[Esapi-user] Has anyone created a "UserEffect" kind of ESAPI control...

Boberski, Michael [USA] boberski_michael at bah.com
Mon Apr 26 10:56:22 EDT 2010


... that triggers on failures, regardless of IntrusionDetector use/configuration?

E.g., to wrap HTTP 500 error message generation, or e.g. to do a lookup for some kind of context-specific error to display on a user form, and hook this up to other ESAPI controls?

E.g.,

if( !validator.isValidXX() ) {
    ESAPI.effect().rejectUserInput(); //maybe, generate an HTTP 500, cause a form error, ?
}

This would be towards the end of standardizing how e.g. user input validation failures (ESAPI isWhatever failures and failures causing exceptions to be thrown more generally) should be handled. I think adding an interface to ESAPI might help proactively answer (and promote the wrapping and standardization of security-relevant behaviors inside of ESAPI) what is one of the first questions dev teams ask me on how to use ESAPI.

If I'm missing something obvious, please be kind, and explain what the/a preferred approach using ESAPI is, to wrap and standardize such things for an application, generally/according to best practices.

Best,

Mike B.
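
An added sketch of the kind of control the message asks about, not code from the original post or from ESAPI: UserEffect, FormErrorEffect, Response and ValidationFailure are hypothetical names, and the ZIP rule and sample inputs are constructed. It routes every validation failure through one handler that returns a generic form error to the user and keeps the detail, with line breaks neutralized, in the log.

```java
import java.util.*;
import java.util.regex.Pattern;
// Illustration only: UserEffect, FormErrorEffect, Response and
// ValidationFailure are hypothetical names, not ESAPI classes.
public class UserEffectDemo {
    /** A failure that carries a safe user message and a detailed log message. */
    static class ValidationFailure extends Exception {
        final String field, logMessage;
        ValidationFailure(String field, String userMessage, String logMessage) {
            super(userMessage);
            this.field = field;
            this.logMessage = logMessage;
        }
    }
    /** What the application shows the user: a status plus per-field errors. */
    record Response(int status, Map<String, String> fieldErrors) {}

    /** The single place that decides how a rejected input affects the user. */
    interface UserEffect { Response rejectUserInput(ValidationFailure f); }

    /** Form policy: HTTP 400, generic text to the user, detail to the log only. */
    static class FormErrorEffect implements UserEffect {
        final List<String> auditLog = new ArrayList<>();
        public Response rejectUserInput(ValidationFailure f) {
            // Replace CR/LF so rejected input cannot start a new log line.
            auditLog.add(f.field + ": " + f.logMessage.replaceAll("[\\r\\n]", "_"));
            return new Response(400, Map.of(f.field, f.getMessage()));
        }
    }
    static final Pattern ZIP = Pattern.compile("^\\d{5}$"); // constructed rule

    /** Returns the input unchanged when valid, otherwise throws. */
    static String validZip(String input) throws ValidationFailure {
        if (input == null || !ZIP.matcher(input).matches())
            throw new ValidationFailure("zip", "Invalid ZIP code.",
                    "zip failed ^\\d{5}$, input=" + input);
        return input;
    }
    public static void main(String[] args) {
        FormErrorEffect effect = new FormErrorEffect();
        // Constructed inputs: one valid, one invalid with an embedded line break.
        for (String in : new String[] {"20500", "1234\r\nsecond line"}) {
            try {
                System.out.println("accepted " + validZip(in));
            } catch (ValidationFailure f) {
                System.out.println(effect.rejectUserInput(f) + " log=" + effect.auditLog);
            }
        }
    }
}
```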

