[Owasp-appsensor-project] Custom AppSensorSecurityConfiguration
Theo van Niekerk
theovn at owasp.org
Wed Aug 24 09:24:52 EDT 2011
Thanks for your reply - I'll try and file a bug/issue.
I store the Master-key (password protected) in a Key-store (also password protected).
My app has an obscure webpage that asks for these 2 passwords to load the Master-key in memory, where it is kept.
The app won't run - returns 503 on most dynamic pages - unless the key is loaded.
Downside is on a server restart, an operator needs to enter the passwords.
Upside is that one can make the statement that 2 operators each with their own password are required to start the app.
I think that if you are not involved/aware of a server/app restart then you are doing something wrong.
I don't mind sharing/contributing the code - it works for me, but it's not a work of art.
On 24 Aug 2011, at 14:54, John Melton wrote:
> In short, this is currently not possible with AppSensor. Could you file a
> bug at http://code.google.com/p/appsensor/issues/list so that we can track
> this and get the functionality added in to handle it?
> Also, just a quick question - if you can offer specifics, what are you doing
> generally to "encrypt/protect the key"? I know a lot of folks have
> complained that they would like to separate the master key out to another
> file, but it's not encrypted then - just filesystem controls on the actual
> key file. The issue is if you encrypt it, then you have another key to
> manage ... so what are you actually doing?
> On Wed, Aug 24, 2011 at 7:52 AM, Theo van Niekerk <theovn at owasp.org> wrote:
>> I'm using my own SecurityConfiguration class for ESAPI. I have a
>> requirement to protect/encrypt the Master key and the
>> DefaultSecurityConfiguration setup can't do that.
>> I want to use AppSensor, but it requires ESAPI to use the
>> I can adapt my own SecurityConfiguration to include the
>> AppSensorSecurityConfiguration stuff but how do I configure AppSensor to use
>> this config. AppSensor ignores the
>> -Dorg.owasp.esapi.SecurityConfiguration=... setting.
>> What to do?
>> Owasp-appsensor-project mailing list
>> Owasp-appsensor-project at lists.owasp.org
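The two-operator setup Theo describes, written out as an added Java sketch that is not his code and not part of ESAPI or AppSensor: one operator's password opens a JCEKS keystore, the other's unlocks the master-key entry inside it, and a servlet filter mapped to the dynamic pages answers 503 until both have been entered. The class, filter, alias and path names are assumptions; a custom ESAPI `SecurityConfiguration` would return `MasterKeyHolder.masterKeyBytes()` from its `getMasterKey()`.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/** Holds the ESAPI master key in memory once both operators have entered their passwords (hypothetical class). */
public final class MasterKeyHolder {
    private static volatile SecretKey masterKey;   // null until load() succeeds
    public static boolean isLoaded() { return masterKey != null; }

    /** What a custom SecurityConfiguration.getMasterKey() would hand to ESAPI. */
    public static byte[] masterKeyBytes() {
        SecretKey k = masterKey;
        if (k == null) throw new IllegalStateException("master key not loaded yet");
        return k.getEncoded();
    }

    /** Operator 1 knows the keystore password, operator 2 the key-entry password. */
    public static synchronized void load(Path keystoreFile, String alias,
                                         char[] storePassword, char[] keyPassword) throws Exception {
        try {
            KeyStore ks = KeyStore.getInstance("JCEKS");      // JCEKS can store SecretKey entries
            try (InputStream in = Files.newInputStream(keystoreFile)) {
                ks.load(in, storePassword);                   // wrong store password -> IOException
            }
            Key k = ks.getKey(alias, keyPassword);            // wrong key password -> UnrecoverableKeyException
            if (!(k instanceof SecretKey)) throw new IllegalStateException("no secret key under alias " + alias);
            masterKey = (SecretKey) k;
        } finally {
            Arrays.fill(storePassword, '\0');                 // neither password stays in memory
            Arrays.fill(keyPassword, '\0');
        }
    }

    /** Mapped to the dynamic pages: returns 503 until the key is loaded, as in the setup described above. */
    public static final class KeyGateFilter implements Filter {
        public void init(FilterConfig cfg) {}
        public void destroy() {}
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            if (!isLoaded()) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
                return;
            }
            chain.doFilter(req, res);
        }
    }
}
```

The obscure load page would collect the two passwords as `char[]` and call `load(...)`; on a server restart the key is gone and the filter blocks the application again until the operators repeat the procedure.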