You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@shiro.apache.org by Peter Ledbrook <pe...@cacoethes.co.uk> on 2009/01/23 12:45:34 UTC
ESAPI support?
Hi guys,
Has anyone considered implementing ESAPI in JSecurity?
http://www.owasp.org/index.php/ESAPI
I noticed that they refer to it as a set of interfaces and a reference
implementation. Maybe it would be a good fit for JSecurity?
Cheers,
Peter
Re: ESAPI support?
Posted by Les Hazlewood <lh...@apache.org>.
On Fri, Jan 23, 2009 at 1:31 PM, Peter Ledbrook <pe...@cacoethes.co.uk>wrote:
> > Yeah - I need to investigate further before forming an opinion. The key
> > question is what advantage does implementing ESAPI's interfaces in
> JSecurity
> > offer the project and it's users. Right now I'm not clear on the
> > advantages.
> >
> > Does anyone else have a better understanding? Peter?
>
> I wasn't sure what was in there, but it seems to be a few things, such
> as codecs, input validation, protected command execution (wrapper on
> Runtime.exec() kind of thing), intrusion detection (based on
> exceptions it seems), and some access control stuff.
>
> I thought from the OWASP site that it might have some more fancy
> stuff. If JSecurity has most (if not all) of those things, then it's
> not worth the hassle. I'm not sure the interfaces are used widely
> enough to warrant implementing them. However, if there are some
> features that might make sense, then I think it's worth contemplating
> borrowing the implementation or providing our own.
I definitely agree with this - fill in any gaps that might be valuable that
we don't have currently, and then if we do feel implementing their API is
desirable (as a separate module), it would be a trivial task.
Something I find interesting about ESAPI and other frameworks is that it
seems as if a JSR around application security (not just VM security) might
be of benefit to the Java community. I've heard stories about the JSR
process, so I don't know if we'd want to go down that road, but still -
makes me wonder...
- Les
Re: ESAPI support?
Posted by Peter Ledbrook <pe...@cacoethes.co.uk>.
> Yeah - I need to investigate further before forming an opinion. The key
> question is what advantage does implementing ESAPI's interfaces in JSecurity
> offer the project and it's users. Right now I'm not clear on the
> advantages.
>
> Does anyone else have a better understanding? Peter?
I wasn't sure what was in there, but it seems to be a few things, such
as codecs, input validation, protected command execution (wrapper on
Runtime.exec() kind of thing), intrusion detection (based on
exceptions it seems), and some access control stuff.
I thought from the OWASP site that it might have some more fancy
stuff. If JSecurity has most (if not all) of those things, then it's
not worth the hassle. I'm not sure the interfaces are used widely
enough to warrant implementing them. However, if there are some
features that might make sense, then I think it's worth contemplating
borrowing the implementation or providing our own.
I'm mainly thinking along the lines of input validation, escaping
output, and CSRF things.
Cheers,
Peter
Re: ESAPI support?
Posted by Jeremy Haile <jh...@fastmail.fm>.
Yeah - I need to investigate further before forming an opinion. The
key question is what advantage does implementing ESAPI's interfaces in
JSecurity offer the project and it's users. Right now I'm not clear
on the advantages.
Does anyone else have a better understanding? Peter?
Jeremy
On Jan 23, 2009, at 12:40 PM, Les Hazlewood wrote:
> I opened an issue for this, but I wonder how this would work.
> JSecurity
> itself is a set of interfaces and a reference implementation ;)
>
> In any case, the issue I created is to investigate further to see if
> it
> would be worth implementing.
>
> On Fri, Jan 23, 2009 at 6:45 AM, Peter Ledbrook
> <pe...@cacoethes.co.uk>wrote:
>
>> Hi guys,
>>
>> Has anyone considered implementing ESAPI in JSecurity?
>>
>> http://www.owasp.org/index.php/ESAPI
>>
>> I noticed that they refer to it as a set of interfaces and a
>> reference
>> implementation. Maybe it would be a good fit for JSecurity?
>>
>> Cheers,
>>
>> Peter
>>
Re: ESAPI support?
Posted by Les Hazlewood <lh...@apache.org>.
I opened an issue for this, but I wonder how this would work. JSecurity
itself is a set of interfaces and a reference implementation ;)
In any case, the issue I created is to investigate further to see if it
would be worth implementing.
On Fri, Jan 23, 2009 at 6:45 AM, Peter Ledbrook <pe...@cacoethes.co.uk>wrote:
> Hi guys,
>
> Has anyone considered implementing ESAPI in JSecurity?
>
> http://www.owasp.org/index.php/ESAPI
>
> I noticed that they refer to it as a set of interfaces and a reference
> implementation. Maybe it would be a good fit for JSecurity?
>
> Cheers,
>
> Peter
>