[Esapi-user] Couple of questions about AbstractAuthenticator / getting started with ESAPI

Daniel Studds daniel.studds at gmail.com
Tue Aug 14 00:50:28 UTC 2012

Hi all

I'm just trying to get started with ESAPI. I'm using 2.0m. I'm working on
an AJAX app and don't know much about security, so rather than try to roll
something quick and dirty, I thought I'd try to use this. I've set up a
WebFilter to make sure users are logged in for all requests. The login
request is a POST. Subsequent requests are a mixture of GET (static files
eg Javascript & CSS) and POST (all my AJAX calls are POST). I hit upon a
few issues while setting this up:

AbstractAuthenticator has references to DefaultUser throughout - should
these be pointing to the User interface?
AbstractAuthenticator.login() validates that all requests are POST
requests, even if the user is already logged in and the retrieved from the
session: is this the intended behaviour?

I've more-or-less just duplicated the FileBasedAuthenticator, and I
replaced the AbstractAuthenticator with my own implementation updated with
the changes above as a quick-and-dirty hack to get it working. My plan from
here is to migrate away from the FileBaseAuthenticator to my own
authenticator backed by the DB as I have time...

Does anyone have any hints/tips about the two questions above, or anything


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/esapi-user/attachments/20120814/098c7ec4/attachment.html>

More information about the Esapi-user mailing list