[Esapi-user] Database-based Authentication

Brent Shikoski brent.shikoski at gmail.com
Fri Jun 25 22:47:43 EDT 2010


I would encourage you to extend
org.owasp.esapi.reference.AbstractAuthenticator and
org.owasp.esapi.reference.DefaultUser, I've done it in my code with great
success.  I didn't see the need to duplicate functionality that was already
there and probably do a worse job at it.

As far as this code goes:

*HTTPSession session = ESAPI.currentRequest().**getSession(false);*
*DataUser account = DBAuthenticator.INSTANCE.**getUser((String)session.**
To get the first line to work, something does need to set the current
request, take a look at org.owasp.esapi.filters.ESAPIFilter.
The code on the second line in most cases should be more like:
**User user = ESAPI.authenticator().login();*
User user = ESAPI.authenticator().getCurrentUser();*

Of course it depends on exactly what you are trying to accomplish, but you
should reference the interfaces wherever you can instead of the

I hope you find this useful,

On Fri, Jun 25, 2010 at 7:38 PM, Owen Berger <owen.k.berger at gmail.com>wrote:

> Thank very much for the response!
> So to clarify, I need to:
> --- Create the DatabaseAuthenticator class as a singleton,
> public enum DBAuthenticator implements org.owasp.esapi.Authenticator {
>     /* All Authenticator methods and fields here, adapted to the
> application's Database Interactivity needs... */
> }
> --- Implement the User interface with my own Account object,
> public class DataUser implements org.owasp.esapi.User {
>     /* All User methods and fields here, along with my own Application
> specific methods and fields... */
> }
> --- Change the correct line in ESAPI.properties to the FQN of
> DBAuthenticator ,
> And then, in my application,
> HTTPSession session = ESAPI.currentRequest().getSession(false);
> DataUser account =
> DBAuthenticator.INSTANCE.getUser((String)session.getAttribute("username"));
> account.doSomething();
> Would that work? I'm not trying to be lazy, it is just going to take me
> awhile to adapt all of my current code to this stuff, and I want to get the
> big picture beforehand.
> Is there something I am missing about the interdepencies of the classes
> involved?
> Also, is it okay to use the default implementations of any of the ESAPI
> classes, such as calls to ESAPI.validator(), or are all classes and methods
> merely meant to be templates?
> I noticed that the FileBasedAuthenticator extends AbstractAuthenticator,
> should I be extending or implementing Authenticator?
> Am I asking too many questions? :)
> Thank you again,
> Owen Berger
> On Fri, Jun 25, 2010 at 6:14 AM, Chris Schmidt <chrisisbeef at gmail.com>wrote:
>> Hi Owen,
>> First off, this is absolutely the right place to ask these types of
>> questions.
>> Now, to answer, you will need to adapt your own class and use the file
>> based authenticator as a 'template' for doing so. Your adapter will need to
>> implement the Authenticator interface that is within ESAPI. If your
>> authenticator needs to maintain any state you will need to make it a
>> singleton. Once you have written your adapter, all you need to do is modify
>> the ESAPI.properties file and change the authenticator class to the FQN of
>> your adapter.
>> If you have any specific questions while implementing your ESAPI, feel
>> free to ask here and we will help you.
>> Thanks,
>> Chris
>> Sent from my iPwn
>> On Jun 24, 2010, at 11:01 PM, Owen Berger <owen.k.berger at gmail.com>
>> wrote:
>> Hello All,
>> I am a new developer and have a question about adapting a work-in-progress
>> website over to something that either uses the ESAPI library or its
>> principles in most aspects of the security. Are you the right people to ask?
>> If not, please don't read anything after this paragraph and please guide to
>> me to the proper forum.
>> Thank you,
>> Owen Berger
>> My question, if this is the right place, concerns the Authenticator
>> portion of ESAPI, which seems to be interwoven in both session and user
>> management. My specific question is this, and sorry if it took awhile to get
>> here - is there a Database-backed authentication mechanism out there, either
>> by library or example? I wish to use the ESAPI authenticator, but need one
>> that isn't defaulted to the FileBasedAuthenticator.  Has this been done, or
>> do I simply need to adapt the FileBasedAuthenticator to a new class with my
>> own methods that interact with the database, and call something like
>> DBAuthenticator auth = DBAuthenticator.getInstance()? Should the
>> authenticator then call my own account class that implements the ESAPI User
>> Interface? I am concerned that in creating all my own stuff I will be
>> missing something, or is that the whole point, that ESAPI is just the
>> stepping stone? Thank you again if you read this far.
>> _______________________________________________
>> Esapi-user mailing list
>> Esapi-user at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/esapi-user
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/esapi-user/attachments/20100625/9bbcb299/attachment.html 

More information about the Esapi-user mailing list