[Esapi-user] Exploring ESAPI identity management

Boberski, Michael [USA] boberski_michael at bah.com
Tue Jan 19 11:47:49 EST 2010

Here is a picture of what I mean (if it doesn't make it through, I'll post it and send the link). Does it look right?

[cid:211444416 at 19012010-1002]

Mike B.

From: esapi-user-bounces at lists.owasp.org [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Boberski, Michael [USA]
Sent: Tuesday, January 19, 2010 9:04 AM
To: ESAPI-Users
Subject: [Esapi-user] Exploring ESAPI identity management


I'm working on a first language-independent ESAPI design spec, for authentication. It will be posted for review and comment once there's at least something in each of the sections.

One section/topic that I would like to try to explore a little bit before I put pen to paper is "identity management" as described/defined in the current draft of the ESAPI "Establishing a Security API for Your Enterprise" book.

Let us say that we have a single Java application that is using ESAPI user and authentication controls. In this case, getCurrentUser and whatnot work together to create a new user object after authentication, regenerate the session identifier, and so on.

How might identity management using ESAPI be intended to work when one has an application comprised of multiple servers integrated together, mixing programming languages and solution stacks?

E.g., let us say we have a PHP application running on a LAMP solution stack and a separate C# application running on a Windows solution stack (IIS), and now we want to integrate the two: we want to be able to navigate between the two separate web user interfaces and log in and out correctly. How might identity management work using ESAPI in this scenario? Assume that the ESAPI for PHP user and authentication interfaces exist and are implemented in a similar fashion to the Java version, and that the ESAPI for .NET user and authentication interfaces do not exist, as IIS/Windows provides basically equivalent functionality. How might the ESAPI for PHP user and authentication reference implementation need to be modified? Would the ESAPI for .NET need user and authentication implementations in this instance, e.g. to retrieve session information produced by the PHP application?

Thanks in advance, and remember I publish what I work on when it comes to ESAPI, so your help == helping the project and the user community. The end goal is to come up with an explanation that says with ESAPI and some custom coding, one doesn't need to go buy a commercial SSO web portal type product.

Thanks in advance,


Mike B.
