[OWASP-ESAPI] IAuthenticator

Jeff Williams jeff.williams at owasp.org
Thu Jan 3 10:41:38 EST 2008


Hi Jim,

> We could add
> 
> IUser createUser(String accountName, String password1, String password2,
> Map questionAnswerMap) throws AuthenticationException;

I think we should do something to support forgotten passwords, but I'm not
sure the secret question approach is very good.  I guess in the absence of a
clear best approach, I had planned to let people innovate their own
solutions.  But providing support for this is something we should consider.
Anyone feel strongly about this?

> On a similar note - I assume you expect the caller of createUser
> function to hash the password before hitting it.  Perhaps with a little
> inheritance we could force that - or at least add a little Javadoc at

Actually, the createUser() method does expect plaintext - basically exactly
what you'd get from the change password form (username, password1,
password2).  This calls the User() constructor, which does the hashing
automatically.  I'd rather not rely on developers to do this hashing
properly.

--Jeff
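A sketch of the design Jeff describes above (createUser() receives the plaintext form fields and the User constructor owns the hashing, so callers never hash themselves), added here as an illustration; it is not ESAPI code, and the class name AuthenticatorSketch, the derive() helper, and the PBKDF2-HMAC-SHA256 choice are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical sketch of the design described in the thread: createUser()
// receives the plaintext form fields and the User constructor does the hashing.
public class AuthenticatorSketch {
    public static class AuthenticationException extends Exception { public AuthenticationException(String m) { super(m); } }
    public static final class User {
        private final String accountName;
        private final byte[] salt = new byte[16];
        private final byte[] hash;
        // Takes plaintext so callers cannot skip, or get wrong, the hashing step.
        User(String accountName, char[] plaintext) {
            this.accountName = accountName;
            new SecureRandom().nextBytes(salt);          // fresh per-user salt
            this.hash = derive(plaintext, salt);
            Arrays.fill(plaintext, '\0');                // plaintext is no longer needed
        }
        boolean verifyPassword(char[] candidate) {
            byte[] probe = derive(candidate, salt);
            Arrays.fill(candidate, '\0');
            return MessageDigest.isEqual(probe, hash);   // constant-time comparison
        }
        // PBKDF2-HMAC-SHA256 with a per-user salt is this sketch's choice, not ESAPI's.
        private static byte[] derive(char[] pw, byte[] salt) {
            try {
                PBEKeySpec spec = new PBEKeySpec(pw, salt, 100_000, 256);
                return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                        .generateSecret(spec).getEncoded();
            } catch (GeneralSecurityException e) {
                throw new IllegalStateException(e);
            }
        }
    }
    // Same shape as the quoted createUser() minus the question map: check the two
    // form fields agree, then hand the plaintext to User, which hashes it.
    public static User createUser(String accountName, String password1, String password2)
            throws AuthenticationException {
        if (password1 == null || !password1.equals(password2)) {
            throw new AuthenticationException("passwords do not match");
        }
        return new User(accountName, password1.toCharArray());
    }
}
```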
