Talk:ESAPI Specification

From OWASP

Revision as of 00:23, 17 June 2011

I tried to keep the specification as compatible as I can with the existing APIs; however, there are definitely places where existing users are going to have to modify their code, specifically where it deals with Encoding and Validation. I believe these changes are absolutely necessary, however, to establish a good cross-platform specification. I also believe the migration path allows for the smoothest transition for end-users (developers) to make the necessary changes without completely breaking their existing implementations. This is similar to the path that Spring-Security took with its 2.0 -> 2.5 -> 3.0 path, where they did a very similar thing, and I used their experience as the basis for the proposed roadmap.

--Chris Schmidt 02:23, 16 June 2011 (EDT)

Proposed Roadmap

Does this seem like a realistic and smooth approach?

--Chris Schmidt 02:26, 16 June 2011 (EDT)

AccessController

Let's start with discussing the proposed changes to the AccessController.

Summary of proposed changes:

  • Drop deprecated methods isAuthorizedForXXX, assertAuthorizedForXXX
  • Replace (Object) Parameters with strongly typed StereoTypes

Thoughts?

--Chris Schmidt 02:26, 16 June 2011 (EDT)


I like the resource approach. I am imagining there will be, let's say, a FileResource inherited from Resource, so if a FileResource is passed to the method then only assessments against file resources will be done, am I right?

--Juan C Calderon 19:23, 16 June 2011 (CDT)

Logged in user, from where?

Where will the logged-in user information come from? How is it going to be available for isAuthorized?

--Juan C Calderon 19:16, 16 June 2011 (CDT)
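The two questions above (a typed Resource hierarchy where a FileResource is only assessed by file rules, and how the logged-in user reaches isAuthorized) can be sketched in code. The following is an added example written for this discussion, not code from ESAPI or the specification draft: Resource, FileResource, UrlResource, Subject, Action, AccessRule and TypedAccessController are all hypothetical names chosen here, and the rule logic is constructed for illustration. The subject is passed in explicitly by the caller rather than read from hidden global state, which is one answer to "from where?".

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Hypothetical stereotypes for this example; the specification's own
// Resource hierarchy is not shown on this page.
interface Resource {
    String name();
}

record FileResource(String path) implements Resource {
    public String name() { return path; }
}

record UrlResource(String url) implements Resource {
    public String name() { return url; }
}

// The caller supplies the authenticated subject, so the controller does not
// care whether login state lives in a session, a request or a thread-local.
record Subject(String username, Set<String> roles) {
    boolean hasRole(String role) { return roles.contains(role); }
}

enum Action { READ, WRITE, DELETE }

class AccessControlException extends RuntimeException {
    AccessControlException(String message) { super(message); }
}

// A rule is bound to exactly one concrete Resource type at compile time.
interface AccessRule<R extends Resource> {
    Class<R> resourceType();
    boolean permits(Subject subject, R resource, Action action);
}

final class TypedAccessController {
    private final List<AccessRule<? extends Resource>> rules = new ArrayList<>();

    <R extends Resource> void register(AccessRule<R> rule) {
        rules.add(rule);
    }

    // Only rules declared for the resource's class are consulted, so a
    // FileResource never runs URL rules. Deny by default when no rule covers
    // the resource type, and deny when any applicable rule refuses.
    boolean isAuthorized(Subject subject, Resource resource, Action action) {
        boolean covered = false;
        for (AccessRule<? extends Resource> rule : rules) {
            if (rule.resourceType().isInstance(resource)) {
                covered = true;
                if (!evaluate(rule, subject, resource, action)) {
                    return false;
                }
            }
        }
        return covered;
    }

    void assertAuthorized(Subject subject, Resource resource, Action action) {
        if (!isAuthorized(subject, resource, action)) {
            throw new AccessControlException(
                subject.username() + " is not allowed to " + action + " " + resource.name());
        }
    }

    // Wildcard capture plus the rule's own Class token gives a checked cast.
    private static <R extends Resource> boolean evaluate(
            AccessRule<R> rule, Subject subject, Resource resource, Action action) {
        return rule.permits(subject, rule.resourceType().cast(resource), action);
    }

    public static void main(String[] args) {
        TypedAccessController ac = new TypedAccessController();

        // Constructed file rule: anyone may read under /var/app/data/,
        // only the admin role may write or delete there, nothing else is reachable.
        ac.register(new AccessRule<FileResource>() {
            public Class<FileResource> resourceType() { return FileResource.class; }
            public boolean permits(Subject s, FileResource f, Action a) {
                if (!f.path().startsWith("/var/app/data/")) return false;
                return a == Action.READ || s.hasRole("admin");
            }
        });

        // Constructed URL rule: /admin/ paths require the admin role.
        ac.register(new AccessRule<UrlResource>() {
            public Class<UrlResource> resourceType() { return UrlResource.class; }
            public boolean permits(Subject s, UrlResource u, Action a) {
                return !u.url().startsWith("/admin/") || s.hasRole("admin");
            }
        });

        Subject alice = new Subject("alice", Set.of("user"));
        Subject bob = new Subject("bob", Set.of("user", "admin"));

        System.out.println("alice read report:  " + ac.isAuthorized(alice, new FileResource("/var/app/data/report.txt"), Action.READ));
        System.out.println("alice write report: " + ac.isAuthorized(alice, new FileResource("/var/app/data/report.txt"), Action.WRITE));
        System.out.println("alice read passwd:  " + ac.isAuthorized(alice, new FileResource("/etc/passwd"), Action.READ));
        System.out.println("bob admin page:     " + ac.isAuthorized(bob, new UrlResource("/admin/users"), Action.READ));
        ac.assertAuthorized(bob, new FileResource("/var/app/data/report.txt"), Action.DELETE);
    }
}
```

Compile with `javac` (Java 16 or later, for records) and run `java TypedAccessController`. The point of the generic AccessRule<R> is that a rule for FileResource cannot be registered against, or invoked with, a UrlResource, which is the compile-time guarantee the (Object) parameters of the old isAuthorizedForXXX methods could not give.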

Exceptions

The specification looks very "Java"; that is, I am not quite sure whether you can handle structured exceptions in PHP, and in Classic ASP it is not possible, yet it could be emulated a little. Can we come to a representation that is more language neutral? (This is not a show stopper, I am just thinking about trying to be as neutral as possible.)

--Juan C Calderon 19:21, 16 June 2011 (CDT)