[OWASP-ESAPI] Methods in concrete implementations that do not appear in the interfaces

Rogan Dawes lists at dawes.za.net
Tue Feb 5 12:01:12 EST 2008

Hi folks,

I am in the process of migrating all direct references to the security 
service classes (Authenticator, AccessController, etc) to using an ESAPI 
locator class.

I have encountered a few methods that are used in the concrete 
implementations that are not defined in the interfaces, necessitating 
casting. This is clearly counter to the objective of using a locator 
class, returning an Interface, so I'd like to sort this problem out.

SecurityConfiguration: getResourceDirectory()
SecurityConfiguration: getValidationPattern(pattern)
SecurityConfiguration: getResponseContentType()
SecurityConfiguration: getLogEncodingRequired()

Authenticator: getCurrentRequest()
Authenticator: getCurrentResponse()
Authenticator: logout()
Authenticator: setCurrentHTTP(request, response)

HTTPUtilities: changeSessionIdentifier()

As Jeff suggested in private mail, some of the concrete implementations 
are tied quite closely to each other (e.g. Authenticator and 
SecurityConfiguration / AccessController and SecurityConfiguration both 
use the getResourceDirectory() method to find their particular config 
files). Fair enough.

But what about the others? Do you think that we would be doing a 
disservice to our users by adding the above methods to the relevant 
interface? Is it tying the ESAPI too closely to a particular technology 
(i.e. HTTP)? That argument is kind of nullified by the existence of 
HttpUtilities to start with, in my opinion, amongst other things (e.g. 
IAuthenticator.login(request, response)).

What do you think?


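The problem the post describes, as an added illustration that is not ESAPI code and not part of the original message: a locator hands out an interface, the default implementation carries an extra method (logout) that the interface lacks, and application code that casts to reach it keeps compiling but breaks at runtime the moment a different implementation is plugged in. IAuthenticator, FileAuthenticator, LdapAuthenticator, HttpExchange and the ESAPI locator below are simplified stand-ins for the real classes named above, not their actual signatures.

```java
// Added illustration for this thread; it is not ESAPI code. The types below are
// simplified stand-ins for the ESAPI classes discussed in the post.
import java.util.HashSet;
import java.util.Set;

// Stand-in for the (request, response) pair that login() receives.
final class HttpExchange {
    final String user;
    final String password;
    HttpExchange(String user, String password) { this.user = user; this.password = password; }
}

// The interface the locator returns. logout() is deliberately absent, mirroring
// the gap between interface and concrete class described in the post.
interface IAuthenticator {
    boolean login(HttpExchange exchange);
}

// Reference implementation: logout() exists, but only on the concrete class.
class FileAuthenticator implements IAuthenticator {
    private final Set<String> loggedIn = new HashSet<>();

    public boolean login(HttpExchange ex) {
        // Constructed credential check for the demo, not a real authentication scheme.
        if ("alice".equals(ex.user) && "secret".equals(ex.password)) {
            loggedIn.add(ex.user);
            return true;
        }
        return false;
    }

    public void logout(String user) { loggedIn.remove(user); }

    public boolean isLoggedIn(String user) { return loggedIn.contains(user); }
}

// A user-supplied replacement that is perfectly valid against the interface.
class LdapAuthenticator implements IAuthenticator {
    public boolean login(HttpExchange ex) { return ex.user.endsWith("@example.org"); }
}

// Minimal locator in the style of ESAPI.authenticator(); hypothetical.
final class ESAPI {
    private static IAuthenticator authenticator = new FileAuthenticator();
    static IAuthenticator authenticator() { return authenticator; }
    static void setAuthenticator(IAuthenticator a) { authenticator = a; }
}

public class CastDemo {
    // Application code written against the concrete class. It compiles, but the
    // cast is only valid while the default implementation is the one installed.
    static void logoutViaCast(String user) {
        ((FileAuthenticator) ESAPI.authenticator()).logout(user);
    }

    public static void main(String[] args) {
        ESAPI.authenticator().login(new HttpExchange("alice", "secret"));
        logoutViaCast("alice");                     // fine with the default implementation

        ESAPI.setAuthenticator(new LdapAuthenticator());
        try {
            logoutViaCast("alice");                 // same call, swapped implementation
        } catch (ClassCastException e) {
            // This is the failure the locator was meant to make impossible.
            System.out.println("cast failed after swapping implementation: " + e.getMessage());
        }
    }
}
```

Moving logout(user) onto IAuthenticator turns this from a runtime ClassCastException into a compile-time obligation: LdapAuthenticator would no longer compile until it implemented logout, and the cast in logoutViaCast could be deleted. That is the trade-off the post is weighing: a fatter interface that every implementation must honour, against concrete-class casts that quietly defeat the locator.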