[Esapi-user] Database-based Authentication

Owen Berger owen.k.berger at gmail.com
Fri Jun 25 20:38:49 EDT 2010

Thank very much for the response!

So to clarify, I need to:

--- Create the DatabaseAuthenticator class as a singleton,

public enum DBAuthenticator implements org.owasp.esapi.Authenticator {

    /* All Authenticator methods and fields here, adapted to the
application's Database Interactivity needs... */

--- Implement the User interface with my own Account object,

public class DataUser implements org.owasp.esapi.User {
    /* All User methods and fields here, along with my own Application
specific methods and fields... */

--- Change the correct line in ESAPI.properties to the FQN of
DBAuthenticator ,

And then, in my application,

HTTPSession session = ESAPI.currentRequest().getSession(false);
DataUser account =

Would that work? I'm not trying to be lazy, it is just going to take me
awhile to adapt all of my current code to this stuff, and I want to get the
big picture beforehand.
Is there something I am missing about the interdepencies of the classes
Also, is it okay to use the default implementations of any of the ESAPI
classes, such as calls to ESAPI.validator(), or are all classes and methods
merely meant to be templates?
I noticed that the FileBasedAuthenticator extends AbstractAuthenticator,
should I be extending or implementing Authenticator?
Am I asking too many questions? :)

Thank you again,

Owen Berger

On Fri, Jun 25, 2010 at 6:14 AM, Chris Schmidt <chrisisbeef at gmail.com>wrote:

> Hi Owen,
> First off, this is absolutely the right place to ask these types of
> questions.
> Now, to answer, you will need to adapt your own class and use the file
> based authenticator as a 'template' for doing so. Your adapter will need to
> implement the Authenticator interface that is within ESAPI. If your
> authenticator needs to maintain any state you will need to make it a
> singleton. Once you have written your adapter, all you need to do is modify
> the ESAPI.properties file and change the authenticator class to the FQN of
> your adapter.
> If you have any specific questions while implementing your ESAPI, feel free
> to ask here and we will help you.
> Thanks,
> Chris
> Sent from my iPwn
> On Jun 24, 2010, at 11:01 PM, Owen Berger <owen.k.berger at gmail.com> wrote:
> Hello All,
> I am a new developer and have a question about adapting a work-in-progress
> website over to something that either uses the ESAPI library or its
> principles in most aspects of the security. Are you the right people to ask?
> If not, please don't read anything after this paragraph and please guide to
> me to the proper forum.
> Thank you,
> Owen Berger
> My question, if this is the right place, concerns the Authenticator portion
> of ESAPI, which seems to be interwoven in both session and user management.
> My specific question is this, and sorry if it took awhile to get here - is
> there a Database-backed authentication mechanism out there, either by
> library or example? I wish to use the ESAPI authenticator, but need one that
> isn't defaulted to the FileBasedAuthenticator.  Has this been done, or do I
> simply need to adapt the FileBasedAuthenticator to a new class with my own
> methods that interact with the database, and call something like
> DBAuthenticator auth = DBAuthenticator.getInstance()? Should the
> authenticator then call my own account class that implements the ESAPI User
> Interface? I am concerned that in creating all my own stuff I will be
> missing something, or is that the whole point, that ESAPI is just the
> stepping stone? Thank you again if you read this far.
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/esapi-user/attachments/20100625/4104da63/attachment.html 

More information about the Esapi-user mailing list