[Esapi-user] Has anyone created a "UserEffect" kind of ESAPI control...

Boberski, Michael [USA] boberski_michael at bah.com
Mon Apr 26 13:03:13 EDT 2010

Jeff and Jim, thanks.

I think based on your responses, there might be a fourth (maybe more?) “design pattern” related to validation lifecycle as you call it, to be extracted and added here: http://code.google.com/p/owasp-esapi-java/wiki/esapi4java_v2_Design_patterns

I’ll think about it further…

Thanks both,


Mike B.

From: Jim Manico [mailto:jim.manico at owasp.org]
Sent: Monday, April 26, 2010 11:15 AM
To: Boberski, Michael [USA]
Cc: ESAPI-Users; ESAPI-Developers
Subject: Re: [Esapi-user] Has anyone created a "UserEffect" kind of ESAPI control...


I use the ValidationGroup class to ensure that each validation attempt for each field still fires even if the first one fails. Then I check if that list is empty and act accordingly. I pass error messages from the controller to the UI via a request attribute - so that the header tile of my app will list the error messages. I also access the error list at my body tile so I can highlight certain fields that are in error.

This is the "full lifecycle" of validation and I think ESAPI covers it well.

Most validation errors are just honest user mistakes - missing a required field or adding a bad character that breaks a regex.

But for validation errors that are extrodinary - I just use the IntrusionDetector.

Forgive me if I'm missing something sir. :) Can you explain to me just one more time were this proposal fits into the validation lifecycle?

Jim Manico

On Apr 26, 2010, at 7:56 AM, "Boberski, Michael [USA]" <boberski_michael at bah.com<mailto:boberski_michael at bah.com>> wrote:
… that triggers on failures, regardless of IntrusionDetector use/configuration?

E.g., to wrap HTTP 500 error message generation, or e.g. to do a lookup for some kind of context-specific error to display on a user form, and hook this up to other ESAPI controls?


if( !validator.isValidXX() ) {
    ESAPI.effect().rejectUserInput(); //maybe, generate an HTTP 500, cause a form error, ?

This would be towards the end of standardizing how e.g. user input validation failures (ESAPI isWhatever failures and failures causing exceptions to be thrown more generally) should be handled. I think by adding an interface to ESAPI might help proactively answer (and promote the wrapping and standardization of security-relevant behaviors inside of ESAPI) what is one of the first questions dev teams ask me on how to use ESAPI.

If I’m missing something obvious, please be kind, and explain what the/a preferred approach using ESAPI is, to wrap and standardize such things for an application, generally/according to best practices.


Mike B.
Esapi-user mailing list
Esapi-user at lists.owasp.org<mailto:Esapi-user at lists.owasp.org>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/esapi-user/attachments/20100426/df77f1de/attachment.html 

More information about the Esapi-user mailing list