[Esapi-user] help

Kevin W. Wall kevin.w.wall at gmail.com
Thu Aug 16 06:12:03 UTC 2012


I'm confused...if you allow POSTs for everything else, you surely want to
allow a POST for Login.jsp. If you use GET for Login.jsp, then passwords
will end up in your server logs.

-kevin
Sent from my Droid; please excuse typos.
On Aug 16, 2012 2:00 AM, "Nithya2 B" <nithya2.b at tcs.com> wrote:

> Hi,
>
> I'm using ESAPI for some security-related issues in one of my apps.
>
> I just have a query on that.
>
> We wanted to deny all HTTP GET methods and allow only POST methods, except
> for Login.jsp.
> Please let me know the configuration.
>
> The following configuration is blocking the login screen from appearing, as
> it is a GET request.
>
> <url-rules>
>   <restrict-extension deny=".jpg" />
>   <restrict-method deny="GET" path=".*\/MyApp/.action$" />
>   <restrict-method allow="(POST|TRACE)" />
>
>   <enforce-https path="/.*">
>     <path-exception>/MyApp/</path-exception>
>     <path-exception>/MyApp/Login.jsp</path-exception>
>     <path-exception type="regex">/MyApp/images/.*</path-exception>
>     <path-exception type="regex">/MyApp/css/.*</path-exception>
>     <path-exception type="regex">/MyApp/js/.*</path-exception>
>     <path-exception type="regex">/help/.*</path-exception>
>   </enforce-https>
> </url-rules>
>
> Thanks
> Nithya B
> Tata Consultancy Services
> Mailto: nithya2.b at tcs.com
> Website: http://www.tcs.com
>
>
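The method policy Kevin describes, as an added example that is not ESAPI WAF configuration and not code from either poster: a plain servlet filter that allows POST everywhere, allows GET only on the login page so the browser can render it, and refuses every other method with 405. The class name, the `/Login.jsp` servlet path (context path `/MyApp` already stripped by `getServletPath()`) and the choice to deny HEAD/TRACE/OPTIONS are assumptions for the example; the login form itself must still submit with `method="post"`, otherwise the password lands in the query string and therefore in the access log.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of ESAPI): POST is permitted for every path,
 * GET only for the paths a browser must be able to fetch to render a page
 * (here just the login page). Credentials entered on that page must still be
 * sent with POST: a GET form puts the password into the query string, and
 * query strings are written to access logs, proxy logs and browser history.
 */
public class MethodPolicyFilter implements Filter {

    /** Servlet-relative paths that may be requested with GET (assumed for the example). */
    private static final Set<String> GET_ALLOWED = Collections.singleton("/Login.jsp");

    /** Pure policy decision, kept container-free so it can be unit-tested directly. */
    static boolean isAllowed(String method, String servletPath) {
        if ("POST".equals(method)) {
            return true;                      // POST is the default for everything
        }
        if ("GET".equals(method)) {
            return GET_ALLOWED.contains(servletPath);
        }
        return false;                         // HEAD, TRACE, PUT, OPTIONS, ... denied
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isAllowed(request.getMethod(), request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }

        // Refuse with 405 and advertise the permitted methods. Nothing from the
        // request (least of all its query string) is echoed into the response
        // or the application log.
        boolean getOk = GET_ALLOWED.contains(request.getServletPath());
        response.setHeader("Allow", getOk ? "GET, POST" : "POST");
        response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // no configuration needed for the example
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Map the filter in web.xml with a `<filter-mapping>` whose `<url-pattern>` is `/*`. If static resources such as the `/MyApp/images/`, `/MyApp/css/` and `/MyApp/js/` paths exempted from HTTPS in the posted configuration are served through the same filter, their paths (or a prefix check) also need to be added to the GET allow set, since browsers fetch them with GET.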

