[Esapi-user] ESAPI authentication problem

Kevin W. Wall kevin.w.wall at gmail.com
Thu Jul 12 00:51:56 UTC 2012


On Wed, Jul 11, 2012 at 12:58 PM, Emmanouil Prekas <grad1107 at di.uoa.gr> wrote:
> Hello
> Does the esapi log in has any problem or i am doing something wrong. I use
> this command user.loginWithPassword(request.getParameter("password*")); to
> log my user after check if everything exist but later when i am checking
> with the command theuser=ESAPI.authenticator().getCurrentUser(); to
> retrieve the logged user sometimes the user is logged and sometimes not.
> Am i doing something wrong? Should i do something else? What i have not
> think and it does not work?
> Thank you very much

You probably need to call

    ESAPI.httpUtilities().setCurrentHTTP(request, response)

so ESAPI can access your current HttpServletRequest & HttpServletResponse
objects, but I can't say for sure. I'm basing that on 1) my foggy recollection,
and 2) what I see in src/main/java/org/owasp/esapi/filter/ESAPIFilter.java.

Of course, it may be more difficult than that too. The other place to check
out how ESAPI does this is in OWASP ESAPI Swingset
(https://www.owasp.org/index.php/ESAPI_Swingset).  I'm swamped
with other things, so perhaps one of the other ESAPI developers can
jump in here and either confirm or correct what I said. Also, I do
remember one other thing... if you implement this as your own
JavaEE servlet filter, you have to call ESAPI.clearCurrent()
before you return from your servlet filter.

Oh, one last thing...the ESAPI "reference" Authenticator is really only a
toy implementation. If you want to use ESAPI with something real
like a corporate LDAP directory or AD or Kerberos, etc. you have
to write your own Authenticator. You can use the reference
FileBasedAuthenticator
as a model.

HTH,
-kevin

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein


More information about the Esapi-user mailing list