[OWASP-ESAPI] introduction, grails

Jeff Williams jeff.williams at owasp.org
Tue Mar 10 11:49:22 EDT 2009


Hi Bradley,

I think if you have an enterprise way to create users and change passwords,
then you can safely ignore these calls.  Overriding with a no-op is
reasonable. Those "administrative" type functions are there to help folks
implement management apps.

--Jeff

 

From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Monday, March 09, 2009 9:26 PM
To: Bradley Beddoes; owasp-esapi at lists.owasp.org
Subject: Re: [OWASP-ESAPI] introduction, grails

Bradley,

Hey there - I hope all is well.

If you build your own implementation of the Authenticator interface, which
we rightly expect you to do, you only need to call

ESAPI.setAuthenticator( new MyNonFlatFileAuthenticator() );

in perhaps a J2EE filter that always gets hit before the app, then you are
all set - the rest of your app will use your personal version of the
Authenticator.

We want you to not have ESAPI, but to have YOUR ESAPI! =)

- Jim

----- Original Message -----
From: Bradley Beddoes <bradleybeddoes at gmail.com>
To: owasp-esapi at lists.owasp.org
Sent: Monday, March 09, 2009 11:56 AM
Subject: [OWASP-ESAPI] introduction, grails

Hi,

Firstly, congratulations on the work being done with ESAPI. I've spent the
last few days going over lots of various pieces of documentation on your
website.

Anyway, after looking around at all the various pieces I had a few
questions:

* In some of the interfaces (Authenticator for example) there seem to be a
number of functions that imply a local store of user information
(changePassword, createUser etc). This doesn't make much sense to me in an
enterprise situation using a central LDAP server or overall SSO system. What
is the advised approach in this situation? I was thinking of just implementing
these functions as a no-op, potentially throwing AuthenticationException
<http://owasp-esapi-java.googlecode.com/svn/trunk_doc/org/owasp/esapi/errors/AuthenticationException.html>

* Has anybody done anything with integrating ESAPI and Grails
(grails.org)? If so I'd be very happy to hear about your experiences, as I'm
considering doing something in this space. The safe(er)HTTPFilter and
AccessReferenceMap in particular seem pretty useful for apps being built
with grails.

Thanks for your time guys (and gals? :) ), appreciate it.

regards,

Bradley

Catch me on Twitter: @bradleybeddoes
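The approach Jim and Jeff describe above, as an added example that is not ESAPI project code and not code from this thread: an Authenticator adapter for a central LDAP/SSO directory whose administrative calls throw AuthenticationException rather than silently succeeding, registered once from a servlet filter. It assumes the ESAPI 1.4-era Authenticator signatures and the ESAPI.setAuthenticator(...) call named in the thread; LdapAuthenticator is a hypothetical concrete subclass that wires login/lookup to the directory.

```java
import java.io.IOException;
import javax.servlet.*;
import org.owasp.esapi.Authenticator;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.User;
import org.owasp.esapi.errors.AuthenticationException;

/**
 * Adapter for a central LDAP/SSO directory. Account lifecycle and password
 * management live in the directory, so the "administrative" calls fail closed
 * by throwing instead of pretending to succeed. login/logout/getUser and the
 * other Authenticator methods delegate to the directory in a concrete subclass.
 */
public abstract class EnterpriseAuthenticator implements Authenticator {

    public User createUser(String accountName, String password1, String password2)
            throws AuthenticationException {
        throw unsupported("createUser", accountName);
    }

    public void changePassword(User user, String currentPassword,
            String newPassword, String newPassword2) throws AuthenticationException {
        throw unsupported("changePassword", user.getAccountName());
    }

    public void removeUser(String accountName) throws AuthenticationException {
        throw unsupported("removeUser", accountName);
    }

    // ESAPI exceptions carry a generic user message and a detailed log message;
    // the account name goes only to the log, not to the user-facing text.
    private static AuthenticationException unsupported(String op, String account) {
        return new AuthenticationException(
            "Account management is handled by the enterprise directory",
            "Rejected ESAPI " + op + " for account '" + account + "': managed externally");
    }

    /** Registers the enterprise Authenticator once, before any request is served. */
    public static class BootstrapFilter implements Filter {
        public void init(FilterConfig config) {
            // LdapAuthenticator is a hypothetical concrete subclass (assumption).
            ESAPI.setAuthenticator(new LdapAuthenticator());
        }
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            chain.doFilter(req, res); // nothing per request; registration happened in init()
        }
        public void destroy() {}
    }
}
```

Registering in init() rather than on every request keeps the registration idempotent and avoids a race between the first requests.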

_______________________________________________
OWASP-ESAPI mailing list
OWASP-ESAPI at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-esapi
