[OWASP-ESAPI] introduction, grails

Jeff Williams jeff.williams at owasp.org
Tue Mar 10 11:49:22 EDT 2009

Hi Bradley,

I think if you have an enterprise way to create users and change passwords,
then you can safely ignore these calls. Overriding with a no-op is
reasonable. Those "administrative" type functions are there to help folks
implement management apps.

From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Monday, March 09, 2009 9:26 PM
To: Bradley Beddoes; owasp-esapi at lists.owasp.org
Subject: Re: [OWASP-ESAPI] introduction, grails




Hey there - I hope all is well.

If you build your own implementation of the Authenticator interface, which
we rightly expect you to do, you only need to call

ESAPI.setAuthenticator( new MyNonFlatFileAuthenticator() );

in perhaps a J2EE filter that always gets hit before the app, then you are
all set - the rest of your app will use your personal version of the

We want you to not have ESAPI, but to have YOUR ESAPI! =)

- Jim

----- Original Message ----- 

From: Bradley Beddoes <mailto:bradleybeddoes at gmail.com>  

To: owasp-esapi at lists.owasp.org 

Sent: Monday, March 09, 2009 11:56 AM

Subject: [OWASP-ESAPI] introduction, grails



Firstly congratulations on the work being done with ESAPI, I've spent the
last few days going over lots of various pieces of documentation on your

Anyway, after looking around at all the various pieces I had a few

* In some of the interfaces (Authenticator for example) there seems to be a
number of functions that imply a local store of user information
(changePassword, createUser etc). This doesn't make much sense to me in an
enterprise situation using a central LDAP server or overall SSO system. What
is the advised approach in this situation? I was thinking just implement
these functions as a no-op, potentially throwing AuthenticationException


* Has anybody done anything with integrating between ESAPI and Grails
(grails.org)? If so I'd be very happy to hear about your experiences, I'm
considering doing something in this space. The safe(er)HTTPFilter and
AccessReferenceMap in particular seem pretty useful for apps being built
with grails.


Thanks for your time guys (and gals? :) ), appreciate it.

Catch me on Twitter: @bradleybeddoes

OWASP-ESAPI mailing list
OWASP-ESAPI at lists.owasp.org
