http://www.jtmelton.com/2010/06/16/the-owasp-top-ten-and-esapi-part-8-broken-authentication-and-session-management/ Java, Security and Technology Wed, 25 Jan 2012 05:18:23 +0000 hourly 1 http://wordpress.org/?v=3.3.1 http://www.jtmelton.com/2010/06/16/the-owasp-top-ten-and-esapi-part-8-broken-authentication-and-session-management/comment-page-1/#comment-5907 Owen Sat, 26 Jun 2010 00:25:42 +0000 http://www.jtmelton.com/?p=123#comment-5907 Cool, thank you, working on it now. Will likely take me longer than a day though! Cool, thank you, working on it now. Will likely take me longer than a day though!

]]> http://www.jtmelton.com/2010/06/16/the-owasp-top-ten-and-esapi-part-8-broken-authentication-and-session-management/comment-page-1/#comment-5834 john Fri, 25 Jun 2010 04:32:02 +0000 http://www.jtmelton.com/?p=123#comment-5834 @Owen, There is currently no database-backed implementation of the authenticator in ESAPI, and that may or may not change. I suspect (though I can't speak for the dev team) that the reason for not including one is that a database driven implementation is going to levy a specific schema requirement on an application. This might be fine for some applications that are likely a)very small and b)using ESAPI from day one, but it's unlikely that's an acceptable requirement outside of those 2 situations. However, having said that, much of the code in the FileBasedAuthenticator does not need to be changed in order to use a database. Simply look for the places where data goes in or out of the datastore, and make your modifications. Much of the code can likely be reused. If it helps, it took me a day or two to do that work, and I believe I remember Jim Manico (ESAPI dev lead) saying a similar conversion to Hibernate took him about 2 days as well. Good luck! @Owen,
There is currently no database-backed implementation of the authenticator in ESAPI, and that may or may not change. I suspect (though I can’t speak for the dev team) that the reason for not including one is that a database driven implementation is going to levy a specific schema requirement on an application. This might be fine for some applications that are likely a)very small and b)using ESAPI from day one, but it’s unlikely that’s an acceptable requirement outside of those 2 situations.
However, having said that, much of the code in the FileBasedAuthenticator does not need to be changed in order to use a database. Simply look for the places where data goes in or out of the datastore, and make your modifications. Much of the code can likely be reused. If it helps, it took me a day or two to do that work, and I believe I remember Jim Manico (ESAPI dev lead) saying a similar conversion to Hibernate took him about 2 days as well. Good luck!

]]> http://www.jtmelton.com/2010/06/16/the-owasp-top-ten-and-esapi-part-8-broken-authentication-and-session-management/comment-page-1/#comment-5833 Owen Fri, 25 Jun 2010 04:23:24 +0000 http://www.jtmelton.com/?p=123#comment-5833 Mr. Melton, I have been attempting to adapt a website I am working on to use the principles (and of course the library) of ESAPI, but there is no User to Database interaction that I can find. Are there any examples you are aware of for a DatabaseBasedAuthenticator, rather than the FileBasedAuthenticator that they use as the default authenticator? Thank you for any help. Mr. Melton,
I have been attempting to adapt a website I am working on to use the principles (and of course the library) of ESAPI, but there is no User to Database interaction that I can find. Are there any examples you are aware of for a DatabaseBasedAuthenticator, rather than the FileBasedAuthenticator that they use as the default authenticator? Thank you for any help.

]]> http://www.jtmelton.com/2010/06/16/the-owasp-top-ten-and-esapi-part-8-broken-authentication-and-session-management/comment-page-1/#comment-5097 Tweets that mention The OWASP Top Ten and ESAPI – Part 8 – Broken Authentication and Session Management : John Melton's Weblog -- Topsy.com Thu, 17 Jun 2010 09:18:17 +0000 http://www.jtmelton.com/?p=123#comment-5097 [...] This post was mentioned on Twitter by Roberto Martinez, Open Foundstone. Open Foundstone said: The OWASP Top Ten and ESAPI – Part 8 – Broken Authentication and Session Management: This article will describe ho... http://bit.ly/dj41JD [...] [...] This post was mentioned on Twitter by Roberto Martinez, Open Foundstone. Open Foundstone said: The OWASP Top Ten and ESAPI – Part 8 – Broken Authentication and Session Management: This article will describe ho… http://bit.ly/dj41JD [...]

]]>