[Esapi-user] using SafeRequest

Kevin W. Wall kevin.w.wall at gmail.com
Tue Jul 26 23:32:01 EDT 2011


On Tue, Jul 26, 2011 at 10:48 PM, Normando Macaraeg
<nmacaraeg at jaspersoft.com> wrote:
> Hi,
>
> Using the ESAPI Book as my guide, it looks like when I find code that
> looks like:
>
> HttpSession session = request.getSession(); // unsafe session
>
> I should change the code to this:
>
> HttpSession session = new SafeRequest( request ).getSession(); // safe
> session
>
> But the book says this works only if I enable the ESAPIFilter.  How do I
> enable the ESAPIFilter?

You configure it just like any other Java Servlet filter.
In your WEB-INF/web.xml file, you would do something like
this:

    <web-app id="myWebApp">
        ...
        <filter>
            <filter-name>ESAPI-Filter</filter-name>
            <filter-class>org.owasp.esapi.filters.ESAPIFilter</filter-class>
            <!-- Note: Not sure it has any parameters. Check the
                 source code or ask Jeff Williams. I don't have time
                 right now. However, this is how you specify
                 parameters. You can have more than one init-param
                 section. -->
            <init-param>
                <param-name>greetings</param-name>
                <param-value>Hello, World</param-value>
            </init-param>
        </filter>

        <filter-mapping>
            <filter-name>ESAPI-Filter</filter-name>
            <url-pattern>/images/*</url-pattern>
        </filter-mapping>
        ...
    </web-app>

The exact syntax may be slightly different depending on what
Servlet Spec your JavaEE / servlet container adheres to. Shown
above is for Servlet Spec 2.4.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
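To show the mechanism the question is about, here is an added example (not part of the original mail and not ESAPI's own ESAPIFilter, whose source should be consulted for its real behaviour and parameters): a minimal Servlet filter that wraps the incoming request in SafeRequest and hands the wrapped request down the chain, so code further along that calls request.getSession() gets the wrapped session without every call site being edited. It assumes that SafeRequest lives in the org.owasp.esapi.filters package, that it implements HttpServletRequest, and that its constructor takes an HttpServletRequest, as in the snippet quoted above; the class and filter name are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
// Assumption: SafeRequest lives in the same package as ESAPIFilter.
import org.owasp.esapi.filters.SafeRequest;

/**
 * Hypothetical wrapping filter for illustration only. It is NOT ESAPI's
 * ESAPIFilter; it only shows what "enabling a filter" buys you: every
 * request matched by the filter-mapping is replaced by a SafeRequest
 * before any servlet or JSP sees it.
 */
public class SafeRequestWrappingFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // No init-params are needed for this illustration.
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        ServletRequest wrapped = req;
        // Only HTTP requests can be wrapped; anything else is passed through untouched.
        if (req instanceof HttpServletRequest) {
            // Assumption: SafeRequest(HttpServletRequest) implements HttpServletRequest,
            // so downstream code can still cast to HttpServletRequest and call getSession().
            wrapped = new SafeRequest((HttpServletRequest) req);
        }
        chain.doFilter(wrapped, resp);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

Register it in WEB-INF/web.xml exactly like the ESAPI-Filter entry above, with a filter-mapping whose url-pattern covers every request you want wrapped; a narrow pattern such as /images/* leaves the rest of the application seeing the raw request, so /* is the usual choice when the goal is that request.getSession() everywhere returns the wrapped session.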
