ESAPI Getting Started Guide
Revision as of 20:16, 8 August 2008
ESAPI is very easy to use. This tutorial shows how to get a simple application working with the reference implementation of ESAPI. Please remember that the reference implementation is a simple example. The Authenticator uses a text-based password file. This is to make it easy to test ESAPI without installing a database or directory. Enterprises will want to create their own implementation of the API that works with their identity management solution.
Step 1: Setting up a resources directory
Create a directory to hold ESAPI resources. This should be a secure location as it will contain a significant amount of security information. For example, you might create a directory called "C:\resources" (Windows) and use the operating system access control mechanisms (NTFS on Windows) to restrict access.
Step 2: Setting ESAPI configuration properties
Unzip the default ESAPI.properties.zip file. Edit the MasterPassword property and choose a long, difficult-to-guess string, as the security of your application depends on it.
MasterPassword=xxxxx
Step 3: Configuring user accounts
The simplest way to get started is to create an "admin" account to work with. ESAPI has a command line tool that will create your users.txt file, for example:
java -Dorg.owasp.esapi.resources="c:\resources" \
     -classpath owasp-esapi-java-1.1.1.jar \
     org.owasp.esapi.Authenticator Yourname yourpass admin
Step 4: Hello, ESAPI!
You should be able to use any application container. The instructions below are for Tomcat.
- Do a clean Tomcat 5.5/6.0 install (or use an existing container).
- Unzip Test.zip and put the test directory in the webapps folder.
- Run tomcat/bin/startup.bat (or .sh).
- You should enable SSL by uncommenting the SSL Connector in tomcat/conf/server.xml (or /etc/tomcat/server.xml, etc.). Otherwise ESAPI will warn that you're sending a session id over an insecure connection.
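The four steps above each leave a setting that is easy to get wrong: a resources directory that other accounts can read, a MasterPassword left at the placeholder, no users.txt because the Authenticator tool was never run, and an SSL Connector that is still inside an XML comment. The POSIX shell script below is an added pre-flight check for those points; it is example code written for this guide, not part of the ESAPI project or of Tomcat. It assumes a POSIX path for the resources directory in place of the guide's C:\resources, a 16-character minimum for MasterPassword (our own threshold; the page only says "long"), and that a live Connector carries secure="true", which both the Tomcat 5.5 and 6.0 default server.xml templates use. The sample properties and server.xml used in the usage note are constructed.

```shell
#!/bin/sh
# Pre-flight checks for an ESAPI resources directory and a Tomcat server.xml.
# Example code for this guide (not ESAPI's or Tomcat's own tooling).
# Assumptions: POSIX paths; MIN_MASTER_PASSWORD_LEN is our own threshold;
# an active SSL Connector is one with secure="true" outside <!-- --> comments.

MIN_MASTER_PASSWORD_LEN=16   # assumption, not an ESAPI requirement

# Step 1: the resources directory must not be readable by group or others.
# Reads the permission string from ls -ld, which works on GNU and BSD systems.
check_resources_dir_perms() {
    dir=$1
    [ -d "$dir" ] || { echo "missing resources dir: $dir" >&2; return 1; }
    mode=$(ls -ld "$dir" | cut -c5-10)
    case "$mode" in
        ------) return 0 ;;
        *) echo "resources dir $dir is group/world accessible ($mode)" >&2; return 1 ;;
    esac
}

# Step 2: MasterPassword must be set, must not be the guide's placeholder,
# and must meet the minimum length. CRs from Windows editors are ignored.
check_master_password() {
    props=$1/ESAPI.properties
    [ -f "$props" ] || { echo "missing $props" >&2; return 1; }
    value=$(tr -d '\r' < "$props" \
        | sed -n 's/^[[:space:]]*MasterPassword[[:space:]]*=[[:space:]]*//p' \
        | head -n 1)
    [ -n "$value" ] || { echo "MasterPassword not set in $props" >&2; return 1; }
    [ "$value" != "xxxxx" ] || { echo "MasterPassword is still the placeholder" >&2; return 1; }
    [ "${#value}" -ge "$MIN_MASTER_PASSWORD_LEN" ] \
        || { echo "MasterPassword shorter than $MIN_MASTER_PASSWORD_LEN characters" >&2; return 1; }
    return 0
}

# Step 3: users.txt must exist and be non-empty, i.e. the Authenticator
# command line tool has been run at least once.
check_users_file() {
    users=$1/users.txt
    [ -s "$users" ] || { echo "no accounts in $users (run the Authenticator tool)" >&2; return 1; }
    return 0
}

# Step 4: an SSL Connector must be live. The awk program strips XML comments
# (including multi-line ones), the lines are joined so a Connector element
# spanning several lines still matches, then we look for secure="true".
check_ssl_connector() {
    server_xml=$1
    [ -f "$server_xml" ] || { echo "missing $server_xml" >&2; return 1; }
    awk '
    {
        line = $0; out = ""
        while (1) {
            if (incomment) {
                i = index(line, "-->")
                if (i == 0) { break }            # rest of line is comment
                line = substr(line, i + 3); incomment = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; break }
                out = out substr(line, 1, i - 1); line = substr(line, i + 4); incomment = 1
            }
        }
        print out
    }' "$server_xml" | tr '\n' ' ' | grep -q '<Connector[^>]*secure="true"' \
        || { echo "no active SSL Connector in $server_xml" >&2; return 1; }
    return 0
}

# Runs every check and returns non-zero if any of them failed.
esapi_preflight() {
    rc=0
    check_resources_dir_perms "$1" || rc=1
    check_master_password "$1" || rc=1
    check_users_file "$1" || rc=1
    check_ssl_connector "$2" || rc=1
    return $rc
}

# Usage: . ./esapi_preflight.sh && esapi_preflight /srv/esapi/resources /etc/tomcat/server.xml
```

Source the file and call esapi_preflight with the resources directory and the container's server.xml before starting Tomcat; each failing check prints one line on stderr, so the output doubles as a checklist. The comment stripping is deliberately done before the grep because the stock server.xml ships its SSL Connector commented out, and a plain grep would report it as present.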
Step 5: Run
Just browse to https://localhost:8443/test/test.jsp (or http://localhost:8180/test/test.jsp) and log in with the credentials you set up.
This JSP performs a lot of "global" checks including authentication, validation, and anti-CSRF. Typically you will want to leave these steps to a framework or a filter (see the ESAPI Filter). This JSP is just to demonstrate some of the features of ESAPI.