[Esapi-user] Exploring ESAPI identity management

Jeff Williams jeff.williams at aspectsecurity.com
Wed Jan 20 01:05:56 EST 2010

Hi Mike,


I got a bit confused by the writeup, but I think you're working out how
to use ESAPI to achieve SSO, right?  That's a bit different than
identity management, at least to me.  Anyway, it's a very useful
discussion since so many sites are really conglomerations of
applications these days.  Rather than create yet another cookie-based
SSO approach, I'd really like to see us head towards a SAML, OpenID, or
other Identity 2.0 type solution.

From: esapi-user-bounces at lists.owasp.org
[mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Boberski,
Michael [USA]
Sent: Tuesday, January 19, 2010 11:48 AM
To: ESAPI-Users
Subject: Re: [Esapi-user] Exploring ESAPI identity management


Here is a picture of what I mean (if it doesn't make it, I'll post it
and send the link), does it look right:

Mike B.

From: esapi-user-bounces at lists.owasp.org
[mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Boberski,
Michael [USA]
Sent: Tuesday, January 19, 2010 9:04 AM
To: ESAPI-Users
Subject: [Esapi-user] Exploring ESAPI identity management

I'm working on a first language-independent ESAPI design spec, for
authentication. It will be posted for review and comment once there's at
least something in each of the sections.


One section/topic that I would like to try to explore a little bit
before I put pen to paper is "identity management" as described/defined
in the current draft of the ESAPI "Establishing a Security API for Your
Enterprise" book.


Let us say that we have a single Java application that is using ESAPI
user and authentication controls. In this case, getCurrentUser and
whatnot work together to create a new user object after authentication,
regenerate the session identifier, and so on.


How might identity management using ESAPI be intended to work when one
has an application comprised of multiple servers integrated together,
mixing programming languages and solution stacks?


E.g., let us say we have a PHP application running on a LAMP solution
stack and a separate C# application running on a Windows solution stack
(IIS), and now we want to integrate the two: we want to be able to
navigate between the two separate web user interfaces and log in and
out correctly. How might identity management work using ESAPI in this
scenario? Assume that the ESAPI for PHP user and authentication
interfaces exist and are implemented in a similar fashion to the Java
version, and that the ESAPI for .NET user and authentication interfaces
do not exist, as IIS/Windows provides basically equivalent
functionality. How might the ESAPI for PHP user and authentication
reference implementation need to be modified? Would the ESAPI for .NET
need user and authentication implementations in this instance, e.g. to
retrieve session information produced by the PHP application?


Thanks in advance, and remember I publish what I work on when it comes
to ESAPI, so your help == helping the project and the user community.
The end goal is to come up with an explanation that says with ESAPI and
some custom coding, one doesn't need to go buy a commercial SSO web
portal type product.


Thanks in advance,

Mike B.
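The single-application Java flow that Mike's original message sketches (authenticate, bind a User object as the current user, regenerate the session identifier, and later log out) is easier to reason about in code than in prose. The filter below is an added example written for this archive page, not code from the ESAPI project or from anyone in the thread. It uses only the public ESAPI 2.x Java calls ESAPI.httpUtilities().setCurrentHTTP()/clearCurrent() and ESAPI.authenticator().login()/logout()/getCurrentUser()/clearCurrent(); the package name, class name and the /login and /logout paths are hypothetical. It assumes ESAPI 2.x on the classpath with a valid ESAPI.properties, and it assumes the reference authenticator rotates the session id on a successful credential login, which is the behaviour the message describes.

```java
package example; // hypothetical package, not part of ESAPI

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.User;
import org.owasp.esapi.errors.AuthenticationException;

// Added example: one servlet filter that runs the ESAPI authentication flow
// for every request of a single Java application (the "single application"
// case from the thread, before any cross-stack SSO is attempted).
public class EsapiLoginFilter implements Filter {

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        try {
            // Make the request/response pair available to the ESAPI controls
            // (the authenticator reads credentials and the session from here).
            ESAPI.httpUtilities().setCurrentHTTP(request, response);

            // login() resolves the caller from submitted credentials or from an
            // existing authenticated session, creates/binds the User object as
            // the current user, and on a fresh credential login the reference
            // implementation replaces the session identifier, so a session id
            // fixed before authentication is not carried over. It throws on
            // missing or bad credentials, so code after this line only runs
            // for an authenticated user.
            User user = ESAPI.authenticator().login(request, response);

            if ("/logout".equals(request.getServletPath())) {
                // logout() invalidates the session and clears the current user.
                ESAPI.authenticator().logout();
                response.sendRedirect(request.getContextPath() + "/login");
                return;
            }

            // Downstream servlets should depend on getCurrentUser(), never on
            // raw request parameters or cookies, for the caller's identity.
            User current = ESAPI.authenticator().getCurrentUser();
            request.setAttribute("accountName", current.getAccountName());
            chain.doFilter(request, response);

        } catch (AuthenticationException e) {
            // Failed or absent login: redirect rather than echo the failure
            // detail to the client; ESAPI has already logged the event.
            response.sendRedirect(request.getContextPath() + "/login");

        } finally {
            // Never leave a User or request bound to a pooled container thread,
            // or the next request on that thread could inherit the identity.
            ESAPI.authenticator().clearCurrent();
            ESAPI.httpUtilities().clearCurrent();
        }
    }
}
```

Mapping the filter to the thread's question: everything the second application would need from the first (who the user is, that they are logged in, when that login expires) lives in this filter's thread-local User and the container session, neither of which crosses a LAMP/IIS boundary. That is exactly the gap a federation protocol such as SAML or OpenID, as Jeff suggests, is meant to bridge with signed assertions rather than a shared cookie.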


