[Esapi-user] SecurityWrapper

Kevin W. Wall kevin.w.wall at gmail.com
Mon Nov 2 00:22:33 UTC 2015


On Wed, Oct 28, 2015 at 12:03 PM, Jorge Calderon <jcald1 at gmail.com> wrote:
> Is there a way to use the SecurityWrapper in JAX-WS and JAX-RS services?
>
> What assumptions are made about the data when it does
> canonicalization?  Does it canonicalize the data based on the
> Content-Type header in the request, or does it always assume the data
> is HTML form data?  What validator configuration key does it use,
> "SafeString"?
>
> I didn't see a key to validating entire XMLs.

SecurityWrapper, which uses SecurityWrapperRequest and SecurityWrapperResponse,
doesn't do much validation and encoding other than request and response
headers. (Okay, SecurityWrapperRequest also does some basic sanity
checks of request parameters, but that's just based on HTTPParameterValue.)

Attempting complete validation and output encoding is going to be
context specific. The SecurityWrapper filter just tries to take care
of the low hanging fruit.

If you want to validate JAX-WS, define XSDs and do the appropriate
XML validation in your code. If you are using JAX-RS with XML, do the
same. If you are using JSON, then do something equivalent and do
JSON "schema" validation.

Probably not the answer you were hoping for, but SecurityWrapper was not
intended for the purpose you seem to be hinting at.

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.
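As an added illustration of the advice above (validating a JAX-WS/JAX-RS XML payload against your own XSD in application code), the following is example code written for this page; it is not part of ESAPI or of the original thread. It uses only the JAXP classes in the Java standard library. The `order` schema, the `XsdPayloadCheck` class name and the three sample payloads are constructed for the example. The point it adds beyond the reply is the caveat a practitioner wants when doing this: parse with DOCTYPE declarations disallowed and external DTD/schema access disabled, so the schema check cannot be turned into an XXE or entity-expansion vector, and only then validate against the XSD.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XsdPayloadCheck {

    // Hypothetical schema for an "order" payload, constructed for this example.
    // It whitelists the shape, the id format and the quantity range.
    static final String ORDER_XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + " <xs:element name=\"order\">"
      + "  <xs:complexType><xs:sequence>"
      + "   <xs:element name=\"id\"><xs:simpleType>"
      + "    <xs:restriction base=\"xs:string\"><xs:pattern value=\"[A-Z0-9]{4,12}\"/></xs:restriction>"
      + "   </xs:simpleType></xs:element>"
      + "   <xs:element name=\"quantity\"><xs:simpleType>"
      + "    <xs:restriction base=\"xs:integer\"><xs:minInclusive value=\"1\"/><xs:maxInclusive value=\"1000\"/></xs:restriction>"
      + "   </xs:simpleType></xs:element>"
      + "  </xs:sequence></xs:complexType>"
      + " </xs:element>"
      + "</xs:schema>";

    // Compile the schema once (it is thread-safe); refuse any external fetches while doing so.
    static Schema loadSchema(String xsd) throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return sf.newSchema(new StreamSource(new StringReader(xsd)));
    }

    // Parse untrusted XML with DOCTYPE declarations rejected outright, which removes
    // external entities (XXE) and internal entity expansion ("billion laughs") as a class.
    static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);              // required for schema validation of the DOM
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Returns true only if the payload parses under the hardened settings AND conforms to the XSD.
    static boolean isValidOrder(Schema schema, String xml) {
        try {
            Document doc = parseHardened(xml);
            Validator v = schema.newValidator();   // Validator instances are not thread-safe; one per call
            v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            v.validate(new DOMSource(doc));
            return true;
        } catch (Exception e) {
            // Reject on any parse or validation failure; log e.getMessage() server-side, not to the client.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Schema schema = loadSchema(ORDER_XSD);

        // Constructed sample payloads.
        String good = "<order><id>AB1234</id><quantity>3</quantity></order>";
        String badRange = "<order><id>AB1234</id><quantity>5000</quantity></order>";
        String xxe = "<!DOCTYPE order [<!ENTITY x SYSTEM \"file:///etc/passwd\">]>"
                   + "<order><id>&x;</id><quantity>1</quantity></order>";

        System.out.println("well-formed, in range : " + isValidOrder(schema, good));      // true
        System.out.println("quantity out of range : " + isValidOrder(schema, badRange));  // false
        System.out.println("DOCTYPE / XXE attempt : " + isValidOrder(schema, xxe));       // false
    }
}
```

In a JAX-RS resource this check belongs in a `MessageBodyReader` or a filter that runs before the entity reaches your business code, and for JAX-WS the same `Schema` can be attached to the endpoint's `Unmarshaller` via `setSchema`. The DOM-then-validate split is deliberate: `Validator.validate` on a raw `StreamSource` would let the validator's own parser see a DOCTYPE before the schema ever applies.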

