ESAPI Specification

From OWASP
Revision as of 01:51, 16 June 2011 by Chris Schmidt (Talk | contribs)

This document is currently under development - Please use the Discussion page for threaded conversation

Proposed Migration Roadmap

  • ESAPI 2.1
    • Create new package org.owasp.esapi.core
    • Create new set of Interfaces in new package with each extending its org.owasp.esapi counterpart
    • Deprecate methods in org.owasp.esapi Interfaces
  • ESAPI 2.5
    • Remove deprecated methods that were deprecated at or before ESAPI 2.0
    • Introduce new ServiceLocator API
  • ESAPI 3.0
    • Separate Core API into its own artifact/project called ESAPI-Core
    • Create new set of artifacts as outlined in ESAPI_Project_Structure
    • Introduce Core API Testing Suite

Core API Specification

AccessController

The AccessController is responsible for determining if the currently logged in user has access to a given resource. The resource can be anything that implements the Resource Interface.

Changes from ESAPI 2.0

  • Removed deprecated methods
  • Added Generic Stereotypes to the Key and Context parameters

StereoTypes

  Parameter  Description
  R          A class that implements the Resource Interface and represents the Resource the user is requesting access to
  Context    Any object that represents the current context of the Authorization request - this is generally a Key-Value map

Methods

<R extends Resource,Context> void assertAuthorized(R resource, Context context) throws AccessDeniedException

Assert that the currently logged in user can access the given Resource with the given Context parameters

Parameters

  Parameter  Default Value  Description
  resource   -              The resource that the user is attempting to access
  context    -              The context of the request. This could be any type of object - for instance, if requesting access to data, the context may be the resource identifier for the identified resource.

Exceptions

  Exception              Description
  AccessDeniedException  If the assertion evaluates to false, an AccessDeniedException will be thrown with contextual information as to the reason for the failure

<R extends Resource,Context> boolean isAuthorized(R resource, Context context)

Determine if the given resource is accessible by the currently logged in User

Parameters

  Parameter  Default Value  Description
  resource   -              The resource that the user is attempting to access
  context    -              The context of the request. This could be any type of object - for instance, if requesting access to data, the context may be the resource identifier for the identified resource.
Return

Returns true if the resource is accessible to the currently logged in user and false if it is not.
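One way the AccessController contract above could be implemented, as an added example (not ESAPI code): Resource, isInRole and AccessDeniedException follow the names in this spec, while RoleProtectedResource, SimpleUser and the "action" context key are assumptions made for illustration. Unknown resource types and unknown actions are denied by default, and assertAuthorized is defined strictly in terms of isAuthorized so the two can never disagree.

```java
import java.util.Map;
import java.util.Set;

// Added example, not ESAPI code: a role-based AccessController.
// Resource, isInRole and AccessDeniedException follow the spec; the rest is assumed.
interface Resource { }

class AccessDeniedException extends Exception {
    AccessDeniedException(String message) { super(message); }
}

// A resource that declares, per action, which roles may perform it (assumed shape).
final class RoleProtectedResource implements Resource {
    final String id;
    final Map<String, Set<String>> rolesByAction;
    RoleProtectedResource(String id, Map<String, Set<String>> rolesByAction) {
        this.id = id;
        this.rolesByAction = Map.copyOf(rolesByAction);
    }
}

// Minimal stand-in for the spec's User; only isInRole() is needed here.
final class SimpleUser {
    final String accountName;
    private final Set<String> roles;
    SimpleUser(String accountName, Set<String> roles) { this.accountName = accountName; this.roles = Set.copyOf(roles); }
    boolean isInRole(String role) { return roles.contains(role); }
}

final class RoleBasedAccessController {
    private final SimpleUser currentUser;   // the "currently logged in user" of the spec
    RoleBasedAccessController(SimpleUser currentUser) { this.currentUser = currentUser; }
    // Context is a key-value map, as the spec suggests; the "action" entry names the operation.
    <R extends Resource, Context extends Map<String, ?>> boolean isAuthorized(R resource, Context context) {
        if (!(resource instanceof RoleProtectedResource)) return false;          // unknown resource type: deny
        Set<String> required = ((RoleProtectedResource) resource).rolesByAction.get(context.get("action"));
        if (required == null) return false;                                      // unknown action: deny
        return required.stream().anyMatch(currentUser::isInRole);
    }
    <R extends Resource, Context extends Map<String, ?>> void assertAuthorized(R resource, Context context)
            throws AccessDeniedException {
        if (!isAuthorized(resource, context)) {
            // Report who was denied what, so the failure is diagnosable without leaking resource contents.
            String id = resource instanceof RoleProtectedResource ? ((RoleProtectedResource) resource).id : "?";
            throw new AccessDeniedException("user " + currentUser.accountName + " may not "
                    + context.get("action") + " resource " + id);
        }
    }
}
```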

AccessReferenceMap<Key>

<Type> Key addDirectReference(Type direct)

<Type> Type getDirectReference(Key key)

<Type> Key getIndirectReference(Type directReference)

<Type> Key removeDirectReference(Type directReference)

<Type> void update(Set<Type> directReferences)
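An added example (not ESAPI code) of the AccessReferenceMap<Key> contract above with String keys: direct references such as database ids are handed to the client only as random, unguessable tokens, so an id in a URL or form field cannot simply be incremented to reach someone else's record. The token length, the use of IllegalArgumentException for unknown tokens, and the idempotent behaviour of addDirectReference are assumptions made here.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example, not ESAPI code: AccessReferenceMap<Key> with Key = String.
// Tokens are 96 random bits, URL-safe base64, so they cannot be guessed or enumerated.
final class RandomAccessReferenceMap {
    private final SecureRandom random = new SecureRandom();
    private final Map<String, Object> indirectToDirect = new HashMap<>();
    private final Map<Object, String> directToIndirect = new HashMap<>();
    public <Type> String addDirectReference(Type direct) {
        String existing = directToIndirect.get(direct);
        if (existing != null) return existing;          // same direct reference keeps its token
        String key;
        do {
            byte[] bytes = new byte[12];
            random.nextBytes(bytes);
            key = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        } while (indirectToDirect.containsKey(key));    // collision is astronomically unlikely, but cheap to rule out
        indirectToDirect.put(key, direct);
        directToIndirect.put(direct, key);
        return key;
    }
    @SuppressWarnings("unchecked")
    public <Type> Type getDirectReference(String key) {
        Object direct = indirectToDirect.get(key);
        // Unknown key: never issued, already removed, or tampered with by the client.
        if (direct == null) throw new IllegalArgumentException("unknown indirect reference");
        return (Type) direct;
    }
    public <Type> String getIndirectReference(Type directReference) {
        return directToIndirect.get(directReference);   // null if this reference was never added
    }
    public <Type> String removeDirectReference(Type directReference) {
        String key = directToIndirect.remove(directReference);
        if (key != null) indirectToDirect.remove(key);
        return key;
    }
    // Re-sync with the set the user may currently access: drop tokens for references that
    // disappeared, keep tokens for those that remain, and issue tokens for new ones.
    public <Type> void update(Set<Type> directReferences) {
        for (Object stale : new HashSet<>(directToIndirect.keySet())) {
            if (!directReferences.contains(stale)) removeDirectReference(stale);
        }
        for (Type direct : directReferences) addDirectReference(direct);
    }
}
```

Because getDirectReference() refuses unknown tokens, a request carrying a token the map never issued fails closed rather than falling through to a direct lookup.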

Authenticator

User login() throws AuthenticationException

void logout() throws AuthenticationException

Codec

String encode(char c)

String decode(String s)

Encoder

String encode(String s)

String decode(String s)

void addCodec(Codec c)

Set<Codec> getCodecs()

void setCodecs(Set<Codec> codecs)

Encryptor

PlainText decrypt(CipherText cipherText, SecretKey secretKey) throws EncryptionException

CipherText encrypt(PlainText plainText, SecretKey secretKey) throws EncryptionException

MessageDigest hash(PlainText plainText, Salt salt, Integer iterations) throws EncryptionException

String seal(String data, Long timestamp) throws EncryptionException

String sign(String data) throws EncryptionException

String unseal(String sealedData) throws EncryptionException

void verifySeal(String sealedData) throws DataIntegrityException

void verifySignature(String signature, String data) throws InvalidSignatureException

Executor

ExecutorResult executeSystemCommand(ExecutorTarget target, Encoder encoder) throws ExecutionException

ExecutorResult

String getErrorOutput()

String getStandardOutput()

Integer getExitValue()

ExecutorTarget

native FileHandle getExecutable()

native Handle getWorkingDirectory()

OrderedMap<String,String> getParameters()

IntrusionDetector

void addEvent(String eventName, String message)

void addException(Throwable exception)

LogFactory

Still thinking this one through

Logger

Still thinking this one through

Randomizer

Boolean getRandomBoolean()

Byte[] getRandomBytes(Integer len)

String getRandomFilename(String extension)

String getRandomUUID()

Integer getRandomInteger(Integer min, Integer max)

Long getRandomLong(Long min, Long max)

Float getRandomReal(Float min, Float max)

String getRandomString(Integer len, char[] charSet)

Resource

Marker Interface for Resources that a user can request access to.

ServiceLocator

User

<Type> Type getAccountID()

String getAccountName()

Long getExpirationTime()

Integer getFailedLoginCount()

Long getLastFailedLoginTime()

String getLastHostAddress()

Long getLastLoginTime()

Long getLastPasswordChangeTime()

String getLocale()

Set<String> getRoles()

String getScreenName()

Boolean isAnonymous()

Boolean isEnabled()

Boolean isExpired()

Boolean isInRole(String role)

Boolean isLocked()

Boolean isLoggedIn()

Validator

<Type> Boolean isValid(Type data)

<Type> void assertValid(Type data)

Exceptions

AccessDeniedException

AccountDisabledException

AccountLockedException

AuthenticationException

EncodingException

EncryptionException

EnterpriseSecurityException

EnterpriseSecurityRuntimeException

ExecutionException

IncorrectCredentialsException

Web API Specification

This API describes the components that can be used in the context of a Web Application.

ClientCookie

String getName()

void setName(String name)

String getValue()

void setValue(String value)

Integer getMaxAge()

void setMaxAge(Integer maxAge)

String getDomain()

void setDomain(String domain)

String getPath()

void setPath(String path)

Boolean isHttpOnly()

void setHttpOnly(Boolean httpOnly)

Boolean isSecure()

void setSecure(Boolean secure)

SecureHttpRequest

void assertSecureChannel()

void assertSecureRequest()

ClientCookie getCookie(String name)

List<FileHandle> getFileUploads()

<T> T getAttribute(String name)

String getHeader(String header)

String getParameter(String name)

void sendForward(String url)

void verifyCsrfToken() throws CsrfException

SecureHttpResponse

void addCookie(ClientCookie cookie)

void addHeader(String key, String value)

void killCookies()

void sendRedirect(String url)

void setContentType(String contentType)

void setNoCacheHeaders()

SecureHttpSession

<T> T getAttribute(String key)

WebUser

String getCsrfToken()

void resetCsrfToken()

void addSession(SecureHttpSession session)

void removeSession(SecureHttpSession session)

Mobile API Specification

Desktop API Specification