[Owasp-appsensor-project] Custom AppSensorSecurityConfiguration

John Melton jtmelton at gmail.com
Wed Aug 24 09:31:21 EDT 2011


Theo,
That's an interesting solution. If you feel like you might want to exert the
energy to contribute the code, I think it would probably fit better into
ESAPI, so would suggest you email the esapi dev list with the paragraph
description below, and get feedback from those guys. Then you can push the
code into ESAPI as an optional key management solution. There are many
possible solutions to the key management issue, and the implementation of those
is often difficult to get right b/c of certain nuances.
Thanks,
John

On Wed, Aug 24, 2011 at 9:24 AM, Theo van Niekerk <theovn at owasp.org> wrote:

> Hi John
>
> Thanks for your reply - I'll try and file a bug/issue.
>
> I store the Master-key (password protected) in a Key-store (also password
> protected).
> My app has an obscure webpage that asks for these 2 passwords to load the
> Master-key in memory where it is kept.
> The app won't run - returns 503 on most dynamic pages - unless the key is
> loaded.
> Downside is on a server restart, an operator needs to enter the passwords.
> Upside is that one can make the statement that 2 operators each with their
> own password are required to start the app.
> I think that if you are not involved/aware of a server/app restart then you
> are doing something wrong.
>
> I don't mind sharing/contributing the code - it works for me, but it's not
> a work of art.
>
> Cheers
> Theo
>
> On 24 Aug 2011, at 14:54, John Melton wrote:
>
> > Theo,
> > In short, this is currently not possible with AppSensor. Could you file a
> > bug at http://code.google.com/p/appsensor/issues/list so that we can track
> > this and get the functionality added in to handle it?
> > Also, just a quick question - if you can offer specifics, what are you doing
> > generally to "encrypt/protect the key"? I know a lot of folks have
> > complained that they would like to separate the master key out to another
> > file, but it's not encrypted then - just filesystem controls on the actual
> > key file. The issue is if you encrypt it, then you have another key to
> > manage ... so what are you actually doing?
> >
> > Thanks,
> > John
> >
> > On Wed, Aug 24, 2011 at 7:52 AM, Theo van Niekerk <theovn at owasp.org> wrote:
> >
> >> Hi
> >>
> >> I'm using my own SecurityConfiguration class for ESAPI. I have a
> >> requirement to protect/encrypt the Master key and the
> >> DefaultSecurityConfiguration setup can't do that.
> >>
> >> I want to use AppSensor, but it requires ESAPI to use the
> >> org.owasp.appsensor.AppSensorSecurityConfiguration.
> >>
> >> I can adapt my own SecurityConfiguration to include the
> >> AppSensorSecurityConfiguration stuff but how do I configure AppSensor to use
> >> this config. AppSensor ignores the
> >> -Dorg.owasp.esapi.SecurityConfiguration=... setting.
> >>
> >> What to do?
> >>
> >> Cheers
> >> Theo
> >> _______________________________________________
> >> Owasp-appsensor-project mailing list
> >> Owasp-appsensor-project at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
> >>
>
>
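Theo's two-password start-up gate, written out as an added Java example (not his code, and not part of ESAPI or AppSensor): one operator holds the keystore password, the other holds the key-entry password, and a servlet filter answers 503 on every page until the key is in memory. The class name, the load-page path and the keystore alias are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.util.Arrays;
import javax.servlet.*;
import javax.servlet.http.*;

/** Gate filter plus in-memory master key holder (hypothetical names, not ESAPI/AppSensor API). */
public final class MasterKeyGateFilter implements Filter {
    /** Operator page that collects the two passwords (assumed path; it must itself be authenticated). */
    private static final String LOAD_PAGE = "/admin/load-key";
    /** The master key lives only in memory: null until operators load it, so a restart clears it. */
    private static volatile Key masterKey;

    public static boolean isLoaded() { return masterKey != null; }

    /** Two passwords from two operators: the store password opens the JCEKS file, the entry
     *  password unwraps the secret-key entry. Neither operator alone can produce the key. */
    public static void loadMasterKey(String keystorePath, String alias,
                                     char[] storePassword, char[] keyPassword)
            throws IOException, GeneralSecurityException {
        try {
            KeyStore ks = KeyStore.getInstance("JCEKS");
            try (FileInputStream in = new FileInputStream(keystorePath)) {
                ks.load(in, storePassword);
            }
            Key key = ks.getKey(alias, keyPassword);
            if (key == null) throw new GeneralSecurityException("no entry for alias " + alias);
            masterKey = key;
        } finally {
            Arrays.fill(storePassword, '\0');   // do not leave operator passwords in the heap
            Arrays.fill(keyPassword, '\0');
        }
    }

    /** Every dynamic page gets 503 until the key is loaded; only the load page is let through. */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (!isLoaded() && !LOAD_PAGE.equals(request.getServletPath())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "master key not loaded");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Map the filter to `/*` in web.xml and have the load page call `loadMasterKey` with the two passwords entered by the operators; until that succeeds the filter keeps every other request at 503.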