[Esapi-user] Exploring ESAPI identity management

Boberski, Michael [USA] boberski_michael at bah.com
Wed Jan 20 08:58:23 EST 2010

Thanks for taking the time, as always.

Yeah, I'm a little confused as to whether or not ESAPI lends itself towards either. Those sound like examples of potentially reusable reference implementations, similar to LDAP in that sense.

The book specifically mentions identity management, which is where I got that from. I'm not really seeing how ESAPI helps with user account provisioning though; based on the descriptions I think what's really meant is SSO, but I'm trying to approach this using the terminology you're using. I was/am wondering if I'm not understanding a nuance or two here from what I've read of your writing on this.

So, I was trying to use a concrete example of a conglomeration of applications, as you put it, to figure out how ESAPI might be helpful, putting it all together, whatever the combination of the use of ESAPI's user, authentication, and access controls might ultimately be called. IdM is technically separate from SSO, and access control is certainly separate from either, but many products mix and match functions from each of the three, so I'm trying to see what ESAPI's mix of functionality is/is intended as.

Hopefully this clarifies? If not, I'll try again.

Mike B.

From: Jeff Williams [mailto:jeff.williams at aspectsecurity.com]
Sent: Wednesday, January 20, 2010 1:06 AM
To: Boberski, Michael [USA]; ESAPI-Users
Subject: RE: [Esapi-user] Exploring ESAPI identity management

Hi Mike,

I got a bit confused by the writeup, but I think you're working out how to use ESAPI to achieve SSO, right?  That's a bit different than identity management, at least to me.  Anyway, it's a very useful discussion since so many sites are really conglomerations of applications these days.  Rather than create yet another cookie-based SSO approach, I'd really like to see us head towards a SAML, OpenID, or other Identity 2.0 type solution.


From: esapi-user-bounces at lists.owasp.org [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Boberski, Michael [USA]
Sent: Tuesday, January 19, 2010 11:48 AM
To: ESAPI-Users
Subject: Re: [Esapi-user] Exploring ESAPI identity management

Here is a picture of what I mean (if it doesn't make it, I'll post it and send the link), does it look right:


Mike B.

From: esapi-user-bounces at lists.owasp.org [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Boberski, Michael [USA]
Sent: Tuesday, January 19, 2010 9:04 AM
To: ESAPI-Users
Subject: [Esapi-user] Exploring ESAPI identity management

I'm working on a first language-independent ESAPI design spec, for authentication. It will be posted for review and comment once there's at least something in each of the sections.

One section/topic that I would like to try to explore a little bit before I put pen to paper is "identity management" as described/defined in the current draft of the ESAPI "Establishing a Security API for Your Enterprise" book.

Let us say that we have a single Java application that is using ESAPI user and authentication controls. In this case, getCurrentUser and whatnot work together to create a new user object after authentication, regenerate the session identifier, and so on.

How might identity management using ESAPI be intended to work when one has an application comprised of multiple servers integrated together, mixing programming languages and solution stacks?

E.g., let us say we have a PHP application running on a LAMP solution stack, and a separate C# application running on a Windows solution stack (IIS), and now we want to integrate the two: we want to be able to navigate between the two separate web user interfaces, and log in and out correctly. How might identity management work using ESAPI in this scenario? Assume that the ESAPI for PHP user and authentication interfaces exist and are implemented in a similar fashion as the Java version, and that the ESAPI for .NET user and authentication interfaces do not exist, as IIS/Windows provides basically equivalent functionality. How might the ESAPI for PHP user and authentication reference implementation need to be modified? Would the ESAPI for .NET need user and authentication implementations in this instance, e.g. to retrieve session information produced by the PHP application?

Thanks in advance, and remember I publish what I work on when it comes to ESAPI, so your help == helping the project and the user community. The end goal is to come up with an explanation that says with ESAPI and some custom coding, one doesn't need to go buy a commercial SSO web portal type product.

Thanks in advance,


Mike B.
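As an added illustration, not code from the thread or from the ESAPI project: the single-application baseline Mike describes (login produces the current user, the session identifier is regenerated, state is cleared at the end of the request, logout invalidates the session) written as a servlet filter against the ESAPI for Java 2.x API. The filter name, the login page and logout path are assumptions, as is the choice to regenerate the session id only on a credential post.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.AuthenticationException;

// Hypothetical filter, mapped to the protected URL space in web.xml.
public class EsapiSessionFilter implements Filter {
    private static final String LOGIN_PAGE = "/login.jsp";  // assumed path
    private static final String LOGOUT_PATH = "/logout";    // assumed path

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        try {
            // Bind request/response to this thread so other ESAPI controls can see them.
            ESAPI.httpUtilities().setCurrentHTTP(request, response);

            // A credential post is the one moment a fresh session id is wanted.
            String userParam = ESAPI.securityConfiguration().getUsernameParameterName();
            boolean freshLogin = request.getParameter(userParam) != null;

            // login() accepts submitted credentials or a still-valid session,
            // records the User as current, and throws if neither is acceptable.
            ESAPI.authenticator().login(request, response);

            if (freshLogin) {
                // Discard the pre-authentication session id (fixation defence);
                // ESAPI copies the attributes and re-binds the User to the new session.
                ESAPI.httpUtilities().changeSessionIdentifier(request);
            }
            if (LOGOUT_PATH.equals(request.getServletPath())) {
                // logout() invalidates the session and clears the current user.
                ESAPI.authenticator().logout();
                response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
                return;
            }
            // Downstream code reaches the same object via ESAPI.authenticator().getCurrentUser().
            chain.doFilter(request, response);
        } catch (AuthenticationException e) {
            // No credentials and no usable session: send to the login form.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
        } finally {
            // Clear thread-bound state so nothing leaks into the next request on this thread.
            ESAPI.authenticator().clearCurrent();
            ESAPI.httpUtilities().clearCurrent();
        }
    }
}
```

The cross-application case in the question is exactly what this filter does not cover: the PHP side would have to issue something the .NET side can verify, which is why the reply steers towards SAML or OpenID rather than sharing the session above.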
