[Esapi-user] Has anyone created a "UserEffect" kind of ESAPI control...

Jim Manico jim.manico at owasp.org
Mon Apr 26 11:15:13 EDT 2010


Mike,

I use the ValidationGroup class to ensure that each validation attempt  
for each field still fires even if the first one fails. Then I check  
if that list is empty and act accordingly. I pass error messages from  
the controller to the UI via a request attribute - so that the header  
tile of my app will list the error messages. I also access the error  
list at my body tile so I can highlight certain fields that are in  
error.

This is the "full lifecycle" of validation and I think ESAPI covers it  
well.

Most validation errors are just honest user mistakes - missing a  
required field or adding a bad character that breaks a regex.

But for validation errors that are extraordinary - I just use the  
IntrusionDetector.

Forgive me if I'm missing something sir. :) Can you explain to me just  
one more time where this proposal fits into the validation lifecycle?

Jim Manico

On Apr 26, 2010, at 7:56 AM, "Boberski, Michael [USA]" <boberski_michael at bah.com> wrote:

> … that triggers on failures, regardless of IntrusionDetector use/configuration?
>
> E.g., to wrap HTTP 500 error message generation, or e.g. to do a
> lookup for some kind of context-specific error to display on a user
> form, and hook this up to other ESAPI controls?
>
> E.g.,
>
> if( !validator.isValidXX() ) {
>     ESAPI.effect().rejectUserInput(); //maybe, generate an HTTP 500, cause a form error, ?
> }
>
> This would be towards the end of standardizing how e.g. user input
> validation failures (ESAPI isWhatever failures and failures causing
> exceptions to be thrown more generally) should be handled. I think
> adding an interface to ESAPI might help proactively answer (and
> promote the wrapping and standardization of security-relevant
> behaviors inside of ESAPI) what is one of the first questions dev
> teams ask me on how to use ESAPI.
>
> If I’m missing something obvious, please be kind, and explain what the/a
> preferred approach using ESAPI is, to wrap and standardize such
> things for an application, generally/according to best practices.
>
> Best,
>
> Mike B.
>
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
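The lifecycle Jim describes above (collect every field's failure in one error list, hand the list to the header and body tiles through request attributes, and escalate only the unusual case to the IntrusionDetector), as an added Java sketch that is not from the thread or from ESAPI itself. It targets the ESAPI 2.x API; the controller, field names, view names, the "TamperedHiddenField" event name and the assumption that "Email" and "SafeString" are defined in validation.properties are all mine.

```java
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.ValidationErrorList;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

/** Hypothetical controller; names and views are assumptions, not ESAPI's own. */
public class ProfileFormController {

    /** Validates every field; with an error list, each failure is recorded and checking continues. */
    public ValidationErrorList validate(HttpServletRequest req) {
        ValidationErrorList errors = new ValidationErrorList();
        // getValidInput with an error list records the failure under the context name
        // and returns null instead of throwing, so the next field is still checked.
        ESAPI.validator().getValidInput("email", req.getParameter("email"), "Email", 254, false, errors);
        ESAPI.validator().getValidInput("displayName", req.getParameter("displayName"), "SafeString", 50, false, errors);
        // Assumed hidden field: a user never edits it by hand, so a failure here
        // is not an honest mistake and is treated as the "extraordinary" case.
        ESAPI.validator().getValidInput("profileId", req.getParameter("profileId"), "SafeString", 20, false, errors);
        return errors;
    }

    /** Returns the view to render and fills the attributes the header and body tiles read. */
    public String handle(HttpServletRequest req) {
        ValidationErrorList errors = validate(req);
        if (errors.isEmpty()) {
            return "profileSaved";
        }
        List<String> messages = new ArrayList<>();
        List<String> badFields = new ArrayList<>();
        for (ValidationException vex : errors.errors()) {
            badFields.add(vex.getContext());
            // getUserMessage() is meant for display; getLogMessage() may echo the raw input, so keep it in the log.
            messages.add(vex.getContext() + ": " + vex.getUserMessage());
        }
        if (errors.getError("profileId") != null) {
            try {
                // Named events are thresholded in ESAPI.properties via
                // IntrusionDetector.event.TamperedHiddenField.count / .interval / .actions
                ESAPI.intrusionDetector().addEvent("TamperedHiddenField", "profileId failed validation");
            } catch (IntrusionException ie) {
                return "accessDenied"; // threshold exceeded; the configured actions (log/logout/disable) already ran
            }
        }
        req.setAttribute("errorMessages", messages); // header tile lists these
        req.setAttribute("errorFields", badFields);  // body tile highlights these inputs
        return "profileForm";
    }
}
```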