[OWASP-ESAPI] Question about Provider/Implementation architecture

Jim Manico jim.manico at owasp.org
Wed Aug 12 17:25:23 EDT 2009


Right now, each "piece" of ESAPI can have a different provider, like so.

ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
ESAPI.Encryptor=org.owasp.esapi.reference.JavaEncryptor
ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor
ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector
ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory
#ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory
ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer
ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator

Mike Boberski from the OWASP ASVS project had a very interesting idea that seems reasonable to me. 

Mike is proposing that we have a provider for the whole - like JCE does.

Quoting Mike:

"In my mind, an organization should be able to easily swap in and out their whole ESAPI. Coding to and managing different sets of pieces will be messy for a large application that is for example made up of several separate server applications of various types that have been integrated together. That's actually the scenario I'm facing with the PHP."

What do you think, Gentlemen? Do you like this idea, and if so, what should it look like?

- Jim
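
One possible shape for the whole-ESAPI provider described in the message above, as an added example that is not part of the original post and not ESAPI's own code. The `ESAPI.Provider` key, the `reference` bundle name and the `ProviderResolution` class are hypothetical; the code resolves one implementation class name per component, lets a per-piece key override the bundle, and fails closed when a component has no implementation.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

public class ProviderResolution {
    // Component names taken from the ESAPI.* keys in the message.
    static final String[] COMPONENTS = {"Encoder", "Encryptor", "Executor", "HTTPUtilities",
            "IntrusionDetector", "Logger", "Randomizer", "Validator"};

    // Resolve one implementation class name per component. "ESAPI.Provider" is a
    // hypothetical key naming a whole bundle; per-piece keys still override it.
    static Map<String, String> resolve(Properties cfg, Map<String, Map<String, String>> providers) {
        Map<String, String> bundle = Map.of();
        String name = cfg.getProperty("ESAPI.Provider");
        if (name != null) {
            bundle = providers.get(name);
            if (bundle == null) throw new IllegalStateException("unknown provider: " + name);
        }
        Map<String, String> resolved = new LinkedHashMap<>();
        for (String c : COMPONENTS) {
            String cls = cfg.getProperty("ESAPI." + c, bundle.get(c));
            // Fail closed: a security control with no implementation must not be skipped silently.
            if (cls == null) throw new IllegalStateException("no implementation for ESAPI." + c);
            resolved.put(c, cls);
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Hypothetical "reference" bundle built from the class names in the message.
        String pkg = "org.owasp.esapi.reference.";
        Map<String, String> reference = new LinkedHashMap<>();
        for (String c : COMPONENTS) reference.put(c, pkg + "Default" + c);
        reference.put("Encryptor", pkg + "JavaEncryptor");
        reference.put("Logger", pkg + "Log4JLogFactory");

        Properties cfg = new Properties();                 // constructed sample configuration
        cfg.setProperty("ESAPI.Provider", "reference");    // swap the whole ESAPI with one line
        cfg.setProperty("ESAPI.Logger", pkg + "JavaLogFactory"); // single-piece override

        resolve(cfg, Map.of("reference", reference))
                .forEach((c, cls) -> System.out.println("ESAPI." + c + "=" + cls));
    }
}
```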