[Esapi-user] Authenticator

NChoate at fruit.com NChoate at fruit.com
Wed Apr 21 11:13:24 EDT 2010


Jim,

I entered Issue 118 into the bug/feature tracking system. 

Thanks for your help.

Nicholas Choate



Jim Manico <jim.manico at owasp.org> 
Sent by: esapi-user-bounces at lists.owasp.org
04/21/2010 09:31 AM

To: NChoate at fruit.com
cc: esapi-user at lists.owasp.org
Subject: Re: [Esapi-user] Authenticator






This is an excellent idea worth further consideration.

Can you please enter this request in our bug/feature tracking system at 
Google Code?

http://code.google.com/p/owasp-esapi-java/issues/entry

Thanks for your feedback, Nicholas,
-- 
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net



All, 

I'm considering using ESAPI for my Java web application; however, I have 
some questions/concerns. 

I was looking at the Authenticator class for Java and noticed methods for 
"verifyPasswordStrength" and "generateStrongPassword".  I would like to 
use both methods to augment our existing portal architecture which does 
not support (or at least is not obvious to me) password strength checking 
other than requiring passwords of a configurable length.  As the portal 
handles the authentication for our application, I wasn't keen on trying to 
map the internal portal SDK to the Authenticator Interface, just to get 
support for password strength validation.  I may be alone in my thinking, 
but shouldn't these stand-alone methods be moved to a separate concrete 
class with static implementations of the methods?  Or at minimum another 
interface, AuthenticatorUtil for instance, that has these methods and can 
be overridden to provide a custom implementation or the base reference 
implementation can be used.   

I'd be happy to hear an alternative proposal to what I suggested, as I'm 
new to ESAPI, or even an alternative way of doing what I've suggested. 

Nicholas Choate 


_______________________________________________
Esapi-user mailing list
Esapi-user at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/esapi-user
 



