[Esapi-user] using SafeRequest
Kevin W. Wall
kevin.w.wall at gmail.com
Tue Jul 26 23:32:01 EDT 2011
On Tue, Jul 26, 2011 at 10:48 PM, Normando Macaraeg
<nmacaraeg at jaspersoft.com> wrote:
> Hi,
>
> Using the ESAPI Book as my guide, it looks like when I find code that
> looks like:
>
> HttpSession session = request.getSession(); // unsafe session
>
> I should change the code to this:
>
> HttpSession session = new SafeRequest( request ).getSession(); // safe session
>
> But the book says this works only if I enable the ESAPIFilter. How do I
> enable the ESAPIFilter?
You configure it just like any other Java Servlet filter.
In your WEB-INF/web.xml file, you would do something like
this:
<web-app id="myWebApp">
  ...
  <filter>
    <filter-name>ESAPI-Filter</filter-name>
    <filter-class>org.owasp.esapi.filters.ESAPIFilter</filter-class>
    <!-- Note: Not sure it has any parameters. Check the
         source code or ask Jeff Williams. I don't have time
         right now. However, this is how you specify
         parameters. You can have more than one init-param
         section. -->
    <init-param>
      <param-name>greetings</param-name>
      <param-value>Hello, World</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>ESAPI-Filter</filter-name>
    <url-pattern>/images/*</url-pattern>
  </filter-mapping>
  ...
</web-app>
The exact syntax may be slightly different depending on what
Servlet Spec your JavaEE / servlet container adheres to. Shown
above is for Servlet Spec 2.4.
-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents." -- Nathaniel Borenstein
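What a request-wrapping filter does once it is enabled in web.xml, as an added illustration that is not from this thread or from the ESAPI project: a hypothetical servlet Filter that performs the SafeRequest wrapping centrally so that servlets behind it receive the wrapped request instead of each one constructing a SafeRequest. It assumes the org.owasp.esapi.filters.SafeRequest class named in the thread and the Servlet 2.4 API; the class and package names are made up for the example.

```java
package com.example.web; // hypothetical package, not part of ESAPI

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.owasp.esapi.filters.SafeRequest; // class named in the thread (assumed)

/**
 * Illustrative filter (added example, not ESAPI's own ESAPIFilter).
 * Every HTTP request that matches the filter's url-pattern is wrapped in
 * SafeRequest before it is handed down the chain, so servlets and JSPs behind
 * the filter see the wrapper: their request.getSession() and
 * request.getParameter() calls go through SafeRequest without each caller
 * having to write new SafeRequest(request) itself.
 */
public class SafeRequestWrappingFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // An <init-param> declared in web.xml would be read here, e.g.
        // config.getInitParameter("greetings") for the parameter in the
        // web.xml fragment above; this example declares none.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);   // not an HTTP request: nothing to wrap
            return;
        }
        // From here on, everything later in the chain sees the wrapped request.
        HttpServletRequest safe = new SafeRequest((HttpServletRequest) req);
        chain.doFilter(safe, res);
    }

    public void destroy() {
        // nothing to release
    }
}
```

Map the filter in web.xml with `<url-pattern>/*</url-pattern>` so that every request passes through it; a narrower pattern such as the `/images/*` in the fragment above leaves requests outside that path unwrapped.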