[OWASP-ESAPI] Differences between IAuthenticator and the concrete implementation

Rogan Dawes lists at dawes.za.net
Mon Feb 4 08:29:00 EST 2008

Hi Jeff, list*

I am busy updating the esapi code to use the * interfaces wherever 
possible, rather than hardcoding use of particular implementations.

One place that I have encountered differences between what is 
implemented (and used) in the concrete class, vs what is defined in the 
interface, is the Authenticator class.

Authenticator defines getCurrentRequest() and getCurrentResponse() 
methods which are used by the concrete User class. However, these 
methods are not defined in IAuthenticator.

Is this by design, or just omission?

I can understand that you don't want to tie ESAPI too closely to web 
applications, so maybe it would be inappropriate to add these methods to 
the IAuthenticator interface.

Maybe it would be more appropriate to just have a getter and setter for 
the "lastHostAddress", and let the particular IAuthenticator 
implementation set that when it authenticates the request?

Following this logic, in my opinion, User could/should be a simple data 
object that doesn't implement any real functionality itself, but rather 
delegates to the current IAuthenticator implementation to do any actual 
work. Then implementors of custom IAuthenticators would not need to 
implement a User class, but could simply make use of the one provided.

Currently, there is a lot of duplication between User and Authenticator, 
which has led to bugs (e.g. an Admin trying to log out a user ends up 
logging himself out).

What do you think?


More information about the OWASP-ESAPI mailing list