[OWASP-ESAPI] SafeRequests within SafeRequests
stewart_short at hotmail.com
Tue May 26 11:41:35 EDT 2009
Filter mappings being used are...
> From: jeff.williams at owasp.org
> To: lists at dawes.za.net; stewart_short at hotmail.com
> CC: owasp-esapi at lists.owasp.org
> Subject: RE: [OWASP-ESAPI] SafeRequests within SafeRequests
> Date: Tue, 26 May 2009 11:24:18 -0400
> Hi Stewart,
> Thanks for the feedback - totally agree. We updated the main ESAPIFilter to
> handle this before December. However, the SafeHTTPFilter didn't have this
> check. It's been fixed in SVN now. Thanks!
> chain.doFilter(ESAPI.currentRequest(), ESAPI.currentResponse());
> By the way, this shouldn't happen unless you're calling the filter
> repeatedly. I'm curious what is causing this to happen. Do you have the
> dispatcher set up to handle FORWARD?
> > -----Original Message-----
> > From: owasp-esapi-bounces at lists.owasp.org [mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Rogan Dawes
> > Sent: Tuesday, May 26, 2009 8:24 AM
> > To: Stewart Short
> > Cc: owasp-esapi at lists.owasp.org
> > Subject: Re: [OWASP-ESAPI] SafeRequests within SafeRequests
> > Stewart Short wrote:
> > >
> > >
> > > Our web applications are based on WebLogic 8.1 page flows which is a
> > > technology built on top of Struts. I have recently been looking at
> > > integrating OWASP ESAPI (v1.4) and one problem I noticed is that when
> > > processing involves a chain of actions, i.e. resulting in *.do requests,
> > > you end up with SafeRequests within SafeRequests, with one level for
> > > each action in the chain. Therefore, should the doFilter method in
> > > SafeHTTPFilter only create a new SafeRequest if the request passed in is
> > > not an instance of SafeRequest?
> > Yes, I think so.
> > Rogan
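The wrap-once check discussed in this thread, as an added example that is not code from the thread or from ESAPI. `WrapOnceFilter` and `GuardedRequest` are hypothetical names, the parameter policy is a placeholder, and the Servlet API (`javax.servlet`) is assumed to be on the classpath. It goes one step beyond a plain `instanceof` test by walking the wrapper chain, since a container or another filter may add its own wrapper when a request is dispatched again.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical filter and wrapper names; these are not ESAPI's classes.
public class WrapOnceFilter implements Filter {

    /** Stand-in for a validating wrapper such as the SafeRequest discussed above. */
    static class GuardedRequest extends HttpServletRequestWrapper {
        GuardedRequest(HttpServletRequest inner) { super(inner); }

        @Override
        public String getParameter(String name) {
            String v = super.getParameter(name);
            // Placeholder policy (assumption): drop values containing control characters.
            if (v != null && v.chars().anyMatch(Character::isISOControl)) return null;
            return v;
        }
    }

    /** True if a GuardedRequest already sits anywhere in the wrapper chain. */
    static boolean alreadyGuarded(ServletRequest req) {
        ServletRequest cur = req;
        while (cur != null) {
            if (cur instanceof GuardedRequest) return true;
            // The outermost object may be someone else's wrapper around ours,
            // so look beneath it instead of testing only the top level.
            cur = (cur instanceof ServletRequestWrapper)
                    ? ((ServletRequestWrapper) cur).getRequest() : null;
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        // Wrap only on first entry; repeated passes through the filter
        // (one per chained action) reuse the existing wrapper.
        if (req instanceof HttpServletRequest && !alreadyGuarded(req)) {
            req = new GuardedRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, resp);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```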