[Esapi-user] Database-based Authentication

Chris Schmidt chrisisbeef at gmail.com
Fri Jun 25 09:14:29 EDT 2010

Hi Owen,

First off, this is absolutely the right place to ask these types of  

Now, to answer, you will need to adapt your own class and use the file  
based authenticator as a 'template' for doing so. Your adapter will  
need to implement the Authenticator interface that is within ESAPI. If  
your authenticator needs to maintain any state you will need to make  
it a singleton. Once you have written your adapter, all you need to do  
is modify the ESAPI.properties file and change the authenticator class  
to the FQN of your adapter.

If you have any specific questions while implementing your ESAPI, feel  
free to ask here and we will help you.


Sent from my iPwn

On Jun 24, 2010, at 11:01 PM, Owen Berger <owen.k.berger at gmail.com>  

> Hello All,
> I am a new developer and have a question about adapting a
> work-in-progress website over to something that either uses the ESAPI
> library or its principles in most aspects of the security. Are you
> the right people to ask? If not, please don't read anything after
> this paragraph and please guide me to the proper forum.
> Thank you,
> Owen Berger
> My question, if this is the right place, concerns the Authenticator  
> portion of ESAPI, which seems to be interwoven in both session and  
> user management. My specific question is this, and sorry if it took  
> a while to get here - is there a Database-backed authentication
> mechanism out there, either by library or example? I wish to use the  
> ESAPI authenticator, but need one that isn't defaulted to the  
> FileBasedAuthenticator.  Has this been done, or do I simply need to  
> adapt the FileBasedAuthenticator to a new class with my own methods  
> that interact with the database, and call something like  
> DBAuthenticator auth = DBAuthenticator.getInstance()? Should the  
> authenticator then call my own account class that implements the  
> ESAPI User Interface? I am concerned that in creating all my own  
> stuff I will be missing something, or is that the whole point, that  
> ESAPI is just the stepping stone? Thank you again if you read this  
> far.
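
The following is an added example, not part of the original thread and not ESAPI's own code: a sketch of the database-backed state that an adapter implementing the Authenticator interface could hold as a singleton and call from its `verifyPassword()` method. The class name `DbCredentialStore`, the adapter name `com.example.DBAuthenticator`, the JNDI name, the `users` table layout (non-null `salt` and `pw_hash` columns) and the PBKDF2 parameters are all assumptions made for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

// Hypothetical helper owned by a DB-backed adapter, which would be selected in
// ESAPI.properties with: ESAPI.Authenticator=com.example.DBAuthenticator (assumed FQN)
public final class DbCredentialStore {
    private static final byte[] DUMMY = new byte[32]; // stand-in when the account is unknown
    private static DbCredentialStore instance;
    private final DataSource ds;

    private DbCredentialStore(DataSource ds) { this.ds = ds; }

    // One shared instance, following the singleton advice for adapters that keep state.
    public static synchronized DbCredentialStore getInstance() throws NamingException {
        if (instance == null) {
            // Assumed JNDI name; the container owns the connection pool.
            instance = new DbCredentialStore(
                (DataSource) new InitialContext().lookup("java:comp/env/jdbc/appdb"));
        }
        return instance;
    }

    // Returns true only when the derived hash matches the stored one exactly.
    public boolean verify(String accountName, char[] password)
            throws SQLException, GeneralSecurityException {
        byte[] salt = DUMMY, stored = DUMMY;
        boolean found = false;
        // Assumed schema: users(account_name, salt, pw_hash). Bound parameter, no concatenation.
        String sql = "SELECT salt, pw_hash FROM users WHERE account_name = ?";
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, accountName);
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next()) { salt = rs.getBytes(1); stored = rs.getBytes(2); found = true; }
            }
        }
        // Derive even for unknown accounts so response time does not reveal which names exist.
        byte[] derived = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
            .generateSecret(new PBEKeySpec(password, salt, 210_000, 256)).getEncoded();
        return found & MessageDigest.isEqual(derived, stored); // constant-time comparison
    }
}
```

The rest of the Authenticator interface (session handling, user creation, lockout) still has to be written in the adapter itself, using the file-based authenticator as the template the reply describes.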