https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Chris+SchmidtOWASP - User contributions [en]2026-04-28T00:39:19ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=File:ESAPI_Logo.png&diff=163155File:ESAPI Logo.png2013-11-13T20:38:13Z<p>Chris Schmidt: </p>
<hr />
<div></div>Chris Schmidthttps://wiki.owasp.org/index.php?title=Projects_Summit_2013/Attendes&diff=160897Projects Summit 2013/Attendes2013-10-16T02:37:44Z<p>Chris Schmidt: </p>
<hr />
<div>This page has the current list of projected attendee.<br />
<br />
If you are going to be at the Projects Summit, please add your name to the list bellow, indicating your availability<br />
<br />
===Legend:===<br />
<br />
* AD = All Day<br />
* MO = Morning<br />
* AF = Afternoon<br />
* EV = Evening<br />
<br />
===Attendees List and availability===<br />
<br />
* '''Andrew van der Stock''': Mon (AD) Tue (AD), Wed (MO)<br />
* '''Andrew Muller''': Mon (AD) Tue (AD), Wed (MO)<br />
* '''Chris Schmidt''': Sun (EV), Mon (AD), Tue (AD), Wed (AD), Thu (AD), Fri (MO)<br />
* '''Chris Smith''': Mon (AD) Tue (AD), Wed (MO)<br />
* '''Dennis Groves''': Sun (MO), Mon (AD) Tue (AD), Wed (MO), <br />
* '''Dinis Cruz''': Sun (AD), Mon (AD) Tue (AD), Wed (MO), Thu (MO) <br />
* '''Fabio Cerullo''':<br />
* '''Johanna Curiel''' : Sun (EV) , Mon (AD), Tue (AD), Wed (AD)<br />
* '''Jonathan Marcil''':<br />
* '''Konstantinos Papapanagiotou''': Sun (AD), Mon (AD) Tue (AD), Wed (AD), Thu (AF) <br />
* '''Larry Conklin''':<br />
* '''Martin Knobloch''':<br />
* '''Simon Bennetts''': Tue (EV), Wed(MO), Thu (MO)<br />
* '''Samantha Groves''': Sun (AD), Mon (AD) Tue (AD), Wed (AD), Thu (AD), Fri (AD) <br />
* '''Seba Deleersnyder''': Wed (AD), Thu (AD)<br />
* '''Kevin W. Wall''': Sun(EV), Mon (AD), Tue (AD), Wed(AD), Thu (MO, AF; 5:00pm flight)<br />
<br />
<br />
<br />
<br />
{{:Projects_Summit_2013/Navigation}}</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=Projects_Reboot_2012_-_OWASP_ESAPI&diff=133495Projects Reboot 2012 - OWASP ESAPI2012-07-25T18:33:53Z<p>Chris Schmidt: </p>
<hr />
<div>Reboot Type: Type 1<br />
<br />
'''ESAPI:Redesign (October 2012 - Columbus, Oh) -- $3-5K'''<br />
<br />
The ESAPI:Redesign initiative will focus on gathering key players in the Application Security / Development communities to create a new ESAPI vision. The current API is outdated and ineffective in several key areas and the project has suffered extreme bloat resulting in a large footprint and a lot of functionality that simply isn't ever used being required in an application's codebase. The key objectives for this meeting will be:<br />
<br />
* Evaluate the current threat landscape and propose alteration, removal, or addition of controls to the ESAPI core.<br />
* Evaluate the contracts of the API and establish a new API Specification<br />
* Create a threat model for each control including the threats the control mitigates, the assumptions made by the contract, and the desired output of the control<br />
* Establish a testing infrastructure for implementations of controls to ensure compatibility and conformance with the specification<br />
<br />
The budget for this effort is as follows:<br />
<br />
* Travel/Lodging for key stakeholders -- $2.5k<br />
** Chris Schmidt (Denver, Co) -- Unconfirmed<br />
** Kevin Wall (Columbus, Oh) -- Unconfirmed<br />
** John Steven (Washington, DC) -- Uncomfirmed<br />
** Jeff Williams (Columbia, MD) -- Uncomfirmed<br />
* Catering (Breakfast/Lunch) -- $500<br />
<br />
----<br />
<br />
'''ESAPI:Rebooted Hackathon (December 2012 - Denver, Co) -- $5-8k'''<br />
<br />
The ESAPI:Rebooted Hackathon will be a 2-day event held in the Denver area during early December. The primary goals of the hackathon are to foster new development and contributions from the development community and extend the reach of ESAPI into additional platforms. Developers attending the hackathon will compete to create ESAPI-Enabled components (leveraging the new API). The core team will be responsible for ensuring the API is ready before the hackathon and providing end users with the API. Judging for the hackathon will be done by industry specialists and the core ESAPI team. Categories for awards will be:<br />
* Best Mobile Component<br />
* Best Cloud Component<br />
* Best Application Component<br />
* Best Overall Component Package<br />
<br />
Desired Outcomes of ESAPI:Rebooted<br />
* Ready-to-use control components for various platforms using the new ESAPI architecture<br />
* Recruitment for additional contributors to the ESAPI repository<br />
* Developer Community and Awareness around the Project<br />
<br />
Anticipated Budget<br />
* Travel and Lodging for core ESAPI Team (currently Kevin Wall, Jeff Williams, and Chris Schmidt) -- $2k<br />
* Marketing Material / Online Advertising Budget -- $2k<br />
* Catering -- $1k<br />
<br />
It is anticipated that a portion of the budget will be covered by sponsors for the event. Additionally, prizes for the attendees of the Hackathon will be provided by event sponsors.<br />
<br />
----<br />
<br />
'''ESAPI:Tutorials Video Series -- ~$2k'''<br />
<br />
The ESAPI Team identified a need for a set of easy to follow tutorials on implementing and using ESAPI controls in applications as a key item at the ESAPI Summit in MN last year. These tutorials should be created in the same format as the OWASP Tutorials video library.<br />
<br />
The anticipated budget for this at this point is unknown. The required staff will include (1) Voice Actor, (1) Video Producer, (1) Audio Producer, (1) Graphic Designer<br />
<br />
----<br />
<br />
'''ESAPI:Documentation Sprint -- ~$2k'''<br />
<br />
A need has been identified to produce a reference manual for ESAPI. This manual will cover everything from installation to writing custom controls and components for ESAPI. <br />
<br />
The anticipated budget for this at this point is unknown. The required staff will be (1-3) Authors, (1) Graphic Designer, (1) Editor.</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=Projects_Reboot_2012_-_OWASP_ESAPI&diff=133494Projects Reboot 2012 - OWASP ESAPI2012-07-25T18:31:54Z<p>Chris Schmidt: </p>
<hr />
<div>Reboot Type: Type 1<br />
<br />
'''ESAPI:Redesign (October 2012 - Columbus, Oh) -- $3-5K'''<br />
<br />
The ESAPI:Redesign initiative will focus on gathering key players in the Application Security / Development communities to create a new ESAPI vision. The current API is outdated and ineffective in several key areas and the project has suffered extreme bloat resulting in a large footprint and a lot of functionality that simply isn't ever used being required in an application's codebase. The key objectives for this meeting will be:<br />
<br />
* Evaluate the current threat landscape and propose alteration, removal, or addition of controls to the ESAPI core.<br />
* Evaluate the contracts of the API and establish a new API Specification<br />
* Create a threat model for each control including the threats the control mitigates, the assumptions made by the contract, and the desired output of the control<br />
* Establish a testing infrastructure for implementations of controls to ensure compatibility and conformance with the specification<br />
<br />
The budget for this effort is as follows:<br />
<br />
* Travel/Lodging for key stakeholders -- $2.5k<br />
** Chris Schmidt (Denver, Co) -- Unconfirmed<br />
** Kevin Wall (Columbus, Oh) -- Unconfirmed<br />
** John Steven (Washington, DC) -- Uncomfirmed<br />
** Jeff Williams (Columbia, MD) -- Uncomfirmed<br />
* Catering (Breakfast/Lunch) -- $500<br />
<br />
----<br />
<br />
'''ESAPI:Rebooted Hackathon (December 2012 - Denver, Co) -- $5-8k'''<br />
<br />
The ESAPI:Rebooted Hackathon will be a 2-day event held in the Denver area during early December. The primary goals of the hackathon are to foster new development and contributions from the development community and extend the reach of ESAPI into additional platforms. Developers attending the hackathon will compete to create ESAPI-Enabled components (leveraging the new API). The core team will be responsible for ensuring the API is ready before the hackathon and providing end users with the API. Judging for the hackathon will be done by industry specialists and the core ESAPI team. Categories for awards will be:<br />
* Best Mobile Component<br />
* Best Cloud Component<br />
* Best Application Component<br />
* Best Overall Component Package<br />
<br />
Desired Outcomes of ESAPI:Rebooted<br />
* Ready-to-use control components for various platforms using the new ESAPI architecture<br />
* Recruitment for additional contributors to the ESAPI repository<br />
* Developer Community and Awareness around the Project<br />
<br />
* Travel and Lodging for core ESAPI Team (currently Kevin Wall, Jeff Williams, and Chris Schmidt) -- $2k<br />
* Marketing Material / Online Advertising Budget -- $2k<br />
* Catering -- $1k<br />
<br />
It is anticipated that a portion of the budget will be covered by sponsors for the event. Additionally, prizes for the attendees of the Hackathon will be provided by event sponsors.<br />
<br />
----<br />
<br />
'''ESAPI:Tutorials Video Series -- ~$2k'''<br />
<br />
The ESAPI Team identified a need for a set of easy to follow tutorials on implementing and using ESAPI controls in applications as a key item at the ESAPI Summit in MN last year. These tutorials should be created in the same format as the OWASP Tutorials video library.<br />
<br />
The anticipated budget for this at this point is unknown. The required staff will include (1) Voice Actor, (1) Video Producer, (1) Audio Producer, (1) Graphic Designer<br />
<br />
----<br />
<br />
'''ESAPI:Documentation Sprint -- ~$2k'''<br />
<br />
A need has been identified to produce a reference manual for ESAPI. This manual will cover everything from installation to writing custom controls and components for ESAPI. <br />
<br />
The anticipated budget for this at this point is unknown. The required staff will be (1-3) Authors, (1) Graphic Designer, (1) Editor.</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=Projects_Reboot_2012_-_OWASP_ESAPI&diff=133493Projects Reboot 2012 - OWASP ESAPI2012-07-25T18:31:08Z<p>Chris Schmidt: </p>
<hr />
<div>Reboot Type: Type 1<br />
<br />
'''ESAPI:Redesign (October 2012 - Columbus, Oh) -- $3-5K'''<br />
<br />
The ESAPI:Redesign initiative will focus on gathering key players in the Application Security / Development communities to create a new ESAPI vision. The current API is outdated and ineffective in several key areas and the project has suffered extreme bloat resulting in a large footprint and a lot of functionality that simply isn't ever used being required in an application's codebase. The key objectives for this meeting will be:<br />
<br />
* Evaluate the current threat landscape and propose alteration, removal, or addition of controls to the ESAPI core.<br />
* Evaluate the contracts of the API and establish a new API Specification<br />
* Create a threat model for each control including the threats the control mitigates, the assumptions made by the contract, and the desired output of the control<br />
* Establish a testing infrastructure for implementations of controls to ensure compatibility and conformance with the specification<br />
<br />
The budget for this effort is as follows:<br />
<br />
* Travel/Lodging for key stakeholders -- $2.5k<br />
** Attendees<br />
*** Chris Schmidt (Denver, Co) -- Unconfirmed<br />
*** Kevin Wall (Columbus, Oh) -- Unconfirmed<br />
*** John Steven (Washington, DC) -- Uncomfirmed<br />
*** Jeff Williams (Columbia, MD) -- Uncomfirmed<br />
* Catering (Breakfast/Lunch) -- $500<br />
<br />
----<br />
<br />
'''ESAPI:Rebooted Hackathon (December 2012 - Denver, Co) -- $5-8k'''<br />
<br />
The ESAPI:Rebooted Hackathon will be a 2-day event held in the Denver area during early December. The primary goals of the hackathon are to foster new development and contributions from the development community and extend the reach of ESAPI into additional platforms. Developers attending the hackathon will compete to create ESAPI-Enabled components (leveraging the new API). The core team will be responsible for ensuring the API is ready before the hackathon and providing end users with the API. Judging for the hackathon will be done by industry specialists and the core ESAPI team. Categories for awards will be:<br />
* Best Mobile Component<br />
* Best Cloud Component<br />
* Best Application Component<br />
* Best Overall Component Package<br />
<br />
Desired Outcomes of ESAPI:Rebooted<br />
* Ready-to-use control components for various platforms using the new ESAPI architecture<br />
* Recruitment for additional contributors to the ESAPI repository<br />
* Developer Community and Awareness around the Project<br />
<br />
* Travel and Lodging for core ESAPI Team (currently Kevin Wall, Jeff Williams, and Chris Schmidt) -- $2k<br />
* Marketing Material / Online Advertising Budget -- $2k<br />
* Catering -- $1k<br />
<br />
It is anticipated that a portion of the budget will be covered by sponsors for the event. Additionally, prizes for the attendees of the Hackathon will be provided by event sponsors.<br />
<br />
----<br />
<br />
'''ESAPI:Tutorials Video Series -- ~$2k'''<br />
<br />
The ESAPI Team identified a need for a set of easy to follow tutorials on implementing and using ESAPI controls in applications as a key item at the ESAPI Summit in MN last year. These tutorials should be created in the same format as the OWASP Tutorials video library.<br />
<br />
The anticipated budget for this at this point is unknown. The required staff will include (1) Voice Actor, (1) Video Producer, (1) Audio Producer, (1) Graphic Designer<br />
<br />
----<br />
<br />
'''ESAPI:Documentation Sprint -- ~$2k'''<br />
<br />
A need has been identified to produce a reference manual for ESAPI. This manual will cover everything from installation to writing custom controls and components for ESAPI. <br />
<br />
The anticipated budget for this at this point is unknown. The required staff will be (1-3) Authors, (1) Graphic Designer, (1) Editor.</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=Projects_Reboot_2012_-_OWASP_ESAPI&diff=133492Projects Reboot 2012 - OWASP ESAPI2012-07-25T18:29:34Z<p>Chris Schmidt: </p>
<hr />
<div>Reboot Type: Type 1<br />
<br />
* ESAPI:Redesign (October 2012 - Columbus, Oh) -- $3-5K<br />
<br />
The ESAPI:Redesign initiative will focus on gathering key players in the Application Security / Development communities to create a new ESAPI vision. The current API is outdated and ineffective in several key areas and the project has suffered extreme bloat resulting in a large footprint and a lot of functionality that simply isn't ever used being required in an application's codebase. The key objectives for this meeting will be:<br />
<br />
** Evaluate the current threat landscape and propose alteration, removal, or addition of controls to the ESAPI core.<br />
** Evaluate the contracts of the API and establish a new API Specification<br />
** Create a threat model for each control including the threats the control mitigates, the assumptions made by the contract, and the desired output of the control<br />
** Establish a testing infrastructure for implementations of controls to ensure compatibility and conformance with the specification<br />
<br />
The budget for this effort is as follows:<br />
<br />
** Travel/Lodging for key stakeholders -- $2.5k<br />
*** Attendees<br />
**** Chris Schmidt (Denver, Co) -- Unconfirmed<br />
**** Kevin Wall (Columbus, Oh) -- Unconfirmed<br />
**** John Steven (Washington, DC) -- Uncomfirmed<br />
**** Jeff Williams (Columbia, MD) -- Uncomfirmed<br />
** Catering (Breakfast/Lunch) -- $500<br />
<br />
----<br />
<br />
* ESAPI:Rebooted Hackathon (December 2012 - Denver, Co) -- $5-8k<br />
<br />
The ESAPI:Rebooted Hackathon will be a 2-day event held in the Denver area during early December. The primary goals of the hackathon are to foster new development and contributions from the development community and extend the reach of ESAPI into additional platforms. Developers attending the hackathon will compete to create ESAPI-Enabled components (leveraging the new API). The core team will be responsible for ensuring the API is ready before the hackathon and providing end users with the API. Judging for the hackathon will be done by industry specialists and the core ESAPI team. Categories for awards will be:<br />
** Best Mobile Component<br />
** Best Cloud Component<br />
** Best Application Component<br />
** Best Overall Component Package<br />
<br />
** Desired Outcomes of ESAPI:Rebooted<br />
*** Ready-to-use control components for various platforms using the new ESAPI architecture<br />
*** Recruitment for additional contributors to the ESAPI repository<br />
*** Developer Community and Awareness around the Project<br />
<br />
** Travel and Lodging for core ESAPI Team (currently Kevin Wall, Jeff Williams, and Chris Schmidt) -- $2k<br />
** Marketing Material / Online Advertising Budget -- $2k<br />
** Catering -- $1k<br />
<br />
It is anticipated that a portion of the budget will be covered by sponsors for the event. Additionally, prizes for the attendees of the Hackathon will be provided by event sponsors.<br />
<br />
----<br />
<br />
* ESAPI:Tutorials Video Series -- ~$2k <br />
<br />
The ESAPI Team identified a need for a set of easy to follow tutorials on implementing and using ESAPI controls in applications as a key item at the ESAPI Summit in MN last year. These tutorials should be created in the same format as the OWASP Tutorials video library.<br />
<br />
The anticipated budget for this at this point is unknown. The required staff will include (1) Voice Actor, (1) Video Producer, (1) Audio Producer, (1) Graphic Designer<br />
<br />
----<br />
<br />
* ESAPI:Documentation Sprint -- ~$2k<br />
<br />
A need has been identified to produce a reference manual for ESAPI. This manual will cover everything from installation to writing custom controls and components for ESAPI. <br />
<br />
The anticipated budget for this at this point is unknown. The required staff will be (1-3) Authors, (1) Graphic Designer, (1) Editor.</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=Projects_Reboot_2012&diff=133491Projects Reboot 20122012-07-25T18:25:09Z<p>Chris Schmidt: </p>
<hr />
<div><br />
<br />
'''Welcome the the OWASP Project Reboot Page:<br />
'''<br />
<br />
''What is the OWASP Project ReBoot initiative?''<br />
<br />
OWASP needs to refresh, revitalize & update its projects. We need to make the software development community more aware of our efforts and demonstrate the foundations library of solutions & guidance designed to help with the secure application development lifecycle.<br />
<br />
The proposal for this initiative is here:<br />
<br />
'''[https://docs.google.com/a/owasp.org/file/d/0B5Z9zE0hx0LNSUZvOWVKd1JRWnlVaGJMcjB3SEN3Zw/edit Project Re-Boot Proposal]'''<br />
<br />
'''Project Lead''': Eoin Keary <br><br />
'''Proposal Approval Team''': Jim Manico, Rahim Jina, Tom Brennan,...<br><br />
[[Reboot_Review_Criteria]] (For review team)<br />
<br />
<br />
Board Approval can be seen here:<br />
[https://www.owasp.org/index.php/May_14,2012]<br />
<br />
To that end we have a budget to fund various project related activities. We hope putting some financial support behind projects will re-energise our community and hopefully deliver some great high quality material which can be used to support software developers and testers for years to come:<br><br><br />
<br />
'''Current Submissions''' <br><br />
'''[[OWASP Application Security Guide For CISOs]]''' - Selected for Reboot<br><br />
'''[[OWASP Development Guide]]''' - Selected for Reboot<br> <br />
'''[[OWASP Zed Attack Proxy Reboot2012|Zed Attack Proxy]]''' - Selected for Reboot<br><br />
'''[[OWASP WebGoat Reboot2012|OWASP WebGoat]]''' <br><br />
'''[[OWASP AppSensor]]'''<br><br />
'''[[OWASP Mobile Project]]''' - Selected for Reboot<br><br />
'''[[OWASP_Portuguese_Project_Proposal | OWASP Portuguese Language Project]]'''<br><br />
'''[[OWASP_Application_Testing_guide_v4]]'''<br><br />
'''[[OWASP_ESAPI_Reboot2012 | OWASP ESAPI]]'''<br><br />
<br><br />
<br />
<br />
'''Key Dates:'''<br><br />
'''Submission closing date''': July 30th 2012 <br><br />
'''First round of proposal selection''': 15 June 2012<br><br />
'''Second round of proposal selection''': 10 Aug 2012<br><br />
<br />
----<br />
<br />
'''First Round Decisions'''<br><br />
The following table shows to votes submitted by reviewers. 1 is first preference, 2 is second preference and so on..<br />
'''Any Outstanding / additional proposals shall be voted on during the second round of proposal selection (10/8/2012).'''<br />
<br />
<table border="1" width="50%"><br />
<tr><!-- Row 1 --><br />
<td>Proposal</td><!-- Col 1 --><br />
<td>Tom</td><!-- Col 2 --><br />
<td>Jim</td><!-- Col 3 --><br />
<td>Rahim</td><!-- Col 4 --><br />
<td>Eoin</td><!-- Col 5 --><br />
</tr><br />
<tr><!-- Row 2 --><br />
<td>OWASP Development Guide</td><!-- Col 1 --><br />
<td>1</td><!-- Col 2 --><br />
<td>1</td><!-- Col 3 --><br />
<td>1</td><!-- Col 4 --><br />
<td>2</td><!-- Col 5 --><br />
</tr><br />
<tr><!-- Row 3 --><br />
<td>OWASP CISO Guide</td><!-- Col 1 --><br />
<td>2</td><!-- Col 2 --><br />
<td>6</td><!-- Col 3 --><br />
<td>2</td><!-- Col 4 --><br />
<td>1</td><!-- Col 5 --><br />
</tr><br />
<tr><!-- Row 4 --><br />
<td>OWASP Mobile Project</td><!-- Col 1 --><br />
<td>3</td><!-- Col 2 --><br />
<td>3</td><!-- Col 3 --><br />
<td>4</td><!-- Col 4 --><br />
<td>4</td><!-- Col 5 --><br />
</tr><br />
<tr><!-- Row 5 --><br />
<td>OWASP WebGoat PHP</td><!-- Col 1 --><br />
<td>4</td><!-- Col 2 --><br />
<td>5</td><!-- Col 3 --><br />
<td>6</td><!-- Col 4 --><br />
<td>6</td><!-- Col 5 --><br />
</tr><br />
<tr><!-- Row 6 --><br />
<td>OWASP Zed Attack Proxy</td><!-- Col 1 --><br />
<td>5</td><!-- Col 2 --><br />
<td>2</td><!-- Col 3 --><br />
<td>3</td><!-- Col 4 --><br />
<td>3</td><!-- Col 5 --><br />
</tr><br />
<tr><!-- Row 7 --><br />
<td>OWASP AppSensor</td><!-- Col 1 --><br />
<td>6</td><!-- Col 2 --><br />
<td>4</td><!-- Col 3 --><br />
<td>5</td><!-- Col 4 --><br />
<td>5</td><!-- Col 5 --><br />
</tr><br />
</table><br />
<br />
'''Projects selected via first round of review''': <br><br />
#'''OWASP Development Guide''': Funding Amount: $5000 initial funding<br />
#'''OWASP CISO Guide''': Funding Amount: $5000 initial funding<br />
#'''OWASP Zed Attack Proxy''': Funding Amount: $5000 initial funding<br />
#'''OWASP Mobile Project''': Funding Amount: $5000 initial funding<br />
<br />
----<br />
<br />
<br />
<br />
'''Activity types''':<br><br />
<br />
'''Type 1''': Update, rewrite & complete guides or tools.<br><br />
This "type" is aimed at both existing and new tools or guides which require development effort to update, augment, rewrite, develop in order to achieve a high quality release quality product.<br><br><br />
<br />
Examples:<br><br />
#"Mini" Project based summits: Expenses associated with getting global workshops, with the aim of releasing a new version of a project.<br><br />
#Paying contributors for their time and effort.<br><br />
#Paying for user guides etc to be professionally developed (technical writing etc).<br><br><br />
<br />
'''Type 2''': Market, Training, Awareness, increase adoption.<br><br />
Existing, healthy robust tools and guides can utilise Type 2 activities to help with creating awareness and increasing adoption of that project.<br><br />
<br />
Examples:<br><br />
#Assisting with expenses associated with marketing a project.<br><br />
#Costs facilitating OWASP project focused training and awareness events<br><br />
<br />
<br />
'''How are we going to fund this??'''<br><br />
We are requesting all OWASP chapters which are in a healthy financial position to pledge 25% of their chapters funds to pay for this initiative.<br><br />
[https://www.surveymonkey.com/s/OWASP-REBOOT Pledge some chapter funds here]<br />
<br />
Donate $1.00 to help save a current or future software application [http://www.firstgiving.com/fundraiser/projectreboot/owasp-project-reboot Click Here]<br />
<br />
The Foundation shall also support this initiative with additional funding.<br><br />
The goal is to accumulate a budget of $100K which shall be appointed to projects undergoing this reboot.<br><br />
<br />
[https://docs.google.com/a/owasp.org/spreadsheet/pub?hl=en_US&hl=en_US&key=0Atu4kyR3ljftdEdQWTczbUxoMUFnWmlTODZ2ZFZvaXc&output=html - Chapter Funds]<br />
<br />
'''Can I apply for this Reboot?'''<br><br />
You certainly can, assuming you are an OWASP member.<br><br />
If you feel your project is ready or has potential you can apply for the reboot programme.<br><br />
<br />
<br />
'''How does funding work?'''<br><br><br />
'''Type 1''': Funding can be applied for as required if travel/mini summit etc is to be expensed as part of the reboot. Development activities; payment to contributors shall be at 50% and 100% milestones.<br><br />
Milestones are agreed prior to project reboot initiation.<br><br />
Once the 50% milestone is reached the work done to date shall be reviewed by a member of the [https://www.owasp.org/index.php/Category:Global_Projects_Committee - GPC] and also another nominated OWASP reviewer (generally an OWASP leader).<br><br />
<br />
'''Type 2''': Funding is supplied as required. Items to be funded are agreed prior to reboot initiation.<br><br />
Invoices for the required services are sent directly to the foundation for payment.<br />
<br />
<br />
'''How do I apply?'''<br />
Send in a proposal with the following information:<br />
<br />
# Project name and description. Including reboot project lead and any team members.<br />
# Re boot type (Type 1 or Type 2)<br />
# Goals of the reboot<br />
# Timeline for the 50% milestone and the 100% milestone. Suggested milestone reviewers (Generally OWASP Leaders or other industry experts)<br />
# Budget required and how you shall spend it.<br />
<br />
Want to support this initiative or learn more? Contact [mailto:eoin.keary@owasp.org Eoin Keary]</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=Projects_Reboot_2012_-_OWASP_ESAPI&diff=133490Projects Reboot 2012 - OWASP ESAPI2012-07-25T18:24:11Z<p>Chris Schmidt: </p>
<hr />
<div>* ESAPI:Redesign (October 2012 - Columbus, Oh) -- $3-5K<br />
<br />
The ESAPI:Redesign initiative will focus on gathering key players in the Application Security / Development communities to create a new ESAPI vision. The current API is outdated and ineffective in several key areas and the project has suffered extreme bloat resulting in a large footprint and a lot of functionality that simply isn't ever used being required in an application's codebase. The key objectives for this meeting will be:<br />
<br />
** Evaluate the current threat landscape and propose alteration, removal, or addition of controls to the ESAPI core.<br />
** Evaluate the contracts of the API and establish a new API Specification<br />
** Create a threat model for each control including the threats the control mitigates, the assumptions made by the contract, and the desired output of the control<br />
** Establish a testing infrastructure for implementations of controls to ensure compatibility and conformance with the specification<br />
<br />
The budget for this effort is as follows:<br />
<br />
** Travel/Lodging for key stakeholders -- $2.5k<br />
*** Attendees<br />
**** Chris Schmidt (Denver, Co) -- Unconfirmed<br />
**** Kevin Wall (Columbus, Oh) -- Unconfirmed<br />
**** John Steven (Washington, DC) -- Uncomfirmed<br />
**** Jeff Williams (Columbia, MD) -- Uncomfirmed<br />
** Catering (Breakfast/Lunch) -- $500<br />
<br />
----<br />
<br />
* ESAPI:Rebooted Hackathon (December 2012 - Denver, Co) -- $5-8k<br />
<br />
The ESAPI:Rebooted Hackathon will be a 2-day event held in the Denver area during early December. The primary goals of the hackathon are to foster new development and contributions from the development community and extend the reach of ESAPI into additional platforms. Developers attending the hackathon will compete to create ESAPI-Enabled components (leveraging the new API). The core team will be responsible for ensuring the API is ready before the hackathon and providing end users with the API. Judging for the hackathon will be done by industry specialists and the core ESAPI team. Categories for awards will be:<br />
** Best Mobile Component<br />
** Best Cloud Component<br />
** Best Application Component<br />
** Best Overall Component Package<br />
<br />
** Desired Outcomes of ESAPI:Rebooted<br />
*** Ready-to-use control components for various platforms using the new ESAPI architecture<br />
*** Recruitment for additional contributors to the ESAPI repository<br />
*** Developer Community and Awareness around the Project<br />
<br />
** Travel and Lodging for core ESAPI Team (currently Kevin Wall, Jeff Williams, and Chris Schmidt) -- $2k<br />
** Marketing Material / Online Advertising Budget -- $2k<br />
** Catering -- $1k<br />
<br />
It is anticipated that a portion of the budget will be covered by sponsors for the event. Additionally, prizes for the attendees of the Hackathon will be provided by event sponsors.<br />
<br />
----<br />
<br />
* ESAPI:Tutorials Video Series -- ~$2k <br />
<br />
The ESAPI Team identified a need for a set of easy to follow tutorials on implementing and using ESAPI controls in applications as a key item at the ESAPI Summit in MN last year. These tutorials should be created in the same format as the OWASP Tutorials video library.<br />
<br />
The anticipated budget for this at this point is unknown. The required staff will include (1) Voice Actor, (1) Video Producer, (1) Audio Producer, (1) Graphic Designer<br />
<br />
----<br />
<br />
* ESAPI:Documentation Sprint -- ~$2k<br />
<br />
A need has been identified to produce a reference manual for ESAPI. This manual will cover everything from installation to writing custom controls and components for ESAPI. <br />
<br />
The anticipated budget for this at this point is unknown. The required staff will be (1-3) Authors, (1) Graphic Designer, (1) Editor.</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=Projects_Reboot_2012_-_OWASP_ESAPI&diff=133489Projects Reboot 2012 - OWASP ESAPI2012-07-25T18:22:05Z<p>Chris Schmidt: Created page with "* ESAPI:Redesign (October 2012 - Columbus, Oh) The ESAPI:Redesign initiative will focus on gathering key players in the Application Security / Development communities to crea..."</p>
<hr />
<div>* ESAPI:Redesign (October 2012 - Columbus, Oh)<br />
<br />
The ESAPI:Redesign initiative will focus on gathering key players in the Application Security / Development communities to create a new ESAPI vision. The current API is outdated and ineffective in several key areas and the project has suffered extreme bloat resulting in a large footprint and a lot of functionality that simply isn't ever used being required in an application's codebase. The key objectives for this meeting will be:<br />
<br />
** Evaluate the current threat landscape and propose alteration, removal, or addition of controls to the ESAPI core.<br />
** Evaluate the contracts of the API and establish a new API Specification<br />
** Create a threat model for each control including the threats the control mitigates, the assumptions made by the contract, and the desired output of the control<br />
** Establish a testing infrastructure for implementations of controls to ensure compatibility and conformance with the specification<br />
<br />
The budget for this effort is as follows:<br />
<br />
** Travel/Lodging for key stakeholders -- $2.5k<br />
*** Attendees<br />
**** Chris Schmidt (Denver, Co) -- Unconfirmed<br />
**** Kevin Wall (Columbus, Oh) -- Unconfirmed<br />
**** John Steven (Washington, DC) -- Uncomfirmed<br />
**** Jeff Williams (Columbia, MD) -- Uncomfirmed<br />
** Catering (Breakfast/Lunch) -- $500<br />
<br />
----<br />
<br />
* ESAPI:Rebooted Hackathon (December 2012 - Denver, Co)<br />
<br />
The ESAPI:Rebooted Hackathon will be a 2-day event held in the Denver area during early December. The primary goals of the hackathon are to foster new development and contributions from the development community and extend the reach of ESAPI into additional platforms. Developers attending the hackathon will compete to create ESAPI-Enabled components (leveraging the new API). The core team will be responsible for ensuring the API is ready before the hackathon and providing end users with the API. Judging for the hackathon will be done by industry specialists and the core ESAPI team. Categories for awards will be:<br />
** Best Mobile Component<br />
** Best Cloud Component<br />
** Best Application Component<br />
** Best Overall Component Package<br />
<br />
** Desired Outcomes of ESAPI:Rebooted<br />
*** Ready-to-use control components for various platforms using the new ESAPI architecture<br />
*** Recruitment for additional contributors to the ESAPI repository<br />
*** Developer Community and Awareness around the Project<br />
<br />
** Travel and Lodging for core ESAPI Team (currently Kevin Wall, Jeff Williams, and Chris Schmidt) -- $2k<br />
** Marketing Material / Online Advertising Budget -- $2k<br />
** Catering -- $1k<br />
<br />
It is anticipated that a portion of the budget will be covered by sponsors for the event. Additionally, prizes for the attendees of the Hackathon will be provided by event sponsors.<br />
<br />
----<br />
<br />
* ESAPI:Tutorials Video Series <br />
<br />
The ESAPI Team identified a need for a set of easy to follow tutorials on implementing and using ESAPI controls in applications as a key item at the ESAPI Summit in MN last year. These tutorials should be created in the same format as the OWASP Tutorials video library.<br />
<br />
The anticipated budget for this at this point is unknown. The required staff will include (1) Voice Actor, (1) Video Producer, (1) Audio Producer, (1) Graphic Designer<br />
<br />
----<br />
<br />
* ESAPI:Documentation Sprint<br />
<br />
A need has been identified to produce a reference manual for ESAPI. This manual will cover everything from installation to writing custom controls and components for ESAPI. <br />
<br />
The anticipated budget for this at this point is unknown. The required staff will be (1-3) Authors, (1) Graphic Designer, (1) Editor.</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=GSoC2012_Ideas&diff=125596GSoC2012 Ideas2012-03-05T22:07:17Z<p>Chris Schmidt: </p>
<hr />
<div>==Guidelines==<br />
===Information for Students===<br />
The ideas below were contributed by OWASP project leaders and users. They are sometimes vague or incomplete. If you wish to submit a proposal based on these ideas, you may wish to contact the corresponding project leaders and find out more about the particular suggestion you're looking at.<br />
Being accepted as a Google Summer of Code student is quite competitive. Accepted students typically have thoroughly researched the technologies of their proposed project and have been in frequent contact with potential mentors. Simply copying and pasting an idea here will not work. On the other hand, creating a completely new idea without first consulting potential mentors is unlikely to work out.<br />
<br />
===Adding a Proposal===<br />
<br />
'''Project:'''<br />
<br />
'''Brief explanation:'''<br />
<br />
'''Expected results:'''<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
'''Mentor:'''<br />
<br />
'''Ideas'''<br />
How to find ideas? Obvious sources of projects are the OWASP project wiki, bugs database, and project mailing lists.<br />
<br />
=== Generic Sample Proposal===<br />
<br />
'''Accepted for GSoC 2011'''<br />
<br />
'''Brief explanation:'''<br />
<br />
KDE has developed a number of very interesting and powerful technologies, libraries and components but there is no easy way to show them to other people.<br />
<br />
'''Expected results:'''<br />
<br />
Something like Qt Demo but with KDE technologies.<br />
<br />
'''Knowledge prerequisite:'''<br />
<br />
C++ is the main language of KDE, therefore the demo should be in C++. The more you know about C++, Qt, KDE and scripting (for Kross and KDE bindings demos), the better.<br />
This idea encompasses so much different stuff the student is not expected to know everything before he starts coding (but will certainly know a lot when he's done!).<br />
<br />
'''Skill level:''' medium<br />
<br />
'''Mentor:''' Pau Garcia i Quiles as general mentor and someone to ask for directions. Specific help for each technology will probably require help from its developers.<br />
<br />
==OWASP Project Requests==<br />
<br />
=== ZAP Proxy ===<br />
<br />
The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.<br />
<br />
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.<br />
<br />
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.<br />
<br />
'''Website:''' https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project<br />
<br />
'''Mailing List:''' http://groups.google.com/group/zaproxy-develop<br />
<br />
====Project 001 - Compare crawling sessions for authentication issues ====<br />
<br />
'''Brief explanation:''' Develop a ZAP session crawler to be able to compare two crawling sessions of two logged in users and see what URLs or Actions could be performed from the other session.<br />
<br />
'''Expected results:'''<br />
<br />
ZAP will be able to recognise when requests are associated with different sessions.<br />
<br />
ZAP should allow the user to view the crawled URLs for each session independantly, and show which URLs are unique to each session.<br />
<br />
It should also be able to check if any of the 'unique' pages can in fact be accessed by the other session.<br />
<br />
'''Knowledge Prerequisite:''' <br />
<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of crawlers and/or aplication security would be useful, but not essential.<br />
<br />
'''Mentors:''' Simon Bennetts - OWASP ZAP Project Leader | Skyler Onken - OWASP ZAP Developer<br />
<br />
====Project 002 - Dynamically Configurable actions ====<br />
<br />
'''Brief explanation:''' <br />
<br />
ZAP provides various mechanisms which allow HTTP requests and responses to be changed dynamically. So (for example) a string in an HTTP request can automatically be changed to another string.<br />
<br />
It also supports a scripting interface, which is very powerful but at the moment difficult to use.<br />
<br />
This project would introduce something inbetween thess 2 options - a powerful way of defining (potentially) complex rules using a wizard based interface.<br />
<br />
The challenge will be to make it as usable as possible while still providing a wide range of functionality.<br />
<br />
'''Expected results:'''<br />
<br />
This component would provide a set of highly configurable 'actions' which the user would see up via a wizard.<br />
<br />
So they would initially define when the action applies, based on things like regex matching on request elements. And they should be able to define multiple criteria with ANDs and ORs.<br />
<br />
Then they would define the actions, which could include:<br />
* Changing the request (adding, removing or replacing strings)<br />
* Raising alerts<br />
* Breaking (to replace existing break points)<br />
* Running custom scripts (which could do pretty much anything)<br />
They would then be able to switch the actions on and off from the full list of defined actions using checkboxes<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentor:''' Simon Bennetts - OWASP ZAP Project Leader | Skyler Onken - OWASP ZAP Developer<br />
<br />
====Project 003 - Extend Web API to cover all of the ZAP functionality ====<br />
<br />
'''Brief explanation:''' <br />
<br />
ZAP provides a REST based API which can be used to control core aspects of the functionality provided by ZAP.<br />
<br />
This project would extend that API to cover all/most of the ZAP functionality.<br />
<br />
'''Expected results:''' Comprehensive Web API that will cover all of the ZAP Proxy functionality.<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentor:''' Simon Bennetts - OWASP ZAP Project Leader | Skyler Onken - OWASP ZAP Developer<br />
<br />
====Project 004 - Closer integration with OWASP AJAX ====<br />
<br />
'''Brief explanation:'''<br />
<br />
ZAP provides a basic spider that can be used to explore an application, however it is very limited, especially when used with AJAX based applications.<br />
<br />
The OWASP AJAX crawling tool (https://www.owasp.org/index.php/OWASP_AJAX_Crawling_Tool) is specifically designed to crawl AJAX applications and can already use ZAP as a proxy.<br />
<br />
This project would develop a ZAP plugin which integrates ZAP with the OWASP AJAX crawling Tool.<br />
<br />
'''Expected results:'''<br />
<br />
A new ZAP plugin would be produced which allows ZAP to crawl AJAX applications using the OWASP AJAX crawling tool.<br />
<br />
The plugin would allow the 2 tools to be tightly integrated, while still allowing them to work completely independently.<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Both ZAP and the AJAX tool are written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of crawlers and/or aplication security would be useful, but not essential.<br />
<br />
'''Mentor:''' Simon Bennetts - OWASP ZAP Project Leader | Skyler Onken - OWASP AJAX Tool Project Leader<br />
<br />
=== ESAPI Swingset Interactive ===<br />
<br />
The ESAPI Swingset Interactive is a web application which demonstrates common security vulnerabilities and asks users to secure the application against these vulnerabilities using the ESAPI library. The application is intended for Java Developers. The goal of the application is to teach developers about the functionality of the ESAPI library and give users a practical understanding of how it can be used to protect web applications against common security vulnerabilities.<br />
<br />
'''Website:''' https://www.owasp.org/index.php/Projects/OWASP_ESAPI_Swingset_Interactive_Project<br />
<br />
'''Mailing List:''' http://lists.owasp.org/pipermail/owasp-esapi-swingset/<br />
<br />
====Project 001 - Implement a solid Authenticator class ====<br />
<br />
'''Brief explanation:'''<br />
<br />
Provide Swingset Interactive with a simple but fully functional implementation of the ESAPI Authenticator Interface.<br />
<br />
'''Expected results:'''<br />
<br />
Swingset Interactive comes with a rudimentary implementation of the ESAPI Authenticator Interface, a FileBasedAuthenticator. This implementation needs to be fixed or replaced in order to allow users of the Swingset Interactive application all of the ESAPI Authenticator methods, including registration, login, a "remember me" feature and a persistence beyond server restart.<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
A basic knowledge of Java, Java Servlets is necessary, as is knowledge of HTML.<br />
<br />
'''Mentor:''' Fabio Cerullo - OWASP ESAPI Swingset Interactive Project Leader<br />
<br />
====Project 002 - Upgrade to ESAPI 2.0.x ====<br />
<br />
'''Brief explanation:'''<br />
<br />
Adapt Swingset Interactive to work with ESAPI 2.0.x. libraries.<br />
<br />
'''Expected results:'''<br />
<br />
Make the current Swingset Interactive application compatible with ESAPI 2.0.x. Swingset Interactive currently comes with ESAPI 1.4.Various changes and improvements were made with ESAPI 2.0.x and it is generally recommended not to use 1.4 any more for Java EE Projects.<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
A basic knowledge of Java, Java Servlets is necessary, as is knowledge of HTML.<br />
<br />
'''Mentor:''' Fabio Cerullo - OWASP ESAPI Swingset Interactive Project Leader<br />
<br />
====Project 003 - Improve the Swingset look and feel ====<br />
<br />
'''Brief explanation:'''<br />
<br />
Various minor bug fixes and improvements.<br />
<br />
'''Expected results:'''<br />
<br />
Fix and solve a number of documented bug fixes and improvement suggestions for the Swingset Interactive and bring in your own improvement suggestions.<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
A basic knowledge of Java, Java Servlets is necessary, as is knowledge of HTML.<br />
<br />
'''Mentor:''' Fabio Cerullo - OWASP ESAPI Swingset Interactive Project Leader<br />
<br />
====Project 004 - Platform-independent Swingset Interactive ====<br />
<br />
'''Brief explanation:'''<br />
<br />
Adapt Swingset Interactive to work with any OS.<br />
<br />
'''Expected results:'''<br />
<br />
Swingset Interactive currently runs only under Windows. Modify the Eclipse project and installation scripts to be easily installed on any OS that runs Eclipse. <br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Good knowledge of Java, Apache Tomcat and a broad knowledge of various Operating Systems are required.<br />
<br />
'''Mentor:''' Fabio Cerullo - OWASP ESAPI Swingset Interactive Project Leader<br />
<br />
====Project 005 - Mavenize the Swingset ====<br />
<br />
'''Brief explanation:'''<br />
<br />
Create a new Swingset Interactive Maven Archetype.<br />
<br />
'''Expected results:'''<br />
<br />
Offer the Swingset Interactive as a Maven Archetype.<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Good knowledge of Java, and Maven are required.<br />
<br />
'''Mentor:''' Fabio Cerullo - OWASP ESAPI Swingset Interactive Project Leader<br />
<br />
====Project 006 - New Lessons ====<br />
<br />
'''Brief explanation:'''<br />
<br />
Develop new coding lessons to learn the ESAPI Libraries.<br />
<br />
'''Expected results:'''<br />
<br />
A new set of interactive coding lessons for students to use.<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Good knowledge of Java, ESAPI, HTML and the Eclipse framework are required.<br />
<br />
'''Mentor:''' Fabio Cerullo - OWASP ESAPI Swingset Interactive Project Leader<br />
<br />
=== AntiSamy ===<br />
<br />
The AntiSamy project provides a Java library for developers to accept innocent HTML markup without exposing themselves to possible cross-site scripting (XSS) vulnerabilities.<br />
<br />
'''Website:''' https://www.owasp.org/index.php/AntiSamy<br />
<br />
'''Mailing List:''' https://lists.owasp.org/mailman/listinfo/owasp-antisamy<br />
<br />
====Project 001 - Add a Functional Testing Suite ====<br />
<br />
'''Brief explanation:'''<br />
<br />
Create a set of positive test cases designed to generate assurance that AntiSamy correctly processes inert HTML.<br />
<br />
'''Expected results:'''<br />
<br />
As of today, AntiSamy has a large set of test cases that prove that AntiSamy is resistant to a number of known attacks. There are also test cases that make sure it doesn't crash when given bad data. There are very few test cases that ensure that it properly handles good HTML. A set of test cases that confirm how expected good data is processed by AntiSamy generates a lot of assurance that it is functional as well as secure.<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Comfort with Java, Maven, SVN and JUnit are required.<br />
<br />
'''Mentor:''' Arshan Dabirsiaghi - OWASP AntiSamy Project Leader<br />
<br />
<br />
====Project 002 - Various Bug Fixes ====<br />
<br />
'''Brief explanation:'''<br />
<br />
There are around 30 open defects from the issue tracker.<br />
<br />
'''Expected results:'''<br />
<br />
A set of patches that address defects or implement features from the accepted issues in the issue tracker.<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Comfort with Java, Maven, SVN and JUnit are required.<br />
<br />
'''Mentor:''' Arshan Dabirsiaghi - OWASP AntiSamy Project Leader<br />
<br />
<br />
=== AppSensor ===<br />
The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. Current efforts are underway to create the AppSensor tool which can be utilized by any existing application interested in adding detection and response capabilities. <br />
<br />
'''Website:''' https://www.owasp.org/index.php/OWASP_AppSensor_Project<br />
<br />
'''Mailing List:''' https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project<br />
<br />
==== Project 001 - SOAP web service server implementation ====<br />
<br />
'''Brief explanation:'''<br />
<br />
AppSensor is implementing a new service based architecture for the next version. This project would involve implementing a SOAP based web service (based on the WS-I Basic Profile standard) as a front-end to the AppSensor processing engine. <br />
<br />
'''Expected results:'''<br />
<br />
A new SOAP based web service would be produced which provides a front-end to the existing processing core built into AppSensor.<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
AppSensor is written in Java, so a good knowledge of this language is recommended. Additionally, some knowledge of SOAP-based web services (particularly the WS-I Basic Profile standard) would be useful, but not essential. Finally, basic knowledge of application security would be very helpful.<br />
<br />
'''Mentor:''' John Melton - OWASP AppSensor Development Leader <br />
<br />
==== Project 002 - REST web service server implementation ====<br />
<br />
'''Brief explanation:'''<br />
<br />
AppSensor is implementing a new service based architecture for the next version. This project would involve implementing a REST based web service as a front-end to the AppSensor processing engine. <br />
<br />
'''Expected results:'''<br />
<br />
A new REST based web service would be produced which provides a front-end to the existing processing core built into AppSensor.<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
AppSensor is written in Java, so a good knowledge of this language is recommended. Additionally, some knowledge of REST-based web services would be useful, but not essential. Finally, basic knowledge of application security would be very helpful.<br />
<br />
'''Mentor:''' John Melton - OWASP AppSensor Development Leader <br />
<br />
==== Project 003 - SOAP/REST web service client implementation ====<br />
<br />
'''Brief explanation:'''<br />
<br />
AppSensor is implementing a new service based architecture for the next version. This project would involve implementing SOAP and REST based web service clients in various languages to communicate to a back-end server that represents the AppSensor core engine. <br />
<br />
'''Expected results:'''<br />
<br />
New SOAP and REST based web service clients would be produced which communicate to a back-end server that represents the AppSensor core engine.<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
AppSensor is written in Java, and the initial client will be for Java, so a good knowledge of this language is recommended. Proficiency in one or more of the following languages would also be beneficial: C#, PHP, Python, Ruby. Additionally, some knowledge of REST and SOAP based web services would be useful, but not essential. Finally, basic knowledge of application security would be very helpful.<br />
<br />
'''Mentor:''' John Melton - OWASP AppSensor Development Leader <br />
<br />
==== Project 004 - Detection Point Implementation Expansion ====<br />
<br />
'''Brief explanation:'''<br />
<br />
AppSensor has documentation outlining around 50 different detection points. We currently have an existing implementation that supports a small handful (5-7) of those. Implementing additional detection points would increase the value of the project. <br />
<br />
'''Expected results:'''<br />
<br />
Implementations of existing detection points would be produced. This could be done in any number of languages.<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
AppSensor is written in Java, and the initial client will be for Java, so a good knowledge of this language is recommended. Proficiency in one or more of the following languages would also be beneficial: C#, PHP, Python, Ruby. Finally, basic knowledge of application security would be very helpful.<br />
<br />
'''Mentor:''' John Melton - OWASP AppSensor Development Leader <br />
<br />
==== Project 005 - Implement new configuration file format ====<br />
<br />
'''Brief explanation:'''<br />
<br />
AppSensor currently uses a properties file format for configuration. A new XML file format is planned. Moving to an XML format would simplify the configuration and make it easier to extend.<br />
<br />
'''Expected results:'''<br />
<br />
A new implementation of the configuration file would be created. An XML file format would be created, along with the code to process that file format, as well as an XSD to validate the file.<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
AppSensor is written in Java, so a good knowledge of this language is recommended. Additionally, a basic understanding of XML and XSD would be useful, though not required.<br />
<br />
'''Mentor:''' John Melton - OWASP AppSensor Development Leader <br />
<br />
==== Project 006 - Trend Monitoring ====<br />
<br />
'''Brief explanation:'''<br />
<br />
Several of the detection point concepts for AppSensor revolve around the idea of trend monitoring within an application. There is a trivial implementation currently that provides very little utility. An enhanced trend monitoring capability would allow for the implementation of more detection points and expand the capabilities of AppSensor.<br />
<br />
'''Expected results:'''<br />
<br />
A new implementation of the trend monitoring module would be implemented.<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
AppSensor is written in Java, so a good knowledge of this language is recommended. Additionally, basic knowledge of application security would be very helpful.<br />
<br />
'''Mentor:''' John Melton - OWASP AppSensor Development Leader <br />
<br />
==== Project 007 - Reporting ====<br />
<br />
'''Brief explanation:'''<br />
<br />
AppSensor currently has very weak reporting capabilities. Enhanced reporting would provide users with better insight into the health of the applications being protected by AppSensor<br />
<br />
'''Expected results:'''<br />
<br />
New APIs for reporting would be implemented as SOAP and/or REST based web services. Additionally, a reference implementation of a reporting client UI would be developed.<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
AppSensor is written in Java, and the initial client will be for Java, so a good knowledge of this language is recommended. Some knowledge of REST and SOAP based web services would also be useful, but not essential. Additionally, some experience in a modern UI development framework would be beneficial, presumably an RIA style framework. Finally, basic knowledge of application security would be very helpful.<br />
<br />
'''Mentor:''' John Melton - OWASP AppSensor Development Leader<br />
<br />
=== ESAPI ===<br />
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.<br />
<br />
'''Website''' http://www.esapi.org<br />
<br />
'''Mailing List:''' https://lists.owasp.org/mailman/listinfo/esapi-dev<br />
<br />
==== Project 001 - Port ESAPI 2.0.x to ESAPI-PHP ====<br />
<br />
'''Brief Explanation:'''<br />
<br />
The ESAPI-PHP Project has become outdated and needs to be brought up-to-date with the latest ESAPI 2.0 specification. <br />
<br />
'''Expected Results:'''<br />
<br />
PHP-Library with ESAPI 2.x functionality.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
ESAPI 2.0.x is written in Java, so an understanding of the Java programming language is required as well as proficiency in PHP. Additionally, a basic understanding of application security would be desireable.<br />
<br />
'''Mentor:''' Chris Schmidt - ESAPI Project Leader<br />
<br />
==== Project 002 - Resolve Bugs for ESAPI 2.1.0 Roadmap ====<br />
<br />
'''Brief Explanation:'''<br />
<br />
There are several outstanding issues in the ESAPI Bugtracker (http://code.google.com/p/owasp-esapi-java/issues/list) that need to be addressed for the 2.1.0 release.<br />
<br />
'''Expected Results:'''<br />
<br />
Patches and unit tests to resolve the outstanding ESAPI issues.<br />
<br />
'''Knowledge Prerequisistes:'''<br />
<br />
Comfortable working in Java, writing unit tests using JUnit and creating patch files using svn.<br />
<br />
'''Mentor:''' Chris Schmidt - ESAPI Project Leader / Kevin Wall - ESAPI Java Development Leader<br />
<br />
==== Project 003 - Develop Struts2 Components ====<br />
<br />
'''Brief Explanation:'''<br />
<br />
Struts2 is one of the most widely used Java MVC frameworks, users of ESAPI are regularly looking for pluggable components that they can drop into their application to utilize ESAPI within the context of their application framework. The goal of this task is to create a set of pluggable components that integrate ESAPI into Struts2 to utilize ESAPI Encoders, Validation, and Intrusion Detection with the least amount of manual work and configuration.<br />
<br />
'''Expected Results:'''<br />
<br />
A standalone project that uses ESAPI Components in a Struts2 add-on.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
A solid understanding of Java and Apache Struts, comfort developing unit tests in JUnit and functional tests using Selenium as well as maintaining a Maven build.<br />
<br />
'''Mentor:''' Chris Schmidt - ESAPI Project Leader<br />
<br />
==== Project 004 - JSR-303 Bean Validation Provider ====<br />
<br />
'''Brief Explanation'''<br />
<br />
JSR-303 is a huge step forward in the way that validation is performed. There are currently 2 implementations of the JSR-303 specification - Hibernate-Validator and Apache BVal. Both of these libraries have demonstrated a lack of security driven validation and focused on using Constraints for business validation purposes. There are also key steps missing in the implementations, most notably - canonicalization of data prior to validation. The goal of this task will be to create a proof of concept implementation of the JSR-303 specification that passes all tests in the Java Compatibility Kit and utilizes the ESAPI Validators to implement constraints.<br />
<br />
'''Expected Results:'''<br />
<br />
A proof of concept implementation of the JSR-303 specification as a standalone JAR<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java, especially utilizing advanced JDK5+ features such as Annotations and writing custom annotation processors.<br />
<br />
'''Mentor:''' Chris Schmidt - ESAPI Project Leader<br />
<br />
==== Project 005 - Mobile Service Provider ====<br />
<br />
'''Brief Explanation:'''<br />
<br />
The mobile platform continues to grow exponentially and there has been very little movement of exposing security functionality to mobile applications. Creation of a mobile service platform that exposes security controls to mobile applications would make great strides towards providing mobile application developers with the means to write more secure code on mobile clients.<br />
<br />
'''Expected Results:'''<br />
<br />
A WebService container (Jersey or SOAP) that exposes key controls (output encoding, input validation, secure logging, security policy, access control, authentication) to clients using a simple interface.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Familiarity with Java and Apache-WS or Jersey. An understanding of the mobile platform would also be extremely useful.<br />
<br />
'''Mentor:''' Chris Schmidt - ESAPI Project Leader</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=User:Chris_Schmidt&diff=123264User:Chris Schmidt2012-01-26T03:17:06Z<p>Chris Schmidt: </p>
<hr />
<div>Chris is currently the Project Leader for the OWASP ESAPI Projects and also serves on the OWASP Global Projects Committee. He has been involved with OWASP for 4 years and has spoken at many OWASP events about the benefits of the Enterprise Security API as well as participated in Leadership discussions amongst the organization.<br />
<br />
During the day, Chris is an Application Security Engineer and Senior Software Engineer for Aspect Security where he has been since fall 2010. Prior to joining the team at Aspect Security he spent 5 years as 'Black Ops Beef' for ServiceMagic Inc with the official title of Software Engineer. Before getting involved in software professionally, Chris worked in hardware as a Senior Field Service Engineer providing hardware and software support for PC’s, Servers, Midrange Systems and Peripherals for 9 years.<br />
<br />
In addition to his professional career he is also a musician with several ongoing projects and enjoys cold beer and long walks in the park.<br />
<br />
Links:<br/><br />
* Blog: [http://yet-another-dev.blogspot.com Yet Another Developer's Blog]<br />
* Twitter: [https://twitter.com/carne Carne]<br />
* LinkedIn: [http://www.linkedin.com/in/chrisschmidt Chris Schmidt]</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Training/Defense_Against_The_Dark_Arts_-_ESAPI&diff=123263OWASP AppSec DC 2012/Training/Defense Against The Dark Arts - ESAPI2012-01-26T03:13:13Z<p>Chris Schmidt: </p>
<hr />
<div>__NOTOC__<br />
{{:OWASP AppSec DC 2012 Header}}<br />
==Description==<br />
'''Course Length: 2 Day'''<br />
<br />
It has been said that software engineering is 10% engineering and 90% art. Given the same set of technical specifications, two engineers will have drastically different methods of addressing those specifications. This is the beauty of innovation and forward thinking, and while it is this type of creative problem solving that has kept the technical industry lurching forward in large strides – it is also the boon of application security. Enter the Enterprise Security API – a central repository for engineers to solve security concerns in application code. I have said many times that it should not be the responsibility of the engineers cranking out code every day to design security controls. It is difficult to remain on the bleeding edge of Application Security and Software Engineering at the same time and even more difficult to bring these two disciplines together into a cohesive, reusable component that addresses the threats specific to an organization.<br />
<br />
This course will illustrate the importance of having an Enterprise Security API and how to effectively design, build and deploy a solution that addresses the Threat Model of the single application or enterprise application portfolio.<br />
<br />
Topics Include (but are not necessarily limited to)<br />
* ESAPI Architecture<br />
* Security Controls Overview<br />
* OWASP Reference Implementations<br />
* Designing Custom Controls<br />
* Integrating with existing Applications<br />
* Starting Fresh<br />
* Enterprise Security Configuration<br />
* Error Handling, Logging and Intrusion Detection/Prevention<br />
* Authentication and Authorization<br />
* Validation and Encoding<br />
<br />
==Student Requirements==<br />
Laptop Required: <br/><br />
Students Need to Bring:<br/><br />
1) Laptop with wireless network adapter<br/><br />
2) VMWare Player<br/><br />
<br />
==Objectives==<br />
Audience: Technical<br />
Skill Level: Intermediate<br />
<br />
1) What ESAPI is and what it isn't<br>2) How do I integrate ESAPI into an existing application?<br>3) How do I solve <problem> using ESAPI?<br><br>Additionally, each student will walk away with a set of fully reusable ESAPI components that they will be able to use in real world applications and a certificate of completion.<br />
==Instructor==<br />
[https://www.owasp.org/index.php/User:Chris_Schmidt Chris Schmidt]<br />
[[Category:AppSec_DC_2012_Training]]<br />
{{:OWASP AppSec DC 2012 Footer}}</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Training/Defense_Against_The_Dark_Arts_-_ESAPI&diff=123256OWASP AppSec DC 2012/Training/Defense Against The Dark Arts - ESAPI2012-01-26T03:04:09Z<p>Chris Schmidt: </p>
<hr />
<div>__NOTOC__<br />
{{:OWASP AppSec DC 2012 Header}}<br />
==Description==<br />
'''Course Length: 2 Day'''<br />
<br />
This course will focus on using the OWASP ESAPI for Java to solve real-world security issues. In the course students will learn how to leverage the ESAPI library to design and implement reusable security controls in an enterprise environment. This is a laptops out event and students will walk away with a toolkit of reusable components that they can use in real situation to solve security issues in Java applications.<br />
==Student Requirements==<br />
Laptop Required: <br />
Students Need to Bring:<br />
1) Laptop with wireless network adapter<br />
2) VMWare Player<br />
<br />
==Objectives==<br />
Audience: Technical<br />
Skill Level: Intermediate<br />
<br />
1) What ESAPI is and what it isn't<br>2) How do I integrate ESAPI into an existing application?<br>3) How do I solve <problem> using ESAPI?<br><br>Additionally, each student will walk away with a set of fully reusable ESAPI components that they will be able to use in real world applications and a certificate of completion.<br />
==Instructor==<br />
Chris Schmidt<br />
[[Category:AppSec_DC_2012_Training]]<br />
{{:OWASP AppSec DC 2012 Footer}}</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=GPC_Project_Details/OWASP_Enterprise_Security_API&diff=118907GPC Project Details/OWASP Enterprise Security API2011-10-12T04:24:59Z<p>Chris Schmidt: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>OWASP Project Identification Tab</noinclude><br />
| project_name = OWASP Enterprise Security API<br />
| project_description = ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development. Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:<br />
<br />
* '''There is a set of security control interfaces.''' They define for example types of parameters that are passed to types of security controls. <br />
<br />
* '''There is a reference implementation for each security control.''' The logic is not organization‐specific and the logic is not application‐specific. An example: string‐based input validation.<br />
<br />
* '''There are optionally your own implementations for each security control.''' There may be application logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.<br />
| project_license = [http://en.wikipedia.org/wiki/BSD_license BSD license]<br />
| leader_name =Chris Schmidt<br />
| leader_email = chris.schmidt@owasp.org<br />
| leader_username = Chris_Schmidt<br />
| past_leaders_special_contributions = Jeff Williams, Dave Wichers<br />
| maintainer_name = <br />
| maintainer_email = <br />
| maintainer_username =<br />
| contributor_name1 = Kevin Wall<br />
| contributor_email1 = <br />
| contributor_username1 = <br />
| contributor_name2 = Jim Manico<br />
| contributor_email2 = <br />
| contributor_username2 = <br />
| contributor_name3 = Jeff Williams<br />
| contributor_email3 = <br />
| contributor_username3 = <br />
| contributor_name4 = Dave Wichers<br />
| contributor_email4 = <br />
| contributor_username4 = <br />
| contributor_name5 = John Steven<br />
| contributor_email5 = <br />
| contributor_username5 = <br />
| contributor_name6 = <br />
| contributor_email6 = <br />
| contributor_username6 = <br />
| contributor_name7 = <br />
| contributor_email7 = <br />
| contributor_username7 = <br />
| contributor_name8 = <br />
| contributor_email8 = <br />
| contributor_username8 = <br />
| contributor_name9 = <br />
| contributor_email9 = <br />
| contributor_username9 = <br />
| contributor_name10 = <br />
| contributor_email10 = <br />
| contributor_username10 = <br />
| pamphlet_link = http://www.owasp.org/images/8/81/Esapi-datasheet.pdf<br />
| presentation_link = http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt<br />
| mailing_list_name = esapi-user<br />
| links_url1 = http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Downloads<br />
| links_name1 = General ESAPI information<br />
| links_url2 = http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API/Sub-Projects<br />
| links_name2 = ESAPI/Sub-Projects<br />
| project_road_map = <br />
| project_health_status = <br />
| current_release_name = <br />
| current_release_date = <br />
| current_release_download_link = <br />
| current_release_rating = <br />
| current_release_leader_name = <br />
| current_release_leader_email = <br />
| current_release_leader_username =<br />
| current_release_details = <br />
| last_reviewed_release_name = <br />
| last_reviewed_release_date = <br />
| last_reviewed_release_download_link = <br />
| last_reviewed_release_rating = <br />
| last_reviewed_release_leader_name = <br />
| last_reviewed_release_leader_email = <br />
| last_reviewed_release_leader_username = <br />
| old_release_name1 = <br />
| old_release_date1 = <br />
| old_release_download_link1 = <br />
| old_release_name2 = <br />
| old_release_date2 = <br />
| old_release_download_link2 = <br />
| old_release_name3 = <br />
| old_release_date3 = <br />
| old_release_download_link3 = <br />
| old_release_name4 = <br />
| old_release_date4 = <br />
| old_release_download_link4 = <br />
| old_release_name5 = <br />
| old_release_date5 = <br />
| old_release_download_link5 = <br />
| last_GPC_update = 4/10/2009<br />
| GPC_Notes = Empty template (ESAPI Global)<br />
| project_home_page = :Category:OWASP_Enterprise_Security_API<br />
| project_details_wiki_page = GPC_Project_Details/OWASP_Enterprise_Security_API<br />
}}</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=OWASP_Connections_Committee_-_Application_7&diff=118022OWASP Connections Committee - Application 72011-09-26T16:15:10Z<p>Chris Schmidt: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''<br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">Jerry Hoff<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|OWASP Video Series<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|OWASP Connection Committee<br />
|}<br />
----<br />
<br />
<br />
----<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. <br />
An incomplete application will not be considered for vote.<br />
----<br />
<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS''' <br />
|- <br />
! align="center" style="background:white; color:white"|<font color="black"><br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content''' <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''1'''<br />
| style="width:20%; background:#cccccc" align="center"| Jim Manico<br />
| style="width:20%; background:#cccccc" align="center"| Connection Committee Chair<br />
| style="width:57%; background:#cccccc" align="center"| We need Jerrys help!<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''2'''<br />
| style="width:20%; background:#cccccc" align="center"| Ludovic Petit<br />
| style="width:20%; background:#cccccc" align="center"| Chapter leader OWASP France, Connections Committee Member <br />
| style="width:57%; background:#cccccc" align="center"| We need guys like Jerry. His work is both a must and serves the Owasp voice, definitely!<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''3'''<br />
| style="width:20%; background:#cccccc" align="center"| Jack Mannino<br />
| style="width:20%; background:#cccccc" align="center"| Mobile Security Project<br />
| style="width:57%; background:#cccccc" align="center"| Jerry has great ideas on how to promote application security, and the drive to get it done.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''4'''<br />
| style="width:20%; background:#cccccc" align="center"| Chris Schmidt<br />
| style="width:20%; background:#cccccc" align="center"| GPC / ESAPI <br />
| style="width:57%; background:#cccccc" align="center"| Jerry has great vision and ideas on how to make AppSec visible and accessible - he would be a great addition to the GCC<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''5'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|}<br />
----</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Summit&diff=116202ESAPI Summit2011-08-24T05:45:51Z<p>Chris Schmidt: </p>
<hr />
<div>== Summit 2011 ==<br />
<br />
=== Summit Overview ===<br />
<br />
The ESAPI Summit will be held on September 21, 2011 at [http://www.appsecusa.org OWASP AppSec USA 2011] in Minneapolis, Minnesota. <br />
<br />
=== Agenda ===<br />
<br />
{| cellspacing="2" cellpadding="2" style="border: 2px solid black;"<br />
|- style="background-color: navy;"<br />
! style="color: white;" | Start <br />
! style="color: white;" | End <br />
! style="color: white;" | Topic <br />
! style="color: white;" | Description <br />
! style="color: white;" | Deliverables<br />
|- style="background-color: lightgray;"<br />
| 0900 <br />
| 0930 <br />
| Mission Briefing <br />
| Brief summary of where we've been, administrative changes, and outlining the goals and purpose of the Summit <br />
| n/a<br />
|-<br />
| 0930 <br />
| 1030 <br />
| The ESAPI Specification 1.0 <br />
| Review the high level API and determine what methods should remain as '''core''' API's and what should be moved upstream to higher level API's (ie ESAPI-Web, ESAPI-Mobile, etc) <br />
| <br />
*[[ESAPI Specification Overview]]<br />
<br />
|- style="background-color: lightblue;"<br />
| 1030 <br />
| 1045 <br />
| colspan="3" | Coffee Break<br />
|- style="background-color: lightgray;"<br />
| 1045 <br />
| 1200 <br />
| The ESAPI Roadmap <br />
| Take a look at the existing Roadmap, create the roadmap for the next several release cycles. <br />
|<br />
*[[ESAPI Roadmap]]<br />
|- style="background-color: lightblue;"<br />
| 1200 <br />
| 1300 <br />
| colspan="3" | Lunch Break and Open Conversation (Provided by OWASP/ESAPI)<br />
|- style="background-color: lightgray;"<br />
| 1300 <br />
| 1400 <br />
| ESAPI Policies <br />
| Formally define how to processes for contributers, community, sponsors, submitting issues, reporting security vulnerabilities<br />
| <br />
*[[ESAPI How To Contribute]] <br />
*[[ESAPI Community Contributions]] <br />
*[[ESAPI Sponsoring]] <br />
*[[ESAPI Submitting Issues]] <br />
*[[ESAPI Vulnerability Reporting]]<br />
|- style="background-color: lightgray;"<br />
| 1400 <br />
| 1500 <br />
| ESTAPI Framework <br />
| How do we test and ensure that implementations meet the specifications defined in the API in a cross-platform and demonstratible manner? <br />
| <br />
*[[ESAPI Testing Framework]]<br />
|- style="background-color: lightblue;"<br />
| 1500<br />
| 1515 <br />
| colspan="3" | Coffee Break<br />
|-<br />
| 1515 <br />
| 1615 <br />
| Documentation <br />
| Identify a Roadmap for ESAPI Documentation. Elect someone to champion this cause and find resources to address the documentation needs. Determine funding levels and budget needed for documentation to happen. <br />
| <br />
*[[ESAPI Documentation Roadmap]] <br />
*[[ESAPI Documentation Sub-Project]] <br />
*[[ESAPI Documentation Sub-Project Budget]]<br />
<br />
|- style="background-color: lightgray;"<br />
| 1615<br />
| 1630 <br />
| Mission De-Briefing <br />
| We have accomplished a lot in the last 3 years as a team. This will be a quick wrap-up by Chris on the 2nd ESAPI Summit Day. <br />
| n/a<br />
|- style="background-color: lightblue;"<br />
| 2100 <br />
| ???? <br />
| ESAPI 2.0GA Release Celebration <br />
| Celebrate the release of ESAPI 2.0GA (and beyond) with beers with the ESAPI Team (Sponsors/Location: TBA) <br />
| n/a<br />
|}<br />
<br />
<noinclude><br />
=== Attending the ESAPI Summit ===<br />
<br />
If you are planning to attend this summit, please [https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dHBEQ1YtVlcyWHp1RTZ6cHJHdENDc1E6MQ add your name here] so that we can ensure that we have adequate space and materials for everyone.<br />
<br />
* [[User:Chris Schmidt|Chris Schmidt]] - Meeting Leader<br />
* [[User:jmanico|Jim Manico]] - ESAPI Project Manager<br />
* [[User:John Steven|jOHN Steven]] - Cigital Principal, ESAPI Malcontent<br />
* [[User:Kevin W. Wall|Kevin Wall]] - CenturyLink; ESAPI crypto guy<br />
<br />
<noinclude><br />
<br />
== Summit 2008 ==<br />
<br />
=== Summit Overview ===<br />
<br />
The first OWASP ESAPI Summit was held December 9-11, 2008. It was hosted by Aspect Security in their Columbia, MD office.<br />
<br />
The following were the attendees of the Summit:<br />
<br />
*[[User:Jeff Williams|Jeff Williams]], Aspect Security - [[ESAPI|ESAPI Project Lead]]<br />
*[[User:Wichers|Dave Wichers]], Aspect Security - [http://code.google.com/p/owasp-esapi-java/ ESAPI Java Committer]<br />
*Ron Monzillo, Sun Microsystems - [http://java.sun.com/javaee/security/ Java EE Security Architect] <br />
*[[User:Arshan|Arshan Dabirsiaghi]], Aspect Security - [[:Category:Intrinsic_Security_Working_Group|OWASP Intrisic Security Working Group Chair]]<br />
*[[User:Jerryhoff|Jerry Hoff]], Aspect Security<br />
*[[User:Mikehfauzy|Mike Fauzy]], Aspect Security<br />
*[[User:Kevin.Fealey|Kevin Fealey]], Aspect Security - [[ESAPI Swingset|ESAPI Swingset Lead]]<br />
*[[User:Jmanico|Jim Manico]], Aspect Security - [http://code.google.com/p/owasp-esapi-java/ ESAPI Java Committer]<br />
*Steve Lavenhar, Booz Allen Hamilton<br />
*Lian Jin, Booz Allen Hamilton<br />
*John Steven, Cigital, Technical Director<br />
*Joel Winstead, Cigital<br />
*Alex Smolen, Foundstone - [[.NET ESAPI | ESAPI .NET Lead]]<br />
*Andy Miller, Lockheed Martin<br />
*John Munsch, Lockheed Martin<br />
*Steve Christey, MITRE - [http://cve.mitre.org CVE]/[http://cwe.mitre.org CWE] Project Lead<br />
<br />
The following pages contain our thoughts/results from the summit.<br />
<br />
Summary: TODO<br />
<br />
=== Links ===<br />
<br />
* [[ESAPI Charter]]<br />
* [[ESAPI Roadmap]]<br />
* [[ESAPI Adoption Strategy]]<br />
* [[ESAPI Framework Strategy]]<br />
* [[ESAPI Assurance]]<br />
* [[ESAPI Documentation]]<br />
* [[ESAPI Marketing]]<br />
* [[ESAPI Tooling]]<br />
* [[ESAPI Static Analysis Support]]<br />
* [[ESAPI Performance]]<br />
* [[ESAPI Internationalization]]<br />
* [[ESAPI Installation]]<br />
<br />
=== Design ===<br />
<br />
* [[ESAPI API]]<br />
<br />
=== Features ===<br />
<br />
* [[ESAPI Validation]]<br />
* [[ESAPI Canonicalization]]<br />
* [[ESAPI Encoding]]<br />
* [[ESAPI Authentication]]<br />
* [[ESAPI Session Management]]<br />
* [[ESAPI Access Control]]<br />
* [[ESAPI Encryption]]<br />
* [[ESAPI Randomizer]]<br />
* [[ESAPI Error Handling]]<br />
* [[ESAPI Logging]]<br />
* [[ESAPI Intrusion Detection]]<br />
* [[ESAPI HTTP Protection]]<br />
* [[ESAPI Utilities]]<br />
* [[ESAPI Filters]]<br />
<br />
__NOTOC__<br />
[[Category:OWASP Enterprise Security API]]<br />
</noinclude></div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Summit&diff=116034ESAPI Summit2011-08-20T22:21:06Z<p>Chris Schmidt: </p>
<hr />
<div>== Summit 2011 ==<br />
<br />
=== Summit Overview ===<br />
<br />
The ESAPI Summit will be held on September 21, 2011 at [http://www.appsecusa.org OWASP AppSec USA 2011] in Minneapolis, Minnesota.<br />
<br />
=== Agenda ===<br />
<br />
{| cellpadding="2" cellspacing="2" style="border: 2px solid black;"<br />
|- style="background-color: navy;"<br />
! style="color: white;" | Start<br />
! style="color: white;" | End<br />
! style="color: white;" | Topic<br />
! style="color: white;" | Description<br />
! style="color: white;" | Deliverables<br />
|-style="background-color: lightgray;"<br />
| 0900<br />
| 0930<br />
| Mission Briefing<br />
| Brief summary of where we've been, administrative changes, and outlining the goals and purpose of the Summit<br />
| n/a<br />
|- <br />
| 0930<br />
| 1030<br />
| The ESAPI Specification 1.0<br />
| Review the high level API and determine what methods should remain as '''core''' API's and what should be moved upstream to higher level API's (ie ESAPI-Web, ESAPI-Mobile, etc)<br />
| <br />
* [[ESAPI Specification Overview]]<br />
|- style="background-color: lightblue;"<br />
| 1030<br />
| 1045<br />
| colspan="3" | Coffee Break<br />
|- style="background-color: lightgray;"<br />
| 1045<br />
| 1200<br />
| The ESAPI Specification 1.0<br />
| colspan="2" | Continuation of the API Specification <br />
|- style="background-color: lightblue;"<br />
| 1200<br />
| 1300<br />
| colspan="3" | Lunch Break and Open Conversation (Provided by OWASP/ESAPI)<br />
|- style="background-color: lightgray;"<br />
| 1300<br />
| 1400<br />
| The ESAPI Roadmap<br />
| Take a look at the existing Roadmap, create the roadmap for the next several release cycles.<br />
| <br />
* [[ESAPI Roadmap]]<br />
|- <br />
| 1400<br />
| 1500<br />
| ESAPI Policies<br />
| Formally define how to processes for contributers, community, sponsors, submitting issues, reporting security vulnerabilities<br />
| <br />
* [[ESAPI How To Contribute]] <br />
* [[ESAPI Community Contributions]] <br />
* [[ESAPI Sponsoring]] <br />
* [[ESAPI Submitting Issues]] <br />
* [[ESAPI Vulnerability Reporting]]<br />
|- style="background-color: lightgray;"<br />
| 1500<br />
| 1630<br />
| ESTAPI Framework<br />
| How do we test and ensure that implementations meet the specifications defined in the API in a cross-platform and demonstratible manner?<br />
| <br />
* [[ESAPI Testing Framework]]<br />
|- style="background-color: lightblue;"<br />
| 1630<br />
| 1645 <br />
| colspan="3" | Coffee Break<br />
|- <br />
| 1645<br />
| 1745<br />
| Documentation<br />
| Identify a Roadmap for ESAPI Documentation. Elect someone to champion this cause and find resources to address the documentation needs. Determine funding levels and budget needed for documentation to happen.<br />
|<br />
* [[ESAPI Documentation Roadmap]]<br />
* [[ESAPI Documentation Sub-Project]]<br />
* [[ESAPI Documentation Sub-Project Budget]]<br />
|- style="background-color: lightgray;"<br />
| 1745<br />
| 1800<br />
| Mission De-Briefing<br />
| We have accomplished a lot in the last 3 years as a team. This will be a quick wrap-up by Chris on the 2nd ESAPI Summit Day.<br />
| n/a<br />
|- style="background-color: lightblue;"<br />
| 1800<br />
| ????<br />
| ESAPI 2.0GA Release Celebration<br />
| Celebrate the release of ESAPI 2.0GA (and beyond) with beers with the ESAPI Team (Sponsors: TBA)<br />
| n/a<br />
|}<br />
<br />
=== Attending the ESAPI Summit ===<br />
<br />
If you are planning to attend this summit, please list your name below so that we can ensure that we have adequate space and materials for everyone.<br />
<br />
* [[User:Chris Schmidt|Chris Schmidt]] - Meeting Leader<br />
* [[User:jmanico|Jim Manico]] - ESAPI Project Manager<br />
* [[User:John Steven|jOHN Steven]] - Cigital Principal, ESAPI Malcontent<br />
<br />
== Summit 2008 ==<br />
<br />
=== Summit Overview ===<br />
<br />
The first OWASP ESAPI Summit was held December 9-11, 2008. It was hosted by Aspect Security in their Columbia, MD office.<br />
<br />
The following were the attendees of the Summit:<br />
<br />
*[[User:Jeff Williams|Jeff Williams]], Aspect Security - [[ESAPI|ESAPI Project Lead]]<br />
*[[User:Wichers|Dave Wichers]], Aspect Security - [http://code.google.com/p/owasp-esapi-java/ ESAPI Java Committer]<br />
*Ron Monzillo, Sun Microsystems - [http://java.sun.com/javaee/security/ Java EE Security Architect] <br />
*[[User:Arshan|Arshan Dabirsiaghi]], Aspect Security - [[:Category:Intrinsic_Security_Working_Group|OWASP Intrisic Security Working Group Chair]]<br />
*[[User:Jerryhoff|Jerry Hoff]], Aspect Security<br />
*[[User:Mikehfauzy|Mike Fauzy]], Aspect Security<br />
*[[User:Kevin.Fealey|Kevin Fealey]], Aspect Security - [[ESAPI Swingset|ESAPI Swingset Lead]]<br />
*[[User:Jmanico|Jim Manico]], Aspect Security - [http://code.google.com/p/owasp-esapi-java/ ESAPI Java Committer]<br />
*Steve Lavenhar, Booz Allen Hamilton<br />
*Lian Jin, Booz Allen Hamilton<br />
*John Steven, Cigital, Technical Director<br />
*Joel Winstead, Cigital<br />
*Alex Smolen, Foundstone - [[.NET ESAPI | ESAPI .NET Lead]]<br />
*Andy Miller, Lockheed Martin<br />
*John Munsch, Lockheed Martin<br />
*Steve Christey, MITRE - [http://cve.mitre.org CVE]/[http://cwe.mitre.org CWE] Project Lead<br />
<br />
The following pages contain our thoughts/results from the summit.<br />
<br />
Summary: TODO<br />
<br />
=== Links ===<br />
<br />
* [[ESAPI Charter]]<br />
* [[ESAPI Roadmap]]<br />
* [[ESAPI Adoption Strategy]]<br />
* [[ESAPI Framework Strategy]]<br />
* [[ESAPI Assurance]]<br />
* [[ESAPI Documentation]]<br />
* [[ESAPI Marketing]]<br />
* [[ESAPI Tooling]]<br />
* [[ESAPI Static Analysis Support]]<br />
* [[ESAPI Performance]]<br />
* [[ESAPI Internationalization]]<br />
* [[ESAPI Installation]]<br />
<br />
=== Design ===<br />
<br />
* [[ESAPI API]]<br />
<br />
=== Features ===<br />
<br />
* [[ESAPI Validation]]<br />
* [[ESAPI Canonicalization]]<br />
* [[ESAPI Encoding]]<br />
* [[ESAPI Authentication]]<br />
* [[ESAPI Session Management]]<br />
* [[ESAPI Access Control]]<br />
* [[ESAPI Encryption]]<br />
* [[ESAPI Randomizer]]<br />
* [[ESAPI Error Handling]]<br />
* [[ESAPI Logging]]<br />
* [[ESAPI Intrusion Detection]]<br />
* [[ESAPI HTTP Protection]]<br />
* [[ESAPI Utilities]]<br />
* [[ESAPI Filters]]<br />
<br />
__NOTOC__<br />
[[Category:OWASP Enterprise Security API]]</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Specification&diff=112399ESAPI Specification2011-06-18T03:52:31Z<p>Chris Schmidt: </p>
<hr />
<div><pre>This document is currently under development - Please use the Discussion page for threaded conversation</pre><br />
<br />
= Proposed Migration Roadmap =<br />
* ESAPI 2.1<br />
** Create new package '''org.owasp.esapi.core'''<br />
** Create new set of Interfaces in new package with each extending it's '''org.owasp.esapi''' counterpart<br />
** Deprecate methods in '''org.owasp.esapi''' Interfaces<br />
* ESAPI 2.5<br />
** Remove deprecated methods that were deprecated at or before ESAPI 2.0<br />
** Introduce new ServiceLocator API<br />
* ESAPI 3.0<br />
** Seperate Core API into it's own artifact/project called ESAPI-Core<br />
** Create new set of artifacts as outlined in [[ESAPI_Project_Structure]]<br />
** Introduce Core API Testing Suite<br />
<br />
= Core API Specification =<br />
<br />
== AccessController ==<br />
The AccessController is responsible for determining if the currently logged in user has access to a given resource. The resource can be anything that implements the [[#Resource|Resource]] Interface.<br />
<br />
=== Changes from ESAPI 2.0 ===<br />
* Removed deprecated methods<br />
* Added Generic Stereotypes to the Resource and Context parameters)<br />
<br />
=== StereoTypes ===<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Description<br />
|-<br />
| R <br />
| A class that implements the [[#Resource|Resource]] Interface and represents the [[#Resource|Resource]] the user is requesting access to <br />
|-<br />
| Context <br />
| Any object that represents the current context of the Authorization request - this is generally a Key-Value map <br />
|}<br />
<br />
=== Methods ===<br />
<br />
==== <R extends Resource,Context> void assertAuthorized(Resource resource, Context context) throws AccessDeniedException ====<br />
Assert that the currently logged in user can access the given [[#Resource|Resource]] with the given Context parameters<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Exceptions =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Exception<br />
! Description<br />
|-<br />
| [[#AccessDeniedException|AccessDeniedException]]<br />
| If the assertion evaluates to false, an AccessControlException will be thrown with contextual information as to the reason for the failure<br />
|}<br />
<br />
==== <R extends Resource,Context> boolean isAuthorized(Resource resource, Context context) ====<br />
Determine if the given resource is accessible by the currently logged in [[#User|User]]<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Return =====<br />
Returns true if the resource is accessible to the currently logged in user and false if it is not.<br />
<br />
== AccessReferenceMap<Key> ==<br />
The AccessReferenceMap interface is used to map from a set of internal direct object references to a set of indirect references that are safe to disclose publicly. This can be used to help protect database keys, filenames, and other types of direct object references. As a rule, developers should not expose their direct object references as it enables attackers to attempt to manipulate them.<br />
<br />
Indirect references are handled as strings, to facilitate their use in HTML. Implementations can generate simple integers or more complicated random character strings as indirect references. Implementations should probably add a constructor that takes a list of direct references.<br />
<br />
Note that in addition to defeating all forms of parameter tampering attacks, there is a side benefit of the AccessReferenceMap. Using random strings as indirect object references, as opposed to simple integers makes it impossible for an attacker to guess valid identifiers. So if per-user AccessReferenceMaps are used, then request forgery (CSRF) attacks will also be prevented.<br />
<br />
=== StereoTypes ===<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Description<br />
|-<br />
| Key<br />
| The type of object to use for a key in the AccessReferenceMap<br />
|}<br />
<br />
=== Methods ===<br />
<br />
==== <Type> Key addDirectReference(Type direct) ====<br />
Adds a direct reference to the AccessReferenceMap, then generates and returns an associated indirect reference.<br />
<br />
===== StereoTypes =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Description<br />
|-<br />
| Type<br />
| The type for the direct reference<br />
|}<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| direct<br />
|<br />
| The direct reference<br />
|}<br />
<br />
===== Return =====<br />
The key for the added Direct Reference<br />
<br />
==== <Type> Type getDirectReference(Key key) ====<br />
Get the original direct object reference from an indirect reference. Developers should use this when they get an indirect reference from a request to translate it back into the real direct reference. If an invalid indirect reference is requested, then an AccessControlException is thrown. If a type is implied the requested object will be cast to that type, if the object is not of the requested type, a AccessControlException will be thrown to the caller.<br />
<br />
===== StereoTypes =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Description<br />
|-<br />
| Type<br />
| The type for the direct reference<br />
|}<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| key<br />
| <br />
| The indirect reference<br />
|}<br />
<br />
===== Return =====<br />
The direct reference<br />
<br />
===== Exceptions =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Exception<br />
! Description<br />
|-<br />
| [[#AccessDeniedException|AccessDeniedException]]<br />
| If the requested reference does not exist or the implied type is incorrect.<br />
|}<br />
<br />
==== <Type> Key getIndirectReference(Type directReference) ====<br />
Get a safe indirect reference to use in place of a potentially sensitive direct object reference.<br />
<br />
===== StereoTypes =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Description<br />
|-<br />
| Type<br />
| The type for the direct reference<br />
|}<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| direct<br />
|<br />
| The direct reference<br />
|}<br />
<br />
===== Return =====<br />
The indirect reference<br />
<br />
==== <Type> Key removeDirectReference(Type directReference) ====<br />
Removes a direct reference and its associated indirect reference from the AccessReferenceMap.<br />
<br />
==== <Type> void update(Set<Type> directReferences) ====<br />
Updates the access reference map with a new set of direct references, maintaining any existing indirect references associated with items that are in the new list.<br />
<br />
== Authenticator ==<br />
<br />
=== Methods ===<br />
<br />
==== User login() throws AuthenticationException ====<br />
<br />
==== void logout() throws AuthenticationException ====<br />
<br />
== Codec ==<br />
<br />
=== Methods ===<br />
<br />
==== String encode(char c) ====<br />
<br />
==== String decode(String s) ====<br />
<br />
== Encoder ==<br />
<br />
=== Methods ===<br />
<br />
==== String encode(String s) ====<br />
<br />
==== String decode(String s) ====<br />
<br />
==== void addCodec(Codec c) ====<br />
<br />
==== Set<Codec> getCodecs() ====<br />
<br />
==== void setCodecs(Set<Codec> codecs) ====<br />
<br />
== Encryptor ==<br />
<br />
=== Methods ===<br />
<br />
==== PlainText decrypt(CipherText cipherText, SecretKey secretKey) throws EncryptionException ====<br />
<br />
==== CipherText encrypt(PlainText plainText, SecretKey secretKey) throws EncryptionException ====<br />
<br />
==== MessageDigest hash(PlainText plainText, Salt salt, Integer iterations) throws EncryptionException ====<br />
<br />
==== String seal(String data, Long timestamp) throws EncryptionException ====<br />
<br />
==== String sign(String data) throws EncryptionException ====<br />
<br />
==== String unseal(String sealedData) throws EncryptionException ====<br />
<br />
==== void verifySeal(String sealedData) throws DataIntegrityException ====<br />
<br />
==== void verifySignature(String signature, String data) throws InvalidSignatureException ====<br />
<br />
== Executor ==<br />
<br />
=== Methods ===<br />
<br />
==== ExecutorResult executeSystemCommand(ExecutorTarget target, Encoder encoder) throws ExecutionException ====<br />
<br />
== ExecutorResult ==<br />
<br />
===Methods ===<br />
<br />
==== String getErrorOutput() ====<br />
<br />
==== String getStandardOutput() ====<br />
<br />
==== Integer getExitValue() ====<br />
<br />
== ExecutorTarget ==<br />
<br />
=== Methods ===<br />
<br />
==== ''native'' FileHandle getExecutable() ====<br />
<br />
==== ''native'' Handle getWorkingDirectory() ====<br />
<br />
==== OrderedMap<String,String> getParameters() ====<br />
<br />
== IntrusionDetector ==<br />
<br />
=== Methods ===<br />
<br />
==== void addEvent(String eventName, String message) ====<br />
<br />
==== void addException(Throwable exception) ====<br />
<br />
== LogFactory ==<br />
Still thinking this one through<br />
<br />
== Logger ==<br />
Still thinking this one through<br />
<br />
== Randomizer ==<br />
<br />
=== Methods ===<br />
<br />
==== Boolean getRandomBoolean() ====<br />
<br />
==== Byte[] getRandomBytes(Integer len) ====<br />
<br />
==== String getRandomFilename(String extension) ====<br />
<br />
==== String getRandomUUID() ====<br />
<br />
==== Integer getRandomInteger(Integer min, Integer max) ====<br />
<br />
==== Long getRandomLong(Long min, Long max) ====<br />
<br />
==== Float getRandomReal(Float min, Float max) ====<br />
<br />
==== String getRandomString(Integer len, char[] charSet=) ===<br />
<br />
== Resource ==<br />
Marker Interface for Resources that a user can request access to.<br />
<br />
== ServiceLocator ==<br />
<br />
== User ==<br />
<br />
=== Methods ===<br />
<br />
==== <Type> Type getAccountID() ====<br />
<br />
==== String getAccountName() ====<br />
<br />
==== Long getExpirationTime() ====<br />
<br />
==== Integer getFailedLoginCount() ====<br />
<br />
==== Long getLastFailedLoginTime() ====<br />
<br />
==== String getLastHostAddress() ====<br />
<br />
==== Long getLastLoginTime() ====<br />
<br />
==== Long getLastPasswordChangeTime() ====<br />
<br />
==== String getLocale() ====<br />
<br />
==== Set<String> getRoles() ====<br />
<br />
==== String getScreenName() ====<br />
<br />
==== Boolean isAnonymous() ====<br />
<br />
==== Boolean isEnabled() ====<br />
<br />
==== Boolean isExpired() ====<br />
<br />
==== Boolean isInRole(String role) ====<br />
<br />
==== Boolean isLocked() ====<br />
<br />
==== Boolean isLoggedIn() ====<br />
<br />
== Validator ==<br />
<br />
=== Methods ===<br />
<br />
==== <Type> Boolean isValid(Type data) ====<br />
<br />
==== <Type> void assertValid(Type data) ====<br />
<br />
== Exceptions == <br />
<br />
=== AccessDeniedException ===<br />
<br />
=== AccountDisabledException ===<br />
<br />
=== AccountLockedException ===<br />
<br />
=== AuthenticationException ===<br />
<br />
=== EncodingException ===<br />
<br />
=== EncryptionException ===<br />
<br />
=== EnterpriseSecurityException ===<br />
<br />
=== EnterpriseSecurityRuntimeException ===<br />
<br />
=== ExecutionException ===<br />
<br />
=== IncorrectCredentialsException ===<br />
<br />
= Web API Specification =<br />
This API describes the components that can be used in the context of a Web Application. <br />
<br />
== ClientCookie ==<br />
<br />
=== Methods ===<br />
<br />
==== String getName() ====<br />
<br />
==== void setName(String name) ====<br />
<br />
==== String getValue() ====<br />
<br />
==== void setValue(String value) ====<br />
<br />
==== Integer getMaxAge() ====<br />
<br />
==== void setMaxAge(Integer maxAge) ====<br />
<br />
==== String getDomain() ====<br />
<br />
==== void setDomain(String domain) ====<br />
<br />
==== String getPath() ====<br />
<br />
==== void setPath(String path) ====<br />
<br />
==== Boolean isHttpOnly() ====<br />
<br />
==== void setHttpOnly(Boolean httpOnly) ====<br />
<br />
==== Boolean isSecure() ====<br />
<br />
==== void setSecure(Boolean secure) ====<br />
<br />
== SecureHttpRequest ==<br />
<br />
=== Methods ===<br />
<br />
==== void assertSecureChannel() ====<br />
<br />
==== void assertSecureRequest() ====<br />
<br />
==== ClientCookie getCookie(String name) ====<br />
<br />
==== List<FileHandle> getFileUploads() ====<br />
<br />
==== <T> T getAttribute(String name) ====<br />
<br />
==== String getHeader(String header) ====<br />
<br />
==== String getParameter(String name) ====<br />
<br />
==== void sendForward(String url) ====<br />
<br />
==== void verifyCsrfToken() throws CsrfException ====<br />
<br />
== SecureHttpResponse ==<br />
<br />
=== Methods ===<br />
<br />
==== void addCookie(ClientCookie cookie) ====<br />
<br />
==== void addHeader(String key, String value) ====<br />
<br />
==== void killCookies() ====<br />
<br />
==== void sendRedirect(String url) ====<br />
<br />
==== void setContentType(String contentType) ====<br />
<br />
==== void setNoCacheHeaders() ====<br />
<br />
== SecureHttpSession ==<br />
<br />
=== Methods ===<br />
<br />
==== <T> T getAttribute(String key) ====<br />
<br />
== URLResource ==<br />
<br />
=== Extends ===<br />
* [[#Resource|Resource]]<br />
<br />
=== Methods ===<br />
<br />
<br />
== WebUser ==<br />
<br />
=== Methods ===<br />
<br />
==== String getCsrfToken() ====<br />
<br />
==== void resetCsrfToken() ====<br />
<br />
==== void addSession(SecureHttpSession session) ====<br />
<br />
==== void removeSession(SecureHttpSession session) ====<br />
<br />
= Mobile API Specification =<br />
<br />
= Desktop API Specification =<br />
<br />
[[Category:OWASP Enterprise Security API]]</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Mapping&diff=112334ESAPI Mapping2011-06-17T06:48:54Z<p>Chris Schmidt: </p>
<hr />
<div><center><br />
{| style="width: 75%; align:center; text-align:center; border:2px solid #4F81BD; background-color:#F2F2F2; padding=2;"<br />
|- style="background-color: #000; color: #FFF;"<br />
! style="color: #FFF" | Top 10 2010<br />
! style="color: #FFF" colspan="2" | ESAPI Control / ASVS Requirements<br />
|- style="background-color: #FFF"<br />
| rowspan="2" width="34%" style="background-color: #D9D9D9" | [[Top 10 2010-A1|A1-Injection]] <br />
| width="33%" style="background-color: lightgreen" | [[ESAPI Mapping Encoder A1|Encoder]] <br />
| width="33%" style="background-color: lightgreen" | [[ESAPI Mapping Validator A1|Validator]] <br />
|- style="background-color: #FFF"<br />
| style="background-color: #FFB200" | [http://code.google.com/p/owasp-asvs/wiki/Verification_V6 V6: Output Encoding/Escaping]<br />
| style="background-color: #FFB200" | [http://code.google.com/p/owasp-asvs/wiki/Verification_V5 V5: Input Validation]<br />
|- style="background-color: #FFF"<br />
| rowspan="2" | [[Top 10 2010-A2|A2-Cross Site Scripting (XSS)]] <br />
| style="background-color: lightgreen" | [[ESAPI Mapping Encoder A2|Encoder]] <br />
| style="background-color: lightgreen" | [[ESAPI Mapping Validator A2|Validator]]<br />
|- style="background-color: #FFF"<br />
| style="background-color: #FFB200" | [http://code.google.com/p/owasp-asvs/wiki/Verification_V6 V6: Output Encoding/Escaping]<br />
| style="background-color: #FFB200" | [http://code.google.com/p/owasp-asvs/wiki/Verification_V5 V5: Input Validation]<br />
|- style="background-color: #FFF"<br />
| rowspan="2" style="background-color: #D9D9D9" | [[Top 10 2010-A3|A3-Broken Authentication and Session Management]] <br />
| style="background: lightgreen" | [[ESAPI Mapping Authenticator A3|Autenticator]]<br />
| style="background: lightgreen" | [[ESAPI Mapping HttpUtilities A3|HttpUtilities]]<br />
|- style="background-color: #FFF"<br />
| style="background-color: #FFB200" | [http://code.google.com/p/owasp-asvs/wiki/Verification_V2 V2: Authentication]<br />
| style="background-color: #FFB200" | [http://code.google.com/p/owasp-asvs/wiki/Verification_V11 V11: HTTP Security]<br />
|}<br />
<br />
<br />
</center><br />
<br />
[[Category:OWASP Enterprise Security API]]</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Mapping&diff=112333ESAPI Mapping2011-06-17T06:48:31Z<p>Chris Schmidt: Created page with "<center> {| style="width: 75%; align:center; text-align:center; border:2px solid #4F81BD; background-color:#F2F2F2; padding=2;" |- style="background-color: #000; color: #FFF;" ! ..."</p>
<hr />
<div><center><br />
{| style="width: 75%; align:center; text-align:center; border:2px solid #4F81BD; background-color:#F2F2F2; padding=2;"<br />
|- style="background-color: #000; color: #FFF;"<br />
! style="color: #FFF" | Top 10 2010<br />
! style="color: #FFF" colspan="2" | ESAPI Control / ASVS Requirements<br />
|- style="background-color: #FFF"<br />
| rowspan="2" width="34%" style="background-color: #D9D9D9" | [[Top 10 2010-A1|A1-Injection]] <br />
| width="33%" style="background-color: lightgreen" | [[ESAPI Mapping Encoder A1|Encoder]] <br />
| width="33%" style="background-color: lightgreen" | [[ESAPI Mapping Validator A1|Validator]] <br />
|- style="background-color: #FFF"<br />
| style="background-color: #FFB200" | [http://code.google.com/p/owasp-asvs/wiki/Verification_V6 V6: Output Encoding/Escaping]<br />
| style="background-color: #FFB200" | [http://code.google.com/p/owasp-asvs/wiki/Verification_V5 V5: Input Validation]<br />
|- style="background-color: #FFF"<br />
| rowspan="2" | [[Top 10 2010-A2|A2-Cross Site Scripting (XSS)]] <br />
| style="background-color: lightgreen" | [[ESAPI Mapping Encoder A2|Encoder]] <br />
| style="background-color: lightgreen" | [[ESAPI Mapping Validator A2|Validator]]<br />
|- style="background-color: #FFF"<br />
| style="background-color: #FFB200" | [http://code.google.com/p/owasp-asvs/wiki/Verification_V6 V6: Output Encoding/Escaping]<br />
| style="background-color: #FFB200" | [http://code.google.com/p/owasp-asvs/wiki/Verification_V5 V5: Input Validation]<br />
|- style="background-color: #FFF"<br />
| rowspan="2" style="background-color: #D9D9D9" | [[Top 10 2010-A3|A3-Broken Authentication and Session Management]] <br />
| style="background: lightgreen" | [[ESAPI Mapping Authenticator A3|Autenticator]]<br />
| style="background: lightgreen" | [[ESAPI Mapping HttpUtilities A3|HttpUtilities]]<br />
|- style="background-color: #FFF"<br />
| style="background-color: #FFB200" | [http://code.google.com/p/owasp-asvs/wiki/Verification_V2 V2: Authentication]<br />
| style="background-color: #FFB200" | [http://code.google.com/p/owasp-asvs/wiki/Verification_V11 V11: HTTP Security]<br />
|}<br />
<br />
<br />
</center></div>Chris Schmidthttps://wiki.owasp.org/index.php?title=Category:OWASP_Enterprise_Security_API&diff=112331Category:OWASP Enterprise Security API2011-06-17T05:47:54Z<p>Chris Schmidt: </p>
<hr />
<div>==== Home ====<br />
<br />
{| width="100%"<br />
|-<br />
! width="66%" | <br />
! width="33%" | <br />
|- valign="top"<br />
| <br />
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development. <br />
<br />
Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design: <br />
<br />
*'''There is a set of security control interfaces.''' They define for example types of parameters that are passed to types of security controls.<br />
<br />
*'''There is a reference implementation for each security control.''' The logic is not organization‐specific and the logic is not application‐specific. An example: string‐based input validation.<br />
<br />
*'''There are optionally your own implementations for each security control.''' There may be application logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.<br />
<br />
This project source code is licensed under the [http://en.wikipedia.org/wiki/BSD_license BSD license], which is very permissive and about as close to public domain as is possible. The project documentation is licensed under the [http://creativecommons.org/licenses/by-sa/2.0/ Creative Commons] license. You can use or modify ESAPI however you want, even include it in commercial products.<br />
<br />
The following organizations are a few of the many organizations that are starting to adopt ESAPI to secure their web applications: [http://www.americanexpress.com/ American Express], [http://www.apache.org/ Apache Foundation], [http://www.boozallen.com Booz Allen Hamilton], [http://www.aspectsecurity.com/ Aspect Security], [http://www.foundstone.com Foundstone(McAfee)], [http://www.thehartford.com/ The Hartford], [http://www.infinitecampus.com Infinite Campus], [http://www.lockheedmartin.com/ Lockheed Martin], [http://cwe.mitre.org/top25/index.html MITRE], [http://enterprise.spawar.navy.mil/ U.S. Navy - SPAWAR], [http://www.worldbank.org/ The World Bank], [http://www.sans.org/top25errors/ SANS Institute]. <br />
<br />
Please let us know how your organization is using OWASP ESAPI. Include your name, organization's name, and brief description of how you are using it. The project lead can be reached [mailto:jeff.williams@owasp.org here]. The project maintainer can be reached [mailto:jim.manico@owasp.org here].<br />
<br />
| <br />
[[Image:Esapi-sponsors.PNG]] <br />
<br />
|}<br />
<br />
{| width="100%"<br />
|-<br />
! width="33%" | <br />
! width="33%" | <br />
! width="33%" | <br />
|- valign="top"<br />
| <br />
== Let's talk here ==<br />
<br />
[[Image:Asvs-bulb.jpg]]'''ESAPI Communities''' <br />
<br />
Further development of ESAPI occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, please subscribe to one of the lists below.<br />
<br />
*[https://lists.owasp.org/mailman/listinfo/esapi-dev esapi-dev mailing list (this is the main list)] <br />
*[https://lists.owasp.org/mailman/listinfo/esapi-user esapi-user mailing list] <br />
*[https://lists.owasp.org/mailman/listinfo/esapi-php esapi-php mailing list] <br />
*[https://lists.owasp.org/mailman/listinfo/esapi-python esapi-python mailing list] <br />
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-ruby esapi-ruby mailing list] <br />
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-swingset esapi-swingset mailing list]<br />
<br />
IRC Chat<br />
<br />
If you would rather chat with us about your problem or thoughts - you can join us in our IRC channel using an [http://www.google.com/search?q=irc+client IRC Client] or using FreeNode's [http://webchat.freenode.net WebChat] client.<br />
<br />
*Server: irc.freenode.net<br />
*Channel: #esapi<br />
<br />
| <br />
== Got developer cycles? ==<br />
<br />
[[Image:Asvs-waiting.JPG]]'''ESAPI Coding''' <br />
<br />
The ESAPI project is always on the lookout for volunteers who are interested in contributing developer cycles. <br />
<br />
*[http://owasp-esapi-php.googlecode.com/files/esapi4php-contributing.pdf ESAPI for PHP Developer Onboarding Instructions] <br />
*ESAPI for other languages developer onboarding instructions -- coming soon!<br />
<br />
| <br />
== Related resources ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Cheat Sheet Series''' <br />
<br />
*[[SQL Injection Prevention Cheat Sheet]] <br />
*[[XSS (Cross Site Scripting) Prevention Cheat Sheet]] <br />
*[[Cryptographic Storage Cheat Sheet]]<br />
*[[Authentication Cheat Sheet]]<br />
*[[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet]]<br />
*[[Transport Layer Protection Cheat Sheet]]<br />
<br />
|}<br />
<br />
==== Downloads ====<br />
<br />
{| width="100%"<br />
|-<br />
! width="33%" | <br />
! width="33%" | <br />
|- valign="top"<br />
| <br />
[[Image:Asvs-step1.jpg]]'''1. About ESAPI''' <br />
<br />
*Data sheet([http://www.owasp.org/images/8/81/Esapi-datasheet.pdf PDF],[http://www.owasp.org/images/3/32/Esapi-datasheet.doc Word]) <br />
*Project presentation ([http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt PowerPoint]) <br />
*Video presentation ([http://www.youtube.com/watch?v=QAPD1jPn04g YouTube])<br />
<br />
[[Image:Asvs-step2.jpg]]'''2. Get ESAPI''' <br />
<br />
*[http://code.google.com/p/owasp-esapi-java/downloads/list ESAPI for Java Downloads] <br />
*{{#switchtablink:.NET|ESAPI for .NET}}<br> <br />
*{{#switchtablink:Classic ASP|ESAPI for Classic ASP}}<br> <br />
*{{#switchtablink:PHP|ESAPI for PHP}}<br> <br />
*{{#switchtablink:ColdFusion.2FCFML|ESAPI for ColdFusion & CFML}}<br> <br />
*{{#switchtablink:Python|ESAPI for Python}}<br> <br />
*[http://code.google.com/p/owasp-esapi-js/downloads/detail?name=esapi4js-0.1.3.zip ESAPI for Javascript]<br><br />
<br />
| <br />
[[Image:Asvs-step3.jpg]]'''3. Learn ESAPI''' <br />
<br />
*ESAPI design patterns (not language-specific): [http://www.owasp.org/images/8/82/Esapi-design-patterns.pdf (PDF], [http://www.owasp.org/index.php/File:Esapi-design-patterns.doc Word], [http://www.owasp.org/images/8/87/Esapi-design-patterns.ppt PPT)] <br />
*The [[ESAPI Swingset|ESAPI Swingset]] sample application demonstrates how to leverage ESAPI to protect a web application. <br />
*LAMP should be spelled LAMPE ([http://www.owasp.org/images/a/ac/LAMP_Should_be_Spelled_LAMPE.pdf PDF]) <br />
*ESAPI for Java interface documentation ([http://owasp-esapi-java.googlecode.com/svn/trunk_doc/index.html JavaDocs]) <br />
*ESAPI for PHP interface documentation ([http://owasp-esapi-php.googlecode.com/svn/trunk_doc/latest/index.html phpdoc])<br />
<br />
|}<br />
<br />
<br> <br />
<br />
==== Here's what I did with ESAPI ====<br />
<br />
*I used ESAPI for Java with Google AppEngine. I used it for simple validation and encoding. --[mailto:jeff.williams@owasp.org Jeff]<br />
<br />
*I used ESAPI for PHP with a custom web 2.0 corporate knowledge management application, made up of many open source and commercial applications integrated to work together. I added an organization- and application-specific "Adapter" control to wrap calls to the other ESAPI controls. --[mailto:mike.boberski@owasp.org Mike]<br />
<br />
*I used ESAPI for Java’s "Logger" control to make it easier for a US Government customer to meet C&amp;A requirements. --[mailto:dave.wichers@owasp.org Dave]<br />
<br />
*I used ESAPI for Java to build a low risk web application that was over 250,000+ lines of code in size. --[mailto:jim.manico@owasp.org Jim]<br />
<br />
*I used ESAPI for Java's "Authenticator" to replace a spaghetti-like mechanism in a legacy financial services web application. In hindsight I should have used the application-specific "Adapter" pattern mentioned by Mike above. The organization also uses the ESAPI Encryptor as an interface to a hardware security module. --[mailto:roman.hustad@yahoo.com Roman]<br />
<br />
*I use ESAPI for Java to educate developers about application security principals at several of the world’s largest organizations. --[mailto:jim.manico@owasp.org Jim]<br> <br />
<br />
==== Glossary ====<br />
<br />
[[Image:Asvs-letters.jpg]]'''ESAPI Terminology''' <br />
<br />
*'''adapter''' - There are optionally your own implementations for each security control. There may be application logic contained in these classes which may be developed by or for your organization. The logic may be organization-specific and/or application-specific. There may be proprietary information or logic contained in these classes which may be developed by or for your organization. <br />
*'''built-in singleton design pattern''' - The "built-in" singleton design pattern refers to the replacement of security control reference implementations with your own implementations. ESAPI interfaces are otherwise left intact. <br />
*'''codec''' - ESAPI encoder/decoder reference implementations. <br />
*'''core''' - The ESAPI interfaces and reference implementations that are not intended to be replaced with enterprise-specific versions are called the ESAPI Core. <br />
*'''exception''' - ESAPI exception reference implementations. <br />
*'''extended factory design pattern''' - The "extended" factory design pattern refers to the addition of a new security control interface and corresponding implementation, which in turn calls ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations. The ESAPI locator class would be called in order to retrieve a singleton instance of your new security control, which in turn would call ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations. <br />
*'''extended singleton design pattern''' - The "extended" singleton pattern refers to the replacement of security control reference implementations with your own implementations and the addition/modification/subtraction of corresponding security control interfaces. <br />
*'''ES-enable (or ESAPI-enable)''' - Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform for example certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) to enable applications and services to protect themselves from attackers. <br />
*'''filter''' - In ESAPI for Java, there is additionally an HTTP filter that can be called separately from the other controls. <br />
*'''interfaces''' - There is a set of security control interfaces. There is no application logic contained in these interfaces. They define for example types of parameters that are passed to types of security controls. There is no proprietary information or logic contained in these interfaces. <br />
*'''locator''' - The ESAPI security control interfaces include an "ESAPI" class that is commonly referred to as a "locator" class. The ESAPI locator class is called in order to retrieve singleton instances of individual security controls, which are then called in order to perform security checks (such as performing an access control check) or that result in security effects (such as generating an audit record). <br />
*'''reference implementation''' - There is a reference implementation for each security control. There is application logic contained in these classes, i.e. contained in these interface implementations. However, the logic is not organization-specific and the logic is not application-specific. There is no proprietary information or logic contained in these reference implementation classes. <br />
*'''Web Application Firewall (WAF)''' - In ESAPI for Java, there is additionally a Web Application Firewall (WAF) that can be called separately from the other controls.<br />
<br />
<br> <br />
<br />
==== Java EE ====<br />
<br />
{{:GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version | OWASP Project Identification Tab}} <br />
<br />
==== .NET ====<br />
<br />
{{:GPC_Project_Details/OWASP_Enterprise_Security_API_.NET_Version | OWASP Project Identification Tab}} <br />
<br />
==== Classic ASP ====<br />
<br />
{{:GPC_Project_Details/OWASP_Enterprise_Security_API_-_Classic_ASP_Version | OWASP Project Identification Tab}} <br />
<br />
==== PHP ====<br />
<br />
{{:GPC_Project_Details/OWASP_Enterprise_Security_API_-_PHP_Version | OWASP Project Identification Tab}} <br />
<br />
==== ColdFusion/CFML ====<br />
<br />
{{:GPC_Project_Details/OWASP_Enterprise_Security_API_-_ColdFusion/CFML | OWASP Project Identification Tab}} <br />
<br />
==== Python ====<br />
<br />
{{:GPC_Project_Details/OWASP_Enterprise_Security_API_-_Python_Version | OWASP Project Identification Tab}} <br />
<br />
==== JavaScript ====<br />
<br />
{{:GPC_Project_Details/OWASP_Enterprise_Security_API_JavaScript_Version | OWASP Project Identification Tab}} <br />
<br />
==== Objective C ====<br />
<br />
{{:Projects/OWASP ESAPI Objective - C Project | Project About}}<br />
<br />
==== Force.com ====<br />
<br />
{{:GPC_Project_Details/OWASP_Enterprise_Security_API_-_Force.com_Version | OWASP Project Identification Tab}} <br />
<br />
==== Ruby ====<br />
<br />
{{:Projects/Owasp Esapi Ruby | Project About}} <br />
<br />
==== Swingset ====<br />
<br />
The ESAPI Swingset Project divides itself into sub-projects, i.e., [[Projects/OWASP ESAPI Swingset Interactive Project|Swingset Interactive]] and [[Projects/OWASP ESAPI Swingset Demo Project|Swingset Demo]]. <br />
<br />
==== Project Details ====<br />
<br />
{{:GPC_Project_Details/OWASP_Enterprise_Security_API | OWASP Project Identification Tab}} <br />
<br />
__NOTOC__ <headertabs /> <br><br />
<br />
{{OWASP Builders}}</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Specification&diff=112330ESAPI Specification2011-06-17T05:41:45Z<p>Chris Schmidt: </p>
<hr />
<div><pre>This document is currently under development - Please use the Discussion page for threaded conversation</pre><br />
<br />
= Proposed Migration Roadmap =<br />
* ESAPI 2.1<br />
** Create new package '''org.owasp.esapi.core'''<br />
** Create new set of Interfaces in new package with each extending it's '''org.owasp.esapi''' counterpart<br />
** Deprecate methods in '''org.owasp.esapi''' Interfaces<br />
* ESAPI 2.5<br />
** Remove deprecated methods that were deprecated at or before ESAPI 2.0<br />
** Introduce new ServiceLocator API<br />
* ESAPI 3.0<br />
** Seperate Core API into it's own artifact/project called ESAPI-Core<br />
** Create new set of artifacts as outlined in [[ESAPI_Project_Structure]]<br />
** Introduce Core API Testing Suite<br />
<br />
= Core API Specification =<br />
<br />
== AccessController ==<br />
The AccessController is responsible for determining if the currently logged in user has access to a given resource. The resource can be anything that implements the [[#Resource|Resource]] Interface.<br />
<br />
=== Changes from ESAPI 2.0 ===<br />
* Removed deprecated methods<br />
* Added Generic Stereotypes to the Resource and Context parameters)<br />
<br />
=== StereoTypes ===<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Description<br />
|-<br />
| R <br />
| A class that implements the [[#Resource|Resource]] Interface and represents the [[#Resource|Resource]] the user is requesting access to <br />
|-<br />
| Context <br />
| Any object that represents the current context of the Authorization request - this is generally a Key-Value map <br />
|}<br />
<br />
=== Methods ===<br />
<br />
==== <R extends Resource,Context> void assertAuthorized(Resource resource, Context context) throws AccessDeniedException ====<br />
Assert that the currently logged in user can access the given [[#Resource|Resource]] with the given Context parameters<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Exceptions =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Exception<br />
! Description<br />
|-<br />
| [[#AccessDeniedException|AccessDeniedException]]<br />
| If the assertion evaluates to false, an AccessControlException will be thrown with contextual information as to the reason for the failure<br />
|}<br />
<br />
==== <R extends Resource,Context> boolean isAuthorized(Resource resource, Context context) ====<br />
Determine if the given resource is accessible by the currently logged in [[#User|User]]<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Return =====<br />
Returns true if the resource is accessible to the currently logged in user and false if it is not.<br />
<br />
== AccessReferenceMap<Key> ==<br />
The AccessReferenceMap interface is used to map from a set of internal direct object references to a set of indirect references that are safe to disclose publicly. This can be used to help protect database keys, filenames, and other types of direct object references. As a rule, developers should not expose their direct object references as it enables attackers to attempt to manipulate them.<br />
<br />
Indirect references are handled as strings, to facilitate their use in HTML. Implementations can generate simple integers or more complicated random character strings as indirect references. Implementations should probably add a constructor that takes a list of direct references.<br />
<br />
Note that in addition to defeating all forms of parameter tampering attacks, there is a side benefit of the AccessReferenceMap. Using random strings as indirect object references, as opposed to simple integers makes it impossible for an attacker to guess valid identifiers. So if per-user AccessReferenceMaps are used, then request forgery (CSRF) attacks will also be prevented.<br />
<br />
=== Methods ===<br />
<br />
==== <Type> Key addDirectReference(Type direct) ====<br />
<br />
==== <Type> Type getDirectReference(Key key) ====<br />
<br />
==== <Type> Key getIndirectReference(Type directReference) ====<br />
<br />
==== <Type> Key removeDirectReference(Type directReference) ====<br />
<br />
==== <Type> void update(Set<Type> directReferences) ====<br />
<br />
== Authenticator ==<br />
<br />
=== Methods ===<br />
<br />
==== User login() throws AuthenticationException ====<br />
<br />
==== void logout() throws AuthenticationException ====<br />
<br />
== Codec ==<br />
<br />
=== Methods ===<br />
<br />
==== String encode(char c) ====<br />
<br />
==== String decode(String s) ====<br />
<br />
== Encoder ==<br />
<br />
=== Methods ===<br />
<br />
==== String encode(String s) ====<br />
<br />
==== String decode(String s) ====<br />
<br />
==== void addCodec(Codec c) ====<br />
<br />
==== Set<Codec> getCodecs() ====<br />
<br />
==== void setCodecs(Set<Codec> codecs) ====<br />
<br />
== Encryptor ==<br />
<br />
=== Methods ===<br />
<br />
==== PlainText decrypt(CipherText cipherText, SecretKey secretKey) throws EncryptionException ====<br />
<br />
==== CipherText encrypt(PlainText plainText, SecretKey secretKey) throws EncryptionException ====<br />
<br />
==== MessageDigest hash(PlainText plainText, Salt salt, Integer iterations) throws EncryptionException ====<br />
<br />
==== String seal(String data, Long timestamp) throws EncryptionException ====<br />
<br />
==== String sign(String data) throws EncryptionException ====<br />
<br />
==== String unseal(String sealedData) throws EncryptionException ====<br />
<br />
==== void verifySeal(String sealedData) throws DataIntegrityException ====<br />
<br />
==== void verifySignature(String signature, String data) throws InvalidSignatureException ====<br />
<br />
== Executor ==<br />
<br />
=== Methods ===<br />
<br />
==== ExecutorResult executeSystemCommand(ExecutorTarget target, Encoder encoder) throws ExecutionException ====<br />
<br />
== ExecutorResult ==<br />
<br />
===Methods ===<br />
<br />
==== String getErrorOutput() ====<br />
<br />
==== String getStandardOutput() ====<br />
<br />
==== Integer getExitValue() ====<br />
<br />
== ExecutorTarget ==<br />
<br />
=== Methods ===<br />
<br />
==== ''native'' FileHandle getExecutable() ====<br />
<br />
==== ''native'' Handle getWorkingDirectory() ====<br />
<br />
==== OrderedMap<String,String> getParameters() ====<br />
<br />
== IntrusionDetector ==<br />
<br />
=== Methods ===<br />
<br />
==== void addEvent(String eventName, String message) ====<br />
<br />
==== void addException(Throwable exception) ====<br />
<br />
== LogFactory ==<br />
Still thinking this one through<br />
<br />
== Logger ==<br />
Still thinking this one through<br />
<br />
== Randomizer ==<br />
<br />
=== Methods ===<br />
<br />
==== Boolean getRandomBoolean() ====<br />
<br />
==== Byte[] getRandomBytes(Integer len) ====<br />
<br />
==== String getRandomFilename(String extension) ====<br />
<br />
==== String getRandomUUID() ====<br />
<br />
==== Integer getRandomInteger(Integer min, Integer max) ====<br />
<br />
==== Long getRandomLong(Long min, Long max) ====<br />
<br />
==== Float getRandomReal(Float min, Float max) ====<br />
<br />
==== String getRandomString(Integer len, char[] charSet=) ===<br />
<br />
== Resource ==<br />
Marker Interface for Resources that a user can request access to.<br />
<br />
== ServiceLocator ==<br />
<br />
== User ==<br />
<br />
=== Methods ===<br />
<br />
==== <Type> Type getAccountID() ====<br />
<br />
==== String getAccountName() ====<br />
<br />
==== Long getExpirationTime() ====<br />
<br />
==== Integer getFailedLoginCount() ====<br />
<br />
==== Long getLastFailedLoginTime() ====<br />
<br />
==== String getLastHostAddress() ====<br />
<br />
==== Long getLastLoginTime() ====<br />
<br />
==== Long getLastPasswordChangeTime() ====<br />
<br />
==== String getLocale() ====<br />
<br />
==== Set<String> getRoles() ====<br />
<br />
==== String getScreenName() ====<br />
<br />
==== Boolean isAnonymous() ====<br />
<br />
==== Boolean isEnabled() ====<br />
<br />
==== Boolean isExpired() ====<br />
<br />
==== Boolean isInRole(String role) ====<br />
<br />
==== Boolean isLocked() ====<br />
<br />
==== Boolean isLoggedIn() ====<br />
<br />
== Validator ==<br />
<br />
=== Methods ===<br />
<br />
==== <Type> Boolean isValid(Type data) ====<br />
<br />
==== <Type> void assertValid(Type data) ====<br />
<br />
== Exceptions == <br />
<br />
=== AccessDeniedException ===<br />
<br />
=== AccountDisabledException ===<br />
<br />
=== AccountLockedException ===<br />
<br />
=== AuthenticationException ===<br />
<br />
=== EncodingException ===<br />
<br />
=== EncryptionException ===<br />
<br />
=== EnterpriseSecurityException ===<br />
<br />
=== EnterpriseSecurityRuntimeException ===<br />
<br />
=== ExecutionException ===<br />
<br />
=== IncorrectCredentialsException ===<br />
<br />
= Web API Specification =<br />
This API describes the components that can be used in the context of a Web Application. <br />
<br />
== ClientCookie ==<br />
<br />
=== Methods ===<br />
<br />
==== String getName() ====<br />
<br />
==== void setName(String name) ====<br />
<br />
==== String getValue() ====<br />
<br />
==== void setValue(String value) ====<br />
<br />
==== Integer getMaxAge() ====<br />
<br />
==== void setMaxAge(Integer maxAge) ====<br />
<br />
==== String getDomain() ====<br />
<br />
==== void setDomain(String domain) ====<br />
<br />
==== String getPath() ====<br />
<br />
==== void setPath(String path) ====<br />
<br />
==== Boolean isHttpOnly() ====<br />
<br />
==== void setHttpOnly(Boolean httpOnly) ====<br />
<br />
==== Boolean isSecure() ====<br />
<br />
==== void setSecure(Boolean secure) ====<br />
<br />
== SecureHttpRequest ==<br />
<br />
=== Methods ===<br />
<br />
==== void assertSecureChannel() ====<br />
<br />
==== void assertSecureRequest() ====<br />
<br />
==== ClientCookie getCookie(String name) ====<br />
<br />
==== List<FileHandle> getFileUploads() ====<br />
<br />
==== <T> T getAttribute(String name) ====<br />
<br />
==== String getHeader(String header) ====<br />
<br />
==== String getParameter(String name) ====<br />
<br />
==== void sendForward(String url) ====<br />
<br />
==== void verifyCsrfToken() throws CsrfException ====<br />
<br />
== SecureHttpResponse ==<br />
<br />
=== Methods ===<br />
<br />
==== void addCookie(ClientCookie cookie) ====<br />
<br />
==== void addHeader(String key, String value) ====<br />
<br />
==== void killCookies() ====<br />
<br />
==== void sendRedirect(String url) ====<br />
<br />
==== void setContentType(String contentType) ====<br />
<br />
==== void setNoCacheHeaders() ====<br />
<br />
== SecureHttpSession ==<br />
<br />
=== Methods ===<br />
<br />
==== <T> T getAttribute(String key) ====<br />
<br />
== URLResource ==<br />
<br />
=== Extends ===<br />
* [[#Resource|Resource]]<br />
<br />
=== Methods ===<br />
<br />
<br />
== WebUser ==<br />
<br />
=== Methods ===<br />
<br />
==== String getCsrfToken() ====<br />
<br />
==== void resetCsrfToken() ====<br />
<br />
==== void addSession(SecureHttpSession session) ====<br />
<br />
==== void removeSession(SecureHttpSession session) ====<br />
<br />
= Mobile API Specification =<br />
<br />
= Desktop API Specification =<br />
<br />
[[Category:OWASP Enterprise Security API]]</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Specification&diff=112329ESAPI Specification2011-06-17T05:41:05Z<p>Chris Schmidt: </p>
<hr />
<div><pre>This document is currently under development - Please use the Discussion page for threaded conversation</pre><br />
<br />
= Proposed Migration Roadmap =<br />
* ESAPI 2.1<br />
** Create new package '''org.owasp.esapi.core'''<br />
** Create new set of Interfaces in new package with each extending it's '''org.owasp.esapi''' counterpart<br />
** Deprecate methods in '''org.owasp.esapi''' Interfaces<br />
* ESAPI 2.5<br />
** Remove deprecated methods that were deprecated at or before ESAPI 2.0<br />
** Introduce new ServiceLocator API<br />
* ESAPI 3.0<br />
** Seperate Core API into it's own artifact/project called ESAPI-Core<br />
** Create new set of artifacts as outlined in [[ESAPI_Project_Structure]]<br />
** Introduce Core API Testing Suite<br />
<br />
= Core API Specification =<br />
<br />
== AccessController ==<br />
The AccessController is responsible for determining if the currently logged in user has access to a given resource. The resource can be anything that implements the [[#Resource|Resource]] Interface.<br />
<br />
=== Changes from ESAPI 2.0 ===<br />
* Removed deprecated methods<br />
* Added Generic Stereotypes to the Resource and Context parameters)<br />
<br />
=== StereoTypes ===<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Description<br />
|-<br />
| R <br />
| A class that implements the [[#Resource|Resource]] Interface and represents the [[#Resource|Resource]] the user is requesting access to <br />
|-<br />
| Context <br />
| Any object that represents the current context of the Authorization request - this is generally a Key-Value map <br />
|}<br />
<br />
=== Methods ===<br />
<br />
==== <R extends Resource,Context> void assertAuthorized(Resource resource, Context context) throws AccessDeniedException ====<br />
Assert that the currently logged in user can access the given [[#Resource|Resource]] with the given Context parameters<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Exceptions =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Exception<br />
! Description<br />
|-<br />
| [[#AccessDeniedException|AccessDeniedException]]<br />
| If the assertion evaluates to false, an AccessControlException will be thrown with contextual information as to the reason for the failure<br />
|}<br />
<br />
==== <R extends Resource,Context> boolean isAuthorized(Resource resource, Context context) ====<br />
Determine if the given resource is accessible by the currently logged in [[#User|User]]<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Return =====<br />
Returns true if the resource is accessible to the currently logged in user and false if it is not.<br />
<br />
== AccessReferenceMap<Key> ==<br />
The AccessReferenceMap interface is used to map from a set of internal direct object references to a set of indirect references that are safe to disclose publicly. This can be used to help protect database keys, filenames, and other types of direct object references. As a rule, developers should not expose their direct object references as it enables attackers to attempt to manipulate them.<br />
<br />
Indirect references are handled as strings, to facilitate their use in HTML. Implementations can generate simple integers or more complicated random character strings as indirect references. Implementations should probably add a constructor that takes a list of direct references.<br />
<br />
Note that in addition to defeating all forms of parameter tampering attacks, there is a side benefit of the AccessReferenceMap. Using random strings as indirect object references, as opposed to simple integers makes it impossible for an attacker to guess valid identifiers. So if per-user AccessReferenceMaps are used, then request forgery (CSRF) attacks will also be prevented.<br />
<br />
=== Methods ===<br />
<br />
==== <Type> Key addDirectReference(Type direct) ====<br />
<br />
==== <Type> Type getDirectReference(Key key) ====<br />
<br />
==== <Type> Key getIndirectReference(Type directReference) ====<br />
<br />
==== <Type> Key removeDirectReference(Type directReference) ====<br />
<br />
==== <Type> void update(Set<Type> directReferences) ====<br />
<br />
== Authenticator ==<br />
<br />
=== Methods ===<br />
<br />
==== User login() throws AuthenticationException ====<br />
<br />
==== void logout() throws AuthenticationException ====<br />
<br />
== Codec ==<br />
<br />
=== Methods ===<br />
<br />
==== String encode(char c) ====<br />
<br />
==== String decode(String s) ====<br />
<br />
== Encoder ==<br />
<br />
=== Methods ===<br />
<br />
==== String encode(String s) ====<br />
<br />
==== String decode(String s) ====<br />
<br />
==== void addCodec(Codec c) ====<br />
<br />
==== Set<Codec> getCodecs() ====<br />
<br />
==== void setCodecs(Set<Codec> codecs) ====<br />
<br />
== Encryptor ==<br />
<br />
=== Methods ===<br />
<br />
==== PlainText decrypt(CipherText cipherText, SecretKey secretKey) throws EncryptionException ====<br />
<br />
==== CipherText encrypt(PlainText plainText, SecretKey secretKey) throws EncryptionException ====<br />
<br />
==== MessageDigest hash(PlainText plainText, Salt salt, Integer iterations) throws EncryptionException ====<br />
<br />
==== String seal(String data, Long timestamp) throws EncryptionException ====<br />
<br />
==== String sign(String data) throws EncryptionException ====<br />
<br />
==== String unseal(String sealedData) throws EncryptionException ====<br />
<br />
==== void verifySeal(String sealedData) throws DataIntegrityException ====<br />
<br />
==== void verifySignature(String signature, String data) throws InvalidSignatureException ====<br />
<br />
== Executor ==<br />
<br />
=== Methods ===<br />
<br />
==== ExecutorResult executeSystemCommand(ExecutorTarget target, Encoder encoder) throws ExecutionException ====<br />
<br />
== ExecutorResult ==<br />
<br />
===Methods ===<br />
<br />
==== String getErrorOutput() ====<br />
<br />
==== String getStandardOutput() ====<br />
<br />
==== Integer getExitValue() ====<br />
<br />
== ExecutorTarget ==<br />
<br />
=== Methods ===<br />
<br />
==== ''native'' FileHandle getExecutable() ====<br />
<br />
==== ''native'' Handle getWorkingDirectory() ====<br />
<br />
==== OrderedMap<String,String> getParameters() ====<br />
<br />
== IntrusionDetector ==<br />
<br />
=== Methods ===<br />
<br />
==== void addEvent(String eventName, String message) ====<br />
<br />
==== void addException(Throwable exception) ====<br />
<br />
== LogFactory ==<br />
Still thinking this one through<br />
<br />
== Logger ==<br />
Still thinking this one through<br />
<br />
== Randomizer ==<br />
<br />
=== Methods ===<br />
<br />
==== Boolean getRandomBoolean() ====<br />
<br />
==== Byte[] getRandomBytes(Integer len) ====<br />
<br />
==== String getRandomFilename(String extension) ====<br />
<br />
==== String getRandomUUID() ====<br />
<br />
==== Integer getRandomInteger(Integer min, Integer max) ====<br />
<br />
==== Long getRandomLong(Long min, Long max) ====<br />
<br />
==== Float getRandomReal(Float min, Float max) ====<br />
<br />
==== String getRandomString(Integer len, char[] charSet=) ===<br />
<br />
== Resource ==<br />
Marker Interface for Resources that a user can request access to.<br />
<br />
== ServiceLocator ==<br />
<br />
== User ==<br />
<br />
=== Methods ===<br />
<br />
==== <Type> Type getAccountID() ====<br />
<br />
==== String getAccountName() ====<br />
<br />
==== Long getExpirationTime() ====<br />
<br />
==== Integer getFailedLoginCount() ====<br />
<br />
==== Long getLastFailedLoginTime() ====<br />
<br />
==== String getLastHostAddress() ====<br />
<br />
==== Long getLastLoginTime() ====<br />
<br />
==== Long getLastPasswordChangeTime() ====<br />
<br />
==== String getLocale() ====<br />
<br />
==== Set<String> getRoles() ====<br />
<br />
==== String getScreenName() ====<br />
<br />
==== Boolean isAnonymous() ====<br />
<br />
==== Boolean isEnabled() ====<br />
<br />
==== Boolean isExpired() ====<br />
<br />
==== Boolean isInRole(String role) ====<br />
<br />
==== Boolean isLocked() ====<br />
<br />
==== Boolean isLoggedIn() ====<br />
<br />
== Validator ==<br />
<br />
=== Methods ===<br />
<br />
==== <Type> Boolean isValid(Type data) ====<br />
<br />
==== <Type> void assertValid(Type data) ====<br />
<br />
== Exceptions == <br />
<br />
=== AccessDeniedException ===<br />
<br />
=== AccountDisabledException ===<br />
<br />
=== AccountLockedException ===<br />
<br />
=== AuthenticationException ===<br />
<br />
=== EncodingException ===<br />
<br />
=== EncryptionException ===<br />
<br />
=== EnterpriseSecurityException ===<br />
<br />
=== EnterpriseSecurityRuntimeException ===<br />
<br />
=== ExecutionException ===<br />
<br />
=== IncorrectCredentialsException ===<br />
<br />
= Web API Specification =<br />
This API describes the components that can be used in the context of a Web Application. <br />
<br />
== ClientCookie ==<br />
<br />
=== Methods ===<br />
<br />
==== String getName() ====<br />
<br />
==== void setName(String name) ====<br />
<br />
==== String getValue() ====<br />
<br />
==== void setValue(String value) ====<br />
<br />
==== Integer getMaxAge() ====<br />
<br />
==== void setMaxAge(Integer maxAge) ====<br />
<br />
==== String getDomain() ====<br />
<br />
==== void setDomain(String domain) ====<br />
<br />
==== String getPath() ====<br />
<br />
==== void setPath(String path) ====<br />
<br />
==== Boolean isHttpOnly() ====<br />
<br />
==== void setHttpOnly(Boolean httpOnly) ====<br />
<br />
==== Boolean isSecure() ====<br />
<br />
==== void setSecure(Boolean secure) ====<br />
<br />
== SecureHttpRequest ==<br />
<br />
=== Methods ===<br />
<br />
==== void assertSecureChannel() ====<br />
<br />
==== void assertSecureRequest() ====<br />
<br />
==== ClientCookie getCookie(String name) ====<br />
<br />
==== List<FileHandle> getFileUploads() ====<br />
<br />
==== <T> T getAttribute(String name) ====<br />
<br />
==== String getHeader(String header) ====<br />
<br />
==== String getParameter(String name) ====<br />
<br />
==== void sendForward(String url) ====<br />
<br />
==== void verifyCsrfToken() throws CsrfException ====<br />
<br />
== SecureHttpResponse ==<br />
<br />
=== Methods ===<br />
<br />
==== void addCookie(ClientCookie cookie) ====<br />
<br />
==== void addHeader(String key, String value) ====<br />
<br />
==== void killCookies() ====<br />
<br />
==== void sendRedirect(String url) ====<br />
<br />
==== void setContentType(String contentType) ====<br />
<br />
==== void setNoCacheHeaders() ====<br />
<br />
== SecureHttpSession ==<br />
<br />
=== Methods ===<br />
<br />
==== <T> T getAttribute(String key) ====<br />
<br />
== URLResource ==<br />
<br />
=== Extends ===<br />
* [[#Resource|Resource]]<br />
<br />
=== Methods ===<br />
<br />
<br />
== WebUser ==<br />
<br />
=== Methods ===<br />
<br />
==== String getCsrfToken() ====<br />
<br />
==== void resetCsrfToken() ====<br />
<br />
==== void addSession(SecureHttpSession session) ====<br />
<br />
==== void removeSession(SecureHttpSession session) ====<br />
<br />
= Mobile API Specification =<br />
<br />
= Desktop API Specification =<br />
<br />
[[Category:ESAPI]]</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Specification&diff=112328ESAPI Specification2011-06-17T05:40:42Z<p>Chris Schmidt: </p>
<hr />
<div><pre>This document is currently under development - Please use the Discussion page for threaded conversation</pre><br />
<br />
= Proposed Migration Roadmap =<br />
* ESAPI 2.1<br />
** Create new package '''org.owasp.esapi.core'''<br />
** Create new set of Interfaces in new package with each extending it's '''org.owasp.esapi''' counterpart<br />
** Deprecate methods in '''org.owasp.esapi''' Interfaces<br />
* ESAPI 2.5<br />
** Remove deprecated methods that were deprecated at or before ESAPI 2.0<br />
** Introduce new ServiceLocator API<br />
* ESAPI 3.0<br />
** Seperate Core API into it's own artifact/project called ESAPI-Core<br />
** Create new set of artifacts as outlined in [[ESAPI_Project_Structure]]<br />
** Introduce Core API Testing Suite<br />
<br />
= Core API Specification =<br />
<br />
== AccessController ==<br />
The AccessController is responsible for determining if the currently logged in user has access to a given resource. The resource can be anything that implements the [[#Resource|Resource]] Interface.<br />
<br />
=== Changes from ESAPI 2.0 ===<br />
* Removed deprecated methods<br />
* Added Generic Stereotypes to the Resource and Context parameters)<br />
<br />
=== StereoTypes ===<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Description<br />
|-<br />
| R <br />
| A class that implements the [[#Resource|Resource]] Interface and represents the [[#Resource|Resource]] the user is requesting access to <br />
|-<br />
| Context <br />
| Any object that represents the current context of the Authorization request - this is generally a Key-Value map <br />
|}<br />
<br />
=== Methods ===<br />
<br />
==== <R extends Resource,Context> void assertAuthorized(Resource resource, Context context) throws AccessDeniedException ====<br />
Assert that the currently logged in user can access the given [[#Resource|Resource]] with the given Context parameters<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Exceptions =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Exception<br />
! Description<br />
|-<br />
| [[#AccessDeniedException|AccessDeniedException]]<br />
| If the assertion evaluates to false, an AccessControlException will be thrown with contextual information as to the reason for the failure<br />
|}<br />
<br />
==== <R extends Resource,Context> boolean isAuthorized(Resource resource, Context context) ====<br />
Determine if the given resource is accessible by the currently logged in [[#User|User]]<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Return =====<br />
Returns true if the resource is accessible to the currently logged in user and false if it is not.<br />
<br />
== AccessReferenceMap<Key> ==<br />
The AccessReferenceMap interface is used to map from a set of internal direct object references to a set of indirect references that are safe to disclose publicly. This can be used to help protect database keys, filenames, and other types of direct object references. As a rule, developers should not expose their direct object references as it enables attackers to attempt to manipulate them.<br />
<br />
Indirect references are handled as strings, to facilitate their use in HTML. Implementations can generate simple integers or more complicated random character strings as indirect references. Implementations should probably add a constructor that takes a list of direct references.<br />
<br />
Note that in addition to defeating all forms of parameter tampering attacks, there is a side benefit of the AccessReferenceMap. Using random strings as indirect object references, as opposed to simple integers makes it impossible for an attacker to guess valid identifiers. So if per-user AccessReferenceMaps are used, then request forgery (CSRF) attacks will also be prevented.<br />
<br />
=== Methods ===<br />
<br />
==== <Type> Key addDirectReference(Type direct) ====<br />
<br />
==== <Type> Type getDirectReference(Key key) ====<br />
<br />
==== <Type> Key getIndirectReference(Type directReference) ====<br />
<br />
==== <Type> Key removeDirectReference(Type directReference) ====<br />
<br />
==== <Type> void update(Set<Type> directReferences) ====<br />
<br />
== Authenticator ==<br />
<br />
=== Methods ===<br />
<br />
==== User login() throws AuthenticationException ====<br />
<br />
==== void logout() throws AuthenticationException ====<br />
<br />
== Codec ==<br />
<br />
=== Methods ===<br />
<br />
==== String encode(char c) ====<br />
<br />
==== String decode(String s) ====<br />
<br />
== Encoder ==<br />
<br />
=== Methods ===<br />
<br />
==== String encode(String s) ====<br />
<br />
==== String decode(String s) ====<br />
<br />
==== void addCodec(Codec c) ====<br />
<br />
==== Set<Codec> getCodecs() ====<br />
<br />
==== void setCodecs(Set<Codec> codecs) ====<br />
<br />
== Encryptor ==<br />
<br />
=== Methods ===<br />
<br />
==== PlainText decrypt(CipherText cipherText, SecretKey secretKey) throws EncryptionException ====<br />
<br />
==== CipherText encrypt(PlainText plainText, SecretKey secretKey) throws EncryptionException ====<br />
<br />
==== MessageDigest hash(PlainText plainText, Salt salt, Integer iterations) throws EncryptionException ====<br />
<br />
==== String seal(String data, Long timestamp) throws EncryptionException ====<br />
<br />
==== String sign(String data) throws EncryptionException ====<br />
<br />
==== String unseal(String sealedData) throws EncryptionException ====<br />
<br />
==== void verifySeal(String sealedData) throws DataIntegrityException ====<br />
<br />
==== void verifySignature(String signature, String data) throws InvalidSignatureException ====<br />
<br />
== Executor ==<br />
<br />
=== Methods ===<br />
<br />
==== ExecutorResult executeSystemCommand(ExecutorTarget target, Encoder encoder) throws ExecutionException ====<br />
<br />
== ExecutorResult ==<br />
<br />
===Methods ===<br />
<br />
==== String getErrorOutput() ====<br />
<br />
==== String getStandardOutput() ====<br />
<br />
==== Integer getExitValue() ====<br />
<br />
== ExecutorTarget ==<br />
<br />
=== Methods ===<br />
<br />
==== ''native'' FileHandle getExecutable() ====<br />
<br />
==== ''native'' Handle getWorkingDirectory() ====<br />
<br />
==== OrderedMap<String,String> getParameters() ====<br />
<br />
== IntrusionDetector ==<br />
<br />
=== Methods ===<br />
<br />
==== void addEvent(String eventName, String message) ====<br />
<br />
==== void addException(Throwable exception) ====<br />
<br />
== LogFactory ==<br />
Still thinking this one through<br />
<br />
== Logger ==<br />
Still thinking this one through<br />
<br />
== Randomizer ==<br />
<br />
=== Methods ===<br />
<br />
==== Boolean getRandomBoolean() ====<br />
<br />
==== Byte[] getRandomBytes(Integer len) ====<br />
<br />
==== String getRandomFilename(String extension) ====<br />
<br />
==== String getRandomUUID() ====<br />
<br />
==== Integer getRandomInteger(Integer min, Integer max) ====<br />
<br />
==== Long getRandomLong(Long min, Long max) ====<br />
<br />
==== Float getRandomReal(Float min, Float max) ====<br />
<br />
==== String getRandomString(Integer len, char[] charSet=) ===<br />
<br />
== Resource ==<br />
Marker Interface for Resources that a user can request access to.<br />
<br />
== ServiceLocator ==<br />
<br />
== User ==<br />
<br />
=== Methods ===<br />
<br />
==== <Type> Type getAccountID() ====<br />
<br />
==== String getAccountName() ====<br />
<br />
==== Long getExpirationTime() ====<br />
<br />
==== Integer getFailedLoginCount() ====<br />
<br />
==== Long getLastFailedLoginTime() ====<br />
<br />
==== String getLastHostAddress() ====<br />
<br />
==== Long getLastLoginTime() ====<br />
<br />
==== Long getLastPasswordChangeTime() ====<br />
<br />
==== String getLocale() ====<br />
<br />
==== Set<String> getRoles() ====<br />
<br />
==== String getScreenName() ====<br />
<br />
==== Boolean isAnonymous() ====<br />
<br />
==== Boolean isEnabled() ====<br />
<br />
==== Boolean isExpired() ====<br />
<br />
==== Boolean isInRole(String role) ====<br />
<br />
==== Boolean isLocked() ====<br />
<br />
==== Boolean isLoggedIn() ====<br />
<br />
== Validator ==<br />
<br />
=== Methods ===<br />
<br />
==== <Type> Boolean isValid(Type data) ====<br />
<br />
==== <Type> void assertValid(Type data) ====<br />
<br />
== Exceptions == <br />
<br />
=== AccessDeniedException ===<br />
<br />
=== AccountDisabledException ===<br />
<br />
=== AccountLockedException ===<br />
<br />
=== AuthenticationException ===<br />
<br />
=== EncodingException ===<br />
<br />
=== EncryptionException ===<br />
<br />
=== EnterpriseSecurityException ===<br />
<br />
=== EnterpriseSecurityRuntimeException ===<br />
<br />
=== ExecutionException ===<br />
<br />
=== IncorrectCredentialsException ===<br />
<br />
= Web API Specification =<br />
This API describes the components that can be used in the context of a Web Application. <br />
<br />
== ClientCookie ==<br />
<br />
=== Methods ===<br />
<br />
==== String getName() ====<br />
<br />
==== void setName(String name) ====<br />
<br />
==== String getValue() ====<br />
<br />
==== void setValue(String value) ====<br />
<br />
==== Integer getMaxAge() ====<br />
<br />
==== void setMaxAge(Integer maxAge) ====<br />
<br />
==== String getDomain() ====<br />
<br />
==== void setDomain(String domain) ====<br />
<br />
==== String getPath() ====<br />
<br />
==== void setPath(String path) ====<br />
<br />
==== Boolean isHttpOnly() ====<br />
<br />
==== void setHttpOnly(Boolean httpOnly) ====<br />
<br />
==== Boolean isSecure() ====<br />
<br />
==== void setSecure(Boolean secure) ====<br />
<br />
== SecureHttpRequest ==<br />
<br />
=== Methods ===<br />
<br />
==== void assertSecureChannel() ====<br />
<br />
==== void assertSecureRequest() ====<br />
<br />
==== ClientCookie getCookie(String name) ====<br />
<br />
==== List<FileHandle> getFileUploads() ====<br />
<br />
==== <T> T getAttribute(String name) ====<br />
<br />
==== String getHeader(String header) ====<br />
<br />
==== String getParameter(String name) ====<br />
<br />
==== void sendForward(String url) ====<br />
<br />
==== void verifyCsrfToken() throws CsrfException ====<br />
<br />
== SecureHttpResponse ==<br />
<br />
=== Methods ===<br />
<br />
==== void addCookie(ClientCookie cookie) ====<br />
<br />
==== void addHeader(String key, String value) ====<br />
<br />
==== void killCookies() ====<br />
<br />
==== void sendRedirect(String url) ====<br />
<br />
==== void setContentType(String contentType) ====<br />
<br />
==== void setNoCacheHeaders() ====<br />
<br />
== SecureHttpSession ==<br />
<br />
=== Methods ===<br />
<br />
==== <T> T getAttribute(String key) ====<br />
<br />
== URLResource ==<br />
<br />
=== Extends ===<br />
* [[#Resource|Resource]]<br />
<br />
=== Methods ===<br />
<br />
<br />
== WebUser ==<br />
<br />
=== Methods ===<br />
<br />
==== String getCsrfToken() ====<br />
<br />
==== void resetCsrfToken() ====<br />
<br />
==== void addSession(SecureHttpSession session) ====<br />
<br />
==== void removeSession(SecureHttpSession session) ====<br />
<br />
= Mobile API Specification =<br />
<br />
= Desktop API Specification =</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=Talk:ESAPI_Specification&diff=112327Talk:ESAPI Specification2011-06-17T05:36:14Z<p>Chris Schmidt: </p>
<hr />
<div>I tried to keep the specification as compatible as I can with the existing APIs, however there are definately places where existing users are going to have to modify their code - specifically where it deals with Encoding and Validation. I believe these changes are absolutely necessary however to establish a good cross-platform specification. I also believe the migration path allows for the smoothest transition for end-users (developers) to make the necessary changes without completely breaking their existing implementations. This is similar to the path that Spring-Security took with it's 2.0 -> 2.5 -> 3.0 path where they did a very similar thing and I used their experience as the basis for the proposed roadmap.<br />
<br />
--[[User:Chris Schmidt|Chris Schmidt]] 02:23, 16 June 2011 (EDT)<br />
<br />
== Proposed Roadmap ==<br />
<br />
Does this seem like a realistic and smooth approach?<br />
<br />
--[[User:Chris Schmidt|Chris Schmidt]] 02:26, 16 June 2011 (EDT)<br />
<br />
== AccessController ==<br />
<br />
Let's start with discussing the proposed changes to the AccessController. <br />
<br />
Summary of proposed changes:<br />
* Drop deprecated methods isAuthorizedForXXX, assertAuthorizedForXXX<br />
* Replace (Object) Parameters with strongly typed StereoTypes<br />
<br />
Thoughts?<br />
<br />
--[[User:Chris Schmidt|Chris Schmidt]] 02:26, 16 June 2011 (EDT)<br />
<br />
<br />
I like the resource approach, I am imaginating there will be, lets say, a FileResource inheritated from Resource, so if a FileResource is passed to the method then only assessments against file resources will be done, am I right?<br />
<br />
--[[User:jcmax|Juan C Calderon]] 19:23, 16 June 2011 (CDT)<br />
<br />
That is correct, however you could also have more complex resource types that integrate with a complex context object to create a context-based access control rule as well. This is an API that I have been silently working on (from a design standpoint) for the better part of a year so I am anxious to hear everyone's thoughts. The concept is simple - I want an API that can handle a simple Role-Based Access Control decision, a Data-Access Control Decision, and a Context-Based Access Control decision all with the same signature. I found this solution to be both elegant and simple to implement and use.<br />
<br />
--[[User:Chris Schmidt|Chris Schmidt]] 01:36, 17 June 2011 (EDT)<br />
<br />
== Logged in user, from where? ==<br />
<br />
where is the logged in user information will come from? how is it going to be available for isAuthorized?<br />
<br />
--[[User:jcmax|Juan C Calderon]] 19:16, 16 June 2011 (CDT)<br />
<br />
I personally like the Spring-Security approach - which is similar to the way ESAPI for Java currently does it - in that it uses a threadlocal; however - afaik there is no concept of ThreadLocal variables in PHP or ASP.Net. I think the best way to do this would be to borrow the concept of the SecurityContextHolder from the Spring-Security model and leave the actual implementation of how it is populated up to the implementation. So this would be a new interface called something like AuthenticationHolder or UserContextHolder with a method to getCurrentUser() which would return the currently logged in user. <br />
<br />
--[[User:Chris Schmidt|Chris Schmidt]] 01:32, 17 June 2011 (EDT)<br />
<br />
== Exceptions ==<br />
<br />
The specification looks very "Java", that is, I am not pretty sure if you can handle structured exceptions in PHP, in Classic ASP is not possible, yet it could be emulated a little. Can we come to a representation that is more language neutral? (this is not a show stopper, just thinking on trying to be the more neutral possible) <br />
<br />
--[[User:jcmax|Juan C Calderon]] 19:21, 16 June 2011 (CDT)<br />
<br />
I added this at the very end because it does feel very Java'ish to me as well. However, that being said - all of the languages have a concept of either an Error or an Exception. PHP has Exceptions and as far as I can tell in ASP.Net you can raise an Error event which accomplishes the same task. Unfortunately in modern OO languages the concept of Error has a completely different meaning than an Exception as we are using them. An error is generally a condition that cannot be recovered from whereas an Exception represents a state that can - hence the use of the Exception word. <br />
<br />
--[[User:Chris Schmidt|Chris Schmidt]] 01:32, 17 June 2011 (EDT)</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=Talk:ESAPI_Specification&diff=112326Talk:ESAPI Specification2011-06-17T05:32:16Z<p>Chris Schmidt: </p>
<hr />
<div>I tried to keep the specification as compatible as I can with the existing APIs, however there are definately places where existing users are going to have to modify their code - specifically where it deals with Encoding and Validation. I believe these changes are absolutely necessary however to establish a good cross-platform specification. I also believe the migration path allows for the smoothest transition for end-users (developers) to make the necessary changes without completely breaking their existing implementations. This is similar to the path that Spring-Security took with it's 2.0 -> 2.5 -> 3.0 path where they did a very similar thing and I used their experience as the basis for the proposed roadmap.<br />
<br />
--[[User:Chris Schmidt|Chris Schmidt]] 02:23, 16 June 2011 (EDT)<br />
<br />
== Proposed Roadmap ==<br />
<br />
Does this seem like a realistic and smooth approach?<br />
<br />
--[[User:Chris Schmidt|Chris Schmidt]] 02:26, 16 June 2011 (EDT)<br />
<br />
== AccessController ==<br />
<br />
Let's start with discussing the proposed changes to the AccessController. <br />
<br />
Summary of proposed changes:<br />
* Drop deprecated methods isAuthorizedForXXX, assertAuthorizedForXXX<br />
* Replace (Object) Parameters with strongly typed StereoTypes<br />
<br />
Thoughts?<br />
<br />
--[[User:Chris Schmidt|Chris Schmidt]] 02:26, 16 June 2011 (EDT)<br />
<br />
<br />
I like the resource approach, I am imaginating there will be, lets say, a FileResource inheritated from Resource, so if a FileResource is passed to the method then only assessments against file resources will be done, am I right?<br />
<br />
--[[User:jcmax|Juan C Calderon]] 19:23, 16 June 2011 (CDT)<br />
<br />
== Logged in user, from where? ==<br />
<br />
where is the logged in user information will come from? how is it going to be available for isAuthorized?<br />
<br />
--[[User:jcmax|Juan C Calderon]] 19:16, 16 June 2011 (CDT)<br />
<br />
I personally like the Spring-Security approach - which is similar to the way ESAPI for Java currently does it - in that it uses a threadlocal; however - afaik there is no concept of ThreadLocal variables in PHP or ASP.Net. I think the best way to do this would be to borrow the concept of the SecurityContextHolder from the Spring-Security model and leave the actual implementation of how it is populated up to the implementation. So this would be a new interface called something like AuthenticationHolder or UserContextHolder with a method to getCurrentUser() which would return the currently logged in user. <br />
<br />
--[[User:Chris Schmidt|Chris Schmidt]] 01:32, 17 June 2011 (EDT)<br />
<br />
== Exceptions ==<br />
<br />
The specification looks very "Java", that is, I am not pretty sure if you can handle structured exceptions in PHP, in Classic ASP is not possible, yet it could be emulated a little. Can we come to a representation that is more language neutral? (this is not a show stopper, just thinking on trying to be the more neutral possible) <br />
<br />
--[[User:jcmax|Juan C Calderon]] 19:21, 16 June 2011 (CDT)<br />
<br />
I added this at the very end because it does feel very Java'ish to me as well. However, that being said - all of the languages have a concept of either an Error or an Exception. PHP has Exceptions and as far as I can tell in ASP.Net you can raise an Error event which accomplishes the same task. Unfortunately in modern OO languages the concept of Error has a completely different meaning than an Exception as we are using them. An error is generally a condition that cannot be recovered from whereas an Exception represents a state that can - hence the use of the Exception word. <br />
<br />
--[[User:Chris Schmidt|Chris Schmidt]] 01:32, 17 June 2011 (EDT)</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Specification&diff=112243ESAPI Specification2011-06-16T07:12:00Z<p>Chris Schmidt: </p>
<hr />
<div><pre>This document is currently under development - Please use the Discussion page for threaded conversation</pre><br />
<br />
= Proposed Migration Roadmap =<br />
* ESAPI 2.1<br />
** Create new package '''org.owasp.esapi.core'''<br />
** Create new set of Interfaces in new package with each extending it's '''org.owasp.esapi''' counterpart<br />
** Deprecate methods in '''org.owasp.esapi''' Interfaces<br />
* ESAPI 2.5<br />
** Remove deprecated methods that were deprecated at or before ESAPI 2.0<br />
** Introduce new ServiceLocator API<br />
* ESAPI 3.0<br />
** Seperate Core API into it's own artifact/project called ESAPI-Core<br />
** Create new set of artifacts as outlined in [[ESAPI_Project_Structure]]<br />
** Introduce Core API Testing Suite<br />
<br />
= Core API Specification =<br />
<br />
== AccessController ==<br />
The AccessController is responsible for determining if the currently logged in user has access to a given resource. The resource can be anything that implements the [[#Resource|Resource]] Interface.<br />
<br />
=== Changes from ESAPI 2.0 ===<br />
* Removed deprecated methods<br />
* Added Generic Stereotypes to the Resource and Context parameters)<br />
<br />
=== StereoTypes ===<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Description<br />
|-<br />
| R <br />
| A class that implements the [[#Resource|Resource]] Interface and represents the [[#Resource|Resource]] the user is requesting access to <br />
|-<br />
| Context <br />
| Any object that represents the current context of the Authorization request - this is generally a Key-Value map <br />
|}<br />
<br />
=== Methods ===<br />
<br />
==== <R extends Resource,Context> void assertAuthorized(Resource resource, Context context) throws AccessDeniedException ====<br />
Assert that the currently logged in user can access the given [[#Resource|Resource]] with the given Context parameters<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Exceptions =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Exception<br />
! Description<br />
|-<br />
| [[#AccessDeniedException|AccessDeniedException]]<br />
| If the assertion evaluates to false, an AccessControlException will be thrown with contextual information as to the reason for the failure<br />
|}<br />
<br />
==== <R extends Resource,Context> boolean isAuthorized(Resource resource, Context context) ====<br />
Determine if the given resource is accessible by the currently logged in [[#User|User]]<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Return =====<br />
Returns true if the resource is accessible to the currently logged in user and false if it is not.<br />
<br />
== AccessReferenceMap<Key> ==<br />
<br />
=== Methods ===<br />
<br />
==== <Type> Key addDirectReference(Type direct) ====<br />
<br />
==== <Type> Type getDirectReference(Key key) ====<br />
<br />
==== <Type> Key getIndirectReference(Type directReference) ====<br />
<br />
==== <Type> Key removeDirectReference(Type directReference) ====<br />
<br />
==== <Type> void update(Set<Type> directReferences) ====<br />
<br />
== Authenticator ==<br />
<br />
=== Methods ===<br />
<br />
==== User login() throws AuthenticationException ====<br />
<br />
==== void logout() throws AuthenticationException ====<br />
<br />
== Codec ==<br />
<br />
=== Methods ===<br />
<br />
==== String encode(char c) ====<br />
<br />
==== String decode(String s) ====<br />
<br />
== Encoder ==<br />
<br />
=== Methods ===<br />
<br />
==== String encode(String s) ====<br />
<br />
==== String decode(String s) ====<br />
<br />
==== void addCodec(Codec c) ====<br />
<br />
==== Set<Codec> getCodecs() ====<br />
<br />
==== void setCodecs(Set<Codec> codecs) ====<br />
<br />
== Encryptor ==<br />
<br />
=== Methods ===<br />
<br />
==== PlainText decrypt(CipherText cipherText, SecretKey secretKey) throws EncryptionException ====<br />
<br />
==== CipherText encrypt(PlainText plainText, SecretKey secretKey) throws EncryptionException ====<br />
<br />
==== MessageDigest hash(PlainText plainText, Salt salt, Integer iterations) throws EncryptionException ====<br />
<br />
==== String seal(String data, Long timestamp) throws EncryptionException ====<br />
<br />
==== String sign(String data) throws EncryptionException ====<br />
<br />
==== String unseal(String sealedData) throws EncryptionException ====<br />
<br />
==== void verifySeal(String sealedData) throws DataIntegrityException ====<br />
<br />
==== void verifySignature(String signature, String data) throws InvalidSignatureException ====<br />
<br />
== Executor ==<br />
<br />
=== Methods ===<br />
<br />
==== ExecutorResult executeSystemCommand(ExecutorTarget target, Encoder encoder) throws ExecutionException ====<br />
<br />
== ExecutorResult ==<br />
<br />
===Methods ===<br />
<br />
==== String getErrorOutput() ====<br />
<br />
==== String getStandardOutput() ====<br />
<br />
==== Integer getExitValue() ====<br />
<br />
== ExecutorTarget ==<br />
<br />
=== Methods ===<br />
<br />
==== ''native'' FileHandle getExecutable() ====<br />
<br />
==== ''native'' Handle getWorkingDirectory() ====<br />
<br />
==== OrderedMap<String,String> getParameters() ====<br />
<br />
== IntrusionDetector ==<br />
<br />
=== Methods ===<br />
<br />
==== void addEvent(String eventName, String message) ====<br />
<br />
==== void addException(Throwable exception) ====<br />
<br />
== LogFactory ==<br />
Still thinking this one through<br />
<br />
== Logger ==<br />
Still thinking this one through<br />
<br />
== Randomizer ==<br />
<br />
=== Methods ===<br />
<br />
==== Boolean getRandomBoolean() ====<br />
<br />
==== Byte[] getRandomBytes(Integer len) ====<br />
<br />
==== String getRandomFilename(String extension) ====<br />
<br />
==== String getRandomUUID() ====<br />
<br />
==== Integer getRandomInteger(Integer min, Integer max) ====<br />
<br />
==== Long getRandomLong(Long min, Long max) ====<br />
<br />
==== Float getRandomReal(Float min, Float max) ====<br />
<br />
==== String getRandomString(Integer len, char[] charSet=) ===<br />
<br />
== Resource ==<br />
Marker Interface for Resources that a user can request access to.<br />
<br />
== ServiceLocator ==<br />
<br />
== User ==<br />
<br />
=== Methods ===<br />
<br />
==== <Type> Type getAccountID() ====<br />
<br />
==== String getAccountName() ====<br />
<br />
==== Long getExpirationTime() ====<br />
<br />
==== Integer getFailedLoginCount() ====<br />
<br />
==== Long getLastFailedLoginTime() ====<br />
<br />
==== String getLastHostAddress() ====<br />
<br />
==== Long getLastLoginTime() ====<br />
<br />
==== Long getLastPasswordChangeTime() ====<br />
<br />
==== String getLocale() ====<br />
<br />
==== Set<String> getRoles() ====<br />
<br />
==== String getScreenName() ====<br />
<br />
==== Boolean isAnonymous() ====<br />
<br />
==== Boolean isEnabled() ====<br />
<br />
==== Boolean isExpired() ====<br />
<br />
==== Boolean isInRole(String role) ====<br />
<br />
==== Boolean isLocked() ====<br />
<br />
==== Boolean isLoggedIn() ====<br />
<br />
== Validator ==<br />
<br />
=== Methods ===<br />
<br />
==== <Type> Boolean isValid(Type data) ====<br />
<br />
==== <Type> void assertValid(Type data) ====<br />
<br />
== Exceptions == <br />
<br />
=== AccessDeniedException ===<br />
<br />
=== AccountDisabledException ===<br />
<br />
=== AccountLockedException ===<br />
<br />
=== AuthenticationException ===<br />
<br />
=== EncodingException ===<br />
<br />
=== EncryptionException ===<br />
<br />
=== EnterpriseSecurityException ===<br />
<br />
=== EnterpriseSecurityRuntimeException ===<br />
<br />
=== ExecutionException ===<br />
<br />
=== IncorrectCredentialsException ===<br />
<br />
= Web API Specification =<br />
This API describes the components that can be used in the context of a Web Application. <br />
<br />
== ClientCookie ==<br />
<br />
=== Methods ===<br />
<br />
==== String getName() ====<br />
<br />
==== void setName(String name) ====<br />
<br />
==== String getValue() ====<br />
<br />
==== void setValue(String value) ====<br />
<br />
==== Integer getMaxAge() ====<br />
<br />
==== void setMaxAge(Integer maxAge) ====<br />
<br />
==== String getDomain() ====<br />
<br />
==== void setDomain(String domain) ====<br />
<br />
==== String getPath() ====<br />
<br />
==== void setPath(String path) ====<br />
<br />
==== Boolean isHttpOnly() ====<br />
<br />
==== void setHttpOnly(Boolean httpOnly) ====<br />
<br />
==== Boolean isSecure() ====<br />
<br />
==== void setSecure(Boolean secure) ====<br />
<br />
== SecureHttpRequest ==<br />
<br />
=== Methods ===<br />
<br />
==== void assertSecureChannel() ====<br />
<br />
==== void assertSecureRequest() ====<br />
<br />
==== ClientCookie getCookie(String name) ====<br />
<br />
==== List<FileHandle> getFileUploads() ====<br />
<br />
==== <T> T getAttribute(String name) ====<br />
<br />
==== String getHeader(String header) ====<br />
<br />
==== String getParameter(String name) ====<br />
<br />
==== void sendForward(String url) ====<br />
<br />
==== void verifyCsrfToken() throws CsrfException ====<br />
<br />
== SecureHttpResponse ==<br />
<br />
=== Methods ===<br />
<br />
==== void addCookie(ClientCookie cookie) ====<br />
<br />
==== void addHeader(String key, String value) ====<br />
<br />
==== void killCookies() ====<br />
<br />
==== void sendRedirect(String url) ====<br />
<br />
==== void setContentType(String contentType) ====<br />
<br />
==== void setNoCacheHeaders() ====<br />
<br />
== SecureHttpSession ==<br />
<br />
=== Methods ===<br />
<br />
==== <T> T getAttribute(String key) ====<br />
<br />
== URLResource ==<br />
<br />
=== Extends ===<br />
* [[#Resource|Resource]]<br />
<br />
=== Methods ===<br />
<br />
<br />
== WebUser ==<br />
<br />
=== Methods ===<br />
<br />
==== String getCsrfToken() ====<br />
<br />
==== void resetCsrfToken() ====<br />
<br />
==== void addSession(SecureHttpSession session) ====<br />
<br />
==== void removeSession(SecureHttpSession session) ====<br />
<br />
= Mobile API Specification =<br />
<br />
= Desktop API Specification =</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Specification&diff=112242ESAPI Specification2011-06-16T07:02:03Z<p>Chris Schmidt: </p>
<hr />
<div><pre>This document is currently under development - Please use the Discussion page for threaded conversation</pre><br />
<br />
= Proposed Migration Roadmap =<br />
* ESAPI 2.1<br />
** Create new package '''org.owasp.esapi.core'''<br />
** Create new set of Interfaces in new package with each extending it's '''org.owasp.esapi''' counterpart<br />
** Deprecate methods in '''org.owasp.esapi''' Interfaces<br />
* ESAPI 2.5<br />
** Remove deprecated methods that were deprecated at or before ESAPI 2.0<br />
** Introduce new ServiceLocator API<br />
* ESAPI 3.0<br />
** Seperate Core API into it's own artifact/project called ESAPI-Core<br />
** Create new set of artifacts as outlined in [[ESAPI_Project_Structure]]<br />
** Introduce Core API Testing Suite<br />
<br />
= Core API Specification =<br />
<br />
== AccessController ==<br />
The AccessController is responsible for determining if the currently logged in user has access to a given resource. The resource can be anything that implements the [[#Resource|Resource]] Interface.<br />
<br />
=== Changes from ESAPI 2.0 ===<br />
* Removed deprecated methods<br />
* Added Generic Stereotypes to the Resource and Context parameters)<br />
<br />
=== StereoTypes ===<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Description<br />
|-<br />
| R <br />
| A class that implements the [[#Resource|Resource]] Interface and represents the [[#Resource|Resource]] the user is requesting access to <br />
|-<br />
| Context <br />
| Any object that represents the current context of the Authorization request - this is generally a Key-Value map <br />
|}<br />
<br />
=== Methods ===<br />
<br />
==== <R extends Resource,Context> void assertAuthorized(Resource resource, Context context) throws AccessDeniedException ====<br />
Assert that the currently logged in user can access the given [[#Resource|Resource]] with the given Context parameters<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Exceptions =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Exception<br />
! Description<br />
|-<br />
| [[#AccessDeniedException|AccessDeniedException]]<br />
| If the assertion evaluates to false, an AccessControlException will be thrown with contextual information as to the reason for the failure<br />
|}<br />
<br />
==== <R extends Resource,Context> boolean isAuthorized(Resource resource, Context context) ====<br />
Determine if the given resource is accessible by the currently logged in [[#User|User]]<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Return =====<br />
Returns true if the resource is accessible to the currently logged in user and false if it is not.<br />
<br />
== AccessReferenceMap<Key> ==<br />
<br />
=== <Type> Key addDirectReference(Type direct) ===<br />
<br />
=== <Type> Type getDirectReference(Key key) ===<br />
<br />
=== <Type> Key getIndirectReference(Type directReference) ===<br />
<br />
=== <Type> Key removeDirectReference(Type directReference) ===<br />
<br />
=== <Type> void update(Set<Type> directReferences) ===<br />
<br />
== Authenticator ==<br />
<br />
=== User login() throws AuthenticationException ===<br />
<br />
=== void logout() throws AuthenticationException === <br />
<br />
== Codec ==<br />
<br />
=== String encode(char c) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
== Encoder ==<br />
<br />
=== String encode(String s) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
=== void addCodec(Codec c) ===<br />
<br />
=== Set<Codec> getCodecs() ===<br />
<br />
=== void setCodecs(Set<Codec> codecs) ===<br />
<br />
== Encryptor ==<br />
<br />
=== PlainText decrypt(CipherText cipherText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== CipherText encrypt(PlainText plainText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== MessageDigest hash(PlainText plainText, Salt salt, Integer iterations) throws EncryptionException ===<br />
<br />
=== String seal(String data, Long timestamp) throws EncryptionException ===<br />
<br />
=== String sign(String data) throws EncryptionException ===<br />
<br />
=== String unseal(String sealedData) throws EncryptionException ===<br />
<br />
=== void verifySeal(String sealedData) throws DataIntegrityException ===<br />
<br />
=== void verifySignature(String signature, String data) throws InvalidSignatureException ===<br />
<br />
== Executor ==<br />
<br />
=== ExecutorResult executeSystemCommand(ExecutorTarget target, Encoder encoder) throws ExecutionException ===<br />
<br />
== ExecutorResult ==<br />
<br />
=== String getErrorOutput() ===<br />
<br />
=== String getStandardOutput() ===<br />
<br />
=== Integer getExitValue() ===<br />
<br />
== ExecutorTarget ==<br />
<br />
=== ''native'' FileHandle getExecutable() ===<br />
<br />
=== ''native'' Handle getWorkingDirectory() ===<br />
<br />
=== OrderedMap<String,String> getParameters() ===<br />
<br />
== IntrusionDetector ==<br />
<br />
=== void addEvent(String eventName, String message) ===<br />
<br />
=== void addException(Throwable exception) ===<br />
<br />
== LogFactory ==<br />
Still thinking this one through<br />
<br />
== Logger ==<br />
Still thinking this one through<br />
<br />
== Randomizer ==<br />
<br />
=== Boolean getRandomBoolean() ===<br />
<br />
=== Byte[] getRandomBytes(Integer len) ===<br />
<br />
=== String getRandomFilename(String extension) ===<br />
<br />
=== String getRandomUUID() ===<br />
<br />
=== Integer getRandomInteger(Integer min, Integer max) ===<br />
<br />
=== Long getRandomLong(Long min, Long max) ===<br />
<br />
=== Float getRandomReal(Float min, Float max) ===<br />
<br />
=== String getRandomString(Integer len, char[] charSet) ===<br />
<br />
== Resource ==<br />
Marker Interface for Resources that a user can request access to.<br />
<br />
== ServiceLocator ==<br />
<br />
== User ==<br />
<br />
=== <Type> Type getAccountID() ===<br />
<br />
=== String getAccountName() ===<br />
<br />
=== Long getExpirationTime() ===<br />
<br />
=== Integer getFailedLoginCount() ===<br />
<br />
=== Long getLastFailedLoginTime() ===<br />
<br />
=== String getLastHostAddress() ===<br />
<br />
=== Long getLastLoginTime() ===<br />
<br />
=== Long getLastPasswordChangeTime() ===<br />
<br />
=== String getLocale() ===<br />
<br />
=== Set<String> getRoles() ===<br />
<br />
=== String getScreenName() ===<br />
<br />
=== Boolean isAnonymous() ===<br />
<br />
=== Boolean isEnabled() ===<br />
<br />
=== Boolean isExpired() ===<br />
<br />
=== Boolean isInRole(String role) ===<br />
<br />
=== Boolean isLocked() ===<br />
<br />
=== Boolean isLoggedIn() ===<br />
<br />
== Validator ==<br />
<br />
=== <Type> Boolean isValid(Type data) ===<br />
<br />
=== <Type> void assertValid(Type data) ===<br />
<br />
== Exceptions == <br />
<br />
=== AccessDeniedException ===<br />
<br />
=== AccountDisabledException ===<br />
<br />
=== AccountLockedException ===<br />
<br />
=== AuthenticationException ===<br />
<br />
=== EncodingException ===<br />
<br />
=== EncryptionException ===<br />
<br />
=== EnterpriseSecurityException ===<br />
<br />
=== EnterpriseSecurityRuntimeException ===<br />
<br />
=== ExecutionException ===<br />
<br />
=== IncorrectCredentialsException ===<br />
<br />
= Web API Specification =<br />
This API describes the components that can be used in the context of a Web Application. <br />
<br />
== ClientCookie ==<br />
<br />
=== String getName() ===<br />
<br />
=== void setName(String name) ===<br />
<br />
=== String getValue() ===<br />
<br />
=== void setValue(String value) ===<br />
<br />
=== Integer getMaxAge() ===<br />
<br />
=== void setMaxAge(Integer maxAge) ===<br />
<br />
=== String getDomain() ===<br />
<br />
=== void setDomain(String domain) ===<br />
<br />
=== String getPath() ===<br />
<br />
=== void setPath(String path) ===<br />
<br />
=== Boolean isHttpOnly() ===<br />
<br />
=== void setHttpOnly(Boolean httpOnly) ===<br />
<br />
=== Boolean isSecure() ===<br />
<br />
=== void setSecure(Boolean secure) ===<br />
<br />
== SecureHttpRequest ==<br />
<br />
=== void assertSecureChannel() ===<br />
<br />
=== void assertSecureRequest() ===<br />
<br />
=== ClientCookie getCookie(String name) ===<br />
<br />
=== List<FileHandle> getFileUploads() ===<br />
<br />
=== <T> T getAttribute(String name) ===<br />
<br />
=== String getHeader(String header) ===<br />
<br />
=== String getParameter(String name) ===<br />
<br />
=== void sendForward(String url) ===<br />
<br />
=== void verifyCsrfToken() throws CsrfException ===<br />
<br />
== SecureHttpResponse ==<br />
<br />
=== void addCookie(ClientCookie cookie) ===<br />
<br />
=== void addHeader(String key, String value) ===<br />
<br />
=== void killCookies() ===<br />
<br />
=== void sendRedirect(String url) ===<br />
<br />
=== void setContentType(String contentType) ===<br />
<br />
=== void setNoCacheHeaders() ===<br />
<br />
== SecureHttpSession ==<br />
<br />
=== <T> T getAttribute(String key) ===<br />
<br />
== WebUser ==<br />
<br />
=== String getCsrfToken() ===<br />
<br />
=== void resetCsrfToken() ===<br />
<br />
=== void addSession(SecureHttpSession session) ===<br />
<br />
=== void removeSession(SecureHttpSession session) ===<br />
<br />
= Mobile API Specification =<br />
<br />
= Desktop API Specification =</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Project_Structure&diff=112240ESAPI Project Structure2011-06-16T06:59:10Z<p>Chris Schmidt: Created page with "<pre>This document is currently under development - Please use the Discussion page for threaded conversation</pre> * '''ESAPI-Core-Specification (TLD):''' All forks should "inhe..."</p>
<hr />
<div><pre>This document is currently under development - Please use the Discussion page for threaded conversation</pre><br />
<br />
* '''ESAPI-Core-Specification (TLD):''' All forks should "inherit" from this specification<br />
** '''ESAPI-Core:''' This is a language specific artifact (jar,dll,etc.) that contains the API described by the ESAPI Core Specification as well as the Core-API Unit Testing Suite <br />
*** '''ESAPI-Core-RI:''' This is the "Reference Implementation" of the Core-API. This can be a single artifact or multiple artifacts depending on the preference of the community and project leadership.<br />
*** '''ESAPI-Web-Specification:''' This is the specification for the ESAPI Web API<br />
**** '''ESAPI-Web-API:''' This is the language specific artifact that contains the API described by the ESAPI-Web-Specification as well as a set of Unit Tests <br />
***** '''ESAPI-Web-RI:''' This is the "Reference Implementation" of the Web-API. <br />
*** '''ESAPI-Mobile-Specification:'''<br />
**** '''ESAPI-Mobile-API:'''<br />
***** '''ESAPI-Mobile-RI:'''<br />
*** '''ESAPI-Desktop-Specification:'''<br />
**** '''ESAPI-Desktop-API:'''<br />
***** '''ESAPI-Desktop-RI:'''</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Specification&diff=112239ESAPI Specification2011-06-16T06:51:08Z<p>Chris Schmidt: </p>
<hr />
<div><pre>This document is currently under development - Please use the Discussion page for threaded conversation</pre><br />
<br />
= Proposed Migration Roadmap =<br />
* ESAPI 2.1<br />
** Create new package '''org.owasp.esapi.core'''<br />
** Create new set of Interfaces in new package with each extending it's '''org.owasp.esapi''' counterpart<br />
** Deprecate methods in '''org.owasp.esapi''' Interfaces<br />
* ESAPI 2.5<br />
** Remove deprecated methods that were deprecated at or before ESAPI 2.0<br />
** Introduce new ServiceLocator API<br />
* ESAPI 3.0<br />
** Seperate Core API into it's own artifact/project called ESAPI-Core<br />
** Create new set of artifacts as outlined in [[ESAPI_Project_Structure]]<br />
** Introduce Core API Testing Suite<br />
<br />
= Core API Specification =<br />
<br />
== AccessController ==<br />
The AccessController is responsible for determining if the currently logged in user has access to a given resource. The resource can be anything that implements the [[#Resource|Resource]] Interface.<br />
<br />
=== Changes from ESAPI 2.0 ===<br />
* Removed deprecated methods<br />
* Added Generic Stereotypes to the Key and Context parameters)<br />
<br />
=== StereoTypes ===<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Description<br />
|-<br />
| R <br />
| A class that implements the [[#Resource|Resource]] Interface and represents the [[#Resource|Resource]] the user is requesting access to <br />
|-<br />
| Context <br />
| Any object that represents the current context of the Authorization request - this is generally a Key-Value map <br />
|}<br />
<br />
=== Methods ===<br />
<br />
==== <R extends Resource,Context> void assertAuthorized(Resource resource, Context context) throws AccessDeniedException ====<br />
Assert that the currently logged in user can access the given [[#Resource|Resource]] with the given Context parameters<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Exceptions =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Exception<br />
! Description<br />
|-<br />
| [[#AccessDeniedException|AccessDeniedException]]<br />
| If the assertion evaluates to false, an AccessControlException will be thrown with contextual information as to the reason for the failure<br />
|}<br />
<br />
==== <R extends Resource,Context> boolean isAuthorized(Resource resource, Context context) ====<br />
Determine if the given resource is accessible by the currently logged in [[#User|User]]<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Return =====<br />
Returns true if the resource is accessible to the currently logged in user and false if it is not.<br />
<br />
== AccessReferenceMap<Key> ==<br />
<br />
=== <Type> Key addDirectReference(Type direct) ===<br />
<br />
=== <Type> Type getDirectReference(Key key) ===<br />
<br />
=== <Type> Key getIndirectReference(Type directReference) ===<br />
<br />
=== <Type> Key removeDirectReference(Type directReference) ===<br />
<br />
=== <Type> void update(Set<Type> directReferences) ===<br />
<br />
== Authenticator ==<br />
<br />
=== User login() throws AuthenticationException ===<br />
<br />
=== void logout() throws AuthenticationException === <br />
<br />
== Codec ==<br />
<br />
=== String encode(char c) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
== Encoder ==<br />
<br />
=== String encode(String s) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
=== void addCodec(Codec c) ===<br />
<br />
=== Set<Codec> getCodecs() ===<br />
<br />
=== void setCodecs(Set<Codec> codecs) ===<br />
<br />
== Encryptor ==<br />
<br />
=== PlainText decrypt(CipherText cipherText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== CipherText encrypt(PlainText plainText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== MessageDigest hash(PlainText plainText, Salt salt, Integer iterations) throws EncryptionException ===<br />
<br />
=== String seal(String data, Long timestamp) throws EncryptionException ===<br />
<br />
=== String sign(String data) throws EncryptionException ===<br />
<br />
=== String unseal(String sealedData) throws EncryptionException ===<br />
<br />
=== void verifySeal(String sealedData) throws DataIntegrityException ===<br />
<br />
=== void verifySignature(String signature, String data) throws InvalidSignatureException ===<br />
<br />
== Executor ==<br />
<br />
=== ExecutorResult executeSystemCommand(ExecutorTarget target, Encoder encoder) throws ExecutionException ===<br />
<br />
== ExecutorResult ==<br />
<br />
=== String getErrorOutput() ===<br />
<br />
=== String getStandardOutput() ===<br />
<br />
=== Integer getExitValue() ===<br />
<br />
== ExecutorTarget ==<br />
<br />
=== ''native'' FileHandle getExecutable() ===<br />
<br />
=== ''native'' Handle getWorkingDirectory() ===<br />
<br />
=== OrderedMap<String,String> getParameters() ===<br />
<br />
== IntrusionDetector ==<br />
<br />
=== void addEvent(String eventName, String message) ===<br />
<br />
=== void addException(Throwable exception) ===<br />
<br />
== LogFactory ==<br />
Still thinking this one through<br />
<br />
== Logger ==<br />
Still thinking this one through<br />
<br />
== Randomizer ==<br />
<br />
=== Boolean getRandomBoolean() ===<br />
<br />
=== Byte[] getRandomBytes(Integer len) ===<br />
<br />
=== String getRandomFilename(String extension) ===<br />
<br />
=== String getRandomUUID() ===<br />
<br />
=== Integer getRandomInteger(Integer min, Integer max) ===<br />
<br />
=== Long getRandomLong(Long min, Long max) ===<br />
<br />
=== Float getRandomReal(Float min, Float max) ===<br />
<br />
=== String getRandomString(Integer len, char[] charSet) ===<br />
<br />
== Resource ==<br />
Marker Interface for Resources that a user can request access to.<br />
<br />
== ServiceLocator ==<br />
<br />
== User ==<br />
<br />
=== <Type> Type getAccountID() ===<br />
<br />
=== String getAccountName() ===<br />
<br />
=== Long getExpirationTime() ===<br />
<br />
=== Integer getFailedLoginCount() ===<br />
<br />
=== Long getLastFailedLoginTime() ===<br />
<br />
=== String getLastHostAddress() ===<br />
<br />
=== Long getLastLoginTime() ===<br />
<br />
=== Long getLastPasswordChangeTime() ===<br />
<br />
=== String getLocale() ===<br />
<br />
=== Set<String> getRoles() ===<br />
<br />
=== String getScreenName() ===<br />
<br />
=== Boolean isAnonymous() ===<br />
<br />
=== Boolean isEnabled() ===<br />
<br />
=== Boolean isExpired() ===<br />
<br />
=== Boolean isInRole(String role) ===<br />
<br />
=== Boolean isLocked() ===<br />
<br />
=== Boolean isLoggedIn() ===<br />
<br />
== Validator ==<br />
<br />
=== <Type> Boolean isValid(Type data) ===<br />
<br />
=== <Type> void assertValid(Type data) ===<br />
<br />
== Exceptions == <br />
<br />
=== AccessDeniedException ===<br />
<br />
=== AccountDisabledException ===<br />
<br />
=== AccountLockedException ===<br />
<br />
=== AuthenticationException ===<br />
<br />
=== EncodingException ===<br />
<br />
=== EncryptionException ===<br />
<br />
=== EnterpriseSecurityException ===<br />
<br />
=== EnterpriseSecurityRuntimeException ===<br />
<br />
=== ExecutionException ===<br />
<br />
=== IncorrectCredentialsException ===<br />
<br />
= Web API Specification =<br />
This API describes the components that can be used in the context of a Web Application. <br />
<br />
== ClientCookie ==<br />
<br />
=== String getName() ===<br />
<br />
=== void setName(String name) ===<br />
<br />
=== String getValue() ===<br />
<br />
=== void setValue(String value) ===<br />
<br />
=== Integer getMaxAge() ===<br />
<br />
=== void setMaxAge(Integer maxAge) ===<br />
<br />
=== String getDomain() ===<br />
<br />
=== void setDomain(String domain) ===<br />
<br />
=== String getPath() ===<br />
<br />
=== void setPath(String path) ===<br />
<br />
=== Boolean isHttpOnly() ===<br />
<br />
=== void setHttpOnly(Boolean httpOnly) ===<br />
<br />
=== Boolean isSecure() ===<br />
<br />
=== void setSecure(Boolean secure) ===<br />
<br />
== SecureHttpRequest ==<br />
<br />
=== void assertSecureChannel() ===<br />
<br />
=== void assertSecureRequest() ===<br />
<br />
=== ClientCookie getCookie(String name) ===<br />
<br />
=== List<FileHandle> getFileUploads() ===<br />
<br />
=== <T> T getAttribute(String name) ===<br />
<br />
=== String getHeader(String header) ===<br />
<br />
=== String getParameter(String name) ===<br />
<br />
=== void sendForward(String url) ===<br />
<br />
=== void verifyCsrfToken() throws CsrfException ===<br />
<br />
== SecureHttpResponse ==<br />
<br />
=== void addCookie(ClientCookie cookie) ===<br />
<br />
=== void addHeader(String key, String value) ===<br />
<br />
=== void killCookies() ===<br />
<br />
=== void sendRedirect(String url) ===<br />
<br />
=== void setContentType(String contentType) ===<br />
<br />
=== void setNoCacheHeaders() ===<br />
<br />
== SecureHttpSession ==<br />
<br />
=== <T> T getAttribute(String key) ===<br />
<br />
== WebUser ==<br />
<br />
=== String getCsrfToken() ===<br />
<br />
=== void resetCsrfToken() ===<br />
<br />
=== void addSession(SecureHttpSession session) ===<br />
<br />
=== void removeSession(SecureHttpSession session) ===<br />
<br />
= Mobile API Specification =<br />
<br />
= Desktop API Specification =</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Specification&diff=112238ESAPI Specification2011-06-16T06:48:19Z<p>Chris Schmidt: </p>
<hr />
<div>= Proposed Migration Roadmap =<br />
* ESAPI 2.1<br />
** Create new package '''org.owasp.esapi.core'''<br />
** Create new set of Interfaces in new package with each extending it's '''org.owasp.esapi''' counterpart<br />
** Deprecate methods in '''org.owasp.esapi''' Interfaces<br />
* ESAPI 2.5<br />
** Remove deprecated methods that were deprecated at or before ESAPI 2.0<br />
** Introduce new ServiceLocator API<br />
* ESAPI 3.0<br />
** Seperate Core API into it's own artifact/project called ESAPI-Core<br />
** Create new set of artifacts as outlined in [[ESAPI_Project_Structure]]<br />
** Introduce Core API Testing Suite<br />
<br />
= Core API Specification =<br />
<br />
== AccessController ==<br />
The AccessController is responsible for determining if the currently logged in user has access to a given resource. The resource can be anything that implements the [[#Resource|Resource]] Interface.<br />
<br />
=== Changes from ESAPI 2.0 ===<br />
* Removed deprecated methods<br />
* Added Generic Stereotypes to the Key and Context parameters)<br />
<br />
=== StereoTypes ===<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Description<br />
|-<br />
| R <br />
| A class that implements the [[#Resource|Resource]] Interface and represents the [[#Resource|Resource]] the user is requesting access to <br />
|-<br />
| Context <br />
| Any object that represents the current context of the Authorization request - this is generally a Key-Value map <br />
|}<br />
<br />
=== Methods ===<br />
<br />
==== <R extends Resource,Context> void assertAuthorized(Resource resource, Context context) throws AccessDeniedException ====<br />
Assert that the currently logged in user can access the given [[#Resource|Resource]] with the given Context parameters<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Exceptions =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Exception<br />
! Description<br />
|-<br />
| [[#AccessDeniedException|AccessDeniedException]]<br />
| If the assertion evaluates to false, an AccessControlException will be thrown with contextual information as to the reason for the failure<br />
|}<br />
<br />
==== <R extends Resource,Context> boolean isAuthorized(Resource resource, Context context) ====<br />
Determine if the given resource is accessible by the currently logged in [[#User|User]]<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Return =====<br />
Returns true if the resource is accessible to the currently logged in user and false if it is not.<br />
<br />
== AccessReferenceMap<Key> ==<br />
<br />
=== <Type> Key addDirectReference(Type direct) ===<br />
<br />
=== <Type> Type getDirectReference(Key key) ===<br />
<br />
=== <Type> Key getIndirectReference(Type directReference) ===<br />
<br />
=== <Type> Key removeDirectReference(Type directReference) ===<br />
<br />
=== <Type> void update(Set<Type> directReferences) ===<br />
<br />
== Authenticator ==<br />
<br />
=== User login() throws AuthenticationException ===<br />
<br />
=== void logout() throws AuthenticationException === <br />
<br />
== Codec ==<br />
<br />
=== String encode(char c) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
== Encoder ==<br />
<br />
=== String encode(String s) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
=== void addCodec(Codec c) ===<br />
<br />
=== Set<Codec> getCodecs() ===<br />
<br />
=== void setCodecs(Set<Codec> codecs) ===<br />
<br />
== Encryptor ==<br />
<br />
=== PlainText decrypt(CipherText cipherText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== CipherText encrypt(PlainText plainText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== MessageDigest hash(PlainText plainText, Salt salt, Integer iterations) throws EncryptionException ===<br />
<br />
=== String seal(String data, Long timestamp) throws EncryptionException ===<br />
<br />
=== String sign(String data) throws EncryptionException ===<br />
<br />
=== String unseal(String sealedData) throws EncryptionException ===<br />
<br />
=== void verifySeal(String sealedData) throws DataIntegrityException ===<br />
<br />
=== void verifySignature(String signature, String data) throws InvalidSignatureException ===<br />
<br />
== Executor ==<br />
<br />
=== ExecutorResult executeSystemCommand(ExecutorTarget target, Encoder encoder) throws ExecutionException ===<br />
<br />
== ExecutorResult ==<br />
<br />
=== String getErrorOutput() ===<br />
<br />
=== String getStandardOutput() ===<br />
<br />
=== Integer getExitValue() ===<br />
<br />
== ExecutorTarget ==<br />
<br />
=== ''native'' FileHandle getExecutable() ===<br />
<br />
=== ''native'' Handle getWorkingDirectory() ===<br />
<br />
=== OrderedMap<String,String> getParameters() ===<br />
<br />
== IntrusionDetector ==<br />
<br />
=== void addEvent(String eventName, String message) ===<br />
<br />
=== void addException(Throwable exception) ===<br />
<br />
== LogFactory ==<br />
Still thinking this one through<br />
<br />
== Logger ==<br />
Still thinking this one through<br />
<br />
== Randomizer ==<br />
<br />
=== Boolean getRandomBoolean() ===<br />
<br />
=== Byte[] getRandomBytes(Integer len) ===<br />
<br />
=== String getRandomFilename(String extension) ===<br />
<br />
=== String getRandomUUID() ===<br />
<br />
=== Integer getRandomInteger(Integer min, Integer max) ===<br />
<br />
=== Long getRandomLong(Long min, Long max) ===<br />
<br />
=== Float getRandomReal(Float min, Float max) ===<br />
<br />
=== String getRandomString(Integer len, char[] charSet) ===<br />
<br />
== Resource ==<br />
Marker Interface for Resources that a user can request access to.<br />
<br />
== ServiceLocator ==<br />
<br />
== User ==<br />
<br />
=== <Type> Type getAccountID() ===<br />
<br />
=== String getAccountName() ===<br />
<br />
=== Long getExpirationTime() ===<br />
<br />
=== Integer getFailedLoginCount() ===<br />
<br />
=== Long getLastFailedLoginTime() ===<br />
<br />
=== String getLastHostAddress() ===<br />
<br />
=== Long getLastLoginTime() ===<br />
<br />
=== Long getLastPasswordChangeTime() ===<br />
<br />
=== String getLocale() ===<br />
<br />
=== Set<String> getRoles() ===<br />
<br />
=== String getScreenName() ===<br />
<br />
=== Boolean isAnonymous() ===<br />
<br />
=== Boolean isEnabled() ===<br />
<br />
=== Boolean isExpired() ===<br />
<br />
=== Boolean isInRole(String role) ===<br />
<br />
=== Boolean isLocked() ===<br />
<br />
=== Boolean isLoggedIn() ===<br />
<br />
== Validator ==<br />
<br />
=== <Type> Boolean isValid(Type data) ===<br />
<br />
=== <Type> void assertValid(Type data) ===<br />
<br />
== Exceptions == <br />
<br />
=== AccessDeniedException ===<br />
<br />
=== AccountDisabledException ===<br />
<br />
=== AccountLockedException ===<br />
<br />
=== AuthenticationException ===<br />
<br />
=== EncodingException ===<br />
<br />
=== EncryptionException ===<br />
<br />
=== EnterpriseSecurityException ===<br />
<br />
=== EnterpriseSecurityRuntimeException ===<br />
<br />
=== ExecutionException ===<br />
<br />
=== IncorrectCredentialsException ===<br />
<br />
= Web API Specification =<br />
This API describes the components that can be used in the context of a Web Application. <br />
<br />
== ClientCookie ==<br />
<br />
=== String getName() ===<br />
<br />
=== void setName(String name) ===<br />
<br />
=== String getValue() ===<br />
<br />
=== void setValue(String value) ===<br />
<br />
=== Integer getMaxAge() ===<br />
<br />
=== void setMaxAge(Integer maxAge) ===<br />
<br />
=== String getDomain() ===<br />
<br />
=== void setDomain(String domain) ===<br />
<br />
=== String getPath() ===<br />
<br />
=== void setPath(String path) ===<br />
<br />
=== Boolean isHttpOnly() ===<br />
<br />
=== void setHttpOnly(Boolean httpOnly) ===<br />
<br />
=== Boolean isSecure() ===<br />
<br />
=== void setSecure(Boolean secure) ===<br />
<br />
== SecureHttpRequest ==<br />
<br />
=== void assertSecureChannel() ===<br />
<br />
=== void assertSecureRequest() ===<br />
<br />
=== ClientCookie getCookie(String name) ===<br />
<br />
=== List<FileHandle> getFileUploads() ===<br />
<br />
=== <T> T getAttribute(String name) ===<br />
<br />
=== String getHeader(String header) ===<br />
<br />
=== String getParameter(String name) ===<br />
<br />
=== void sendForward(String url) ===<br />
<br />
=== void verifyCsrfToken() throws CsrfException ===<br />
<br />
== SecureHttpResponse ==<br />
<br />
=== void addCookie(ClientCookie cookie) ===<br />
<br />
=== void addHeader(String key, String value) ===<br />
<br />
=== void killCookies() ===<br />
<br />
=== void sendRedirect(String url) ===<br />
<br />
=== void setContentType(String contentType) ===<br />
<br />
=== void setNoCacheHeaders() ===<br />
<br />
== SecureHttpSession ==<br />
<br />
=== <T> T getAttribute(String key) ===<br />
<br />
== WebUser ==<br />
<br />
=== String getCsrfToken() ===<br />
<br />
=== void resetCsrfToken() ===<br />
<br />
=== void addSession(SecureHttpSession session) ===<br />
<br />
=== void removeSession(SecureHttpSession session) ===<br />
<br />
= Mobile API Specification =<br />
<br />
= Desktop API Specification =</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Specification&diff=112237ESAPI Specification2011-06-16T06:44:12Z<p>Chris Schmidt: </p>
<hr />
<div>= Proposed Migration Roadmap =<br />
* ESAPI 2.1<br />
** Create new package '''org.owasp.esapi.core'''<br />
** Create new set of Interfaces in new package with each extending it's '''org.owasp.esapi''' counterpart<br />
** Deprecate methods in '''org.owasp.esapi''' Interfaces<br />
* ESAPI 2.5<br />
** Remove deprecated methods that were deprecated at or before ESAPI 2.0<br />
** Introduce new ServiceLocator API<br />
* ESAPI 3.0<br />
** Seperate Core API into it's own artifact/project called ESAPI-Core<br />
** Create new set of artifacts as outlined in [[ESAPI_Project_Structure]]<br />
** Introduce Core API Testing Suite<br />
<br />
= Core API Specification =<br />
<br />
== AccessController ==<br />
The AccessController is responsible for determining if the currently logged in user has access to a given resource. The resource can be anything that implements the [[#Resource|Resource]] Interface.<br />
<br />
=== Changes from ESAPI 2.0 ===<br />
* Removed deprecated methods<br />
* Added Generic Stereotypes to the Key and Context parameters)<br />
<br />
=== StereoTypes ===<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Description<br />
|-<br />
| R <br />
| A class that implements the [[#Resource|Resource]] Interface and represents the [[#Resource|Resource]] the user is requesting access to <br />
|-<br />
| Context <br />
| Any object that represents the current context of the Authorization request - this is generally a Key-Value map <br />
|}<br />
<br />
=== Methods ===<br />
<br />
==== <R extends Resource,Context> void assertAuthorized(Resource resource, Context context) throws AccessDeniedException ====<br />
Assert that the currently logged in user can access the given [[#Resource|Resource]] with the given Context parameters<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Exceptions =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Exception<br />
! Description<br />
|-<br />
| [[#AccessDeniedException|AccessDeniedException]]<br />
| If the assertion evaluates to false, an AccessControlException will be thrown with contextual information as to the reason for the failure<br />
|}<br />
<br />
==== <R extends Resource,Context> boolean isAuthorized(Resource resource, Context context) ====<br />
Determine if the given resource is accessible by the currently logged in [[#User|User]]<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Return =====<br />
Returns true if the resource is accessible to the currently logged in user and false if it is not.<br />
<br />
== AccessReferenceMap<Key> ==<br />
<br />
=== <Type> Key addDirectReference(Type direct) ===<br />
<br />
=== <Type> Type getDirectReference(Key key) ===<br />
<br />
=== <Type> Key getIndirectReference(Type directReference) ===<br />
<br />
=== <Type> Key removeDirectReference(Type directReference) ===<br />
<br />
=== <Type> void update(Set<Type> directReferences) ===<br />
<br />
== Authenticator ==<br />
<br />
=== User login() throws AuthenticationException ===<br />
<br />
=== void logout() throws AuthenticationException === <br />
<br />
== Codec ==<br />
<br />
=== String encode(char c) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
== Encoder ==<br />
<br />
=== String encode(String s) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
=== void addCodec(Codec c) ===<br />
<br />
=== Set<Codec> getCodecs() ===<br />
<br />
=== void setCodecs(Set<Codec> codecs) ===<br />
<br />
== Encryptor ==<br />
<br />
=== PlainText decrypt(CipherText cipherText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== CipherText encrypt(PlainText plainText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== MessageDigest hash(PlainText plainText, Salt salt, Integer iterations) throws EncryptionException ===<br />
<br />
=== String seal(String data, Long timestamp) throws EncryptionException ===<br />
<br />
=== String sign(String data) throws EncryptionException ===<br />
<br />
=== String unseal(String sealedData) throws EncryptionException ===<br />
<br />
=== void verifySeal(String sealedData) throws DataIntegrityException ===<br />
<br />
=== void verifySignature(String signature, String data) throws InvalidSignatureException ===<br />
<br />
== Executor ==<br />
<br />
=== ExecutorResult executeSystemCommand(ExecutorTarget target, Encoder encoder) throws ExecutionException ===<br />
<br />
== ExecutorResult ==<br />
<br />
=== String getErrorOutput() ===<br />
<br />
=== String getStandardOutput() ===<br />
<br />
=== Integer getExitValue() ===<br />
<br />
== ExecutorTarget ==<br />
<br />
=== ''native'' FileHandle getExecutable() ===<br />
<br />
=== ''native'' Handle getWorkingDirectory() ===<br />
<br />
=== OrderedMap<String,String> getParameters() ===<br />
<br />
== IntrusionDetector ==<br />
<br />
=== void addEvent(String eventName, String message) ===<br />
<br />
=== void addException(Throwable exception) ===<br />
<br />
== LogFactory ==<br />
Still thinking this one through<br />
<br />
== Logger ==<br />
Still thinking this one through<br />
<br />
== Randomizer ==<br />
<br />
=== Boolean getRandomBoolean() ===<br />
<br />
=== Byte[] getRandomBytes(Integer len) ===<br />
<br />
=== String getRandomFilename(String extension) ===<br />
<br />
=== String getRandomUUID() ===<br />
<br />
=== Integer getRandomInteger(Integer min, Integer max) ===<br />
<br />
=== Long getRandomLong(Long min, Long max) ===<br />
<br />
=== Float getRandomReal(Float min, Float max) ===<br />
<br />
=== String getRandomString(Integer len, char[] charSet) ===<br />
<br />
== Resource ==<br />
Marker Interface for Resources that a user can request access to.<br />
<br />
== ServiceLocator ==<br />
<br />
== User ==<br />
<br />
=== <Type> Type getAccountID() ===<br />
<br />
=== String getAccountName() ===<br />
<br />
=== Long getExpirationTime() ===<br />
<br />
=== Integer getFailedLoginCount() ===<br />
<br />
=== Long getLastFailedLoginTime() ===<br />
<br />
=== String getLastHostAddress() ===<br />
<br />
=== Long getLastLoginTime() ===<br />
<br />
=== Long getLastPasswordChangeTime() ===<br />
<br />
=== String getLocale() ===<br />
<br />
=== Set<String> getRoles() ===<br />
<br />
=== String getScreenName() ===<br />
<br />
=== Boolean isAnonymous() ===<br />
<br />
=== Boolean isEnabled() ===<br />
<br />
=== Boolean isExpired() ===<br />
<br />
=== Boolean isInRole(String role) ===<br />
<br />
=== Boolean isLocked() ===<br />
<br />
=== Boolean isLoggedIn() ===<br />
<br />
== Validator ==<br />
<br />
=== <Type> Boolean isValid(Type data) ===<br />
<br />
=== <Type> void assertValid(Type data) ===<br />
<br />
== Exceptions == <br />
<br />
=== AccessDeniedException ===<br />
<br />
=== AccountDisabledException ===<br />
<br />
=== AccountLockedException ===<br />
<br />
=== AuthenticationException ===<br />
<br />
=== EncodingException ===<br />
<br />
=== EncryptionException ===<br />
<br />
=== EnterpriseSecurityException ===<br />
<br />
=== EnterpriseSecurityRuntimeException ===<br />
<br />
=== ExecutionException ===<br />
<br />
=== IncorrectCredentialsException ===<br />
<br />
= Web API Specification =<br />
<br />
== ClientCookie ==<br />
<br />
== SecureHttpRequest ==<br />
<br />
=== void assertSecureChannel() ===<br />
<br />
=== void assertSecureRequest() ===<br />
<br />
=== ClientCookie getCookie(String name) ===<br />
<br />
=== List<FileHandle> getFileUploads() ===<br />
<br />
=== <T> T getAttribute(String name) ===<br />
<br />
=== String getHeader(String header) ===<br />
<br />
=== String getParameter(String name) ===<br />
<br />
=== void sendForward(String url) ===<br />
<br />
=== void verifyCsrfToken() throws CsrfException ===<br />
<br />
== SecureHttpResponse ==<br />
<br />
=== void addCookie(ClientCookie cookie) ===<br />
<br />
=== void addHeader(String key, String value) ===<br />
<br />
=== void killCookies() ===<br />
<br />
=== void sendRedirect(String url) ===<br />
<br />
=== void setContentType(String contentType) ===<br />
<br />
=== void setNoCacheHeaders() ===<br />
<br />
== SecureHttpSession ==<br />
<br />
=== <T> T getAttribute(String key) ===<br />
<br />
== WebUser ==<br />
<br />
=== String getCsrfToken() ===<br />
<br />
=== void resetCsrfToken() ===<br />
<br />
=== void addSession(SecureHttpSession session) ===<br />
<br />
=== void removeSession(SecureHttpSession session) ===<br />
<br />
= Mobile API Specification =<br />
<br />
= Desktop API Specification =</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=Talk:ESAPI_Specification&diff=112235Talk:ESAPI Specification2011-06-16T06:26:45Z<p>Chris Schmidt: </p>
<hr />
<div>I tried to keep the specification as compatible as I can with the existing APIs, however there are definately places where existing users are going to have to modify their code - specifically where it deals with Encoding and Validation. I believe these changes are absolutely necessary however to establish a good cross-platform specification. I also believe the migration path allows for the smoothest transition for end-users (developers) to make the necessary changes without completely breaking their existing implementations. This is similar to the path that Spring-Security took with it's 2.0 -> 2.5 -> 3.0 path where they did a very similar thing and I used their experience as the basis for the proposed roadmap.<br />
<br />
--[[User:Chris Schmidt|Chris Schmidt]] 02:23, 16 June 2011 (EDT)<br />
<br />
== Proposed Roadmap ==<br />
<br />
Does this seem like a realistic and smooth approach?<br />
<br />
--[[User:Chris Schmidt|Chris Schmidt]] 02:26, 16 June 2011 (EDT)<br />
<br />
== AccessController ==<br />
<br />
Let's start with discussing the proposed changes to the AccessController. <br />
<br />
Summary of proposed changes:<br />
* Drop deprecated methods isAuthorizedForXXX, assertAuthorizedForXXX<br />
* Replace (Object) Parameters with strongly typed StereoTypes<br />
<br />
Thoughts?<br />
<br />
--[[User:Chris Schmidt|Chris Schmidt]] 02:26, 16 June 2011 (EDT)</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=Talk:ESAPI_Specification&diff=112234Talk:ESAPI Specification2011-06-16T06:25:55Z<p>Chris Schmidt: /* AccessController */ new section</p>
<hr />
<div>I tried to keep the specification as compatible as I can with the existing APIs, however there are definately places where existing users are going to have to modify their code - specifically where it deals with Encoding and Validation. I believe these changes are absolutely necessary however to establish a good cross-platform specification. I also believe the migration path allows for the smoothest transition for end-users (developers) to make the necessary changes without completely breaking their existing implementations. This is similar to the path that Spring-Security took with it's 2.0 -> 2.5 -> 3.0 path where they did a very similar thing and I used their experience as the basis for the proposed roadmap.<br />
<br />
--[[User:Chris Schmidt|Chris Schmidt]] 02:23, 16 June 2011 (EDT)<br />
<br />
== AccessController ==<br />
<br />
Let's start with discussing the proposed changes to the AccessController. <br />
<br />
Summary of proposed changes:<br />
* Drop deprecated methods isAuthorizedForXXX, assertAuthorizedForXXX<br />
* Replace (Object) Parameters with strongly typed StereoTypes</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=Talk:ESAPI_Specification&diff=112233Talk:ESAPI Specification2011-06-16T06:23:59Z<p>Chris Schmidt: Created page with "I tried to keep the specification as compatible as I can with the existing APIs, however there are definately places where existing users are going to have to modify their code -..."</p>
<hr />
<div>I tried to keep the specification as compatible as I can with the existing APIs, however there are definately places where existing users are going to have to modify their code - specifically where it deals with Encoding and Validation. I believe these changes are absolutely necessary however to establish a good cross-platform specification. I also believe the migration path allows for the smoothest transition for end-users (developers) to make the necessary changes without completely breaking their existing implementations. This is similar to the path that Spring-Security took with it's 2.0 -> 2.5 -> 3.0 path where they did a very similar thing and I used their experience as the basis for the proposed roadmap.<br />
<br />
--[[User:Chris Schmidt|Chris Schmidt]] 02:23, 16 June 2011 (EDT)</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Specification&diff=112232ESAPI Specification2011-06-16T06:13:13Z<p>Chris Schmidt: </p>
<hr />
<div>= Proposed Migration Roadmap =<br />
* ESAPI 2.1<br />
** Create new package '''org.owasp.esapi.core'''<br />
** Create new set of Interfaces in new package with each extending it's '''org.owasp.esapi''' counterpart<br />
** Deprecate methods in '''org.owasp.esapi''' Interfaces<br />
* ESAPI 2.5<br />
** Remove deprecated methods that were deprecated at or before ESAPI 2.0<br />
** Introduce new ServiceLocator API<br />
* ESAPI 3.0<br />
** Seperate Core API into it's own artifact/project called ESAPI-Core<br />
** Create new set of artifacts as outlined in [[ESAPI_Project_Structure]]<br />
** Introduce Core API Testing Suite<br />
<br />
= Core API =<br />
<br />
== AccessController ==<br />
The AccessController is responsible for determining if the currently logged in user has access to a given resource. The resource can be anything that implements the [[#Resource|Resource]] Interface.<br />
<br />
=== Changes from ESAPI 2.0 ===<br />
* Removed deprecated methods<br />
* Added Generic Stereotypes to the Key and Context parameters)<br />
<br />
=== StereoTypes ===<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Description<br />
|-<br />
| R <br />
| A class that implements the [[#Resource|Resource]] Interface and represents the [[#Resource|Resource]] the user is requesting access to <br />
|-<br />
| Context <br />
| Any object that represents the current context of the Authorization request - this is generally a Key-Value map <br />
|}<br />
<br />
=== Methods ===<br />
<br />
==== <R extends Resource,Context> void assertAuthorized(Resource resource, Context context) throws AccessDeniedException ====<br />
Assert that the currently logged in user can access the given [[#Resource|Resource]] with the given Context parameters<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Exceptions =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Exception<br />
! Description<br />
|-<br />
| [[#AccessDeniedException|AccessDeniedException]]<br />
| If the assertion evaluates to false, an AccessControlException will be thrown with contextual information as to the reason for the failure<br />
|}<br />
<br />
==== <R extends Resource,Context> boolean isAuthorized(Resource resource, Context context) ====<br />
Determine if the given resource is accessible by the currently logged in [[#User|User]]<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Return =====<br />
Returns true if the resource is accessible to the currently logged in user and false if it is not.<br />
<br />
== AccessReferenceMap<Key> ==<br />
<br />
=== <Type> Key addDirectReference(Type direct) ===<br />
<br />
=== <Type> Type getDirectReference(Key key) ===<br />
<br />
=== <Type> Key getIndirectReference(Type directReference) ===<br />
<br />
=== <Type> Key removeDirectReference(Type directReference) ===<br />
<br />
=== <Type> void update(Set<Type> directReferences) ===<br />
<br />
== Authenticator ==<br />
<br />
=== User login() throws AuthenticationException ===<br />
<br />
=== void logout() throws AuthenticationException === <br />
<br />
== Codec ==<br />
<br />
=== String encode(char c) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
== Encoder ==<br />
<br />
=== String encode(String s) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
=== void addCodec(Codec c) ===<br />
<br />
=== Set<Codec> getCodecs() ===<br />
<br />
=== void setCodecs(Set<Codec> codecs) ===<br />
<br />
== Encryptor ==<br />
<br />
=== PlainText decrypt(CipherText cipherText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== CipherText encrypt(PlainText plainText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== MessageDigest hash(PlainText plainText, Salt salt, Integer iterations) throws EncryptionException ===<br />
<br />
=== String seal(String data, Long timestamp) throws EncryptionException ===<br />
<br />
=== String sign(String data) throws EncryptionException ===<br />
<br />
=== String unseal(String sealedData) throws EncryptionException ===<br />
<br />
=== void verifySeal(String sealedData) throws DataIntegrityException ===<br />
<br />
=== void verifySignature(String signature, String data) throws InvalidSignatureException ===<br />
<br />
== Executor ==<br />
<br />
=== ExecutorResult executeSystemCommand(ExecutorTarget target, Encoder encoder) throws ExecutionException ===<br />
<br />
== ExecutorResult ==<br />
<br />
=== String getErrorOutput() ===<br />
<br />
=== String getStandardOutput() ===<br />
<br />
=== Integer getExitValue() ===<br />
<br />
== ExecutorTarget ==<br />
<br />
=== ''native'' FileHandle getExecutable() ===<br />
<br />
=== ''native'' Handle getWorkingDirectory() ===<br />
<br />
=== OrderedMap<String,String> getParameters() ===<br />
<br />
== IntrusionDetector ==<br />
<br />
=== void addEvent(String eventName, String message) ===<br />
<br />
=== void addException(Throwable exception) ===<br />
<br />
== LogFactory ==<br />
Still thinking this one through<br />
<br />
== Logger ==<br />
Still thinking this one through<br />
<br />
== Randomizer ==<br />
<br />
=== Boolean getRandomBoolean() ===<br />
<br />
=== Byte[] getRandomBytes(Integer len) ===<br />
<br />
=== String getRandomFilename(String extension) ===<br />
<br />
=== String getRandomUUID() ===<br />
<br />
=== Integer getRandomInteger(Integer min, Integer max) ===<br />
<br />
=== Long getRandomLong(Long min, Long max) ===<br />
<br />
=== Float getRandomReal(Float min, Float max) ===<br />
<br />
=== String getRandomString(Integer len, char[] charSet) ===<br />
<br />
== Resource ==<br />
Marker Interface for Resources that a user can request access to.<br />
<br />
== ServiceLocator ==<br />
<br />
== User ==<br />
<br />
=== <Type> Type getAccountID() ===<br />
<br />
=== String getAccountName() ===<br />
<br />
=== Long getExpirationTime() ===<br />
<br />
=== Integer getFailedLoginCount() ===<br />
<br />
=== Long getLastFailedLoginTime() ===<br />
<br />
=== String getLastHostAddress() ===<br />
<br />
=== Long getLastLoginTime() ===<br />
<br />
=== Long getLastPasswordChangeTime() ===<br />
<br />
=== String getLocale() ===<br />
<br />
=== Set<String> getRoles() ===<br />
<br />
=== String getScreenName() ===<br />
<br />
=== Boolean isAnonymous() ===<br />
<br />
=== Boolean isEnabled() ===<br />
<br />
=== Boolean isExpired() ===<br />
<br />
=== Boolean isInRole(String role) ===<br />
<br />
=== Boolean isLocked() ===<br />
<br />
=== Boolean isLoggedIn() ===<br />
<br />
== Validator ==<br />
<br />
=== <Type> Boolean isValid(Type data) ===<br />
<br />
=== <Type> void assertValid(Type data) ===<br />
<br />
= Exceptions = <br />
<br />
== AccessDeniedException extends EnterpriseSecurityException ==<br />
<br />
== AccountDisabledException extends AuthenticationException ==<br />
<br />
== AccountLockedException extends AuthenticationException ==<br />
<br />
== AuthenticationException extends EnterpriseSecurityException ==<br />
<br />
== EncodingException extends EnterpriseSecurityRuntimeException ==<br />
<br />
== EncryptionException extends EnterpriseSecurityException ==<br />
<br />
== EnterpriseSecurityException extends Exception ==<br />
<br />
== EnterpriseSecurityRuntimeException extends RuntimeException ==<br />
<br />
== ExecutionException extends EnterpriseSecurityException ==<br />
<br />
== IncorrectCredentialsException extends AuthenticationException ==</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Specification&diff=112231ESAPI Specification2011-06-16T06:11:06Z<p>Chris Schmidt: </p>
<hr />
<div>= Proposed Migration Roadmap =<br />
* ESAPI 2.1<br />
** Create new package '''org.owasp.esapi.core'''<br />
** Create new set of Interfaces in new package with each extending it's '''org.owasp.esapi''' counterpart<br />
** Deprecate methods in '''org.owasp.esapi''' Interfaces<br />
* ESAPI 2.5<br />
** Remove deprecated methods that were deprecated at or before ESAPI 2.0<br />
** Introduce new ServiceLocator API<br />
* ESAPI 3.0<br />
** Seperate Core API into it's own artifact/project called ESAPI-Core<br />
** Create new set of artifacts as outlined in [[ESAPI_Project_Structure]]<br />
** Introduce Core API Testing Suite<br />
<br />
= Core API =<br />
<br />
== AccessController ==<br />
The AccessController is responsible for determining if the currently logged in user has access to a given resource. The resource can be anything that implements the [[#Resource|Resource]] Interface.<br />
<br />
=== Changes from ESAPI 2.0 ===<br />
* Removed deprecated methods<br />
* Added Generic Stereotypes to the Key and Context parameters)<br />
<br />
=== StereoTypes ===<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Description<br />
|-<br />
| R <br />
| A class that implements the [[#Resource|Resource]] Interface and represents the [[#Resource|Resource]] the user is requesting access to <br />
|-<br />
| Context <br />
| Any object that represents the current context of the Authorization request - this is generally a Key-Value map <br />
|}<br />
<br />
=== Methods ===<br />
<br />
==== <R extends Resource,Context> void assertAuthorized(Resource resource, Context context) throws AccessDeniedException ====<br />
Assert that the currently logged in user can access the given [[#Resource|Resource]] with the given Context parameters<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Exceptions =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Exception<br />
! Description<br />
|-<br />
| AccessDeniedException<br />
| If the assertion evaluates to false, an AccessControlException will be thrown with contextual information as to the reason for the failure<br />
|}<br />
<br />
==== <R extends Resource,Context> boolean isAuthorized(Resource resource, Context context) ====<br />
Determine if the given resource is accessible by the currently logged in [[#User|User]]<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Return =====<br />
Returns true if the resource is accessible to the currently logged in user and false if it is not.<br />
<br />
== AccessReferenceMap<Key> ==<br />
<br />
=== <Type> Key addDirectReference(Type direct) ===<br />
<br />
=== <Type> Type getDirectReference(Key key) ===<br />
<br />
=== <Type> Key getIndirectReference(Type directReference) ===<br />
<br />
=== <Type> Key removeDirectReference(Type directReference) ===<br />
<br />
=== <Type> void update(Set<Type> directReferences) ===<br />
<br />
== Authenticator ==<br />
<br />
=== User login() throws AuthenticationException ===<br />
<br />
=== void logout() throws AuthenticationException === <br />
<br />
== Codec ==<br />
<br />
=== String encode(char c) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
== Encoder ==<br />
<br />
=== String encode(String s) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
=== void addCodec(Codec c) ===<br />
<br />
=== Set<Codec> getCodecs() ===<br />
<br />
=== void setCodecs(Set<Codec> codecs) ===<br />
<br />
== Encryptor ==<br />
<br />
=== PlainText decrypt(CipherText cipherText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== CipherText encrypt(PlainText plainText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== MessageDigest hash(PlainText plainText, Salt salt, Integer iterations) throws EncryptionException ===<br />
<br />
=== String seal(String data, Long timestamp) throws EncryptionException ===<br />
<br />
=== String sign(String data) throws EncryptionException ===<br />
<br />
=== String unseal(String sealedData) throws EncryptionException ===<br />
<br />
=== void verifySeal(String sealedData) throws DataIntegrityException ===<br />
<br />
=== void verifySignature(String signature, String data) throws InvalidSignatureException ===<br />
<br />
== Executor ==<br />
<br />
=== ExecutorResult executeSystemCommand(ExecutorTarget target, Encoder encoder) throws ExecutionException ===<br />
<br />
== ExecutorResult ==<br />
<br />
=== String getErrorOutput() ===<br />
<br />
=== String getStandardOutput() ===<br />
<br />
=== Integer getExitValue() ===<br />
<br />
== ExecutorTarget ==<br />
<br />
=== ''native'' FileHandle getExecutable() ===<br />
<br />
=== ''native'' Handle getWorkingDirectory() ===<br />
<br />
=== OrderedMap<String,String> getParameters() ===<br />
<br />
== IntrusionDetector ==<br />
<br />
=== void addEvent(String eventName, String message) ===<br />
<br />
=== void addException(Throwable exception) ===<br />
<br />
== LogFactory ==<br />
Still thinking this one through<br />
<br />
== Logger ==<br />
Still thinking this one through<br />
<br />
== Randomizer ==<br />
<br />
=== Boolean getRandomBoolean() ===<br />
<br />
=== Byte[] getRandomBytes(Integer len) ===<br />
<br />
=== String getRandomFilename(String extension) ===<br />
<br />
=== String getRandomUUID() ===<br />
<br />
=== Integer getRandomInteger(Integer min, Integer max) ===<br />
<br />
=== Long getRandomLong(Long min, Long max) ===<br />
<br />
=== Float getRandomReal(Float min, Float max) ===<br />
<br />
=== String getRandomString(Integer len, char[] charSet) ===<br />
<br />
== Resource ==<br />
Marker Interface for Resources that a user can request access to.<br />
<br />
== ServiceLocator ==<br />
<br />
== User ==<br />
<br />
=== <Type> Type getAccountID() ===<br />
<br />
=== String getAccountName() ===<br />
<br />
=== Long getExpirationTime() ===<br />
<br />
=== Integer getFailedLoginCount() ===<br />
<br />
=== Long getLastFailedLoginTime() ===<br />
<br />
=== String getLastHostAddress() ===<br />
<br />
=== Long getLastLoginTime() ===<br />
<br />
=== Long getLastPasswordChangeTime() ===<br />
<br />
=== String getLocale() ===<br />
<br />
=== Set<String> getRoles() ===<br />
<br />
=== String getScreenName() ===<br />
<br />
=== Boolean isAnonymous() ===<br />
<br />
=== Boolean isEnabled() ===<br />
<br />
=== Boolean isExpired() ===<br />
<br />
=== Boolean isInRole(String role) ===<br />
<br />
=== Boolean isLocked() ===<br />
<br />
=== Boolean isLoggedIn() ===<br />
<br />
== Validator ==<br />
<br />
=== <Type> Boolean isValid(Type data) ===<br />
<br />
=== <Type> void assertValid(Type data) ===<br />
<br />
= Exceptions = <br />
<br />
== AccessDeniedException extends EnterpriseSecurityException ==<br />
<br />
== AuthenticationException extends EnterpriseSecurityException ==<br />
<br />
== EncodingException extends EnterpriseSecurityRuntimeException ==<br />
<br />
== EncryptionException extends EnterpriseSecurityException ==<br />
<br />
== EnterpriseSecurityException extends Exception ==<br />
<br />
== EnterpriseSecurityRuntimeException extends RuntimeException ==<br />
<br />
== ExecutionException extends EnterpriseSecurityException ==</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Specification&diff=112230ESAPI Specification2011-06-16T05:59:32Z<p>Chris Schmidt: </p>
<hr />
<div>= Proposed Migration Roadmap =<br />
* ESAPI 2.1<br />
** Create new package '''org.owasp.esapi.core'''<br />
** Create new set of Interfaces in new package with each extending it's '''org.owasp.esapi''' counterpart<br />
** Deprecate methods in '''org.owasp.esapi''' Interfaces<br />
* ESAPI 2.5<br />
** Remove deprecated methods that were deprecated at or before ESAPI 2.0<br />
** Introduce new ServiceLocator API<br />
* ESAPI 3.0<br />
** Seperate Core API into it's own artifact/project called ESAPI-Core<br />
** Create new set of artifacts as outlined in [[ESAPI_Project_Structure]]<br />
** Introduce Core API Testing Suite<br />
<br />
= Core API =<br />
<br />
== AccessController ==<br />
The AccessController is responsible for determining if the currently logged in user has access to a given resource. The resource can be anything that implements the [[#Resource|Resource]] Interface.<br />
<br />
=== Changes from ESAPI 2.0 ===<br />
* Removed deprecated methods<br />
* Added Generic Stereotypes to the Key and Context parameters)<br />
<br />
=== StereoTypes ===<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Description<br />
|-<br />
| R <br />
| A class that implements the [[#Resource|Resource]] Interface and represents the [[#Resource|Resource]] the user is requesting access to <br />
|-<br />
| Context <br />
| Any object that represents the current context of the Authorization request - this is generally a Key-Value map <br />
|}<br />
<br />
=== Methods ===<br />
<br />
==== <R extends Resource,Context> void assertAuthorized(Resource resource, Context context) throws AccessDeniedException ====<br />
Assert that the currently logged in user can access the given [[#Resource|Resource]] with the given Context parameters<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Exceptions =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Exception<br />
! Description<br />
|-<br />
| AccessDeniedException<br />
| If the assertion evaluates to false, an AccessControlException will be thrown with contextual information as to the reason for the failure<br />
|}<br />
<br />
==== <R extends Resource,Context> boolean isAuthorized(Resource resource, Context context) ====<br />
Determine if the given resource is accessible by the currently logged in [[#User|User]]<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Return =====<br />
Returns true if the resource is accessible to the currently logged in user and false if it is not.<br />
<br />
== AccessReferenceMap<Key> ==<br />
<br />
=== <Type> Key addDirectReference(Type direct) ===<br />
<br />
=== <Type> Type getDirectReference(Key key) ===<br />
<br />
=== <Type> Key getIndirectReference(Type directReference) ===<br />
<br />
=== <Type> Key removeDirectReference(Type directReference) ===<br />
<br />
=== <Type> void update(Set<Type> directReferences) ===<br />
<br />
== Authenticator ==<br />
<br />
=== User login() throws AuthenticationException ===<br />
<br />
=== void logout() throws AuthenticationException === <br />
<br />
== Codec ==<br />
<br />
=== String encode(char c) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
== Encoder ==<br />
<br />
=== String encode(String s) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
=== void addCodec(Codec c) ===<br />
<br />
=== Set<Codec> getCodecs() ===<br />
<br />
=== void setCodecs(Set<Codec> codecs) ===<br />
<br />
== Encryptor ==<br />
<br />
=== PlainText decrypt(CipherText cipherText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== CipherText encrypt(PlainText plainText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== MessageDigest hash(PlainText plainText, Salt salt, Integer iterations) throws EncryptionException ===<br />
<br />
=== String seal(String data, Long timestamp) throws EncryptionException ===<br />
<br />
=== String sign(String data) throws EncryptionException ===<br />
<br />
=== String unseal(String sealedData) throws EncryptionException ===<br />
<br />
=== void verifySeal(String sealedData) throws DataIntegrityException ===<br />
<br />
=== void verifySignature(String signature, String data) throws InvalidSignatureException ===<br />
<br />
== Executor ==<br />
<br />
=== ExecutorResult executeSystemCommand(ExecutorTarget target, Encoder encoder) throws ExecutionException ===<br />
<br />
== ExecutorResult ==<br />
<br />
=== String getErrorOutput() ===<br />
<br />
=== String getStandardOutput() ===<br />
<br />
=== Integer getExitValue() ===<br />
<br />
== ExecutorTarget ==<br />
<br />
=== ''native'' FileHandle getExecutable() ===<br />
<br />
=== ''native'' Handle getWorkingDirectory() ===<br />
<br />
=== OrderedMap<String,String> getParameters() ===<br />
<br />
== IntrusionDetector ==<br />
<br />
=== void addEvent(String eventName, String message) ===<br />
<br />
=== void addException(Throwable exception) ===<br />
<br />
== LogFactory ==<br />
Still thinking this one through<br />
<br />
== Logger ==<br />
Still thinking this one through<br />
<br />
== Randomizer ==<br />
<br />
=== Boolean getRandomBoolean() ===<br />
<br />
=== Byte[] getRandomBytes(Integer len) ===<br />
<br />
=== String getRandomFilename(String extension) ===<br />
<br />
=== String getRandomUUID() ===<br />
<br />
=== Integer getRandomInteger(Integer min, Integer max) ===<br />
<br />
=== Long getRandomLong(Long min, Long max) ===<br />
<br />
=== Float getRandomReal(Float min, Float max) ===<br />
<br />
=== String getRandomString(Integer len, char[] charSet) ===<br />
<br />
== Resource ==<br />
Marker Interface for Resources that a user can request access to.<br />
<br />
== ServiceLocator ==<br />
<br />
== User ==<br />
<br />
=== <Type> Type getAccountID() ===<br />
<br />
=== String getAccountName() ===<br />
<br />
=== Long getExpirationTime() ===<br />
<br />
=== Integer getFailedLoginCount() ===<br />
<br />
=== Long getLastFailedLoginTime() ===<br />
<br />
=== String getLastHostAddress() ===<br />
<br />
=== Long getLastLoginTime() ===<br />
<br />
=== Long getLastPasswordChangeTime() ===<br />
<br />
=== String getLocale() ===<br />
<br />
=== Set<String> getRoles() ===<br />
<br />
=== String getScreenName() ===<br />
<br />
=== Boolean isAnonymous() ===<br />
<br />
=== Boolean isEnabled() ===<br />
<br />
=== Boolean isExpired() ===<br />
<br />
=== Boolean isInRole(String role) ===<br />
<br />
=== Boolean isLocked() ===<br />
<br />
=== Boolean isLoggedIn() ===<br />
<br />
== Validator ==<br />
<br />
=== <Type> Boolean isValid(Type data) ===<br />
<br />
=== <Type> void assertValid(Type data) ===</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Specification&diff=112229ESAPI Specification2011-06-16T05:59:07Z<p>Chris Schmidt: </p>
<hr />
<div>= Proposed Migration Roadmap =<br />
* ESAPI 2.1<br />
** Create new package '''org.owasp.esapi.core'''<br />
** Create new set of Interfaces in new package with each extending it's '''org.owasp.esapi''' counterpart<br />
** Deprecate methods in '''org.owasp.esapi''' Interfaces<br />
* ESAPI 2.5<br />
** Remove deprecated methods that were deprecated at or before ESAPI 2.0<br />
** Introduce new ServiceLocator API<br />
** <br />
* ESAPI 3.0<br />
** Seperate Core API into it's own artifact/project called ESAPI-Core<br />
** Create new set of artifacts as outlined in [[ESAPI_Project_Structure]]<br />
** Introduce Core API Testing Suite<br />
<br />
= Core API =<br />
<br />
== AccessController ==<br />
The AccessController is responsible for determining if the currently logged in user has access to a given resource. The resource can be anything that implements the [[#Resource|Resource]] Interface.<br />
<br />
=== Changes from ESAPI 2.0 ===<br />
* Removed deprecated methods<br />
* Added Generic Stereotypes to the Key and Context parameters)<br />
<br />
=== StereoTypes ===<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Description<br />
|-<br />
| R <br />
| A class that implements the [[#Resource|Resource]] Interface and represents the [[#Resource|Resource]] the user is requesting access to <br />
|-<br />
| Context <br />
| Any object that represents the current context of the Authorization request - this is generally a Key-Value map <br />
|}<br />
<br />
=== Methods ===<br />
<br />
==== <R extends Resource,Context> void assertAuthorized(Resource resource, Context context) throws AccessDeniedException ====<br />
Assert that the currently logged in user can access the given [[#Resource|Resource]] with the given Context parameters<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Exceptions =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Exception<br />
! Description<br />
|-<br />
| AccessDeniedException<br />
| If the assertion evaluates to false, an AccessControlException will be thrown with contextual information as to the reason for the failure<br />
|}<br />
<br />
==== <R extends Resource,Context> boolean isAuthorized(Resource resource, Context context) ====<br />
Determine if the given resource is accessible by the currently logged in [[#User|User]]<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Return =====<br />
Returns true if the resource is accessible to the currently logged in user and false if it is not.<br />
<br />
== AccessReferenceMap<Key> ==<br />
<br />
=== <Type> Key addDirectReference(Type direct) ===<br />
<br />
=== <Type> Type getDirectReference(Key key) ===<br />
<br />
=== <Type> Key getIndirectReference(Type directReference) ===<br />
<br />
=== <Type> Key removeDirectReference(Type directReference) ===<br />
<br />
=== <Type> void update(Set<Type> directReferences) ===<br />
<br />
== Authenticator ==<br />
<br />
=== User login() throws AuthenticationException ===<br />
<br />
=== void logout() throws AuthenticationException === <br />
<br />
== Codec ==<br />
<br />
=== String encode(char c) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
== Encoder ==<br />
<br />
=== String encode(String s) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
=== void addCodec(Codec c) ===<br />
<br />
=== Set<Codec> getCodecs() ===<br />
<br />
=== void setCodecs(Set<Codec> codecs) ===<br />
<br />
== Encryptor ==<br />
<br />
=== PlainText decrypt(CipherText cipherText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== CipherText encrypt(PlainText plainText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== MessageDigest hash(PlainText plainText, Salt salt, Integer iterations) throws EncryptionException ===<br />
<br />
=== String seal(String data, Long timestamp) throws EncryptionException ===<br />
<br />
=== String sign(String data) throws EncryptionException ===<br />
<br />
=== String unseal(String sealedData) throws EncryptionException ===<br />
<br />
=== void verifySeal(String sealedData) throws DataIntegrityException ===<br />
<br />
=== void verifySignature(String signature, String data) throws InvalidSignatureException ===<br />
<br />
== Executor ==<br />
<br />
=== ExecutorResult executeSystemCommand(ExecutorTarget target, Encoder encoder) throws ExecutionException ===<br />
<br />
== ExecutorResult ==<br />
<br />
=== String getErrorOutput() ===<br />
<br />
=== String getStandardOutput() ===<br />
<br />
=== Integer getExitValue() ===<br />
<br />
== ExecutorTarget ==<br />
<br />
=== ''native'' FileHandle getExecutable() ===<br />
<br />
=== ''native'' Handle getWorkingDirectory() ===<br />
<br />
=== OrderedMap<String,String> getParameters() ===<br />
<br />
== IntrusionDetector ==<br />
<br />
=== void addEvent(String eventName, String message) ===<br />
<br />
=== void addException(Throwable exception) ===<br />
<br />
== LogFactory ==<br />
Still thinking this one through<br />
<br />
== Logger ==<br />
Still thinking this one through<br />
<br />
== Randomizer ==<br />
<br />
=== Boolean getRandomBoolean() ===<br />
<br />
=== Byte[] getRandomBytes(Integer len) ===<br />
<br />
=== String getRandomFilename(String extension) ===<br />
<br />
=== String getRandomUUID() ===<br />
<br />
=== Integer getRandomInteger(Integer min, Integer max) ===<br />
<br />
=== Long getRandomLong(Long min, Long max) ===<br />
<br />
=== Float getRandomReal(Float min, Float max) ===<br />
<br />
=== String getRandomString(Integer len, char[] charSet) ===<br />
<br />
== Resource ==<br />
Marker Interface for Resources that a user can request access to.<br />
<br />
== ServiceLocator ==<br />
<br />
== User ==<br />
<br />
=== <Type> Type getAccountID() ===<br />
<br />
=== String getAccountName() ===<br />
<br />
=== Long getExpirationTime() ===<br />
<br />
=== Integer getFailedLoginCount() ===<br />
<br />
=== Long getLastFailedLoginTime() ===<br />
<br />
=== String getLastHostAddress() ===<br />
<br />
=== Long getLastLoginTime() ===<br />
<br />
=== Long getLastPasswordChangeTime() ===<br />
<br />
=== String getLocale() ===<br />
<br />
=== Set<String> getRoles() ===<br />
<br />
=== String getScreenName() ===<br />
<br />
=== Boolean isAnonymous() ===<br />
<br />
=== Boolean isEnabled() ===<br />
<br />
=== Boolean isExpired() ===<br />
<br />
=== Boolean isInRole(String role) ===<br />
<br />
=== Boolean isLocked() ===<br />
<br />
=== Boolean isLoggedIn() ===<br />
<br />
== Validator ==<br />
<br />
=== <Type> Boolean isValid(Type data) ===<br />
<br />
=== <Type> void assertValid(Type data) ===</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Specification&diff=112227ESAPI Specification2011-06-16T05:58:20Z<p>Chris Schmidt: </p>
<hr />
<div>= Migration Strategy =<br />
* ESAPI 2.1<br />
** Create new package '''org.owasp.esapi.core'''<br />
** Create new set of Interfaces in new package with each extending it's '''org.owasp.esapi''' counterpart<br />
** Deprecate methods in '''org.owasp.esapi''' Interfaces<br />
* ESAPI 2.5<br />
** Remove deprecated methods that were deprecated at or before ESAPI 2.0<br />
** Introduce new ServiceLocator API<br />
** <br />
* ESAPI 3.0<br />
** Seperate Core API into it's own artifact/project called ESAPI-Core<br />
** Create new set of artifacts as outlined in [[ESAPI_Project_Structure]]<br />
** Introduce Core API Testing Suite<br />
<br />
= Core API =<br />
<br />
== AccessController ==<br />
The AccessController is responsible for determining if the currently logged in user has access to a given resource. The resource can be anything that implements the [[#Resource|Resource]] Interface.<br />
<br />
=== Changes from ESAPI 2.0 ===<br />
* Removed deprecated methods<br />
* Added Generic Stereotypes to the Key and Context parameters)<br />
<br />
=== StereoTypes ===<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Description<br />
|-<br />
| R <br />
| A class that implements the [[#Resource|Resource]] Interface and represents the [[#Resource|Resource]] the user is requesting access to <br />
|-<br />
| Context <br />
| Any object that represents the current context of the Authorization request - this is generally a Key-Value map <br />
|}<br />
<br />
=== Methods ===<br />
<br />
==== <R extends Resource,Context> void assertAuthorized(Resource resource, Context context) throws AccessDeniedException ====<br />
Assert that the currently logged in user can access the given [[#Resource|Resource]] with the given Context parameters<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Exceptions =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Exception<br />
! Description<br />
|-<br />
| AccessDeniedException<br />
| If the assertion evaluates to false, an AccessControlException will be thrown with contextual information as to the reason for the failure<br />
|}<br />
<br />
==== <R extends Resource,Context> boolean isAuthorized(Resource resource, Context context) ====<br />
Determine if the given resource is accessible by the currently logged in [[#User|User]]<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Return =====<br />
Returns true if the resource is accessible to the currently logged in user and false if it is not.<br />
<br />
== AccessReferenceMap<Key> ==<br />
<br />
=== <Type> Key addDirectReference(Type direct) ===<br />
<br />
=== <Type> Type getDirectReference(Key key) ===<br />
<br />
=== <Type> Key getIndirectReference(Type directReference) ===<br />
<br />
=== <Type> Key removeDirectReference(Type directReference) ===<br />
<br />
=== <Type> void update(Set<Type> directReferences) ===<br />
<br />
== Authenticator ==<br />
<br />
=== User login() throws AuthenticationException ===<br />
<br />
=== void logout() throws AuthenticationException === <br />
<br />
== Codec ==<br />
<br />
=== String encode(char c) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
== Encoder ==<br />
<br />
=== String encode(String s) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
=== void addCodec(Codec c) ===<br />
<br />
=== Set<Codec> getCodecs() ===<br />
<br />
=== void setCodecs(Set<Codec> codecs) ===<br />
<br />
== Encryptor ==<br />
<br />
=== PlainText decrypt(CipherText cipherText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== CipherText encrypt(PlainText plainText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== MessageDigest hash(PlainText plainText, Salt salt, Integer iterations) throws EncryptionException ===<br />
<br />
=== String seal(String data, Long timestamp) throws EncryptionException ===<br />
<br />
=== String sign(String data) throws EncryptionException ===<br />
<br />
=== String unseal(String sealedData) throws EncryptionException ===<br />
<br />
=== void verifySeal(String sealedData) throws DataIntegrityException ===<br />
<br />
=== void verifySignature(String signature, String data) throws InvalidSignatureException ===<br />
<br />
== Executor ==<br />
<br />
=== ExecutorResult executeSystemCommand(ExecutorTarget target, Encoder encoder) throws ExecutionException ===<br />
<br />
== ExecutorResult ==<br />
<br />
=== String getErrorOutput() ===<br />
<br />
=== String getStandardOutput() ===<br />
<br />
=== Integer getExitValue() ===<br />
<br />
== ExecutorTarget ==<br />
<br />
=== ''native'' FileHandle getExecutable() ===<br />
<br />
=== ''native'' Handle getWorkingDirectory() ===<br />
<br />
=== OrderedMap<String,String> getParameters() ===<br />
<br />
== IntrusionDetector ==<br />
<br />
=== void addEvent(String eventName, String message) ===<br />
<br />
=== void addException(Throwable exception) ===<br />
<br />
== LogFactory ==<br />
Still thinking this one through<br />
<br />
== Logger ==<br />
Still thinking this one through<br />
<br />
== Randomizer ==<br />
<br />
=== Boolean getRandomBoolean() ===<br />
<br />
=== Byte[] getRandomBytes(Integer len) ===<br />
<br />
=== String getRandomFilename(String extension) ===<br />
<br />
=== String getRandomUUID() ===<br />
<br />
=== Integer getRandomInteger(Integer min, Integer max) ===<br />
<br />
=== Long getRandomLong(Long min, Long max) ===<br />
<br />
=== Float getRandomReal(Float min, Float max) ===<br />
<br />
=== String getRandomString(Integer len, char[] charSet) ===<br />
<br />
== Resource ==<br />
Marker Interface for Resources that a user can request access to.<br />
<br />
== ServiceLocator ==<br />
<br />
== User ==<br />
<br />
=== <Type> Type getAccountID() ===<br />
<br />
=== String getAccountName() ===<br />
<br />
=== Long getExpirationTime() ===<br />
<br />
=== Integer getFailedLoginCount() ===<br />
<br />
=== Long getLastFailedLoginTime() ===<br />
<br />
=== String getLastHostAddress() ===<br />
<br />
=== Long getLastLoginTime() ===<br />
<br />
=== Long getLastPasswordChangeTime() ===<br />
<br />
=== String getLocale() ===<br />
<br />
=== Set<String> getRoles() ===<br />
<br />
=== String getScreenName() ===<br />
<br />
=== Boolean isAnonymous() ===<br />
<br />
=== Boolean isEnabled() ===<br />
<br />
=== Boolean isExpired() ===<br />
<br />
=== Boolean isInRole(String role) ===<br />
<br />
=== Boolean isLocked() ===<br />
<br />
=== Boolean isLoggedIn() ===<br />
<br />
== Validator ==<br />
<br />
=== <Type> Boolean isValid(Type data) ===<br />
<br />
=== <Type> void assertValid(Type data) ===</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Specification&diff=112223ESAPI Specification2011-06-16T05:55:31Z<p>Chris Schmidt: </p>
<hr />
<div>= Migration Strategy =<br />
* ESAPI 2.1<br />
** Create new package '''org.owasp.esapi.core'''<br />
** Create new set of Interfaces in new package with each extending it's '''org.owasp.esapi''' counterpart<br />
** Deprecate methods in '''org.owasp.esapi''' Interfaces<br />
* ESAPI 2.5<br />
** Remove deprecated methods that were deprecated at or before ESAPI 2.0<br />
** Introduce new ServiceLocator API<br />
** <br />
* ESAPI 3.0<br />
** Seperate Core API into it's own artifact/project called ESAPI-Core<br />
** Create new set of artifacts as outlined in [[ESAPI_Project_Structure]]<br />
** Introduce Core API Testing Suite<br />
<br />
= Core API =<br />
<br />
== AccessController ==<br />
The AccessController is responsible for determining if the currently logged in user has access to a given resource. The resource can be anything that implements the [[#Resource|Resource]] Interface.<br />
<br />
=== Changes from ESAPI 2.0 ===<br />
* Removed deprecated methods<br />
* Added Generic Stereotypes to the Key and Context parameters)<br />
<br />
=== StereoTypes ===<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Description<br />
|-<br />
| R <br />
| A class that implements the [[#Resource|Resource]] Interface and represents the [[#Resource|Resource]] the user is requesting access to <br />
|-<br />
| Context <br />
| Any object that represents the current context of the Authorization request - this is generally a Key-Value map <br />
|}<br />
<br />
=== Methods ===<br />
<br />
==== <R extends Resource,Context> void assertAuthorized(Resource resource, Context context) throws AccessDeniedException ====<br />
Assert that the currently logged in user can access the given [[#Resource|Resource]] with the given Context parameters<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Exceptions =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Exception<br />
! Description<br />
|-<br />
| AccessDeniedException<br />
| If the assertion evaluates to false, an AccessControlException will be thrown with contextual information as to the reason for the failure<br />
|}<br />
<br />
==== <R extends Resource,Context> boolean isAuthorized(Resource resource, Context context) ====<br />
Determine if the given resource is accessible by the currently logged in [[#User|User]]<br />
<br />
===== Parameters =====<br />
{| style="background-color: #9AD7F5; border: 1px solid black; text-align: left;" cellpadding="1"<br />
! Parameter<br />
! Default Value<br />
! Description<br />
|-<br />
| resource<br />
| <br />
| The resource that the user is attempting to access<br />
|-<br />
| context<br />
| <br />
| The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource.<br />
|}<br />
<br />
===== Return =====<br />
Returns true if the resource is accessible to the currently logged in user and false if it is not.<br />
<br />
== AccessReferenceMap<Key> ==<br />
<br />
=== <Type> Key addDirectReference(Type direct) ===<br />
<br />
=== <Type> Type getDirectReference(Key key) ===<br />
<br />
=== <Type> Key getIndirectReference(Type directReference) ===<br />
<br />
=== <Type> Key removeDirectReference(Type directReference) ===<br />
<br />
=== <Type> void update(Set<Type> directReferences) ===<br />
<br />
== Authenticator ==<br />
<br />
=== User login() throws AuthenticationException ===<br />
<br />
=== void logout() throws AuthenticationException === <br />
<br />
== Codec ==<br />
<br />
=== String encode(char c) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
== Encoder ==<br />
<br />
=== String encode(String s) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
=== void addCodec(Codec c) ===<br />
<br />
=== Set<Codec> getCodecs() ===<br />
<br />
=== void setCodecs(Set<Codec> codecs) ===<br />
<br />
== Encryptor ==<br />
<br />
=== PlainText decrypt(CipherText cipherText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== CipherText encrypt(PlainText plainText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== MessageDigest hash(PlainText plainText, Salt salt, Integer iterations) throws EncryptionException ===<br />
<br />
=== String seal(String data, Long timestamp) throws EncryptionException ===<br />
<br />
=== String sign(String data) throws EncryptionException ===<br />
<br />
=== String unseal(String sealedData) throws EncryptionException ===<br />
<br />
=== void verifySeal(String sealedData) throws DataIntegrityException ===<br />
<br />
=== void verifySignature(String signature, String data) throws InvalidSignatureException ===<br />
<br />
== Executor ==<br />
<br />
=== ExecutorResult executeSystemCommand(ExecutorTarget target, Encoder encoder) throws ExecutionException ===<br />
<br />
== ExecutorResult ==<br />
<br />
=== String getErrorOutput() ===<br />
<br />
=== String getStandardOutput() ===<br />
<br />
=== Integer getExitValue() ===<br />
<br />
== ExecutorTarget ==<br />
<br />
=== Resource getExecutable() ===<br />
<br />
=== Resource getWorkingDirectory() ===<br />
<br />
=== OrderedMap<String,String> getParameters() ===<br />
<br />
== IntrusionDetector ==<br />
<br />
=== void addEvent(String eventName, String message) ===<br />
<br />
=== void addException(Throwable exception) ===<br />
<br />
== LogFactory ==<br />
Still thinking this one through<br />
<br />
== Logger ==<br />
Still thinking this one through<br />
<br />
== Randomizer ==<br />
<br />
=== Boolean getRandomBoolean() ===<br />
<br />
=== Byte[] getRandomBytes(Integer len) ===<br />
<br />
=== String getRandomFilename(String extension) ===<br />
<br />
=== String getRandomUUID() ===<br />
<br />
=== Integer getRandomInteger(Integer min, Integer max) ===<br />
<br />
=== Long getRandomLong(Long min, Long max) ===<br />
<br />
=== Float getRandomReal(Float min, Float max) ===<br />
<br />
=== String getRandomString(Integer len, char[] charSet) ===<br />
<br />
== Resource ==<br />
<br />
=== <Native> FileHandle getHandle() ===<br />
<br />
== ServiceLocator ==<br />
<br />
== User ==<br />
<br />
=== <Type> Type getAccountID() ===<br />
<br />
=== String getAccountName() ===<br />
<br />
=== Long getExpirationTime() ===<br />
<br />
=== Integer getFailedLoginCount() ===<br />
<br />
=== Long getLastFailedLoginTime() ===<br />
<br />
=== String getLastHostAddress() ===<br />
<br />
=== Long getLastLoginTime() ===<br />
<br />
=== Long getLastPasswordChangeTime() ===<br />
<br />
=== String getLocale() ===<br />
<br />
=== Set<String> getRoles() ===<br />
<br />
=== String getScreenName() ===<br />
<br />
=== Boolean isAnonymous() ===<br />
<br />
=== Boolean isEnabled() ===<br />
<br />
=== Boolean isExpired() ===<br />
<br />
=== Boolean isInRole(String role) ===<br />
<br />
=== Boolean isLocked() ===<br />
<br />
=== Boolean isLoggedIn() ===<br />
<br />
== Validator ==<br />
<br />
=== <Type> Boolean isValid(Type data) ===<br />
<br />
=== <Type> void assertValid(Type data) ===</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Specification&diff=112221ESAPI Specification2011-06-16T05:29:27Z<p>Chris Schmidt: </p>
<hr />
<div>= Migration Strategy =<br />
* ESAPI 2.1<br />
** Create new package '''org.owasp.esapi.core'''<br />
** Create new set of Interfaces in new package with each extending it's '''org.owasp.esapi''' counterpart<br />
** Deprecate methods in '''org.owasp.esapi''' Interfaces<br />
* ESAPI 2.5<br />
** Remove deprecated methods that were deprecated at or before ESAPI 2.0<br />
** Introduce new ServiceLocator API<br />
** <br />
* ESAPI 3.0<br />
** Seperate Core API into it's own artifact/project called ESAPI-Core<br />
** Create new set of artifacts as outlined in [[ESAPI_Project_Structure]]<br />
** Introduce Core API Testing Suite<br />
<br />
= Core API =<br />
<br />
== AccessController ==<br />
<br />
=== Changes from ESAPI 2.0 ===<br />
* Removed deprecated methods<br />
* Added Generic Stereotypes to the Key and Context parameters)<br />
<br />
=== <Key,Context> void assertAuthorized(Key key, Context context) ===<br />
<br />
=== <Key,Context> boolean isAuthorized(Key key, Context context) ===<br />
<br />
== AccessReferenceMap<Key> ==<br />
<br />
=== <Type> Key addDirectReference(Type direct) ===<br />
<br />
=== <Type> Type getDirectReference(Key key) ===<br />
<br />
=== <Type> Key getIndirectReference(Type directReference) ===<br />
<br />
=== <Type> Key removeDirectReference(Type directReference) ===<br />
<br />
=== <Type> void update(Set<Type> directReferences) ===<br />
<br />
== Authenticator ==<br />
<br />
=== User login() throws AuthenticationException ===<br />
<br />
=== void logout() throws AuthenticationException === <br />
<br />
== Codec ==<br />
<br />
=== String encode(char c) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
== Encoder ==<br />
<br />
=== String encode(String s) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
=== void addCodec(Codec c) ===<br />
<br />
=== Set<Codec> getCodecs() ===<br />
<br />
=== void setCodecs(Set<Codec> codecs) ===<br />
<br />
== Encryptor ==<br />
<br />
=== PlainText decrypt(CipherText cipherText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== CipherText encrypt(PlainText plainText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== MessageDigest hash(PlainText plainText, Salt salt, Integer iterations) throws EncryptionException ===<br />
<br />
=== String seal(String data, Long timestamp) throws EncryptionException ===<br />
<br />
=== String sign(String data) throws EncryptionException ===<br />
<br />
=== String unseal(String sealedData) throws EncryptionException ===<br />
<br />
=== void verifySeal(String sealedData) throws DataIntegrityException ===<br />
<br />
=== void verifySignature(String signature, String data) throws InvalidSignatureException ===<br />
<br />
== Executor ==<br />
<br />
=== ExecutorResult executeSystemCommand(ExecutorTarget target, Encoder encoder) throws ExecutionException ===<br />
<br />
== ExecutorResult ==<br />
<br />
=== String getErrorOutput() ===<br />
<br />
=== String getStandardOutput() ===<br />
<br />
=== Integer getExitValue() ===<br />
<br />
== ExecutorTarget ==<br />
<br />
=== Resource getExecutable() ===<br />
<br />
=== Resource getWorkingDirectory() ===<br />
<br />
=== OrderedMap<String,String> getParameters() ===<br />
<br />
== IntrusionDetector ==<br />
<br />
=== void addEvent(String eventName, String message) ===<br />
<br />
=== void addException(Throwable exception) ===<br />
<br />
== LogFactory ==<br />
Still thinking this one through<br />
<br />
== Logger ==<br />
Still thinking this one through<br />
<br />
== Randomizer ==<br />
<br />
=== Boolean getRandomBoolean() ===<br />
<br />
=== Byte[] getRandomBytes(Integer len) ===<br />
<br />
=== String getRandomFilename(String extension) ===<br />
<br />
=== String getRandomUUID() ===<br />
<br />
=== Integer getRandomInteger(Integer min, Integer max) ===<br />
<br />
=== Long getRandomLong(Long min, Long max) ===<br />
<br />
=== Float getRandomReal(Float min, Float max) ===<br />
<br />
=== String getRandomString(Integer len, char[] charSet) ===<br />
<br />
== Resource ==<br />
<br />
=== <Native> FileHandle getHandle() ===<br />
<br />
== ServiceLocator ==<br />
<br />
== User ==<br />
<br />
=== <Type> Type getAccountID() ===<br />
<br />
=== String getAccountName() ===<br />
<br />
=== Long getExpirationTime() ===<br />
<br />
=== Integer getFailedLoginCount() ===<br />
<br />
=== Long getLastFailedLoginTime() ===<br />
<br />
=== String getLastHostAddress() ===<br />
<br />
=== Long getLastLoginTime() ===<br />
<br />
=== Long getLastPasswordChangeTime() ===<br />
<br />
=== String getLocale() ===<br />
<br />
=== Set<String> getRoles() ===<br />
<br />
=== String getScreenName() ===<br />
<br />
=== Boolean isAnonymous() ===<br />
<br />
=== Boolean isEnabled() ===<br />
<br />
=== Boolean isExpired() ===<br />
<br />
=== Boolean isInRole(String role) ===<br />
<br />
=== Boolean isLocked() ===<br />
<br />
=== Boolean isLoggedIn() ===<br />
<br />
== Validator ==<br />
<br />
=== <Type> Boolean isValid(Type data) ===<br />
<br />
=== <Type> void assertValid(Type data) ===</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Specification&diff=112220ESAPI Specification2011-06-16T05:22:56Z<p>Chris Schmidt: </p>
<hr />
<div>== AccessController ==<br />
<br />
=== Changes from ESAPI 2.0 ===<br />
* Removed deprecated methods<br />
* Added Generic Stereotypes to the Key and Context parameters)<br />
<br />
=== <Key,Context> void assertAuthorized(Key key, Context context) ===<br />
<br />
=== <Key,Context> boolean isAuthorized(Key key, Context context) ===<br />
<br />
== AccessReferenceMap<Key> ==<br />
<br />
=== <Type> Key addDirectReference(Type direct) ===<br />
<br />
=== <Type> Type getDirectReference(Key key) ===<br />
<br />
=== <Type> Key getIndirectReference(Type directReference) ===<br />
<br />
=== <Type> Key removeDirectReference(Type directReference) ===<br />
<br />
=== <Type> void update(Set<Type> directReferences) ===<br />
<br />
== Authenticator ==<br />
<br />
=== User login() throws AuthenticationException ===<br />
<br />
=== void logout() throws AuthenticationException === <br />
<br />
== Codec ==<br />
<br />
=== String encode(char c) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
== Encoder ==<br />
<br />
=== String encode(String s) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
=== void addCodec(Codec c) ===<br />
<br />
=== Set<Codec> getCodecs() ===<br />
<br />
=== void setCodecs(Set<Codec> codecs) ===<br />
<br />
== Encryptor ==<br />
<br />
=== PlainText decrypt(CipherText cipherText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== CipherText encrypt(PlainText plainText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== MessageDigest hash(PlainText plainText, Salt salt, Integer iterations) throws EncryptionException ===<br />
<br />
=== String seal(String data, Long timestamp) throws EncryptionException ===<br />
<br />
=== String sign(String data) throws EncryptionException ===<br />
<br />
=== String unseal(String sealedData) throws EncryptionException ===<br />
<br />
=== void verifySeal(String sealedData) throws DataIntegrityException ===<br />
<br />
=== void verifySignature(String signature, String data) throws InvalidSignatureException ===<br />
<br />
== Executor ==<br />
<br />
=== ExecutorResult executeSystemCommand(ExecutorTarget target, Encoder encoder) throws ExecutionException ===<br />
<br />
== ExecutorResult ==<br />
<br />
=== String getErrorOutput() ===<br />
<br />
=== String getStandardOutput() ===<br />
<br />
=== Integer getExitValue() ===<br />
<br />
== ExecutorTarget ==<br />
<br />
=== Resource getExecutable() ===<br />
<br />
=== Resource getWorkingDirectory() ===<br />
<br />
=== OrderedMap<String,String> getParameters() ===<br />
<br />
== IntrusionDetector ==<br />
<br />
=== void addEvent(String eventName, String message) ===<br />
<br />
=== void addException(Throwable exception) ===<br />
<br />
== LogFactory ==<br />
Still thinking this one through<br />
<br />
== Logger ==<br />
Still thinking this one through<br />
<br />
== Randomizer ==<br />
<br />
=== Boolean getRandomBoolean() ===<br />
<br />
=== Byte[] getRandomBytes(Integer len) ===<br />
<br />
=== String getRandomFilename(String extension) ===<br />
<br />
=== String getRandomUUID() ===<br />
<br />
=== Integer getRandomInteger(Integer min, Integer max) ===<br />
<br />
=== Long getRandomLong(Long min, Long max) ===<br />
<br />
=== Float getRandomReal(Float min, Float max) ===<br />
<br />
=== String getRandomString(Integer len, char[] charSet) ===<br />
<br />
== Resource ==<br />
<br />
=== <Native> FileHandle getHandle() ===<br />
<br />
== User ==<br />
<br />
=== <Type> Type getAccountID() ===<br />
<br />
=== String getAccountName() ===<br />
<br />
=== Long getExpirationTime() ===<br />
<br />
=== Integer getFailedLoginCount() ===<br />
<br />
=== Long getLastFailedLoginTime() ===<br />
<br />
=== String getLastHostAddress() ===<br />
<br />
=== Long getLastLoginTime() ===<br />
<br />
=== Long getLastPasswordChangeTime() ===<br />
<br />
=== String getLocale() ===<br />
<br />
=== Set<String> getRoles() ===<br />
<br />
=== String getScreenName() ===<br />
<br />
=== Boolean isAnonymous() ===<br />
<br />
=== Boolean isEnabled() ===<br />
<br />
=== Boolean isExpired() ===<br />
<br />
=== Boolean isInRole(String role) ===<br />
<br />
=== Boolean isLocked() ===<br />
<br />
=== Boolean isLoggedIn() ===<br />
<br />
== Validator ==<br />
<br />
=== <Type> Boolean isValid(Type data) ===<br />
<br />
=== <Type> void assertValid(Type data) ===</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Specification&diff=112219ESAPI Specification2011-06-16T05:20:03Z<p>Chris Schmidt: Created page with "== AccessController == === <Key,Context> void assertAuthorized(Key key, Context context) === === <Key,Context> boolean isAuthorized(Key key, Context context) === == AccessRefe..."</p>
<hr />
<div>== AccessController ==<br />
<br />
=== <Key,Context> void assertAuthorized(Key key, Context context) ===<br />
<br />
=== <Key,Context> boolean isAuthorized(Key key, Context context) ===<br />
<br />
== AccessReferenceMap<Key> ==<br />
<br />
=== <Type> Key addDirectReference(Type direct) ===<br />
<br />
=== <Type> Type getDirectReference(Key key) ===<br />
<br />
=== <Type> Key getIndirectReference(Type directReference) ===<br />
<br />
=== <Type> Key removeDirectReference(Type directReference) ===<br />
<br />
=== <Type> void update(Set<Type> directReferences) ===<br />
<br />
== Authenticator ==<br />
<br />
=== User login() throws AuthenticationException ===<br />
<br />
=== void logout() throws AuthenticationException === <br />
<br />
== Codec ==<br />
<br />
=== String encode(char c) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
== Encoder ==<br />
<br />
=== String encode(String s) ===<br />
<br />
=== String decode(String s) ===<br />
<br />
=== void addCodec(Codec c) ===<br />
<br />
=== Set<Codec> getCodecs() ===<br />
<br />
=== void setCodecs(Set<Codec> codecs) ===<br />
<br />
== Encryptor ==<br />
<br />
=== PlainText decrypt(CipherText cipherText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== CipherText encrypt(PlainText plainText, SecretKey secretKey) throws EncryptionException ===<br />
<br />
=== MessageDigest hash(PlainText plainText, Salt salt, Integer iterations) throws EncryptionException ===<br />
<br />
=== String seal(String data, Long timestamp) throws EncryptionException ===<br />
<br />
=== String sign(String data) throws EncryptionException ===<br />
<br />
=== String unseal(String sealedData) throws EncryptionException ===<br />
<br />
=== void verifySeal(String sealedData) throws DataIntegrityException ===<br />
<br />
=== void verifySignature(String signature, String data) throws InvalidSignatureException ===<br />
<br />
== Executor ==<br />
<br />
=== ExecutorResult executeSystemCommand(ExecutorTarget target, Encoder encoder) throws ExecutionException ===<br />
<br />
== ExecutorResult ==<br />
<br />
=== String getErrorOutput() ===<br />
<br />
=== String getStandardOutput() ===<br />
<br />
=== Integer getExitValue() ===<br />
<br />
== ExecutorTarget ==<br />
<br />
=== Resource getExecutable() ===<br />
<br />
=== Resource getWorkingDirectory() ===<br />
<br />
=== OrderedMap<String,String> getParameters() ===<br />
<br />
== IntrusionDetector ==<br />
<br />
=== void addEvent(String eventName, String message) ===<br />
<br />
=== void addException(Throwable exception) ===<br />
<br />
== Randomizer ==<br />
<br />
=== Boolean getRandomBoolean() ===<br />
<br />
=== Byte[] getRandomBytes(Integer len) ===<br />
<br />
=== String getRandomFilename(String extension) ===<br />
<br />
=== String getRandomUUID() ===<br />
<br />
=== Integer getRandomInteger(Integer min, Integer max) ===<br />
<br />
=== Long getRandomLong(Long min, Long max) ===<br />
<br />
=== Float getRandomReal(Float min, Float max) ===<br />
<br />
=== String getRandomString(Integer len, char[] charSet) ===<br />
<br />
== Resource ==<br />
<br />
=== <Native> FileHandle getHandle() ===<br />
<br />
== User ==<br />
<br />
=== <Type> Type getAccountID() ===<br />
<br />
=== String getAccountName() ===<br />
<br />
=== Long getExpirationTime() ===<br />
<br />
=== Integer getFailedLoginCount() ===<br />
<br />
=== Long getLastFailedLoginTime() ===<br />
<br />
=== String getLastHostAddress() ===<br />
<br />
=== Long getLastLoginTime() ===<br />
<br />
=== Long getLastPasswordChangeTime() ===<br />
<br />
=== String getLocale() ===<br />
<br />
=== Set<String> getRoles() ===<br />
<br />
=== String getScreenName() ===<br />
<br />
=== Boolean isAnonymous() ===<br />
<br />
=== Boolean isEnabled() ===<br />
<br />
=== Boolean isExpired() ===<br />
<br />
=== Boolean isInRole(String role) ===<br />
<br />
=== Boolean isLocked() ===<br />
<br />
=== Boolean isLoggedIn() ===<br />
<br />
== Validator ==<br />
<br />
=== <Type> Boolean isValid(Type data) ===<br />
<br />
=== <Type> void assertValid(Type data) ===</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Summit&diff=112085ESAPI Summit2011-06-13T18:02:45Z<p>Chris Schmidt: </p>
<hr />
<div>== Summit 2011 ==<br />
<br />
=== Summit Overview ===<br />
<br />
The ESAPI Summit will be held on September 20th at AppSecUSA<br />
<br />
=== Agenda ===<br />
<br />
* 09:00 - 09:30 Mission Briefing<br />
** Review Project Definition and Mission Statement (update if necc.)<br />
* 09:30 - 10:30 Brain Dump<br />
** Get everyones "big-picture" ideas up on the board<br />
** Brief statement about each, this should be a fast-paced Mind-Mapping Exercise aimed to get as many ideas as we can on the board as quickly as possible<br />
* 10:30 - 10:45 Break time<br />
** Good job, get some coffee and some air and get prepared for the real work.<br />
* 10:45 - 12:00 Bug Hunt<br />
** Review the list of existing ESAPI Bugs, assign a champion to them, and prioritize per champion<br />
* 12:00 - 13:00 Lunch - Open Conversation<br />
** Lunch to be provided by OWASP/ESAPI <br />
* 13:00 - 15:00 Where do we go now?<br />
** Now that the bugs are fresh in our heads, let's revisit our master wish-list from earlier and prioritize future enhancements, lay them out into a version roadmap (not a calendar roadmap). Some of these enhancements will likely jump out as high-priority and others as nice-to-haves. It should also be remembered, that a version roadmap is a organic document, it will constantly change and evolve to meet the demands of our users. This is just a first step in getting such a roadmap in place. <br />
* 15:00 - 15:15 Break time<br />
** Get some air, there is sure to be some great debate to reflect on<br />
* 15:15 - 16:00 Formally define the following policies<br />
** Becoming a Committer<br />
** Submitting Contributed Components<br />
** Reporting Security Vulnerabilities<br />
* 16:00 - 18:00 Aligning the ESAPI Projects<br />
** How do we bring all of the implementations into alignment as far as the API is concerned<br />
** How do we ensure that all implements adhere to the contract of the API<br />
** What level of adherement to the specification do we enforce to "sign off" on various implementations<br />
<br />
=== Deliverables ===<br />
<br />
* [[ESAPI Roadmap]]<br />
* [[How to become a committer]]<br />
* [[How to submit contributions]]<br />
* [[How to report security vulnerabilities]]<br />
* [[ESAPI Cross Platform Specification]]<br />
<br />
=== Attending the ESAPI Summit ===<br />
<br />
If you are planning to attend this summit, please list your name below so that we can ensure that we have adequate space and materials for everyone.<br />
<br />
* [[User:Chris Schmidt|Chris Schmidt]] - Meeting Leader<br />
* [[User:jmanico|Jim Manico]] - ESAPI Project Manager<br />
* [[User:John Steven|jOHN Steven]] - Cigital Principal, ESAPI Malcontent<br />
<br />
== Summit 2008 ==<br />
<br />
=== Summit Overview ===<br />
<br />
The first OWASP ESAPI Summit was held December 9-11, 2008. It was hosted by Aspect Security in their Columbia, MD office.<br />
<br />
The following were the attendees of the Summit:<br />
<br />
*[[User:Jeff Williams|Jeff Williams]], Aspect Security - [[ESAPI|ESAPI Project Lead]]<br />
*[[User:Wichers|Dave Wichers]], Aspect Security - [http://code.google.com/p/owasp-esapi-java/ ESAPI Java Committer]<br />
*Ron Monzillo, Sun Microsystems - [http://java.sun.com/javaee/security/ Java EE Security Architect] <br />
*[[User:Arshan|Arshan Dabirsiaghi]], Aspect Security - [[:Category:Intrinsic_Security_Working_Group|OWASP Intrisic Security Working Group Chair]]<br />
*[[User:Jerryhoff|Jerry Hoff]], Aspect Security<br />
*[[User:Mikehfauzy|Mike Fauzy]], Aspect Security<br />
*[[User:Kevin.Fealey|Kevin Fealey]], Aspect Security - [[ESAPI Swingset|ESAPI Swingset Lead]]<br />
*[[User:Jmanico|Jim Manico]], Aspect Security - [http://code.google.com/p/owasp-esapi-java/ ESAPI Java Committer]<br />
*Steve Lavenhar, Booz Allen Hamilton<br />
*Lian Jin, Booz Allen Hamilton<br />
*John Steven, Cigital, Technical Director<br />
*Joel Winstead, Cigital<br />
*Alex Smolen, Foundstone - [[.NET ESAPI | ESAPI .NET Lead]]<br />
*Andy Miller, Lockheed Martin<br />
*John Munsch, Lockheed Martin<br />
*Steve Christey, MITRE - [http://cve.mitre.org CVE]/[http://cwe.mitre.org CWE] Project Lead<br />
<br />
The following pages contain our thoughts/results from the summit.<br />
<br />
Summary: TODO<br />
<br />
=== Links ===<br />
<br />
* [[ESAPI Charter]]<br />
* [[ESAPI Roadmap]]<br />
* [[ESAPI Adoption Strategy]]<br />
* [[ESAPI Framework Strategy]]<br />
* [[ESAPI Assurance]]<br />
* [[ESAPI Documentation]]<br />
* [[ESAPI Marketing]]<br />
* [[ESAPI Tooling]]<br />
* [[ESAPI Static Analysis Support]]<br />
* [[ESAPI Performance]]<br />
* [[ESAPI Internationalization]]<br />
* [[ESAPI Installation]]<br />
<br />
=== Design ===<br />
<br />
* [[ESAPI API]]<br />
<br />
=== Features ===<br />
<br />
* [[ESAPI Validation]]<br />
* [[ESAPI Canonicalization]]<br />
* [[ESAPI Encoding]]<br />
* [[ESAPI Authentication]]<br />
* [[ESAPI Session Management]]<br />
* [[ESAPI Access Control]]<br />
* [[ESAPI Encryption]]<br />
* [[ESAPI Randomizer]]<br />
* [[ESAPI Error Handling]]<br />
* [[ESAPI Logging]]<br />
* [[ESAPI Intrusion Detection]]<br />
* [[ESAPI HTTP Protection]]<br />
* [[ESAPI Utilities]]<br />
* [[ESAPI Filters]]<br />
<br />
__NOTOC__<br />
[[Category:OWASP Enterprise Security API]]</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=OWASP_Web_Testing_Environment_Project&diff=111880OWASP Web Testing Environment Project2011-06-07T12:24:38Z<p>Chris Schmidt: Redirected page to Category:OWASP Live CD Project</p>
<hr />
<div>#REDIRECT [[:Category:OWASP_Live_CD_Project]]</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Summit&diff=111560ESAPI Summit2011-06-02T16:34:40Z<p>Chris Schmidt: </p>
<hr />
<div>== Summit 2011 ==<br />
<br />
=== Summit Overview ===<br />
<br />
The ESAPI Summit will be held on <br />
<br />
=== Agenda ===<br />
<br />
* 09:00 - 09:30 Mission Briefing<br />
** Review Project Definition and Mission Statement (update if necc.)<br />
* 09:30 - 10:30 Brain Dump<br />
** Get everyones "big-picture" ideas up on the board<br />
** Brief statement about each, this should be a fast-paced Mind-Mapping Exercise aimed to get as many ideas as we can on the board as quickly as possible<br />
* 10:30 - 10:45 Break time<br />
** Good job, get some coffee and some air and get prepared for the real work.<br />
* 10:45 - 12:00 Bug Hunt<br />
** Review the list of existing ESAPI Bugs, assign a champion to them, and prioritize per champion<br />
* 12:00 - 13:00 Lunch - Open Conversation<br />
** Lunch to be provided by OWASP/ESAPI <br />
* 13:00 - 15:00 Where do we go now?<br />
** Now that the bugs are fresh in our heads, let's revisit our master wish-list from earlier and prioritize future enhancements, lay them out into a version roadmap (not a calendar roadmap). Some of these enhancements will likely jump out as high-priority and others as nice-to-haves. It should also be remembered, that a version roadmap is a organic document, it will constantly change and evolve to meet the demands of our users. This is just a first step in getting such a roadmap in place. <br />
* 15:00 - 15:15 Break time<br />
** Get some air, there is sure to be some great debate to reflect on<br />
* 15:15 - 16:00 Formally define the following policies<br />
** Becoming a Committer<br />
** Submitting Contributed Components<br />
** Reporting Security Vulnerabilities<br />
* 16:00 - 18:00 Aligning the ESAPI Projects<br />
** How do we bring all of the implementations into alignment as far as the API is concerned<br />
** How do we ensure that all implements adhere to the contract of the API<br />
** What level of adherement to the specification do we enforce to "sign off" on various implementations<br />
<br />
=== Deliverables ===<br />
<br />
* [[ESAPI Roadmap]]<br />
* [[How to become a committer]]<br />
* [[How to submit contributions]]<br />
* [[How to report security vulnerabilities]]<br />
* [[ESAPI Cross Platform Specification]]<br />
<br />
=== Attending the ESAPI Summit ===<br />
<br />
If you are planning to attend this summit, please list your name below so that we can ensure that we have adequate space and materials for everyone.<br />
<br />
* [[User:Chris Schmidt|Chris Schmidt]] - Meeting Leader<br />
<br />
== Summit 2008 ==<br />
<br />
=== Summit Overview ===<br />
<br />
The first OWASP ESAPI Summit was held December 9-11, 2008. It was hosted by Aspect Security in their Columbia, MD office.<br />
<br />
The following were the attendees of the Summit:<br />
<br />
*[[User:Jeff Williams|Jeff Williams]], Aspect Security - [[ESAPI|ESAPI Project Lead]]<br />
*[[User:Wichers|Dave Wichers]], Aspect Security - [http://code.google.com/p/owasp-esapi-java/ ESAPI Java Committer]<br />
*Ron Monzillo, Sun Microsystems - [http://java.sun.com/javaee/security/ Java EE Security Architect] <br />
*[[User:Arshan|Arshan Dabirsiaghi]], Aspect Security - [[:Category:Intrinsic_Security_Working_Group|OWASP Intrisic Security Working Group Chair]]<br />
*[[User:Jerryhoff|Jerry Hoff]], Aspect Security<br />
*[[User:Mikehfauzy|Mike Fauzy]], Aspect Security<br />
*[[User:Kevin.Fealey|Kevin Fealey]], Aspect Security - [[ESAPI Swingset|ESAPI Swingset Lead]]<br />
*[[User:Jmanico|Jim Manico]], Aspect Security - [http://code.google.com/p/owasp-esapi-java/ ESAPI Java Committer]<br />
*Steve Lavenhar, Booz Allen Hamilton<br />
*Lian Jin, Booz Allen Hamilton<br />
*John Steven, Cigital, Technical Director<br />
*Joel Winstead, Cigital<br />
*Alex Smolen, Foundstone - [[.NET ESAPI | ESAPI .NET Lead]]<br />
*Andy Miller, Lockheed Martin<br />
*John Munsch, Lockheed Martin<br />
*Steve Christey, MITRE - [http://cve.mitre.org CVE]/[http://cwe.mitre.org CWE] Project Lead<br />
<br />
The following pages contain our thoughts/results from the summit.<br />
<br />
Summary: TODO<br />
<br />
=== Links ===<br />
<br />
* [[ESAPI Charter]]<br />
* [[ESAPI Roadmap]]<br />
* [[ESAPI Adoption Strategy]]<br />
* [[ESAPI Framework Strategy]]<br />
* [[ESAPI Assurance]]<br />
* [[ESAPI Documentation]]<br />
* [[ESAPI Marketing]]<br />
* [[ESAPI Tooling]]<br />
* [[ESAPI Static Analysis Support]]<br />
* [[ESAPI Performance]]<br />
* [[ESAPI Internationalization]]<br />
* [[ESAPI Installation]]<br />
<br />
=== Design ===<br />
<br />
* [[ESAPI API]]<br />
<br />
=== Features ===<br />
<br />
* [[ESAPI Validation]]<br />
* [[ESAPI Canonicalization]]<br />
* [[ESAPI Encoding]]<br />
* [[ESAPI Authentication]]<br />
* [[ESAPI Session Management]]<br />
* [[ESAPI Access Control]]<br />
* [[ESAPI Encryption]]<br />
* [[ESAPI Randomizer]]<br />
* [[ESAPI Error Handling]]<br />
* [[ESAPI Logging]]<br />
* [[ESAPI Intrusion Detection]]<br />
* [[ESAPI HTTP Protection]]<br />
* [[ESAPI Utilities]]<br />
* [[ESAPI Filters]]<br />
<br />
__NOTOC__<br />
[[Category:OWASP Enterprise Security API]]</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Summit&diff=111557ESAPI Summit2011-06-02T16:32:49Z<p>Chris Schmidt: </p>
<hr />
<div>== Summit 2011 ==<br />
<br />
=== Summit Overview ===<br />
<br />
The ESAPI Summit will be held on <br />
<br />
=== Agenda ===<br />
<br />
* 09:00 - 09:30 Mission Briefing<br />
** Review Project Definition and Mission Statement (update if necc.)<br />
* 09:30 - 10:30 Brain Dump<br />
** Get everyones "big-picture" ideas up on the board<br />
** Brief statement about each, this should be a fast-paced Mind-Mapping Exercise aimed to get as many ideas as we can on the board as quickly as possible<br />
* 10:30 - 10:45 Break time<br />
** Good job, get some coffee and some air and get prepared for the real work.<br />
* 10:45 - 12:00 Bug Hunt<br />
** Review the list of existing ESAPI Bugs, assign a champion to them, and prioritize per champion<br />
* 12:00 - 13:00 Lunch - Open Conversation<br />
** Lunch to be provided by OWASP/ESAPI <br />
* 13:00 - 15:00 Where do we go now?<br />
** Now that the bugs are fresh in our heads, let's revisit our master wish-list from earlier and prioritize future enhancements, lay them out into a version roadmap (not a calendar roadmap). Some of these enhancements will likely jump out as high-priority and others as nice-to-haves. It should also be remembered, that a version roadmap is a organic document, it will constantly change and evolve to meet the demands of our users. This is just a first step in getting such a roadmap in place. <br />
* 15:00 - 15:15 Break time<br />
** Get some air, there is sure to be some great debate to reflect on<br />
* 15:15 - 16:00 Formally define the following policies<br />
** Becoming a Committer<br />
** Submitting Contributed Components<br />
** Reporting Security Vulnerabilities<br />
* 16:00 - 18:00 Aligning the ESAPI Projects<br />
** How do we bring all of the implementations into alignment as far as the API is concerned<br />
** How do we ensure that all implements adhere to the contract of the API<br />
** What level of adherement to the specification do we enforce to "sign off" on various implementations<br />
<br />
=== Deliverables ===<br />
<br />
* [[ESAPI Roadmap]]<br />
* [[How to become a committer]]<br />
* [[How to submit contributions]]<br />
* [[How to report security vulnerabilities]]<br />
* [[ESAPI Cross Platform Specification]]<br />
<br />
=== Attending the ESAPI Summit ===<br />
<br />
If you are planning to attend this summit, please list your name below so that we can ensure that we have adequate space and materials for everyone.<br />
<br />
[[User:Chris Schmidt|Chris Schmidt]] - Meeting Leader<br />
<br />
== Summit 2008 ==<br />
<br />
=== Summit Overview ===<br />
<br />
The first OWASP ESAPI Summit was held December 9-11, 2008. It was hosted by Aspect Security in their Columbia, MD office.<br />
<br />
The following were the attendees of the Summit:<br />
<br />
*[[User:Jeff Williams|Jeff Williams]], Aspect Security - [[ESAPI|ESAPI Project Lead]]<br />
*[[User:Wichers|Dave Wichers]], Aspect Security - [http://code.google.com/p/owasp-esapi-java/ ESAPI Java Committer]<br />
*Ron Monzillo, Sun Microsystems - [http://java.sun.com/javaee/security/ Java EE Security Architect] <br />
*[[User:Arshan|Arshan Dabirsiaghi]], Aspect Security - [[:Category:Intrinsic_Security_Working_Group|OWASP Intrisic Security Working Group Chair]]<br />
*[[User:Jerryhoff|Jerry Hoff]], Aspect Security<br />
*[[User:Mikehfauzy|Mike Fauzy]], Aspect Security<br />
*[[User:Kevin.Fealey|Kevin Fealey]], Aspect Security - [[ESAPI Swingset|ESAPI Swingset Lead]]<br />
*[[User:Jmanico|Jim Manico]], Aspect Security - [http://code.google.com/p/owasp-esapi-java/ ESAPI Java Committer]<br />
*Steve Lavenhar, Booz Allen Hamilton<br />
*Lian Jin, Booz Allen Hamilton<br />
*John Steven, Cigital, Technical Director<br />
*Joel Winstead, Cigital<br />
*Alex Smolen, Foundstone - [[.NET ESAPI | ESAPI .NET Lead]]<br />
*Andy Miller, Lockheed Martin<br />
*John Munsch, Lockheed Martin<br />
*Steve Christey, MITRE - [http://cve.mitre.org CVE]/[http://cwe.mitre.org CWE] Project Lead<br />
<br />
The following pages contain our thoughts/results from the summit.<br />
<br />
Summary: TODO<br />
<br />
=== Links ===<br />
<br />
* [[ESAPI Charter]]<br />
* [[ESAPI Roadmap]]<br />
* [[ESAPI Adoption Strategy]]<br />
* [[ESAPI Framework Strategy]]<br />
* [[ESAPI Assurance]]<br />
* [[ESAPI Documentation]]<br />
* [[ESAPI Marketing]]<br />
* [[ESAPI Tooling]]<br />
* [[ESAPI Static Analysis Support]]<br />
* [[ESAPI Performance]]<br />
* [[ESAPI Internationalization]]<br />
* [[ESAPI Installation]]<br />
<br />
=== Design ===<br />
<br />
* [[ESAPI API]]<br />
<br />
=== Features ===<br />
<br />
* [[ESAPI Validation]]<br />
* [[ESAPI Canonicalization]]<br />
* [[ESAPI Encoding]]<br />
* [[ESAPI Authentication]]<br />
* [[ESAPI Session Management]]<br />
* [[ESAPI Access Control]]<br />
* [[ESAPI Encryption]]<br />
* [[ESAPI Randomizer]]<br />
* [[ESAPI Error Handling]]<br />
* [[ESAPI Logging]]<br />
* [[ESAPI Intrusion Detection]]<br />
* [[ESAPI HTTP Protection]]<br />
* [[ESAPI Utilities]]<br />
* [[ESAPI Filters]]<br />
<br />
__NOTOC__<br />
[[Category:OWASP Enterprise Security API]]</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Summit&diff=111555ESAPI Summit2011-06-02T16:31:52Z<p>Chris Schmidt: </p>
<hr />
<div>== Summit 2011 ==<br />
<br />
=== Summit Overview ===<br />
<br />
The ESAPI Summit will be held on <br />
<br />
=== Agenda ===<br />
<br />
* 09:00 - 09:30 Mission Briefing<br />
** Review Project Definition and Mission Statement (update if necc.)<br />
* 09:30 - 10:30 Brain Dump<br />
** Get everyones "big-picture" ideas up on the board<br />
** Brief statement about each, this should be a fast-paced Mind-Mapping Exercise aimed to get as many ideas as we can on the board as quickly as possible<br />
* 10:30 - 10:45 Break time<br />
** Good job, get some coffee and some air and get prepared for the real work.<br />
* 10:45 - 12:00 Bug Hunt<br />
** Review the list of existing ESAPI Bugs, assign a champion to them, and prioritize per champion<br />
* 12:00 - 13:00 Lunch - Open Conversation<br />
** Lunch to be provided by OWASP/ESAPI <br />
* 13:00 - 15:00 Where do we go now?<br />
** Now that the bugs are fresh in our heads, let's revisit our master wish-list from earlier and prioritize future enhancements, lay them out into a version roadmap (not a calendar roadmap). Some of these enhancements will likely jump out as high-priority and others as nice-to-haves. It should also be remembered, that a version roadmap is a organic document, it will constantly change and evolve to meet the demands of our users. This is just a first step in getting such a roadmap in place. <br />
* 15:00 - 15:15 Break time<br />
** Get some air, there is sure to be some great debate to reflect on<br />
* 15:15 - 16:00 Formally define the following policies<br />
** Becoming a Committer<br />
** Submitting Contributed Components<br />
** Reporting Security Vulnerabilities<br />
* 16:00 - 18:00 Aligning the ESAPI Projects<br />
** How do we bring all of the implementations into alignment as far as the API is concerned<br />
** How do we ensure that all implements adhere to the contract of the API<br />
** What level of adherement to the specification do we enforce to "sign off" on various implementations<br />
<br />
=== Deliverables ===<br />
<br />
[[ESAPI Roadmap]]<br />
[[How to become a committer]]<br />
[[How to submit contributions]]<br />
[[How to report security vulnerabilities]]<br />
[[ESAPI Cross Platform Specification]]<br />
<br />
=== Attending the ESAPI Summit ===<br />
<br />
If you are planning to attend this summit, please list your name below so that we can ensure that we have adequate space and materials for everyone.<br />
<br />
[[User:Chris Schmidt|Chris Schmidt]] - Meeting Leader<br />
<br />
== Summit 2008 ==<br />
<br />
=== Summit Overview ===<br />
<br />
The first OWASP ESAPI Summit was held December 9-11, 2008. It was hosted by Aspect Security in their Columbia, MD office.<br />
<br />
The following were the attendees of the Summit:<br />
<br />
*[[User:Jeff Williams|Jeff Williams]], Aspect Security - [[ESAPI|ESAPI Project Lead]]<br />
*[[User:Wichers|Dave Wichers]], Aspect Security - [http://code.google.com/p/owasp-esapi-java/ ESAPI Java Committer]<br />
*Ron Monzillo, Sun Microsystems - [http://java.sun.com/javaee/security/ Java EE Security Architect] <br />
*[[User:Arshan|Arshan Dabirsiaghi]], Aspect Security - [[:Category:Intrinsic_Security_Working_Group|OWASP Intrisic Security Working Group Chair]]<br />
*[[User:Jerryhoff|Jerry Hoff]], Aspect Security<br />
*[[User:Mikehfauzy|Mike Fauzy]], Aspect Security<br />
*[[User:Kevin.Fealey|Kevin Fealey]], Aspect Security - [[ESAPI Swingset|ESAPI Swingset Lead]]<br />
*[[User:Jmanico|Jim Manico]], Aspect Security - [http://code.google.com/p/owasp-esapi-java/ ESAPI Java Committer]<br />
*Steve Lavenhar, Booz Allen Hamilton<br />
*Lian Jin, Booz Allen Hamilton<br />
*John Steven, Cigital, Technical Director<br />
*Joel Winstead, Cigital<br />
*Alex Smolen, Foundstone - [[.NET ESAPI | ESAPI .NET Lead]]<br />
*Andy Miller, Lockheed Martin<br />
*John Munsch, Lockheed Martin<br />
*Steve Christey, MITRE - [http://cve.mitre.org CVE]/[http://cwe.mitre.org CWE] Project Lead<br />
<br />
The following pages contain our thoughts/results from the summit.<br />
<br />
Summary: TODO<br />
<br />
=== Links ===<br />
<br />
* [[ESAPI Charter]]<br />
* [[ESAPI Roadmap]]<br />
* [[ESAPI Adoption Strategy]]<br />
* [[ESAPI Framework Strategy]]<br />
* [[ESAPI Assurance]]<br />
* [[ESAPI Documentation]]<br />
* [[ESAPI Marketing]]<br />
* [[ESAPI Tooling]]<br />
* [[ESAPI Static Analysis Support]]<br />
* [[ESAPI Performance]]<br />
* [[ESAPI Internationalization]]<br />
* [[ESAPI Installation]]<br />
<br />
=== Design ===<br />
<br />
* [[ESAPI API]]<br />
<br />
=== Features ===<br />
<br />
* [[ESAPI Validation]]<br />
* [[ESAPI Canonicalization]]<br />
* [[ESAPI Encoding]]<br />
* [[ESAPI Authentication]]<br />
* [[ESAPI Session Management]]<br />
* [[ESAPI Access Control]]<br />
* [[ESAPI Encryption]]<br />
* [[ESAPI Randomizer]]<br />
* [[ESAPI Error Handling]]<br />
* [[ESAPI Logging]]<br />
* [[ESAPI Intrusion Detection]]<br />
* [[ESAPI HTTP Protection]]<br />
* [[ESAPI Utilities]]<br />
* [[ESAPI Filters]]<br />
<br />
__NOTOC__<br />
[[Category:OWASP Enterprise Security API]]</div>Chris Schmidthttps://wiki.owasp.org/index.php?title=ESAPI_Summit&diff=111548ESAPI Summit2011-06-02T16:24:19Z<p>Chris Schmidt: </p>
<hr />
<div>== Summit 2011 ==<br />
<br />
=== Summit Overview ===<br />
<br />
The ESAPI Summit will be held on <br />
<br />
=== Agenda ===<br />
<br />
* 09:00 - 09:30 Mission Briefing<br />
** Review Project Definition and Mission Statement (update if necc.)<br />
* 09:30 - 10:30 Brain Dump<br />
** Get everyones "big-picture" ideas up on the board<br />
** Brief statement about each, this should be a fast-paced Mind-Mapping Exercise aimed to get as many ideas as we can on the board as quickly as possible<br />
* 10:30 - 10:45 Break time<br />
** Good job, get some coffee and some air and get prepared for the real work.<br />
* 10:45 - 12:00 Bug Hunt<br />
** Review the list of existing ESAPI Bugs, assign a champion to them, and prioritize per champion<br />
* 12:00 - 13:00 Lunch - Open Conversation<br />
** Lunch to be provided by OWASP/ESAPI <br />
* 13:00 - 15:00 Where do we go now?<br />
** Now that the bugs are fresh in our heads, let's revisit our master wish-list from earlier and prioritize future enhancements, lay them out into a version roadmap (not a calendar roadmap). Some of these enhancements will likely jump out as high-priority and others as nice-to-haves. It should also be remembered, that a version roadmap is a organic document, it will constantly change and evolve to meet the demands of our users. This is just a first step in getting such a roadmap in place. <br />
* 15:00 - 15:15 Break time<br />
** Get some air, there is sure to be some great debate to reflect on<br />
* 15:15 - 16:00 Formally define the following policies<br />
** Becoming a Committer<br />
** Submitting Contributed Components<br />
** Reporting Security Vulnerabilities<br />
* 16:00 - 18:00 Aligning the ESAPI Projects<br />
** How do we bring all of the implementations into alignment as far as the API is concerned<br />
** How do we ensure that all implements adhere to the contract of the API<br />
** What level of adherement to the specification do we enforce to "sign off" on various implementations<br />
<br />
=== Attending the ESAPI Summit ===<br />
<br />
If you are planning to attend this summit, please list your name below so that we can ensure that we have adequate space and materials for everyone.<br />
<br />
<br />
<br />
== Summit 2008 ==<br />
<br />
=== Summit Overview ===<br />
<br />
The first OWASP ESAPI Summit was held December 9-11, 2008. It was hosted by Aspect Security in their Columbia, MD office.<br />
<br />
The following were the attendees of the Summit:<br />
<br />
*[[User:Jeff Williams|Jeff Williams]], Aspect Security - [[ESAPI|ESAPI Project Lead]]<br />
*[[User:Wichers|Dave Wichers]], Aspect Security - [http://code.google.com/p/owasp-esapi-java/ ESAPI Java Committer]<br />
*Ron Monzillo, Sun Microsystems - [http://java.sun.com/javaee/security/ Java EE Security Architect] <br />
*[[User:Arshan|Arshan Dabirsiaghi]], Aspect Security - [[:Category:Intrinsic_Security_Working_Group|OWASP Intrisic Security Working Group Chair]]<br />
*[[User:Jerryhoff|Jerry Hoff]], Aspect Security<br />
*[[User:Mikehfauzy|Mike Fauzy]], Aspect Security<br />
*[[User:Kevin.Fealey|Kevin Fealey]], Aspect Security - [[ESAPI Swingset|ESAPI Swingset Lead]]<br />
*[[User:Jmanico|Jim Manico]], Aspect Security - [http://code.google.com/p/owasp-esapi-java/ ESAPI Java Committer]<br />
*Steve Lavenhar, Booz Allen Hamilton<br />
*Lian Jin, Booz Allen Hamilton<br />
*John Steven, Cigital, Technical Director<br />
*Joel Winstead, Cigital<br />
*Alex Smolen, Foundstone - [[.NET ESAPI | ESAPI .NET Lead]]<br />
*Andy Miller, Lockheed Martin<br />
*John Munsch, Lockheed Martin<br />
*Steve Christey, MITRE - [http://cve.mitre.org CVE]/[http://cwe.mitre.org CWE] Project Lead<br />
<br />
The following pages contain our thoughts/results from the summit.<br />
<br />
Summary: TODO<br />
<br />
=== Links ===<br />
<br />
* [[ESAPI Charter]]<br />
* [[ESAPI Roadmap]]<br />
* [[ESAPI Adoption Strategy]]<br />
* [[ESAPI Framework Strategy]]<br />
* [[ESAPI Assurance]]<br />
* [[ESAPI Documentation]]<br />
* [[ESAPI Marketing]]<br />
* [[ESAPI Tooling]]<br />
* [[ESAPI Static Analysis Support]]<br />
* [[ESAPI Performance]]<br />
* [[ESAPI Internationalization]]<br />
* [[ESAPI Installation]]<br />
<br />
=== Design ===<br />
<br />
* [[ESAPI API]]<br />
<br />
=== Features ===<br />
<br />
* [[ESAPI Validation]]<br />
* [[ESAPI Canonicalization]]<br />
* [[ESAPI Encoding]]<br />
* [[ESAPI Authentication]]<br />
* [[ESAPI Session Management]]<br />
* [[ESAPI Access Control]]<br />
* [[ESAPI Encryption]]<br />
* [[ESAPI Randomizer]]<br />
* [[ESAPI Error Handling]]<br />
* [[ESAPI Logging]]<br />
* [[ESAPI Intrusion Detection]]<br />
* [[ESAPI HTTP Protection]]<br />
* [[ESAPI Utilities]]<br />
* [[ESAPI Filters]]<br />
<br />
__NOTOC__<br />
[[Category:OWASP Enterprise Security API]]</div>Chris Schmidt