[OWASP-ESAPI] Methods in concrete implementations that do not appear in the interfaces
lists at dawes.za.net
Tue Feb 5 12:01:12 EST 2008
I am in the process of migrating all direct references to the security
service classes (Authenticator, AccessController, etc.) to using an ESAPI
I have encountered a few methods that are used in the concrete
implementations that are not defined in the interfaces, necessitating
casting. This is clearly counter to the objective of using a locator
class, returning an Interface, so I'd like to sort this problem out.
Authenticator: setCurrentHTTP(request, response)
As Jeff suggested in private mail, some of the concrete implementations
are tied quite closely to each other (e.g. Authenticator and
SecurityConfiguration / AccessController and SecurityConfiguration both
use the getResourceDirectory() method to find their particular config
files). Fair enough.
But what about the others? Do you think that we would be doing a
disservice to our users by adding the above methods to the relevant
interface? Is it tying the ESAPI too closely to a particular technology
(i.e. HTTP)? That argument is kind of nullified by the existence of
HttpUtilities to start with, in my opinion, amongst other things (e.g.
IAuthenticator.login(request, response)).
What do you think?