This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

ESAPI Getting Started Guide

From OWASP
Revision as of 14:22, 19 April 2008 by Jeff Williams (talk | contribs) (Step 4: Hello, ESAPI!)

Jump to: navigation, search

Getting Started with OWASP ESAPI

ESAPI is very easy to use. This tutorial shows how to get a simple application working with the reference implementation of ESAPI. Please remember that the reference implementation is a simple example. The Authenticator uses a text-based password file. This is to make it easy to test ESAPI without installing a database or directory. Enterprises will want to create their own implementation of the API that works with their identity management solution.


Step 1: Setting up a resources directory

Create a directory to hold ESAPI resources. This should be a secure location as it will contain a significant amount of security information. For example, you might create a directory called "C:\resources" and use the operating system access control mechanisms to restrict access.


Step 2: Setting ESAPI configuration properties

Download the default ESAPI.properties file. Edit the MasterPassword property and choose a long, difficult-to-guess string as the security of your application depends on it. 

 MasterPassword=xxxxx


Step 3: Configuring user accounts

The simplest way to get started is to create an "admin" account to work with. ESAPI has a command line tool that will create your users.txt file and 

 java -Dorg.owasp.esapi.resources="C:\resources"
 -classpath owasp-esapi-java-1.1.1.jar
 org.owasp.esapi.Authenticator Alice test admin


Step 4: Hello, ESAPI!

You should be able to use any application container. The instructions below are for Tomcat.

  • Do a clean Tomcat 5.5/6.0 install (or use an existing container)
  • Unzip File:Test.zip and put the "test" directory in the webapps folder
  • Run Tomcat/bin/startup.bat (or .sh)

Step 5: Run

Just browse to http://localhost:8080/test/test.jsp and login with the credentials you have chosen.

This JSP performs a lot of "global" checks including authentication, validation, and CSRF. Typically you will want to leave these steps to a framework or a filter (see the ESAPI Filter). This JSP is just to demonstrate some of the features of ESAPI.

Retrieved from "https://wiki.owasp.org/index.php?title=ESAPI_Getting_Started_Guide&oldid=28210"