[OWASP-ESAPI] Differences between IAuthenticator and the concrete implementation
lists at dawes.za.net
Mon Feb 4 08:29:00 EST 2008
Hi Jeff, list*

I am busy updating the esapi code to use the * interfaces wherever
possible, rather than hardcoding use of particular implementations.

One place that I have encountered differences between what is
implemented (and used) in the concrete class, vs what is defined in the
interface, is the Authenticator class.

Authenticator defines getCurrentRequest() and getCurrentResponse()
methods which are used by the concrete User class. However, these
methods are not defined in IAuthenticator.

Is this by design, or just omission?

I can understand that you don't want to tie ESAPI too closely to web
applications, so maybe it would be inappropriate to add these methods to
the IAuthenticator interface.

Maybe it would be more appropriate to just have a getter and setter for
the "lastHostAddress", and let the particular IAuthenticator
implementation set that when it authenticates the request?

Following this logic, in my opinion, User could/should be a simple data
object that doesn't implement any real functionality itself, but rather
delegates to the current IAuthenticator implementation to do any actual
work. Then implementors of custom IAuthenticators would not need to
implement a User class, but could simply make use of the one provided.

Currently, there is a lot of duplication between User and Authenticator,
which has led to bugs (e.g. an Admin trying to log out a user ends up
logging himself out).

What do you think?
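The design sketched in the message above (User as a plain data object that delegates to the authenticator, the authenticator setting "lastHostAddress" when it authenticates, and one logout implementation instead of duplicated logic), as an added Java example. This is not code from the original post or from ESAPI itself: the interface, class and method names are hypothetical and only mirror the words used in the message, ThreadLocal stands in for per-request scope, and the "ignoring argument" method deliberately reproduces the kind of duplicated-logic bug the post describes (an admin logging out another user and logging himself out instead) so that it can be contrasted with the delegating design.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical interface mirroring the names in the post. This is NOT the real
// ESAPI IAuthenticator; request/response access is deliberately left out.
interface IAuthenticator {
    User login(String accountName, String hostAddress);
    void logout(User user);   // acts on the user passed in, never on the caller
    User getCurrentUser();
}

// User as a plain data object: state only, behaviour delegated to the authenticator.
final class User {
    private final String accountName;
    private String lastHostAddress;
    private boolean loggedIn;

    User(String accountName) { this.accountName = accountName; }

    String getAccountName()            { return accountName; }
    String getLastHostAddress()        { return lastHostAddress; }
    void setLastHostAddress(String h)  { lastHostAddress = h; }
    boolean isLoggedIn()               { return loggedIn; }
    void setLoggedIn(boolean v)        { loggedIn = v; }

    // No logout logic lives here; the single implementation is in the authenticator.
    void logout(IAuthenticator auth)   { auth.logout(this); }
}

// Hypothetical implementation. ThreadLocal stands in for per-request scope.
class SimpleAuthenticator implements IAuthenticator {
    private final Map<String, User> accounts = new HashMap<>();
    private final ThreadLocal<User> current = new ThreadLocal<>();

    @Override
    public User login(String accountName, String hostAddress) {
        User u = accounts.computeIfAbsent(accountName, User::new);
        u.setLastHostAddress(hostAddress); // the authenticator records the host
        u.setLoggedIn(true);
        current.set(u);                    // the caller of this request is now "current"
        return u;
    }

    @Override
    public User getCurrentUser() { return current.get(); }

    // Single logout implementation: terminates the given user's session and clears
    // the request's current user only when it is that same user.
    @Override
    public void logout(User user) {
        user.setLoggedIn(false);
        if (user == current.get()) {
            current.remove();
        }
    }

    // The failure mode the post mentions, reproduced deliberately: a second copy of
    // the logout logic that ignores its argument and acts on whoever is current.
    public void logoutIgnoringArgument(User ignored) {
        User me = current.get();
        if (me != null) {
            me.setLoggedIn(false);
            current.remove();
        }
    }
}

public class LogoutDemo {
    public static void main(String[] args) {
        SimpleAuthenticator auth = new SimpleAuthenticator();
        User alice = auth.login("alice", "10.0.0.5");
        User admin = auth.login("admin", "10.0.0.1"); // admin is the current user now

        // Duplicated logic: the admin tries to log alice out.
        auth.logoutIgnoringArgument(alice);
        System.out.println("after buggy logout: admin=" + admin.isLoggedIn()
                + " alice=" + alice.isLoggedIn());

        // Delegating design: the same action through the single implementation.
        admin = auth.login("admin", "10.0.0.1");
        alice.logout(auth);
        System.out.println("after delegated logout: admin=" + admin.isLoggedIn()
                + " alice=" + alice.isLoggedIn()
                + " current=" + auth.getCurrentUser().getAccountName());
    }
}
```

Save as LogoutDemo.java, then `javac LogoutDemo.java && java LogoutDemo`. The first call shows the bug: the admin, being the current user, is the one logged out while alice's session survives. The second call goes through the one logout implementation via User's delegating method, so alice is logged out and the admin remains current. Keeping the host address inside login() is the "getter and setter for lastHostAddress" idea from the post: the authenticator knows where the request came from, so neither User nor IAuthenticator needs to expose the servlet request or response.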