This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "ESAPI Getting Started Guide"

From OWASP
Jump to: navigation, search
(Step 2: Setting ESAPI configuration properties)
(Step 5: Run)
Line 27: Line 27:
  
 
* You should enable SSL by uncommenting the SSL Connector in tomcat/conf/server.xml (or /etc/tomcat/server.xml, etc.). Otherwise ESAPI will warn that you're sending a session id over an insecure connection.
 
* You should enable SSL by uncommenting the SSL Connector in tomcat/conf/server.xml (or /etc/tomcat/server.xml, etc.). Otherwise ESAPI will warn that you're sending a session id over an insecure connection.
 
==Step 5: Run==
 
Just browse to https://localhost:8443/test/test.jsp (or http://localhost:8080/test/test.jsp) and log in with the credentials you set up.
 
 
This JSP performs a lot of "global" checks including authentication, validation, and anti-CSRF. Typically you will want to leave these steps to a framework or a filter (see the [[ESAPI Filter]]). This JSP is just to demonstrate some of the features of ESAPI.
 
 
[[Category:OWASP Enterprise Security API]]
 

Revision as of 09:50, 26 October 2008

ESAPI is very easy to use. This tutorial shows how to get a simple application working with the reference implementation of ESAPI. Please remember that the reference implementation is a simple example. The Authenticator uses a text-based password file. This is to make it easy to test ESAPI without installing a database or directory. Enterprises will want to create their own implementation of the API that works with their identity management solution.

Step 1: Setting up a resources directory

Create a directory to hold ESAPI resources. This should be a secure location as it will contain a significant amount of security information. For example, you might create a directory called "C:\resources" (Windows) and use the operating system access control mechanisms (NTFS on Windows) to restrict access.

Step 2: Setting ESAPI configuration properties

If it isn't there already, copy the default ESAPI.Properties file into your resources directory. Edit the MasterPassword property and choose a long, difficult-to-guess string, as the security of your application depends on it.

MasterPassword=xxxxx

Also copy the antisamy.xml file into your resources directory, which defines the antisamy policy that you'll use in ESAPI.

Step 3: Configuring user accounts

The simplest way to get started is to create an "admin" account to work with. ESAPI has a command line tool that will create your users.txt file. Type the below, for example (all one line):

java -Dorg.owasp.esapi.resources="c:\resources"
-classpath owasp-esapi-java-1.1.1.jar
org.owasp.esapi.Authenticator yourname yourpass admin

Step 4: Hello, ESAPI!

You should be able to use any application container. The instructions below are for Tomcat.

  1. Do a clean Tomcat 5.5/6.0 install (or use an existing container).
  2. Unzip File:Test.zip and put the test directory in the webapps folder.
  3. Run tomcat/bin/startup.bat (or .sh).
  • You should enable SSL by uncommenting the SSL Connector in tomcat/conf/server.xml (or /etc/tomcat/server.xml, etc.). Otherwise ESAPI will warn that you're sending a session id over an insecure connection.