[Esapi-user] Authenticator
NChoate at fruit.com
Tue Apr 20 11:19:49 EDT 2010
All,
I'm considering using ESAPI for my Java web application; however, I have
some questions/concerns.
I was looking at the Authenticator class for Java and noticed methods for
"verifyPasswordStrength" and "generateStrongPassword". I would like to
use both methods to augment our existing portal architecture which does
not support (or at least is not obvious to me) password strength checking
other than requiring passwords of a configurable length. As the portal
handles the authentication for our application, I wasn't keen on trying to
map the internal portal SDK to the Authenticator Interface, just to get
support for password strength validation. I may be alone in my thinking,
but shouldn't these stand-alone methods be moved to a separate concrete
class with static implementations of the methods? Or at minimum another
interface, AuthenticatorUtil for instance, that has these methods and can
be overridden to provide a custom implementation or the base reference
implementation can be used.
I'd be happy to hear an alternative proposal to what I suggested, as I'm
new to ESAPI, or even an alternative way of doing what I've suggested.
Nicholas Choate