[Esapi-user] Authenticator

Jim Manico jim.manico at owasp.org
Wed Apr 21 16:07:08 EDT 2010


Fantastic, thank you!
- Jim

>
> Jim,
>
> I entered Issue 118 into the bug/feature tracking system.
>
> Thanks for your help.
>
> Nicholas Choate
>
> Jim Manico <jim.manico at owasp.org>
> Sent by: esapi-user-bounces at lists.owasp.org
> 04/21/2010 09:31 AM
> To: NChoate at fruit.com
> cc: esapi-user at lists.owasp.org
> Subject: Re: [Esapi-user] Authenticator
>
> This is an excellent idea worth further consideration.
>
> Can you please enter this request in our bug/feature tracking system 
> at Google Code?
> http://code.google.com/p/owasp-esapi-java/issues/entry
>
> Thanks for your feedback, Nicholas,
> -- 
> Jim Manico
> OWASP Podcast Host/Producer
> OWASP ESAPI Project Manager
> http://www.manico.net
>
> All,
>
> I'm considering using ESAPI for my Java web application, however I 
> have some questions/concerns.
>
> I was looking at the Authenticator class for Java and noticed methods 
> for "verifyPasswordStrength" and "generateStrongPassword".  I would 
> like to use both methods to augment our existing portal architecture 
> which does not support (or at least is not obvious to me) password 
> strength checking other than requiring passwords of a configurable 
> length.  As the portal handles the authentication for our application, 
> I wasn't keen on trying to map the internal portal SDK to the 
> Authenticator Interface, just to get support for password strength 
> validation.  I may be alone in my thinking, but shouldn't these 
> stand-alone methods be moved to a separate concrete class with static 
> implementations of the methods?  Or at minimum another interface, 
> AuthenticatorUtil for instance, that has these methods and can be 
> overridden to provide a custom implementation or the base reference 
> implementation can be used.
>
> I'd be happy to hear an alternative proposal to what I suggested, as 
> I'm new to ESAPI, or even an alternative way of doing what I've 
> suggested.
>
> Nicholas Choate
>
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user


-- 
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net
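
Added example, not part of the original thread and not ESAPI code: a sketch of the separation proposed in the quoted message, with the two password methods behind a small `AuthenticatorUtil` interface (the name suggested in the post) and one reference implementation that needs no user store or login logic. The method signatures, the `DefaultAuthenticatorUtil` class, the exception type, and the policy (minimum length, three of four character classes, different from the old password) are assumptions for illustration.

```java
import java.security.SecureRandom;
// Assumed reference implementation; ESAPI's own Authenticator is not used or reproduced here.
public class DefaultAuthenticatorUtil implements AuthenticatorUtil {
    private static final String[] CLASSES = {
        "abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "0123456789", "!@#$%^&*-_=+?"
    };
    private static final SecureRandom RNG = new SecureRandom();
    private final int minLength;
    public DefaultAuthenticatorUtil(int minLength) { this.minLength = minLength; }

    @Override
    public void verifyPasswordStrength(String oldPassword, String newPassword) {
        if (newPassword == null || newPassword.length() < minLength)
            throw new IllegalArgumentException("password shorter than " + minLength + " characters");
        if (newPassword.equals(oldPassword))
            throw new IllegalArgumentException("new password must differ from the old one");
        int present = 0;
        for (String set : CLASSES)
            if (newPassword.chars().anyMatch(c -> set.indexOf(c) >= 0)) present++;
        if (present < 3)
            throw new IllegalArgumentException("password needs at least 3 of 4 character classes");
    }

    @Override
    public String generateStrongPassword() {
        String all = String.join("", CLASSES);
        char[] out = new char[Math.max(minLength, 12)];
        for (int i = 0; i < out.length; i++) {   // one character from each class first, then any class
            String src = i < CLASSES.length ? CLASSES[i] : all;
            out[i] = src.charAt(RNG.nextInt(src.length()));
        }
        for (int i = out.length - 1; i > 0; i--) { // Fisher-Yates shuffle hides the class positions
            int j = RNG.nextInt(i + 1);
            char t = out[i]; out[i] = out[j]; out[j] = t;
        }
        return new String(out);
    }

    public static void main(String[] args) {
        AuthenticatorUtil util = new DefaultAuthenticatorUtil(8);
        String generated = util.generateStrongPassword();
        util.verifyPasswordStrength("Old#Pass1", generated); // constructed old password; throws on failure
        System.out.println("generated password of length " + generated.length() + " passes the policy");
    }
}
// Hypothetical interface using the name from the post; signatures are assumptions.
interface AuthenticatorUtil {
    void verifyPasswordStrength(String oldPassword, String newPassword);
    String generateStrongPassword();
}
```

An application whose portal owns authentication could call such a utility at password-change time and swap in its own implementation of the interface without touching the rest of the authenticator contract.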
