ESAPI support?


ESAPI support?

pledbrook
Hi guys,

Has anyone considered implementing ESAPI in JSecurity?

  http://www.owasp.org/index.php/ESAPI

I noticed that they refer to it as a set of interfaces and a reference
implementation. Maybe it would be a good fit for JSecurity?

Cheers,

Peter
Re: ESAPI support?

Les Hazlewood-2
I opened an issue for this, but I wonder how this would work.  JSecurity
itself is a set of interfaces and a reference implementation ;)

In any case, the issue I created is to investigate further to see if it
would be worth implementing.

On Fri, Jan 23, 2009 at 6:45 AM, Peter Ledbrook <[hidden email]> wrote:

> Hi guys,
>
> Has anyone considered implementing ESAPI in JSecurity?
>
>  http://www.owasp.org/index.php/ESAPI
>
> I noticed that they refer to it as a set of interfaces and a reference
> implementation. Maybe it would be a good fit for JSecurity?
>
> Cheers,
>
> Peter
>
Re: ESAPI support?

Jeremy Haile
Yeah - I need to investigate further before forming an opinion.  The
key question is what advantage does implementing ESAPI's interfaces in
JSecurity offer the project and its users.  Right now I'm not clear
on the advantages.

Does anyone else have a better understanding?  Peter?

Jeremy


On Jan 23, 2009, at 12:40 PM, Les Hazlewood wrote:

> I opened an issue for this, but I wonder how this would work.  JSecurity
> itself is a set of interfaces and a reference implementation ;)
>
> In any case, the issue I created is to investigate further to see if it
> would be worth implementing.
>
> On Fri, Jan 23, 2009 at 6:45 AM, Peter Ledbrook <[hidden email]> wrote:
>
>> Hi guys,
>>
>> Has anyone considered implementing ESAPI in JSecurity?
>>
>> http://www.owasp.org/index.php/ESAPI
>>
>> I noticed that they refer to it as a set of interfaces and a reference
>> implementation. Maybe it would be a good fit for JSecurity?
>>
>> Cheers,
>>
>> Peter
>>

Re: ESAPI support?

pledbrook
> Yeah - I need to investigate further before forming an opinion.  The key
> question is what advantage does implementing ESAPI's interfaces in JSecurity
> offer the project and its users.  Right now I'm not clear on the
> advantages.
>
> Does anyone else have a better understanding?  Peter?

I wasn't sure what was in there, but it seems to be a few things, such
as codecs, input validation, protected command execution (wrapper on
Runtime.exec() kind of thing), intrusion detection (based on
exceptions it seems), and some access control stuff.

I thought from the OWASP site that it might have some more fancy
stuff. If JSecurity has most (if not all) of those things, then it's
not worth the hassle. I'm not sure the interfaces are used widely
enough to warrant implementing them. However, if there are some
features that might make sense, then I think it's worth contemplating
borrowing the implementation or providing our own.

I'm mainly thinking along the lines of input validation, escaping
output, and CSRF things.

Cheers,

Peter
Re: ESAPI support?

Les Hazlewood-2
On Fri, Jan 23, 2009 at 1:31 PM, Peter Ledbrook <[hidden email]> wrote:

> > Yeah - I need to investigate further before forming an opinion.  The key
> > question is what advantage does implementing ESAPI's interfaces in
> > JSecurity offer the project and its users.  Right now I'm not clear on the
> > advantages.
> >
> > Does anyone else have a better understanding?  Peter?
>
> I wasn't sure what was in there, but it seems to be a few things, such
> as codecs, input validation, protected command execution (wrapper on
> Runtime.exec() kind of thing), intrusion detection (based on
> exceptions it seems), and some access control stuff.
>
> I thought from the OWASP site that it might have some more fancy
> stuff. If JSecurity has most (if not all) of those things, then it's
> not worth the hassle. I'm not sure the interfaces are used widely
> enough to warrant implementing them. However, if there are some
> features that might make sense, then I think it's worth contemplating
> borrowing the implementation or providing our own.
I definitely agree with this - fill in any gaps that might be valuable that
we don't have currently, and then if we do feel implementing their API is
desirable (as a separate module), it would be a trivial task.

Something I find interesting about ESAPI and other frameworks is that it
seems as if a JSR around application security (not just VM security) might
be of benefit to the Java community.  I've heard stories about the JSR
process, so I don't know if we'd want to go down that road, but still -
makes me wonder...

- Les