[OWASP-ESAPI] Shameless Blog Plug

Neil Matatall nmatatal at uci.edu
Thu Aug 6 16:02:54 EDT 2009


Actually, I was thinking that we would add an implementation only (make 
it final as well?) instead of some interface.  It sounds like the 
getId().intern() locking is the accepted standard so there isn't a need 
to override the implementation until a new standard comes along, at 
which point the ESAPI codebase should be modified to use the new 
standard. Anyone else?

Neil

Chris Schmidt wrote:
> I am torn on this - mainly because providing such a method on an API 
> interface really leaves the door open for some REALLY bad 
> implementation code if someone brews their own implementation to the 
> API method.
>
> Also, it really doesn't by definition enforce the fact that lock 
> objects need to be final. I thought for a split second about 
> suggesting a method that handled synchronization for you, 
> performSafeOperation() but even that isn't really good in practice, 
> and also has risk for failure since parameters are passed by value, 
> not by reference.
>
> I would love to hear what everyone else thinks on the matter tho. 
> Perhaps I am being too much of a purist in my thinking here.
>
> On Thu, Aug 6, 2009 at 11:47 AM, Dan Cornell <dan at denimgroup.com> wrote:
>
>     > I have been, and will continue to be talking about ESAPI on my
>     > relatively new blog so it would be awesome to get everyone here over
>     to
>     > read and follow and comment and so forth and start building my blogs
>     > footprint on the interwebz.
>     >
>     > You can check it out at http://yet-another-dev.blogspot.com
>     >
>
>     You made a great point that I've seen come up a couple of times
>     recently
>     in this post:
>     <http://yet-another-dev.blogspot.com/2009/08/synchronizing-httpsession.html>
>
>     Would it make sense to add an ESAPI method that would return:
>
>     request.getSession().getId().intern()
>
>     Perhaps a method like:
>
>     getSessionSynchronizationObject()
>
>     I'd need to re-review the API docs to see exactly where this might fit
>     best, but that might be a way to promote the "correct" use of session
>     synchronization.
>
>     Of course, if you know that there is a "correct" way to do session
>     synchronization, you probably already know how to do this and wouldn't
>     need a helper method :)
>
>     Thanks,
>
>     Dan
>
>
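The helper Dan proposes, written out as an added example (not ESAPI code, and not from any of the posters); the class name SessionLocks, the attribute name and the counter method are assumptions made here to show the lock being used for a read-modify-write on a session attribute:

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper in the spirit of the proposed getSessionSynchronizationObject(). */
public final class SessionLocks {

    private SessionLocks() {}

    /**
     * Returns a lock object that is the same for every request of one session:
     * the interned session id. The HttpSession object itself is not a reliable
     * lock, because a container may hand different wrapper instances to
     * concurrent requests of the same session. Caveat: intern() uses the
     * JVM-wide string pool, so any other code that synchronizes on the same
     * interned string shares this lock, and the lock is per JVM, not cluster-wide.
     */
    public static Object getSessionSynchronizationObject(HttpServletRequest request) {
        return request.getSession(true).getId().intern();
    }

    /**
     * Race-free increment of a session-scoped counter (assumed attribute name).
     * Without the synchronized block two concurrent requests in one session can
     * both read the old value and both write the same new value (a lost update).
     * The lock reference is final so it cannot be reassigned while held.
     */
    public static int incrementCounter(HttpServletRequest request, String attribute) {
        final HttpSession session = request.getSession(true);
        final Object lock = session.getId().intern();
        synchronized (lock) {
            Integer current = (Integer) session.getAttribute(attribute);
            int next = (current == null) ? 1 : current + 1;
            session.setAttribute(attribute, next);
            return next;
        }
    }
}
```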