[Esapi-user] Has anyone created a "UserEffect" kind of ESAPI control...

Jeff Williams jeff.williams at aspectsecurity.com
Mon Apr 26 11:14:06 EDT 2010

ESAPI hasn't gone this far yet.  On the one hand, it would be great if
developers had a standard, consistent, understandable way to report
error messages (and other security-to-human interfaces).  But to date,
we have only gone as far as giving the developer a detailed error
message, an error list manager to collect multiple errors, and some
protection against shooting themselves in the foot in ESAPIResponse.


Every framework presumably already has a way to report errors to users,
and I'm not sure it's a good idea to try to create another one.  That
said, I think some guidance on hooking ESAPI up to frameworks for this
purpose would be great.  For example, you might put the Validation
message in an HttpServletRequest attribute, and then set up a standard
error page in web.xml that pulls the error message and displays it
nicely.  Something like highlighting form fields that are in error is a
bit more complex and tied into the framework itself, but really it's
just checking the ValidationErrorList as you're rendering the page.
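One way to wire up the approach described in the reply above (collect failures in a ValidationErrorList, put it in an HttpServletRequest attribute, read it back when the view renders), as an added Java example that is not code from this thread or from ESAPI itself. The "SafeString" and "Email" validator names are assumed to resolve to Validator.SafeString / Validator.Email entries in ESAPI.properties; the attribute name, field contexts and view path are illustrative assumptions:

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.ValidationErrorList;
import org.owasp.esapi.errors.ValidationException;

/*
 * Added example, not ESAPI's own code. Assumptions: "SafeString" and "Email"
 * are validator names defined in ESAPI.properties; the attribute name, the
 * field contexts and the view path below are illustrative.
 *
 * If you would rather use a container error page than an explicit forward,
 * call resp.sendError(400) instead of forward() and map it in web.xml; the
 * container dispatches to the error page with the same request object, so
 * the attribute set below is still readable there:
 *
 *   <error-page>
 *     <error-code>400</error-code>
 *     <location>/WEB-INF/views/validation-error.jsp</location>
 *   </error-page>
 */
public class SignupServlet extends HttpServlet {

    /** Request attribute under which the collected errors are handed to the view. */
    static final String ERRORS_ATTR = "esapi.validationErrors";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        ValidationErrorList errors = new ValidationErrorList();

        // The errorList overloads record each failure under its context instead of
        // throwing, so one pass over the form collects every bad field at once.
        String name = ESAPI.validator().getValidInput(
                "signup.name", req.getParameter("name"), "SafeString", 50, false, errors);
        String email = ESAPI.validator().getValidInput(
                "signup.email", req.getParameter("email"), "Email", 254, false, errors);

        if (!errors.isEmpty()) {
            req.setAttribute(ERRORS_ATTR, errors);
            // Forward, not redirect: a redirect starts a new request and loses the attribute.
            req.getRequestDispatcher("/WEB-INF/views/signup.jsp").forward(req, resp);
            return;
        }

        // Only reached when every field passed; name and email are the validated values.
        // ... application logic continues here with the validated values ...
        resp.sendRedirect(req.getContextPath() + "/welcome");
    }
}

/** View-side helpers; a JSP calls these, e.g. <%= ValidationView.fieldError(request, "signup.email") %>. */
final class ValidationView {
    private ValidationView() {}

    /** HTML-encoded user message for one field context, or "" when that field passed. */
    static String fieldError(HttpServletRequest req, String context) {
        ValidationErrorList errors = (ValidationErrorList) req.getAttribute(SignupServlet.ERRORS_ATTR);
        if (errors == null) return "";
        ValidationException e = errors.getError(context);
        // getUserMessage() is written for the end user. getLogMessage() may echo the
        // offending input and belongs in the log only, never in the page.
        return e == null ? "" : ESAPI.encoder().encodeForHTML(e.getUserMessage());
    }

    /** Every user message as an HTML list, for a generic error page. */
    static String summary(HttpServletRequest req) {
        ValidationErrorList errors = (ValidationErrorList) req.getAttribute(SignupServlet.ERRORS_ATTR);
        if (errors == null || errors.isEmpty()) return "";
        StringBuilder sb = new StringBuilder("<ul>");
        for (ValidationException e : errors.errors()) {
            sb.append("<li>").append(ESAPI.encoder().encodeForHTML(e.getUserMessage())).append("</li>");
        }
        return sb.append("</ul>").toString();
    }
}
```

Two points worth keeping in mind when adapting this. First, on a failure the errorList overload of getValidInput records the error and hands back the raw input rather than a canonicalized value, so always check the list before using any of the returned strings. Second, this user-facing handling is additive to, not a replacement for, the intrusion logic the question asks about: constructing a ValidationException already reports it to ESAPI.intrusionDetector() through the EnterpriseSecurityException constructor, so threshold-based responses still fire independently of how the form is re-rendered.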

From: esapi-user-bounces at lists.owasp.org [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Boberski, Michael [USA]
Sent: Monday, April 26, 2010 10:56 AM
To: ESAPI-Users
Subject: [Esapi-user] Has anyone created a "UserEffect" kind of ESAPI control...


... that triggers on failures, regardless of IntrusionDetector


E.g., to wrap HTTP 500 error message generation, or to do a lookup
for some kind of context-specific error to display on a user form, and
hook this up to other ESAPI controls?

if( !validator.isValidXX() ) {
    ESAPI.effect().rejectUserInput(); // maybe, generate an HTTP 500, cause a form error, ?
}

This would be towards the end of standardizing how e.g. user input
validation failures (ESAPI isWhatever failures and failures causing
exceptions to be thrown more generally) should be handled. I think
adding an interface to ESAPI might help proactively answer (and promote
the wrapping and standardization of security-relevant behaviors inside
of ESAPI) what is one of the first questions dev teams ask me about how
to use ESAPI.


If I'm missing something obvious, please be kind, and explain what the/a
preferred approach using ESAPI is, to wrap and standardize such things
for an application, generally/according to best practices.

Mike B.
