[Esapi-user] Help on ESAPI For Controling access to URLs & Functions

Kevin W. Wall kevin.w.wall at gmail.com
Sat Aug 27 14:29:25 EDT 2011

On Sat, Aug 27, 2011 at 1:56 PM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
> I took this off list.
> The access control implementation that cones with esapi is a very basic
> file based acl implementation and is meant for demonstration purposes
> only (as is the case for the authenticator as well)

FWIW, my formal recommendation at CenturyLink that got ESAPI 2.0 officially
approved for use came with the caveat that they do NOT use the default
reference implementations of either Authenticator or AccessController for
production. That might give you a general idea of the maturity of those
two reference implementations.

> That being said, what you will want to do is determine what you want
> to use for access control - you can either roll your own or use
> something that already exists such as JAAS or Spring-Security. Once you
> have chosen you access control provider you will want to implement the
> AccessController interface as an adapter that fronts your access control
> component.

Chris, didn't you place something that integrated ESAPI's Authenticator
with Spring-Security authenticators in the 'contrib' section that might
be useful for this, at least as a starting point, for Somen?

Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein

More information about the Esapi-user mailing list