[Esapi-user] using SafeRequest

Kevin W. Wall kevin.w.wall at gmail.com
Tue Jul 26 23:32:01 EDT 2011

On Tue, Jul 26, 2011 at 10:48 PM, Normando Macaraeg
<nmacaraeg at jaspersoft.com> wrote:
> Hi,
> Using the ESAPI Book as my guide, it looks like when I find code that
> looks like:
> HttpSession session = request.getSession(); // unsafe session
> I should change the code to this:
> HttpSession session = new SafeRequest( request ).getSession(); // safe
> session
> But the book says this works only if I enable the ESAPIFilter.  How do I
> enable the ESAPIFilter?

You configure it just like any other Java Servlet filter.
In your WEB-INF/web.xml file, you would do something like

    <web-app id="myWebApp">
      <filter>
        <filter-name>ESAPIFilter</filter-name>
        <filter-class>org.owasp.esapi.filters.ESAPIFilter</filter-class>
        <!-- Note: Not sure it has any parameters. Check the source code or
             ask Jeff Williams. I don't have time right now. However, this is
             how you specify parameters. You can have more than one
             init-param section. -->
        <init-param>
          <param-name>exampleParam</param-name> <!-- placeholder name -->
          <param-value>Hello, World</param-value>
        </init-param>
      </filter>
      <filter-mapping>
        <filter-name>ESAPIFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
    </web-app>

The exact syntax may be slightly different depending on what
Servlet Spec your JavaEE / servlet container adheres to. Shown
above is for Servlet Spec 2.4.

Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
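As an added illustration (my own sketch, not ESAPI's ESAPIFilter and not code from the thread above), here is the shape of a servlet filter that performs the SafeRequest wrapping once, at the front of the chain, so that servlets and JSPs downstream get the wrapped request from the container and their existing request.getSession() calls go through it without each call site having to construct SafeRequest itself. It assumes the org.owasp.esapi.filters.SafeRequest class named in the question and a Servlet 2.4-era javax.servlet API; the package and class name of the filter are placeholders.

```java
package example; // placeholder package, not part of ESAPI

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Assumed location of SafeRequest in the ESAPI release the question refers to.
import org.owasp.esapi.filters.SafeRequest;

/**
 * Illustrative filter (not ESAPI's own ESAPIFilter): wraps each
 * HttpServletRequest in SafeRequest before handing it down the chain,
 * so code that later calls request.getSession() is talking to the
 * wrapper rather than the raw container request.
 */
public class SafeRequestWrappingFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // Any <init-param> values from web.xml arrive via config here;
        // this example needs none.
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        ServletRequest downstream = req;
        // Only HTTP requests can be wrapped; anything else passes through untouched.
        if (req instanceof HttpServletRequest) {
            downstream = new SafeRequest((HttpServletRequest) req);
        }
        chain.doFilter(downstream, resp);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

The filter does nothing until it is declared in web.xml with a matching <filter-mapping>; a url-pattern of /* is what makes every request pass through it, and a filter that is declared but never mapped is the usual reason the wrapping "silently" does not happen.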
