[Esapi-user] Authenticator

NChoate at fruit.com
Wed Apr 21 11:13:24 EDT 2010


I entered Issue 118 into the bug/feature tracking system. 

Thanks for your help.

Nicholas Choate

Jim Manico <jim.manico at owasp.org> 
Sent by: esapi-user-bounces at lists.owasp.org
04/21/2010 09:31 AM

NChoate at fruit.com
esapi-user at lists.owasp.org
Re: [Esapi-user] Authenticator

This is an excellent idea worth further consideration.

Can you please enter this request in our bug/feature tracking system at 
Google Code?


Thanks for your feedback, Nicholas,
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager


I'm considering using ESAPI for my Java web application, however I have 
some questions/concerns. 

I was looking at the Authenticator class for Java and noticed methods for 
"verifyPasswordStrength" and "generateStrongPassword".  I would like to 
use both methods to augment our existing portal architecture which does 
not support (or at least is not obvious to me) password strength checking 
other than requiring passwords of a configurable length.  As the portal 
handles the authentication for our application, I wasn't keen on trying to 
map the internal portal SDK to the Authenticator Interface, just to get 
support for password strength validation.  I may be alone in my thinking, 
but shouldn't these stand-alone methods be moved to a separate concrete 
class with static implementations of the methods?  Or at minimum another 
interface, AuthenticatorUtil for instance, that has these methods and can 
be overridden to provide a custom implementation or the base reference 
implementation can be used.   

I'd be happy to hear an alternative proposal to what I suggested, as I'm 
new to ESAPI, or even an alternative way of doing what I've suggested. 

Nicholas Choate 

Esapi-user mailing list
Esapi-user at lists.owasp.org
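
The stand-alone design proposed in the original message, sketched as an added example that is not part of this thread and is not ESAPI code. The interface name AuthenticatorUtil comes from the poster's suggestion; the class DefaultAuthenticatorUtil, the strength policy, and the use of IllegalArgumentException in place of an ESAPI exception type are assumptions made so the example compiles on its own.

```java
import java.security.SecureRandom;
// Hypothetical interface named after the poster's suggestion; not part of ESAPI.
interface AuthenticatorUtil {
    void verifyPasswordStrength(String oldPassword, String newPassword);
    String generateStrongPassword();
}

// Constructed reference implementation: needs no Authenticator, user store or portal SDK.
public class DefaultAuthenticatorUtil implements AuthenticatorUtil {
    private static final String[] CLASSES = {
        "abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "0123456789", "!@#$%^&*-_=+?" };
    private static final int MIN_LENGTH = 12; // assumed policy value
    private final SecureRandom random = new SecureRandom();
    @Override
    public void verifyPasswordStrength(String oldPassword, String newPassword) {
        if (newPassword == null || newPassword.length() < MIN_LENGTH)
            throw new IllegalArgumentException("password shorter than " + MIN_LENGTH);
        if (newPassword.equals(oldPassword))
            throw new IllegalArgumentException("new password equals old password");
        for (String cls : CLASSES) { // every character class must be represented
            boolean found = false;
            for (char c : newPassword.toCharArray()) found |= cls.indexOf(c) >= 0;
            if (!found) throw new IllegalArgumentException("missing a character from: " + cls);
        }
    }

    @Override
    public String generateStrongPassword() {
        String all = String.join("", CLASSES);
        char[] out = new char[MIN_LENGTH + 4];
        for (int i = 0; i < out.length; i++) {
            // the first four slots guarantee one character per class
            String pool = i < CLASSES.length ? CLASSES[i] : all;
            out[i] = pool.charAt(random.nextInt(pool.length()));
        }
        for (int i = out.length - 1; i > 0; i--) { // Fisher-Yates shuffle hides the fixed slots
            int j = random.nextInt(i + 1);
            char t = out[i]; out[i] = out[j]; out[j] = t;
        }
        return new String(out);
    }

    public static void main(String[] args) {
        AuthenticatorUtil util = new DefaultAuthenticatorUtil();
        String generated = util.generateStrongPassword();
        util.verifyPasswordStrength("old-Passw0rd-value", generated); // throws if weak
        System.out.println("generated password passes the policy, length " + generated.length());
    }
}
```

A portal that already handles authentication can call these two methods from its password-change path, and a site with a different policy replaces only this class.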