This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
ESAPI Specification
This document is currently under development - Please use the Discussion page for threaded conversation
- 1 Proposed Migration Roadmap
- 2 Core API Specification
- 2.1 AccessController
- 2.2 AccessReferenceMap<Key>
- 2.2.1 StereoTypes
- 2.2.2 Methods
- 2.3 Authenticator
- 2.4 Codec
- 2.5 Encoder
- 2.6 Encryptor
- 2.6.1 Methods
- 2.6.1.1 PlainText decrypt(CipherText cipherText, SecretKey secretKey) throws EncryptionException
- 2.6.1.2 CipherText encrypt(PlainText plainText, SecretKey secretKey) throws EncryptionException
- 2.6.1.3 MessageDigest hash(PlainText plainText, Salt salt, Integer iterations) throws EncryptionException
- 2.6.1.4 String seal(String data, Long timestamp) throws EncryptionException
- 2.6.1.5 String sign(String data) throws EncryptionException
- 2.6.1.6 String unseal(String sealedData) throws EncryptionException
- 2.6.1.7 void verifySeal(String sealedData) throws DataIntegrityException
- 2.6.1.8 void verifySignature(String signature, String data) throws InvalidSignatureException
- 2.6.1 Methods
- 2.7 Executor
- 2.8 ExecutorResult
- 2.9 ExecutorTarget
- 2.10 IntrusionDetector
- 2.11 LogFactory
- 2.12 Logger
- 2.13 Randomizer
- 2.13.1 Methods
- 2.13.1.1 Boolean getRandomBoolean()
- 2.13.1.2 Byte[] getRandomBytes(Integer len)
- 2.13.1.3 String getRandomFilename(String extension)
- 2.13.1.4 String getRandomUUID()
- 2.13.1.5 Integer getRandomInteger(Integer min, Integer max)
- 2.13.1.6 Long getRandomLong(Long min, Long max)
- 2.13.1.7 Float getRandomReal(Float min, Float max)
- 2.13.2 = String getRandomString(Integer len, char[] charSet=)
- 2.13.1 Methods
- 2.14 Resource
- 2.15 ServiceLocator
- 2.16 User
- 2.16.1 Methods
- 2.16.1.1 <Type> Type getAccountID()
- 2.16.1.2 String getAccountName()
- 2.16.1.3 Long getExpirationTime()
- 2.16.1.4 Integer getFailedLoginCount()
- 2.16.1.5 Long getLastFailedLoginTime()
- 2.16.1.6 String getLastHostAddress()
- 2.16.1.7 Long getLastLoginTime()
- 2.16.1.8 Long getLastPasswordChangeTime()
- 2.16.1.9 String getLocale()
- 2.16.1.10 Set<String> getRoles()
- 2.16.1.11 String getScreenName()
- 2.16.1.12 Boolean isAnonymous()
- 2.16.1.13 Boolean isEnabled()
- 2.16.1.14 Boolean isExpired()
- 2.16.1.15 Boolean isInRole(String role)
- 2.16.1.16 Boolean isLocked()
- 2.16.1.17 Boolean isLoggedIn()
- 2.16.1 Methods
- 2.17 Validator
- 2.18 Exceptions
- 2.18.1 AccessDeniedException
- 2.18.2 AccountDisabledException
- 2.18.3 AccountLockedException
- 2.18.4 AuthenticationException
- 2.18.5 EncodingException
- 2.18.6 EncryptionException
- 2.18.7 EnterpriseSecurityException
- 2.18.8 EnterpriseSecurityRuntimeException
- 2.18.9 ExecutionException
- 2.18.10 IncorrectCredentialsException
- 3 Web API Specification
- 3.1 ClientCookie
- 3.1.1 Methods
- 3.1.1.1 String getName()
- 3.1.1.2 void setName(String name)
- 3.1.1.3 String getValue()
- 3.1.1.4 void setValue(String value)
- 3.1.1.5 Integer getMaxAge()
- 3.1.1.6 void setMaxAge(Integer maxAge)
- 3.1.1.7 String getDomain()
- 3.1.1.8 void setDomain(String domain)
- 3.1.1.9 String getPath()
- 3.1.1.10 void setPath(String path)
- 3.1.1.11 Boolean isHttpOnly()
- 3.1.1.12 void setHttpOnly(Boolean httpOnly)
- 3.1.1.13 Boolean isSecure()
- 3.1.1.14 void setSecure(Boolean secure)
- 3.1.1 Methods
- 3.2 SecureHttpRequest
- 3.2.1 Methods
- 3.2.1.1 void assertSecureChannel()
- 3.2.1.2 void assertSecureRequest()
- 3.2.1.3 ClientCookie getCookie(String name)
- 3.2.1.4 List<FileHandle> getFileUploads()
- 3.2.1.5 <T> T getAttribute(String name)
- 3.2.1.6 String getHeader(String header)
- 3.2.1.7 String getParameter(String name)
- 3.2.1.8 void sendForward(String url)
- 3.2.1.9 void verifyCsrfToken() throws CsrfException
- 3.2.1 Methods
- 3.3 SecureHttpResponse
- 3.4 SecureHttpSession
- 3.5 URLResource
- 3.6 WebUser
- 3.1 ClientCookie
- 4 Mobile API Specification
- 5 Desktop API Specification
Proposed Migration Roadmap
- ESAPI 2.1
- Create new package org.owasp.esapi.core
- Create new set of Interfaces in new package with each extending it's org.owasp.esapi counterpart
- Deprecate methods in org.owasp.esapi Interfaces
- ESAPI 2.5
- Remove deprecated methods that were deprecated at or before ESAPI 2.0
- Introduce new ServiceLocator API
- ESAPI 3.0
- Seperate Core API into it's own artifact/project called ESAPI-Core
- Create new set of artifacts as outlined in ESAPI_Project_Structure
- Introduce Core API Testing Suite
Core API Specification
AccessController
The AccessController is responsible for determining if the currently logged in user has access to a given resource. The resource can be anything that implements the Resource Interface.
Changes from ESAPI 2.0
- Removed deprecated methods
- Added Generic Stereotypes to the Resource and Context parameters)
StereoTypes
Parameter | Description |
---|---|
R | A class that implements the Resource Interface and represents the Resource the user is requesting access to |
Context | Any object that represents the current context of the Authorization request - this is generally a Key-Value map |
Methods
<R extends Resource,Context> void assertAuthorized(Resource resource, Context context) throws AccessDeniedException
Assert that the currently logged in user can access the given Resource with the given Context parameters
Parameters
Parameter | Default Value | Description |
---|---|---|
resource | The resource that the user is attempting to access | |
context | The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource. |
Exceptions
Exception | Description |
---|---|
AccessDeniedException | If the assertion evaluates to false, an AccessControlException will be thrown with contextual information as to the reason for the failure |
<R extends Resource,Context> boolean isAuthorized(Resource resource, Context context)
Determine if the given resource is accessible by the currently logged in User
Parameters
Parameter | Default Value | Description |
---|---|---|
resource | The resource that the user is attempting to access | |
context | The context of the request. This could be any type of object - for instance if requesting access to data, the context may be the resource identifier for the identified resource. |
Return
Returns true if the resource is accessible to the currently logged in user and false if it is not.
AccessReferenceMap<Key>
The AccessReferenceMap interface is used to map from a set of internal direct object references to a set of indirect references that are safe to disclose publicly. This can be used to help protect database keys, filenames, and other types of direct object references. As a rule, developers should not expose their direct object references as it enables attackers to attempt to manipulate them.
Indirect references are handled as strings, to facilitate their use in HTML. Implementations can generate simple integers or more complicated random character strings as indirect references. Implementations should probably add a constructor that takes a list of direct references.
Note that in addition to defeating all forms of parameter tampering attacks, there is a side benefit of the AccessReferenceMap. Using random strings as indirect object references, as opposed to simple integers makes it impossible for an attacker to guess valid identifiers. So if per-user AccessReferenceMaps are used, then request forgery (CSRF) attacks will also be prevented.
StereoTypes
Parameter | Description |
---|---|
Key | The type of object to use for a key in the AccessReferenceMap |
Methods
<Type> Key addDirectReference(Type direct)
Adds a direct reference to the AccessReferenceMap, then generates and returns an associated indirect reference.
StereoTypes
Parameter | Description |
---|---|
Type | The type for the direct reference |
Parameters
Parameter | Default Value | Description |
---|---|---|
direct | The direct reference |
Return
The key for the added Direct Reference
<Type> Type getDirectReference(Key key)
Get the original direct object reference from an indirect reference. Developers should use this when they get an indirect reference from a request to translate it back into the real direct reference. If an invalid indirect reference is requested, then an AccessControlException is thrown. If a type is implied the requested object will be cast to that type, if the object is not of the requested type, a AccessControlException will be thrown to the caller.
StereoTypes
Parameter | Description |
---|---|
Type | The type for the direct reference |
Parameters
Parameter | Default Value | Description |
---|---|---|
key | The indirect reference |
Return
The direct reference
Exceptions
Exception | Description |
---|---|
AccessDeniedException | If the requested reference does not exist or the implied type is incorrect. |
<Type> Key getIndirectReference(Type directReference)
Get a safe indirect reference to use in place of a potentially sensitive direct object reference.
StereoTypes
Parameter | Description |
---|---|
Type | The type for the direct reference |
Parameters
Parameter | Default Value | Description |
---|---|---|
direct | The direct reference |
Return
The indirect reference
<Type> Key removeDirectReference(Type directReference)
Removes a direct reference and its associated indirect reference from the AccessReferenceMap.
<Type> void update(Set<Type> directReferences)
Updates the access reference map with a new set of direct references, maintaining any existing indirect references associated with items that are in the new list.
Authenticator
Methods
User login() throws AuthenticationException
void logout() throws AuthenticationException
Codec
Methods
String encode(char c)
String decode(String s)
Encoder
Methods
String encode(String s)
String decode(String s)
void addCodec(Codec c)
Set<Codec> getCodecs()
void setCodecs(Set<Codec> codecs)
Encryptor
Methods
PlainText decrypt(CipherText cipherText, SecretKey secretKey) throws EncryptionException
CipherText encrypt(PlainText plainText, SecretKey secretKey) throws EncryptionException
MessageDigest hash(PlainText plainText, Salt salt, Integer iterations) throws EncryptionException
String seal(String data, Long timestamp) throws EncryptionException
String sign(String data) throws EncryptionException
String unseal(String sealedData) throws EncryptionException
void verifySeal(String sealedData) throws DataIntegrityException
void verifySignature(String signature, String data) throws InvalidSignatureException
Executor
Methods
ExecutorResult executeSystemCommand(ExecutorTarget target, Encoder encoder) throws ExecutionException
ExecutorResult
Methods
String getErrorOutput()
String getStandardOutput()
Integer getExitValue()
ExecutorTarget
Methods
native FileHandle getExecutable()
native Handle getWorkingDirectory()
OrderedMap<String,String> getParameters()
IntrusionDetector
Methods
void addEvent(String eventName, String message)
void addException(Throwable exception)
LogFactory
Still thinking this one through
Logger
Still thinking this one through
Randomizer
Methods
Boolean getRandomBoolean()
Byte[] getRandomBytes(Integer len)
String getRandomFilename(String extension)
String getRandomUUID()
Integer getRandomInteger(Integer min, Integer max)
Long getRandomLong(Long min, Long max)
Float getRandomReal(Float min, Float max)
= String getRandomString(Integer len, char[] charSet=)
Resource
Marker Interface for Resources that a user can request access to.
ServiceLocator
User
Methods
<Type> Type getAccountID()
String getAccountName()
Long getExpirationTime()
Integer getFailedLoginCount()
Long getLastFailedLoginTime()
String getLastHostAddress()
Long getLastLoginTime()
Long getLastPasswordChangeTime()
String getLocale()
Set<String> getRoles()
String getScreenName()
Boolean isAnonymous()
Boolean isEnabled()
Boolean isExpired()
Boolean isInRole(String role)
Boolean isLocked()
Boolean isLoggedIn()
Validator
Methods
<Type> Boolean isValid(Type data)
<Type> void assertValid(Type data)
Exceptions
AccessDeniedException
AccountDisabledException
AccountLockedException
AuthenticationException
EncodingException
EncryptionException
EnterpriseSecurityException
EnterpriseSecurityRuntimeException
ExecutionException
IncorrectCredentialsException
Web API Specification
This API describes the components that can be used in the context of a Web Application.