[OWASP-ESAPI] [Webappsec] ESAPI reference implementation - Client side API or Web service

Jeff Williams jeff.williams at owasp.org
Thu Jan 17 02:03:47 EST 2008


Thanks Jim,

 

I appreciate the comments.

 

> In the reference implementation, due to the need for ThreadLocal in
> Authenticator and HTTPUtilities classes, it appears that the API is meant
> to sit out on the web tier and therefore does not truly provide central
> enterprise management.

 

The API (the interfaces) isn't tied to a particular tier, but the reference
architecture is intended for the web tier (for the reasons you mention).  I
fully expect that people will create their own implementation of the
interfaces to match their enterprise.

 

Really, ESAPI is just a collection of security primitives that you can use
to build a website, centralized security services, or even a rich client.

 

> In an SOA environment do you see ESAPI residing at multiple levels? 

 

Ultimately, I believe that you will need at least some of the calls in ESAPI
at all levels of your architecture.  Too many people try to pull security
out into a filter, device, or layer external to their business logic, and
they lose all the context that allows security decisions to be made.

 

Please let us know what you come up with!

 

--Jeff

 

Jeff Williams, Chair

 <http://www.owasp.org/> The OWASP Foundation

work: 410-707-1487

main: 301-604-4882

 

From: webappsec-bounces at lists.owasp.org
[mailto:webappsec-bounces at lists.owasp.org] On Behalf Of Telford, Jim
Sent: Wednesday, January 16, 2008 11:36 AM
To: webappsec at lists.owasp.org
Subject: [Webappsec] ESAPI reference implementation - Client side API or Web
service

 

ESAPI is Awesome, Great Ideas,  Very thorough and Well written!!!     

 

I have stepped through all the code for the reference implementation in
debug, I like the simplicity of it.  I would like to try to work this into a
truly centralized Security framework.  To do that I would like to use web
services.  In the reference implementation, due to the need for ThreadLocal
in Authenticator and HTTPUtilities classes, it appears that the API is meant
to sit out on the web tier and therefore does not truly provide central
enterprise management.

 

In an SOA environment do you see ESAPI residing at multiple levels?  For
example, certain "Parts" to be included by the client at the web tier and
then other parts that could be SOA services plugged into an ESB.  I suppose
parts may be at both levels as well(?)

 

Thanks for your time, and again Kudos on ESAPI!!

 

Jim Telford 
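The point Jeff makes above, that a filter or layer outside the business logic loses the context a security decision needs, as an added illustration that is not ESAPI code and not part of the original thread. The users, roles and records are constructed inline; the class and method names are hypothetical, and the example assumes Java 16 or later for records.

```java
import java.util.Map;
import java.util.Set;

// Added example (not ESAPI code): a perimeter filter that only sees the
// URL and the caller's role lets an authenticated user read another
// user's record, while a check made inside the business logic, with the
// record in hand, can enforce ownership. All data below is constructed.
public class ContextualAccessCheck {

    // A logged-in principal as both a perimeter filter and an in-tier
    // check would see it.
    record User(String name, Set<String> roles) {}

    // A domain object: only its owner (or an admin) may read it.
    record Record(int id, String owner, String body) {}

    // Constructed sample data; no back end involved.
    static final Map<Integer, Record> RECORDS = Map.of(
        1, new Record(1, "alice", "alice's private notes"),
        2, new Record(2, "bob", "bob's private notes"));

    // Perimeter-style check: the filter only has the path and the role.
    // It cannot tell whose record /records/2 is, so it passes any
    // authenticated "user" to any record.
    static boolean filterAllows(User user, String path) {
        return path.startsWith("/records/") && user.roles().contains("user");
    }

    // In-context check, the kind of primitive that has to live where the
    // business logic runs: the record is loaded, so ownership can be
    // compared before anything is returned.
    static Record readRecord(User user, int id) {
        Record r = RECORDS.get(id);
        if (r == null) {
            throw new IllegalArgumentException("no such record: " + id);
        }
        boolean isOwner = r.owner().equals(user.name());
        boolean isAdmin = user.roles().contains("admin");
        if (!isOwner && !isAdmin) {
            throw new SecurityException(
                user.name() + " may not read record " + id);
        }
        return r;
    }

    public static void main(String[] args) {
        User alice = new User("alice", Set.of("user"));

        // The filter cannot distinguish these two requests: same path
        // prefix, same role.
        System.out.println("filter /records/1: " + filterAllows(alice, "/records/1"));
        System.out.println("filter /records/2: " + filterAllows(alice, "/records/2"));

        // The in-context check can.
        System.out.println("read 1: " + readRecord(alice, 1).body());
        try {
            readRecord(alice, 2);
        } catch (SecurityException e) {
            System.out.println("read 2 denied: " + e.getMessage());
        }
    }
}
```

The filter is not wrong as far as it goes; it simply never has the owner field to compare against. Putting the ownership check next to the data access, rather than in a URL-pattern filter or a gateway device, is what lets the same primitive be reused at the web tier, behind an ESB, or in a rich client, which is the portability Jeff describes for the ESAPI interfaces.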

 
