[OWASP-ESAPI] Shameless Blog Plug
nmatatal at uci.edu
Thu Aug 6 16:02:54 EDT 2009
Actually, I was thinking that we would add an implementation only (make
it final as well?) instead of some interface. It sounds like the
getId().intern() locking is the accepted standard so there isn't a need
to override the implementation until a new standard comes along, at
which point the ESAPI codebase should be modified to use the new
standard. Anyone else?
Chris Schmidt wrote:
> I am torn on this - mainly because providing such a method on an API
> interface really leaves the door open for some REALLY bad
> implementation code if someone brews their own implementation to the
> API method.
> Also, it really doesn't by definition enforce the fact that lock
> objects need to be final. I thought for a split second about
> suggesting a method that handled synchronization for you,
> performSafeOperation() but even that isn't really good in practice,
> and also has risk for failure since parameters are passed by value,
> not by reference.
> I would love to hear what everyone else thinks on the matter though.
> Perhaps I am being too much of a purist in my thinking here.
> On Thu, Aug 6, 2009 at 11:47 AM, Dan Cornell <dan at denimgroup.com> wrote:
> > I have been, and will continue to be talking about ESAPI on my
> > relatively new blog so it would be awesome to get everyone here over
> > to read and follow and comment and so forth and start building my blog's
> > footprint on the interwebz.
> > You can check it out at http://yet-another-dev.blogspot.com
> You made a great point that I've seen come up a couple of times
> in this post:
> Would it make sense to add an ESAPI method that would return:
> Perhaps a method like:
> I'd need to re-review the API docs to see exactly where this might fit
> best, but that might be a way to promote the "correct" use of session
> Of course, if you know that there is a "correct" way to do session
> synchronization, you probably already know how to do this and wouldn't
> need a helper method :)
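The locking idiom discussed in this thread, shown as an added example that is not part of the original messages and is not ESAPI code: a final helper class returns the interned session ID as the monitor, and a final local holds it. SessionLocks, lockFor and the session ID value are hypothetical or constructed, and a plain String stands in for the value of HttpSession.getId().

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

// Added example: SessionLocks and lockFor are hypothetical names, not ESAPI API.
public final class SessionLocks {
    private SessionLocks() {}  // no instances, no subclasses: the idiom cannot be overridden

    // intern() maps every String with equal contents to one canonical instance,
    // so all threads handling the same session ID synchronize on the same object.
    public static Object lockFor(String sessionId) {
        return sessionId.intern();
    }

    public static void main(String[] args) throws Exception {
        final String id = "CONSTRUCTED-SESSION-ID-0001";  // constructed sample value
        final int[] counter = {0};                        // stands in for a session attribute
        ExecutorService pool = Executors.newFixedThreadPool(8);
        for (int t = 0; t < 8; t++) {
            pool.execute(() -> {
                // Each "request" holds its own String object with equal contents.
                String copy = new String(id);
                // final: the lock reference cannot be reassigned mid-operation.
                final Object lock = lockFor(copy);
                for (int i = 0; i < 100_000; i++) {
                    synchronized (lock) {
                        counter[0]++;  // read-modify-write on shared session state
                    }
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);

        String a = new String(id);
        String b = new String(id);
        System.out.println("distinct String objects: " + (a != b));
        System.out.println("same monitor after intern(): " + (lockFor(a) == lockFor(b)));
        System.out.println("no lost updates: " + (counter[0] == 8 * 100_000));
    }
}
```

Interned strings are shared across the whole JVM, so any other code that synchronizes on a String with the same contents contends for this same monitor.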