[OWASP-ESAPI] IUser and RSAToken

[Jeff Williams]

Jim,

Interesting. I'm trying to keep to just the methods that pretty much every
web application or web service would have to have. But I definitely
understand the need for specialized User objects in most enterprises.  Do
you think we can come up with a way to handle these options in a way that
will be used in most apps?

I strongly encourage customization of the ESAPI for your enterprise.
Actually, I expect every enterprise will need their OWN ESAPI. I would
expect extensions like the ones you've proposed to the API itself (the
interfaces).  And I expect them to rip, mix, and burn the reference
implementation with their own services and internal needs.

I'm focused on the challenge of getting enterprises to agree that they
should define and institutionalize an ESAPI.  If they use ours, or one based
on ours, then great.  But it's still great if they make up their own.

--Jeff

-----Original Message-----
From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Sunday, January 06, 2008 5:19 AM
To: owasp-esapi at lists.owasp.org
Subject: [OWASP-ESAPI] IUser and RSAToken

Jeff,

Many of the apps I'm writing for a certain large Enterprise involves a 
RSA token reference stored in the user profile. Would you suggest I 
extend the ESAPI user object, or  would you consider integrating this 
into EASPI in some way?

I'm thinking me might want a few different user types depending on the 
type of application:

1) StandardUser (user, pass only)
2) BankingUser (user, pass, map of auth questions, phishing image id)
3) EnterpriseUser (user, pass, rsa token identifier)

In fact, there are several over User authentication possibilities (SSO  
tech, for example)

And I moving in the wrong direction by bringing these issues up?

- Jim
_______________________________________________
OWASP-ESAPI mailing list
OWASP-ESAPI at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-esapi