OWASP - User contributions [en]

ESAPI Access Control

2008-12-11T15:03:41Z

Monzillo:

== Feature Overview ==

TODO

== Possible Enhancements ==

Currently the access controller simply allows for lookup on an access control matrix. Enhancements will allow for special function(s) to be created for more complex access control rules (for example, a user has access to a file but only Monday - Friday, not on weekends).

So the simple case (lookup in an access control matrix:
* isValid(user, action_string)

Custom Case
* isValid(user, action_string, data)

consider using objects provided by the underlying vm
* for representing resources is policy checks (e.g. Java Permissions) and
* for representing the properties of the invocation context (e.g. the Java AcessControlContext)

ensure that the policy system can support different policies being enforced for different instances of the
same app.

ESAPI Authentication

2008-12-11T14:56:28Z

Monzillo: /* Possible Enhancements */

== Feature Overview ==

TODO

== Possible Enhancements ==

* Wrap Principal don't extend

* Work to make compatible with container based authentication

* Provide a reauthentication API

* consider mechanisms provided by vm to associate authentication state with the invocation (e.g. Java AccessControlContext including Subject)

ESAPI Authentication

2008-12-11T14:52:07Z

Monzillo: /* Possible Enhancements */

== Feature Overview ==

TODO

== Possible Enhancements ==

* Wrap Principal don't extend

* Work to make compatible with container based authentication

* Provide a reauthentication API

* consider mechanisms provided by vm to associate authentication state invocation context (e.g. Java AccessControlContext including Subject)

ESAPI Framework Strategy

2008-12-11T14:47:18Z

Monzillo:

the esapi should

be defined such that it can be used on behalf of applications by frameworks including containers (unless the nature of the functionality is such that it can only work from the application). another way this was said, is such that the api is compatible with ioc.

share the representations of authentication state employed by the underlying framework or runtime environment.

leverage the access control primitives (e.j. Java permissions) employed by the underlying framework or runtime environment

where the api must be embedded in the app, consider separation of the specification of the logical effect of what must be achieved (in the app) from the details of how it will be accomplished, such that different mechanisms can be bound to achieve the effect, such as the case with Java Annotations.

ESAPI Framework Strategy

2008-12-11T14:46:02Z

Monzillo:

the esapi should

be defined such that it can be used on behalf of applications by frameworks including containers (unless the nature of the functionality is such that it can only work from the application). another way this was said, is such that the api is compatible with ioc.

share the representations of authentication state employed by the underlying framework or runtime environment.

leverage the access control primitives (e.j. Java permissions) employed by the underlying framework or runtime environment

where api must be embedded in app, consider separation of the specification of the logical effect of what must be achived (in the app) from the details of how it will be accomplished, such that different mechanisms can be bound to achieve the effect, such as the case with Java Annotations.

ESAPI Framework Strategy

2008-12-11T14:40:13Z

Monzillo: New page: the esapi should be defined such that it can be used on behalf of applications by frameworks including containers (unless the nature of the functionality is such that it can only work fro...