[Esapi-user] Authenticator

Brent Shikoski brent.shikoski at gmail.com
Tue Apr 20 22:41:53 EDT 2010


Nicholas,

I have been contemplating many changes to the Authenticator classes.  I'd
like to extract more functionality out of the FileBasedAuthenticator
reference implementation and I could see making the methods you mentioned
accessible outside of the Authenticator interface as well.  I'm not sure if
it would be desirable to add a new ESAPI interface, but that would be my
first inclination.

The password strength check could use some additional rules, there are two
open issues on that subject.  It very well might make sense to devote an
entire class to the task. None of this is going to make the 2.0 release
though,  but hopefully not far after.


Brent Shikoski


On Tue, Apr 20, 2010 at 10:19 AM, <NChoate at fruit.com> wrote:

>
> All,
>
> I'm considering using ESAPI for my Java web application, however I have
> some questions/concerns.
>
> I was looking at the Authenticator class for Java and noticed methods for
> "verifyPasswordStrength" and "generateStrongPassword".  I would like to use
> both methods to augment our existing portal architecture which does not
> support (or at least is not obvious to me) password strength checking other
> than requiring passwords of a configurable length.  As the portal handles
> the authentication for our application, I wasn't keen on trying to map the
> internal portal SDK to the Authenticator Interface, just to get support for
> password strength validation.  I may be alone in my thinking, but shouldn't
> these stand-alone methods be moved to a separate concrete class with static
> implementations of the methods.  Or at minimum another interface,
> AuthenticatorUtil for instance, that has these methods and can be overridden
> to provide a custom implementation or the base reference implementation can
> be used.
>
> I'd be happy to hear an alternative proposal to what I suggested, as I'm a
> new to ESAPI or even an alternative way to doing what I've suggested.
>
> Nicholas Choate
>
> **********************************************************************
>
> This communication contains information which is confidential and
>
> may also be privileged. It is for the exclusive use of the intended
>
> recipient(s). If you are not the intended recipient(s), please note
>
> that any distribution, copying or use of this communication or the
>
> information in it is strictly prohibited. If you have received this
>
> communication in error, please notify the sender immediately and
>
> then destroy any copies of it.
>
> **********************************************************************
>
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/esapi-user/attachments/20100420/f0f7b03d/attachment.html 


More information about the Esapi-user mailing list