[Esapi-user] ESAPI authentication problem

Fabio Cerullo fcerullo at gmail.com
Thu Jul 12 14:21:08 UTC 2012


Just to second Kevin here, I would recommend that you download ESAPI Swingset Interactive, which has several use cases of ESAPI.

Here is the link:

https://www.owasp.org/index.php/ESAPI_Swingset

Any questions, please let me know.

Fabio

On 11 Jul 2012, at 21:51, Kevin W. Wall wrote:

> On Wed, Jul 11, 2012 at 12:58 PM, Emmanouil Prekas <grad1107 at di.uoa.gr> wrote:
>> Hello,
>> Does the ESAPI login have any problem, or am I doing something wrong? I use
>> this command user.loginWithPassword(request.getParameter("password*")); to
>> log my user in after checking that everything exists, but later, when I check
>> with the command theuser=ESAPI.authenticator().getCurrentUser(); to
>> retrieve the logged-in user, sometimes the user is logged in and sometimes not.
>> Am I doing something wrong? Should I do something else? What have I not
>> thought of that makes it not work?
>> Thank you very much
> 
> You probably need to call
> 
>    ESAPI.httpUtilities().setCurrentHTTP(request, response)
> 
> so ESAPI can access your current HttpServletRequest & HttpServletResponse
> objects, but I can't say for sure. I'm basing that on 1) my foggy recollection,
> and 2) what I see in src/main/java/org/owasp/esapi/filter/ESAPIFilter.java.
> 
> Of course, it may be more difficult than that too. The other place to check
> out how ESAPI does this is in OWASP ESAPI Swingset
> (https://www.owasp.org/index.php/ESAPI_Swingset).  I'm swamped
> with other things, so perhaps one of the other ESAPI developers can
> jump in here and either confirm or correct what I said. Also, I do
> remember one other thing... if you implement this as your own
> JavaEE servlet filter, you have to call ESAPI.clearCurrent()
> before you return from your servlet filter.
> 
> Oh, one last thing...the ESAPI "reference" Authenticator is really only a
> toy implementation. If you want to use ESAPI with something real
> like a corporate LDAP directory or AD or Kerberos, etc. you have
> to write your own Authenticator. You can use the reference
> FileBasedAuthenticator
> as a model.
> 
> HTH,
> -kevin
> -- 
> Blog: http://off-the-wall-security.blogspot.com/
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We *cause* accidents."        -- Nathaniel Borenstein
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
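A servlet filter that does what Kevin describes, binding the request/response for ESAPI with setCurrentHTTP and releasing it with clearCurrent in a finally block. This is an added example, not code from the thread or from ESAPI itself; the class name EsapiContextFilter is made up, and it assumes ESAPI 2.x with the javax.servlet API and the reference FileBasedAuthenticator's login() behaviour.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.User;
import org.owasp.esapi.errors.AuthenticationException;

// Hypothetical filter: gives ESAPI the current HttpServletRequest/Response for
// the duration of one request, so getCurrentUser() has a session to look at.
public class EsapiContextFilter implements Filter {

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        try {
            // Kevin's first point: ESAPI keeps request/response in thread-local
            // storage and must be told about them before the authenticator is used.
            ESAPI.httpUtilities().setCurrentHTTP(request, response);

            // Re-establish the user on every request: the reference authenticator
            // restores it from the ESAPI session, or verifies posted credentials,
            // and throws AuthenticationException when it can find neither.
            User user = ESAPI.authenticator().login(request, response);
            request.setAttribute("esapiUser", user.getAccountName());

            // Downstream code can now rely on ESAPI.authenticator().getCurrentUser().
            chain.doFilter(request, response);
        } catch (AuthenticationException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } finally {
            // Kevin's second point: clear thread-local state even on exceptions,
            // otherwise the next request served by this pooled thread inherits it.
            ESAPI.clearCurrent();
        }
    }

    @Override
    public void destroy() { }
}
```

Map the filter to the protected URL pattern in web.xml; the intermittent "sometimes logged in, sometimes not" symptom in the question is what you would expect when a pooled thread reaches getCurrentUser() without this binding having been done for the current request.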
