[OWASP-ESAPI] introduction, grails

Neil Matatall nmatatal at uci.edu
Tue Mar 10 13:29:17 EDT 2009


Hello All,

You would have to implement some portions.  For example, the CSRF 
protection uses the ESAPI.authenticator().getCurrentUser().  I'm working 
on integrating our ESAPI into our framework and SSO solution and that 
was the first issue that I ran across.  Are there any other 
implementations out there?  We get the currentUser from the Request, but 
the Authenticator is a static variable in the ESAPI class so I'm not 
sure how this would work (wouldn't there be threading issues?).

Neil

Jeff Williams wrote:
>
> Hi Bradley,
>
>  
>
> I think if you have an enterprise way to create users and change 
> passwords, then you can safely ignore these calls.  Overriding with a 
> no-op is reasonable. Those "administrative" type functions are there 
> to help folks implement management apps.
>
>  
>
> --Jeff
>
>  
>
> *From:* owasp-esapi-bounces at lists.owasp.org 
> [mailto:owasp-esapi-bounces at lists.owasp.org] *On Behalf Of *Jim Manico
> *Sent:* Monday, March 09, 2009 9:26 PM
> *To:* Bradley Beddoes; owasp-esapi at lists.owasp.org
> *Subject:* Re: [OWASP-ESAPI] introduction, grails
>
>  
>
> Bradley,
>
>  
>
> Hey there - I hope all is well.
>
>  
>
> If you build your own implementation of the Authenticator interface, 
> which we rightly expect you to do, you only need to call
>
>  
>
> ESAPI.setAuthenticator( new MyNonFlatFileAuthenticator() );
>
>  
>
> In perhaps a J2EE filter that always gets hit before the app, then you 
> are all set - the rest of your app will use your personal version of 
> the Authenticator.
>
>  
>
> We want you to not have ESAPI, but to have YOUR ESAPI! =)
>
>  
>
> - Jim
>
>     ----- Original Message -----
>
>     *From:* Bradley Beddoes <mailto:bradleybeddoes at gmail.com>
>
>     *To:* owasp-esapi at lists.owasp.org
>     <mailto:owasp-esapi at lists.owasp.org>
>
>     *Sent:* Monday, March 09, 2009 11:56 AM
>
>     *Subject:* [OWASP-ESAPI] introduction, grails
>
>      
>
>     Hi,
>
>     Firstly, congratulations on the work being done with ESAPI, I've
>     spent the last few days going over lots of various pieces of
>     documentation on your website. 
>
>      
>
>     Anyways after looking around at all the various pieces I had a few
>     questions:
>
>      
>
>     * In some of the interfaces (Authenticator for example) there
>     seems to be a number of functions that imply a local store of user
>     information (changePassword, createUser etc). This doesn't make
>     much sense to me in an enterprise situation using a central LDAP
>     server or overall SSO system. What is the advised approach in this
>     situation? I was thinking just implement these functions as a
>     no-op, potentially throwing AuthenticationException
>     <http://owasp-esapi-java.googlecode.com/svn/trunk_doc/org/owasp/esapi/errors/AuthenticationException.html>
>
>      
>
>     * Has anybody done anything with integrating between ESAPI and
>     Grails (grails.org <http://grails.org>)? If so I'd be very happy
>     to hear about your experiences, I'm considering doing something in
>     this space. The safe(er)HTTPFilter and
>     AccessReferenceMap in particular seem pretty useful for apps being
>     built with grails.
>
>      
>
>     Thanks for your time guys (and gals? :) ), appreciate it.
>
>      
>
>     regards,
>
>     Bradley
>
>      
>
>     Catch me on Twitter: @bradleybeddoes
>
>      
>
>     ------------------------------------------------------------------------
>
>     _______________________________________________
>     OWASP-ESAPI mailing list
>     OWASP-ESAPI at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/owasp-esapi
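As an added sketch (my own, not code from this thread or from the ESAPI project) of the filter-based setup Jim describes and the per-request current user Neil asks about: one static Authenticator can stay shared across threads if `getCurrentUser()` reads a ThreadLocal that the filter binds for the duration of each request and clears afterwards. `SsoAuthenticator` is hypothetical and the remaining Authenticator methods (the no-op administrative ones discussed above) are not shown.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public final class CurrentUserFilter implements Filter {
    // Shared by all threads, but each thread reads only the value it set itself,
    // so a single static Authenticator can consult it with no locking.
    private static final ThreadLocal<String> CURRENT = new ThreadLocal<String>();

    /** A hypothetical SsoAuthenticator.getCurrentUser() would delegate here. */
    public static String currentAccountName() {
        String name = CURRENT.get();
        if (name == null) {
            throw new IllegalStateException("no authenticated user bound to this thread");
        }
        return name;
    }

    public void init(FilterConfig config) {
        // Register the SSO-backed Authenticator once, before the first request is served.
        // ESAPI.setAuthenticator(new SsoAuthenticator());  // SsoAuthenticator is hypothetical
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // The SSO layer has already authenticated the caller; take the identity
        // from the container's principal, not from a client-controlled header.
        String account = http.getUserPrincipal() == null ? null : http.getUserPrincipal().getName();
        if (account == null) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        CURRENT.set(account);
        try {
            chain.doFilter(req, res);
        } finally {
            CURRENT.remove(); // pooled threads must not carry one request's user into the next
        }
    }

    public void destroy() { }
}
```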