[OWASP-ESAPI] Using Other Authenticators

Alex Smolen me at alexsmolen.com
Wed Mar 11 18:38:18 EDT 2009

So if I understand your suggested change, you are proposing that we change 
several classes to follow the current Java ESAPI logging implementation 
that has a separate JavaLogFactory class.

I think that this approach is overkill. If you look at the ESAPI 
architecture, the ESAPI class itself is sort of a factory 
(http://en.wikipedia.org/wiki/Factory_method_pattern). Its methods return 
an Interface which can be changed to a particular implementation. However, 
right now, you have to change the code in that class to return your own 
preferred implementation. I suggest that you change that ESAPI class to 
accept something from the configuration file to determine what class to 
load for each particular function (Authenticator, Validator, etc). Then, 
you don't need JavaLogFactory or any other factories.

i.e. rather than this

    public static Encryptor encryptor() {
        if (ESAPI.encryptor == null)
            ESAPI.encryptor = new JavaEncryptor();
        return ESAPI.encryptor;
    }

do this

    public static Encryptor encryptor() {
        if (ESAPI.encryptor == null)
            ESAPI.encryptor = 
        return ESAPI.encryptor;
    }

I think creating extra factories is unnecessary. The JavaLogFactory isn't 
necessary for what you're trying to do (support different types of logging 
engines). You have two different factories - one for a LogFactory, and one 
for Loggers. You can simply extend Logger to do whatever you want and get 
rid of the LogFactory class. 


From: "Jim Manico" <jim.manico at owasp.org>
Sent: Wednesday, March 11, 2009 11:39 AM
To: owasp-esapi at lists.owasp.org
Subject: [OWASP-ESAPI] Using Other Authenticators 

On the topic of using your own Authentication mechanism inside of ESAPI, 
I'm currently working on a few changes in ESAPI that will allow you to 
specify your own implementation at configuration time. For example, I've 
recently checked a new logger into ESAPI - Log4JLogFactory. We already 
have JavaLogFactory. I built a mechanism so that either can be specified 
at config time in ESAPI.properties like so: 

I'm going to explode the same concept out to Authenticator, Validator and 
all the other top-level classes of ESAPI. 
- Jim 
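
The configuration-driven lookup suggested in the reply above, as an added example that is not part of the original messages or of ESAPI's own code. The property key `Example.Encryptor`, the `ConfigurableLocator` class and the stand-in `Encryptor`/`JavaEncryptor` types are assumptions; because the class name comes from a file, the loader checks the type before instantiating anything.

```java
import java.util.Properties;

public class ConfigurableLocator {
    // Stand-ins for the interface and default implementation named in the thread.
    public interface Encryptor { String name(); }
    public static class JavaEncryptor implements Encryptor {
        public String name() { return "JavaEncryptor"; }
    }

    // Hypothetical property key; the thread does not show the real one.
    static final String KEY = "Example.Encryptor";
    static final String DEFAULT_IMPL = JavaEncryptor.class.getName();

    private final Properties config;
    private Encryptor encryptor;

    public ConfigurableLocator(Properties config) { this.config = config; }

    // Same lazy accessor shape as in the thread, but the class name comes from config.
    public synchronized Encryptor encryptor() {
        if (encryptor == null) {
            encryptor = load(config.getProperty(KEY, DEFAULT_IMPL), Encryptor.class);
        }
        return encryptor;
    }

    // Resolve the class without running its static initializers, verify it
    // implements the expected interface, and only then construct it.
    static <T> T load(String className, Class<T> type) {
        try {
            Class<?> impl = Class.forName(className, false,
                    ConfigurableLocator.class.getClassLoader());
            if (!type.isAssignableFrom(impl)) {
                throw new IllegalStateException(
                        className + " does not implement " + type.getName());
            }
            return type.cast(impl.getDeclaredConstructor().newInstance());
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("Cannot load " + className, e);
        }
    }

    public static void main(String[] args) {
        Properties p = new Properties(); // constructed sample configuration
        p.setProperty(KEY, JavaEncryptor.class.getName());
        System.out.println(new ConfigurableLocator(p).encryptor().name());
    }
}
```

A misconfigured value such as `java.lang.String` fails the `isAssignableFrom` check and raises `IllegalStateException` instead of being instantiated.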