[Esapi-user] Upgrade Guide for ESAPI 1.4 users

Kevin W. Wall kevin.w.wall at gmail.com
Thu Jul 14 00:36:18 EDT 2011


On Wed, Jul 13, 2011 at 4:45 PM, Rob Spremulli
<rob.spremulli+esapi at gmail.com> wrote:
> Now that 2.0 is finally released, is there any documentation regarding
> an upgrade path from 1.4 to 2.0?  Things like the ESAPI class have
> been modified to remove set methods, and I know there were major
> overhauls to the validators and encoders, which were extended in 1.4.

Rob,
What sort of thing did you have in mind...something that provides a
method-by-method
different (if so, see jdiff, below) or something higher level, such as something
at the class or even package level?

I can speak for the major part that I worked on, which was the symmetric
encryption methods (encrypt / decrypt methods). If you were using the
symmetric encryption from ESAPI 1.4, you need to burn that code to the
ground and use the ESAPI 2.0 Encryptor interface. (I would not recommend
using the deprecated APIs either.)

Details of why the symmetric encryption was redone is described in this doc:
<http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-readme-crypto-changes.html>

> Short of doing a diff of the source code, is there any guide for
> remediation of changes between 1.4 and 2.0?

I'd try jdiff (http://javadiff.sourceforge.net/) before I'd resort to
diffing the source files. Jdiff gives you a HTML report of the API
diffs by looking at differences in the generated Javadoc.

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein


More information about the Esapi-user mailing list