[Esapi-user] Database-based Authentication

Jim Manico jim.manico at owasp.org
Sat Jun 26 03:44:45 EDT 2010


I've implemented my own ESAPI Authenticator using Hibernate in the past. 
I implemented everything from scratch using the reference implementation 
code as a guide.

I basically made a copy of the reference implementation code, renamed it 
"HibernateAuthenticator", and just modified it as appropriate. I chose 
not to implement several functions that I just didn't need at the time - 
so I threw "Not Implemented" RuntimeExceptions as a placeholder.

I also extended the reference user class, placed that custom user class 
in session, and just casted to my class when calling /getCurrentUser./

/JimsUser user = (//JimsUser)//ESAPI.authenticator().getCurrentUser();/

It took a few hours, maybe a day of work, before I had all of the basics 
working well. It should really be a simple process to roll your own 
ESAPI authenticator, Owen.

- Jim

> Owen,
> I would encourage you to extend 
> org.owasp.esapi.reference.AbstractAuthenticator and 
> org.owasp.esapi.reference.DefaultUser, I've done it in my code with 
> great success.  I didn't see the need to duplicate functionality that 
> was already there and probably do a worse job at it.
> As far as this code goes:
> /HTTPSession session = ESAPI.currentRequest().//getSession(false);/
> /DataUser account = 
> DBAuthenticator.INSTANCE.//getUser((String)session.//getAttribute("username"));/
> /account.doSomething();
> /
> To get the first line to work, something does need to set the current 
> request, take a look at org.owasp.esapi.filters.ESAPIFilter.
> The code on the second line in most cases should be more like:
> /
> //User user = ESAPI.authenticator().login();/
> /or
> User user = ESAPI.authenticator().getCurrentUser();/
> Of course it depends on exactly what you are trying to accomplish, but 
> you should reference the interfaces wherever you can instead of the 
> implementations.
> I hope you find this useful,
> Brent
> On Fri, Jun 25, 2010 at 7:38 PM, Owen Berger <owen.k.berger at gmail.com 
> <mailto:owen.k.berger at gmail.com>> wrote:
>     Thank very much for the response!
>     So to clarify, I need to: 
>     --- Create the DatabaseAuthenticator class as a singleton,
>     public enum DBAuthenticator implements org.owasp.esapi.Authenticator {
>         INSTANCE;
>         /* All Authenticator methods and fields here, adapted to the
>     application's Database Interactivity needs... */
>     }
>     --- Implement the User interface with my own Account object,
>     public class DataUser implements org.owasp.esapi.User {
>         /* All User methods and fields here, along with my own
>     Application specific methods and fields... */
>     }
>     --- Change the correct line in ESAPI.properties to the FQN of
>     DBAuthenticator ,
>     And then, in my application, 
>     HTTPSession session = ESAPI.currentRequest().getSession(false);
>     DataUser account =
>     DBAuthenticator.INSTANCE.getUser((String)session.getAttribute("username"));
>     account.doSomething();
>     Would that work? I'm not trying to be lazy, it is just going to
>     take me awhile to adapt all of my current code to this stuff, and
>     I want to get the big picture beforehand.
>     Is there something I am missing about the interdepencies of the
>     classes involved? 
>     Also, is it okay to use the default implementations of any of the
>     ESAPI classes, such as calls to ESAPI.validator(), or are all
>     classes and methods merely meant to be templates?
>     I noticed that the FileBasedAuthenticator extends
>     AbstractAuthenticator, should I be extending or implementing
>     Authenticator?
>     Am I asking too many questions? :)
>     Thank you again,
>     Owen Berger
>     On Fri, Jun 25, 2010 at 6:14 AM, Chris Schmidt
>     <chrisisbeef at gmail.com <mailto:chrisisbeef at gmail.com>> wrote:
>         Hi Owen,
>         First off, this is absolutely the right place to ask these
>         types of questions.
>         Now, to answer, you will need to adapt your own class and use
>         the file based authenticator as a 'template' for doing so.
>         Your adapter will need to implement the Authenticator
>         interface that is within ESAPI. If your authenticator needs to
>         maintain any state you will need to make it a singleton. Once
>         you have written your adapter, all you need to do is modify
>         the ESAPI.properties file and change the authenticator class
>         to the FQN of your adapter. 
>         If you have any specific questions while implementing your
>         ESAPI, feel free to ask here and we will help you.
>         Thanks,
>         Chris
>         Sent from my iPwn
>         On Jun 24, 2010, at 11:01 PM, Owen Berger
>         <owen.k.berger at gmail.com <mailto:owen.k.berger at gmail.com>> wrote:
>>         Hello All,
>>         I am a new developer and have a question about adapting a
>>         work-in-progress website over to something that either uses
>>         the ESAPI library or its principles in most aspects of the
>>         security. Are you the right people to ask? If not, please
>>         don't read anything after this paragraph and please guide to
>>         me to the proper forum.
>>         Thank you,
>>         Owen Berger
>>         My question, if this is the right place, concerns the
>>         Authenticator portion of ESAPI, which seems to be interwoven
>>         in both session and user management. My specific question is
>>         this, and sorry if it took awhile to get here - is there a
>>         Database-backed authentication mechanism out there, either by
>>         library or example? I wish to use the ESAPI authenticator,
>>         but need one that isn't defaulted to the
>>         FileBasedAuthenticator.  Has this been done, or do I simply
>>         need to adapt the FileBasedAuthenticator to a new class with
>>         my own methods that interact with the database, and call
>>         something like DBAuthenticator auth =
>>         DBAuthenticator.getInstance()? Should the authenticator then
>>         call my own account class that implements the ESAPI User
>>         Interface? I am concerned that in creating all my own stuff I
>>         will be missing something, or is that the whole point, that
>>         ESAPI is just the stepping stone? Thank you again if you read
>>         this far.
>>         _______________________________________________
>>         Esapi-user mailing list
>>         Esapi-user at lists.owasp.org <mailto:Esapi-user at lists.owasp.org>
>>         https://lists.owasp.org/mailman/listinfo/esapi-user
>     _______________________________________________
>     Esapi-user mailing list
>     Esapi-user at lists.owasp.org <mailto:Esapi-user at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/esapi-user
> ------------------------------------------------------------------------
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user

Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/esapi-user/attachments/20100625/fb64a81c/attachment.html 

More information about the Esapi-user mailing list