent,
You have been granted commit access to the ESAPI for Java project via
your brent.shikoski at gmail.com account. Welcome! :)
We are currently working on trunk sprinting towards a 2.0 release. I
would like to see your DefaultSecurityConfiguration patch inside of 2.0
so please commit to trunk. Have no fear, we can always roll your commits
back. :)
SVN access instructions are at
http://code.google.com/p/owasp-esapi-java/source/checkout (please be
sure to log into Google code first via brent.shikoski at gmail.com).
I'm looking forward to your contributions!
--
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net
> Jim,
>
> Give me access and I will commit. Are you sure you want me to commit
> to the head instead of a branch? I will have some time this week to
> make at least some of the proposed changes.
>
>
> On Wed, Jan 20, 2010 at 12:58 AM, Jim Manico <jim.manico at owasp.org
> <mailto:jim.manico at owasp.org>> wrote:
>
> Brent,
>
> I think these are very well thought out changes. I would like to
> see these in the 2.0 release and I think the changes are fairly
> straightforward.
>
> If you would like to see it done now, I'd like to invite you to
> the project and give you commit access to trunk. Do you have time
> to work on this over the next few days, perchance?
>
> All in favor?
>
> - Jim
>
>> In regards to Issue #91.
>> <http://code.google.com/p/owasp-esapi-java/issues/detail?id=91>
>> Changes to the ESAPI class might not be directly related to issue
>> 91, but I do have some thoughts on it.
>>
>> 1. Most importantly (at least to me), I was wondering if
>> DefaultSecurityConfiguration instantiation could be done away
>> with in the securityConfiguration field declaration.
>>
>> private static SecurityConfiguration securityConfiguration = new DefaultSecurityConfiguration();
>>
>>
>> If creation is delayed until the securityConfiguration()
>> method is invoked, it would allow an application to create a
>> SecurityConfiguration implementation and set it on the ESAPI
>> class, so the DefaultSecurityConfiguration constructor will
>> never be invoked and its file loading requirements don't need to
>> be dealt with.
>>
>> 2. I think the SecurityConfiguration implementation, be it the
>> DefaultSecurityConfiguration or another, should be constructed
>> through reflection. With the direct reference to the
>> DefaultSecurityConfiguration class in the ESAPI class, the
>> org.owasp.esapi package is dependent upon the
>> org.owasp.esapi.reference package, which is undesirable. This
>> would become even more important if the reference
>> implementations were to be separated more from the pure API, as
>> has been suggested.
>>
>> 3. If the SecurityConfiguration implementation is loaded through
>> reflection, perhaps the implementation class name can be
>> configured via a system property.
>>
>>
>>
>> There is a large comment section at the top of the ESAPI class
>> that details the following items, maybe they have already been
>> discussed?
>> - The setters should have access control checks that would be
>> verified by the Security Manager.
>> -- I'm all in favor of this, but it's probably not a high
>> priority item.
>>
>> - The setters should return the previous value.
>> -- Sounds like a good idea, I don't see why not.
>>
>> - The setters & getters are not thread safe.
>> -- I think this should be fixed immediately.
>>
>>
>> I saw Jim mention somewhere yesterday that he would like to
>> substantially change the ESAPI class and replace it with some
>> factories. That may well obviate some of these modifications.
>>
>>
>>
>>
>>
>> _______________________________________________
>> Esapi-dev mailing list
>> Esapi-dev at lists.owasp.org <mailto:Esapi-dev at lists.owasp.org>
>> https://lists.owasp.org/mailman/listinfo/esapi-dev
>>
>
>
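Added example, not ESAPI code and not part of any message in this thread: a minimal holder class that implements the three changes Brent proposes (lazy creation of the configuration, loading the implementation class by reflection from a system property, and thread-safe getters/setters whose setter returns the previous value). The interface, the two implementations, the property name `example.security.configuration` and the class name `LazyConfigHolder` are all assumptions made for the example; the real ESAPI class and its SecurityConfiguration interface are larger.

```java
import java.util.concurrent.atomic.AtomicReference;

// Added example (not ESAPI's code): a lazily initialised, thread-safe
// configuration holder mirroring the proposals in the thread above.
public class LazyConfigHolder {

    /** Minimal stand-in for ESAPI's SecurityConfiguration interface (assumed). */
    public interface SecurityConfiguration {
        String getName();
    }

    /** Stand-in for the reference implementation; the real one loads a properties file. */
    public static final class DefaultSecurityConfiguration implements SecurityConfiguration {
        public DefaultSecurityConfiguration() {
            System.out.println("DefaultSecurityConfiguration constructed (would load properties)");
        }
        public String getName() { return "default"; }
    }

    /** Application-supplied implementation that needs no file on disk. */
    public static final class InMemoryConfiguration implements SecurityConfiguration {
        public String getName() { return "in-memory"; }
    }

    // Assumed system property naming the implementation class (point 3).
    static final String IMPL_PROPERTY = "example.security.configuration";
    static final String DEFAULT_IMPL = DefaultSecurityConfiguration.class.getName();

    // Point 1: the field starts null, so nothing is constructed at class-load time.
    // AtomicReference provides the thread-safe get/set the ESAPI comment block asks for.
    private static final AtomicReference<SecurityConfiguration> CONFIG = new AtomicReference<>();

    /** Returns the active configuration, creating the default only on first use. */
    public static SecurityConfiguration securityConfiguration() {
        SecurityConfiguration current = CONFIG.get();
        if (current != null) {
            return current;
        }
        // Point 2: the class is named by a property and built via reflection, so this
        // holder carries no compile-time reference to the default implementation.
        SecurityConfiguration created = instantiate(System.getProperty(IMPL_PROPERTY, DEFAULT_IMPL));
        // If another thread initialised first, keep its instance and discard ours.
        return CONFIG.compareAndSet(null, created) ? created : CONFIG.get();
    }

    /** Setter that returns the previous value, as the comment block proposes. */
    public static SecurityConfiguration setSecurityConfiguration(SecurityConfiguration cfg) {
        if (cfg == null) {
            throw new IllegalArgumentException("configuration must not be null");
        }
        return CONFIG.getAndSet(cfg);
    }

    private static SecurityConfiguration instantiate(String className) {
        try {
            // asSubclass rejects a property that names an unrelated class before any
            // constructor of that class is run.
            Class<? extends SecurityConfiguration> impl =
                    Class.forName(className).asSubclass(SecurityConfiguration.class);
            return impl.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException | ClassCastException e) {
            throw new IllegalStateException("cannot load SecurityConfiguration " + className, e);
        }
    }

    public static void main(String[] args) {
        // The application installs its own implementation before first use, so the
        // default constructor (and its file loading) never runs.
        SecurityConfiguration previous = setSecurityConfiguration(new InMemoryConfiguration());
        System.out.println("previous = " + previous);
        System.out.println("active   = " + securityConfiguration().getName());
    }
}
```

Two practitioner notes on this shape. The `asSubclass` check matters because a class name taken from a system property is effectively configuration that will be instantiated with the application's privileges; restricting it to implementors of the interface keeps a misconfigured property from constructing an arbitrary class. The thread's remaining item, an access-control check on the setter, would sit at the top of `setSecurityConfiguration` before `getAndSet`; it is left out here because the example only shows the lazy, reflective, thread-safe holder.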