[Esapi-user] Feedback on ESAPI 1.4.2

Mungo Carstairs mungo_carstairs at standardlife.com
Tue Jan 26 10:22:07 EST 2010

Good to see this ported so quickly, much appreciated.
We are still on WebSphere 5.1 / Servlet 2.3 / JSP 1.2 so I had to remove a 
few unsupported methods (as per Esapi 1.4).
Also had to add an unimplemented method to ExecutorTest.Conf to get it to 
Can files named test* in folder src/main/resources be removed (are they 
for test only)?
Not sure about Validator.Redirect=^\\/test.*$. Should I change this to 
match Validator.HTTPURL?
I found the hint about setting "-Dorg.owasp.esapi.resources" in AllTests, 
but also had to set variable "basedir=." as not set by my environment.
Some tests that expect "C:\\Windows" fail on our desktops (XP) which have 
"C:\\WINNT" instead.
Otherwise just failures in EncoderTest.testDoubleEncodingCanonicalization. 
I see that these match the test results in the distribution.
I mark accessController(), authenticator(), intrusionDetector() and 
ESAPIFilter as deprecated, as they don't coexist with our existing 
Isn't this better abstracted out of the application layer into the 
container (e.g. using JAAS)?

Regards and honour,


Mungo Carstairs
Senior Systems Developer
Business Solutions
Standard Life Employee Services Limited

Tel:    +44 (0)131 246 2785
