JavaEE Enterprise Security API 2 Release Notes

From OWASP
Jump to: navigation, search

Overview of Changes from RC2

  • Encryption Refactor
  • Java 5 Generics
  • Thread-Safety Overhaul
  • Documentation Cleanup
  • Bug Fixes from Issue Tracker

Detailed Changelog from RC2

ChangeLog

  • 2009-07-21 00:05 manico.james
  • [#r569 [r569]] . ESAPI 2.0 quality branch for the many very talented newcomers to experiement with.
  • 2009-07-22 05:54 chrisisbeef
  • [#r571 [r571]] src/main/java/org/owasp/esapi/reference/AbstractAccessReferenceMap.java New AbstractAccessReferenceMap to combine functionality between the 2 reference implmentations.

    The new reference implementations are backed by ConcurrentHashMap instead of HashMap to promote thread-safety as an aspect of security. They also leverage Java5 generics to allow strict typing of both direct references to objects and the type of key that is the indirect objects, allowing for complex key-types to be generated and used as indirect references.
  • 2009-07-22 05:56 chrisisbeef
  • [#r572 [r572]] src/main/java/org/owasp/esapi/AccessReferenceMap.java, src/main/java/org/owasp/esapi/reference/IntegerAccessReferenceMap.java, src/main/java/org/owasp/esapi/reference/RandomAccessReferenceMap.java Adjusted reference implementations to extend the new AbstractAccessReferenceMap instead of directly implementing the AccessReferenceMap interface. Added Java5 generics.
  • 2009-07-22 06:53 chrisisbeef
  • [#r573 [r573]] src/main/java/org/owasp/esapi/HTTPUtilities.java, src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java Updated for thread-safety and Java5 Generics.
  • 2009-07-24 07:43 chrisisbeef
  • [#r575 [r575]] pom.xml Added AntiSamy dependency repository and adjusted dependency descriptor.
  • 2009-07-24 07:53 chrisisbeef
  • [#r576 [r576]] src/main/java/org/owasp/esapi/filters/RequestRateThrottleFilter.java Modified synchronized block to block on session.getId().intern()
  • 2009-07-24 08:30 chrisisbeef
  • [#r577 [r577]] src/main/java/org/owasp/esapi/HTTPUtilities.java, src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java, src/test/java/org/owasp/esapi/reference/HTTPUtilitiesTest.java Add new methods to retrieve typed attributes from the session and request from either the current calling thread or the passed in request/session
  • 2009-07-24 21:39 chrisisbeef
  • [#r578 [r578]] src/main/java/org/owasp/esapi/User.java, src/main/java/org/owasp/esapi/reference/DefaultUser.java, src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java, src/main/java/org/owasp/esapi/util/StringUtils.java FileBasedAuthenticator:
    1. Updated source to take advantage of Java5 generics and auto-boxing.
    2. Added similarity check to the generateStrongPassword method using recursion using the Levenshtein Distance algorythm.
    3. Corrected some small bugs such as inserting the user.getAccountName() into the passwordMap instead of the user and there were
    a few places where we were creating an AuthenticationException but not throwing it.
    4. Made a few performance enhancements with loops.

    User/DefaultUser:
    1. Updated source to take advantage of Java5 Generics

    StringUtils:
    1. New util class to hold String analysis and transformation utility methods
  • 2009-07-25 05:06 chrisisbeef
  • [#r579 [r579]] src/main/java/org/owasp/esapi/Authenticator.java Corrected a typo in the JavaDocs
  • 2009-07-28 03:02 kevin.w.wall
  • [#r580 [r580]] src/main/resources/.esapi/ESAPI.properties Updated regex for Validator.FileName and Validator.DirectoryName to exclude empty names.
    I.e., changed regex from {0,255} to {1,255}.
  • 2009-07-28 03:15 kevin.w.wall
  • [#r581 [r581]] src/test/resources/.esapi/ESAPI.properties Updated regex for Validator.FileName and Validator.DirectoryName to exclude empty names.
    I.e., changed regex from {0,255} to {1,255}.
  • 2009-07-28 03:45 kevin.w.wall
  • [#r582 [r582]] src/main/java/org/owasp/esapi/codecs/Base64.java Added 3 CHECKME comments as well as new logging in exception and fixed one spelling
    error.
  • 2009-08-04 03:26 kevin.w.wall
  • [#r583 [r583]] src/main/java/org/owasp/esapi/codecs/Base64.java 1) Enhanced initial CHECKME comment about tracker Harder version vs forking from his version.
    2) Combined 5 separate logging entries in caught exception with one logging entry to prevent interleaving of logs by other threads making log hard to read. Still have CHECKME comment there as not sure if format is satisfactory with everyone. (Some may prefer one very long line.)
    3) Changed caught exception to log warning rather than error, reasoning that if exception not rethrown but rather simply swallowed this doesn't justify being called an error. (OTOH, one could argue if your JRE is missing UTF-8 encoding, it is probably FUBAR and thus you might want it to be an error.) Rather than debating the merits on my own, I left CHECKME comment that we can discuss the approach during inspection.
  • 2009-08-04 03:38 kevin.w.wall
  • [#r584 [r584]] src/main/java/org/owasp/esapi/reference/JavaEncryptor.java Changes to JavaEncrytor CTOR, and hash(), sign(), verifySignature()
    member functions to account for preferred byte encoding (defaults to UTF-8)
    rather using than native platform byte encoding that can vary from one
    platform to the next.

    Updated main()'s javadoc and changed System.out.println from using "\n" to
    the Java property line.separator which should pick the correct line
    terminator as per native OS. Defaults to newline in unusual event that
    line.separator property is not set.

    Completed Javadoc for main().

    NB: These changes could conceivably affect those that were running on a
    platform where UTF-8 is not the native encoding (e.g., Windows OS) resulting
    in a different master secret. If this is a problem we can revert back to previous
    version or user could change encoding in ESAPI.properties. However, I'd rather
    cause issues now rather than later when many more are using it. I still need to
    check the EncryptorTest. I think it will be OK with these changes, but have not
    yet verified that it didn't write something out to a file that it later reads back
    in. If so, that may break too.
  • 2009-08-04 04:03 kevin.w.wall
  • [#r585 [r585]] src/main/java/org/owasp/esapi/waf/ESAPIWebApplicationFirewallFilter.java 1) Changed e.printStackTrace() to logger.error() message plus exception.
    2) Changed encoding in redirectUserToErrorPage() from default encoding to character encoding used by InterceptingHttpServletResponse object.
  • 2009-08-05 04:51 neil.matatall
  • [#r586 [r586]] src/main/java/org/owasp/esapi/Encoder.java, src/main/java/org/owasp/esapi/EncoderConstants.java, src/main/java/org/owasp/esapi/StringUtilities.java, src/main/java/org/owasp/esapi/ValidationErrorList.java, src/main/java/org/owasp/esapi/ValidationRule.java, src/main/java/org/owasp/esapi/reference/validation/BaseValidationRule.java, src/main/java/org/owasp/esapi/reference/validation/CreditCardValidationRule.java, src/main/java/org/owasp/esapi/reference/validation/DateValidationRule.java, src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java, src/main/java/org/owasp/esapi/reference/validation/IntegerValidationRule.java, src/main/java/org/owasp/esapi/reference/validation/NumberValidationRule.java, src/main/java/org/owasp/esapi/reference/validation/StringValidationRule.java Moved Encoder constants to own class, EncoderConstants per https://lists.owasp.org/pipermail/owasp-esapi/2009-August/000680.html
    StringUtilities: converted union to use varargs
    ValidationErrorList: Now uses generics
    ValidationRule: documented each method, removed unecessary declarations

    BaseValidationRule: fixed whitelist implementation, added whitelist(String, Set) updated docs, cleaned up findbugs findings
    CreditCardValidationRule: cleaned up code, abstracted validCreditCardFormat to allow for custom validation (currently uses Luhn validation), renamed getCCRule because it was misleading, added getter method for the ccRule
    DateValidation: fixed sanitize implementation to be consistent with the interface, code Cleanup
    HTMLValidationRule: fixed sanitize implementation to be consistent with the interface, code cleanup
    IntegerValidationRule: fixed sanitize implementation to be consistent with the interface, code cleanup
    NumberValidationRule: fixed sanitize implementation to be consistent with the interface, code cleanup
    StringValidationRule: Cleanup
  • 2009-08-06 04:06 neil.matatall
  • [#r587 [r587]] src/main/java/org/owasp/esapi/EncoderConstants.java, src/main/java/org/owasp/esapi/util/CollectionsUtil.java Moved arrayToSet method from EncoderConstants to new CollectionsUtil class. Renamed method from array2Set.
  • 2009-08-06 04:15 neil.matatall
  • [#r588 [r588]] src/main/java/org/owasp/esapi/SecurityConfiguration.java, src/main/java/org/owasp/esapi/Validator.java, src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java, src/main/java/org/owasp/esapi/reference/DefaultValidator.java Updated classes to use generics.
  • 2009-08-07 02:46 kevin.w.wall
  • [#r589 [r589]] src/main/resources/.esapi/ESAPI.properties Changed regular expressions for Validator.SystemCommand,
    Validator.HTTPParameterName, HTTPCookieName, and Validator.HTTPHeaderName
    properties from matching '0 to N' of character class to '1 to N' of same,
    where N varies depending on the property. (Note: I suppose it's debatable
    whether or not one should allow an empty SystemCommand. A small group
    of us decided not, but this should be reviewed.)

    Props to Craig Younkins for pointing these out.
  • 2009-08-07 02:48 kevin.w.wall
  • [#r590 [r590]] src/test/resources/.esapi/ESAPI.properties Changed regular expressions for Validator.SystemCommand,
    Validator.HTTPParameterName, HTTPCookieName, and Validator.HTTPHeaderName
    properties from matching '0 to N' of character class to '1 to N' of same,
    where N varies depending on the property. (Note: I suppose it's debatable
    whether or not one should allow an empty SystemCommand. A small group
    of us decided not, but this should be reviewed.)

    Props to Craig Younkins for pointing these out.
  • 2009-08-14 04:22 kevin.w.wall
  • [#r591 [r591]] src/test/java/org/owasp/esapi/util, src/test/java/org/owasp/esapi/util/ThePrefectClass.java Auxiliary class used with ObjFactoryTest class.
  • 2009-08-14 05:05 kevin.w.wall
  • [#r592 [r592]] src/main/java/org/owasp/esapi/util/ObjFactory.java New generic class used to create various ESASPI classes from
    org.owasp.esapi.ESAPI. This class is generally reusable as well.
  • 2009-08-14 05:28 kevin.w.wall
  • [#r593 [r593]] src/main/java/org/owasp/esapi/CipherText.java Interface to represent general ciphertext. This interface is in preparation for a rewrite of
    the Encryptor interface that will allow a more general encryption mechanism with other
    cipher modes. (The goal is to get rid of the cryptographically weak ECB mode and replace
    it with CBC mode or another equally strong mode. Note all other modes require IVs.)
  • 2009-08-14 05:31 kevin.w.wall
  • [#r594 [r594]] src/main/java/org/owasp/esapi/reference/DefaultCipherText.java This class will ultimately be the reference ESAPI implementation of the new CipherText
    interface.

    Note that this class is just stubbed out at this time. Work on it continues.
  • 2009-08-14 05:36 kevin.w.wall
  • [#r595 [r595]] src/main/java/org/owasp/esapi/reference/JavaEncryptor.java Replaced some of the older collection classes with their generic
    equivalents (e.g., TreeMap).

    Some documentation corrections.

    Added stubs for new encrypt and decrypt methods using the new CipherText
    interface.
  • 2009-08-14 05:38 kevin.w.wall
  • [#r596 [r596]] src/main/java/org/owasp/esapi/Encryptor.java Some Javadoc improvements.

    Added the new encrypt and decrypt methods using the new CipherText
    interface.
  • 2009-08-14 05:40 kevin.w.wall
  • [#r597 [r597]] src/main/java/org/owasp/esapi/errors/ConfigurationException.java Moved ConfigurationException class to org.owasp.esapi.errors package with most
    of the other ESAPI exceptions. Also changed it so that it extends RuntimeException
    rather than just Exception so these may be treated as unchecked exceptions
    thus simplifying the client's code.
  • 2009-08-14 05:41 kevin.w.wall
  • [#r598 [r598]] src/main/java/org/owasp/esapi/waf/ESAPIWebApplicationFirewallFilter.java Changed import to reflect new package for ConfigurationException.
  • 2009-08-14 05:42 kevin.w.wall
  • [#r599 [r599]] src/main/java/org/owasp/esapi/waf/ConfigurationException.java Removing. This class was moved to the org.owasp.esapi.errors package.
    (Hope this commit will actually remove it from here. We'll see.)
  • 2009-08-14 05:43 kevin.w.wall
  • [#r600 [r600]] src/main/java/org/owasp/esapi/waf/configuration/ConfigurationParser.java Changed import to reflect new package for ConfigurationException.
  • 2009-08-14 05:46 kevin.w.wall
  • [#r601 [r601]] src/main/resources/.esapi/ESAPI.properties Updated with new properties in preparation for the new, more general, encryption / decryption
    facilities using the CipherText interface.

    Also updated many of the related comments.
  • 2009-08-14 05:47 kevin.w.wall
  • [#r602 [r602]] src/test/java/org/owasp/esapi/util/ObjFactoryTest.java New Junit tests for ObjFactory.
  • 2009-08-14 05:55 kevin.w.wall
  • [#r603 [r603]] src/test/java/org/owasp/esapi/reference/EncoderTest.java Changes to use generics instead of the older collection classes.

    Changes to use UTF-8 encoding rather than the native encoding of
    wherever the JVM is running at the time. (This is mostly in case
    we want to persist some encoded data to use as a test baseline.)
  • 2009-08-14 05:56 kevin.w.wall
  • [#r604 [r604]] src/test/java/org/owasp/esapi/reference/ValidatorTest.java Changes to use UTF-8 encoding rather than the native encoding of
    wherever the JVM is running at the time. (This is mostly in case
    we want to persist some encoded data to use as a test baseline.)
  • 2009-08-14 05:59 kevin.w.wall
  • [#r605 [r605]] src/test/java/org/owasp/esapi/reference/HTTPUtilitiesTest.java Changes encoding to use the standard response encoding rather than using
    the native encoding of wherever the JVM is running at the time.
  • 2009-08-14 06:03 kevin.w.wall
  • [#r606 [r606]] src/test/java/org/owasp/esapi/reference/EncryptorTest.java Added TODO about adding new test that persists encrypted data so we can test
    encrypting / decrypting across different OSes and architectures.
  • 2009-08-14 06:12 kevin.w.wall
  • [#r607 [r607]] src/main/java/org/owasp/esapi/ESAPI.java Refactored a half-dozen or so code fragments of code like this:
    String accessControllerName =
    securityConfiguration().getAccessControlImplementation();
    try {
    Class theClass = Class.forName(accessControllerName);
    accessController = (AccessController)theClass.newInstance();
    } catch ( ClassNotFoundException ex ) {
    System.out.println( ex + " AccessController class (" + accessControllerName + ") must be in class path.");
    } catch( InstantiationException ex ) {
    System.out.println( ex + " AccessController class (" + accessControllerName + ") must be concrete.");
    } catch( IllegalAccessException ex ) {
    System.out.println( ex + " AccessController class (" + accessControllerName + ") must have a no-arg constructor.");
    }

    with the much simpler refactored code that looks like this:
    String accessControllerName =
    securityConfiguration().getAccessControlImplementation();
    accessController =
    (new ObjFactory()).make(accessControllerName, "AccessController");
  • 2009-08-20 00:48 kevin.w.wall
  • [#r609 [r609]] src/main/java/org/owasp/esapi/util/ObjFactory.java Add private CTOR to prevent instantiation.
  • 2009-08-20 21:35 chrisisbeef
  • [#r610 [r610]] src/main/java/org/owasp/esapi/codecs/CSSCodec.java, src/main/java/org/owasp/esapi/codecs/Codec.java, src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java, src/main/java/org/owasp/esapi/codecs/JavaScriptCodec.java, src/main/java/org/owasp/esapi/codecs/PercentCodec.java Updated code to use Java5 Generics and new API's
  • 2009-08-25 03:38 kevin.w.wall
  • [#r611 [r611]] documentation/ESAPI_2.0_ReleaseNotes_CryptoChanges.html New file -- Explains why we are making changes to the Encryptor encrypt / decrypt methods in ESAPI Java 2.0 and gives some examples of use.
  • 2009-08-25 03:42 kevin.w.wall
  • [#r612 [r612]] src/main/resources/.esapi/ESAPI.properties Summarized crypto changes, added new properties to support new Encryptor encrypt / decrypt methods, briefly explained backward compatibility for Encryptor.
  • 2009-08-25 03:47 kevin.w.wall
  • [#r613 [r613]] src/main/java/org/owasp/esapi/CipherText.java Untested! Made Serializable, added several new methods, flushed out Javadoc.
  • 2009-08-25 03:49 kevin.w.wall
  • [#r614 [r614]] src/main/java/org/owasp/esapi/Encryptor.java Flushed out Javadoc. Added 2 new methods (encrypt() and decrypt() that take a SecretKey).
  • 2009-08-25 03:53 kevin.w.wall
  • [#r615 [r615]] src/main/java/org/owasp/esapi/ESAPI.java Added some comments for discussion (marked 'DISCUSS').
  • 2009-08-25 03:54 kevin.w.wall
  • [#r616 [r616]] src/main/java/org/owasp/esapi/PreparedString.java Fixed Javadoc so it wouldn't prematurely die.
  • 2009-08-25 03:56 kevin.w.wall
  • [#r617 [r617]] src/main/java/org/owasp/esapi/Randomizer.java Added new method, getRandomBytes(int n).
  • 2009-08-25 03:58 kevin.w.wall
  • [#r618 [r618]] src/main/java/org/owasp/esapi/SecurityConfiguration.java Fixed misc Javadoc, added several new mthods to support new Encryptor encrypt / decrypt methods.
  • 2009-08-25 03:59 kevin.w.wall
  • [#r619 [r619]] src/main/java/org/owasp/esapi/codecs/Hex.java New class to do hexadecimal encoding / decoding.
  • 2009-08-25 04:04 kevin.w.wall
  • [#r620 [r620]] src/main/java/org/owasp/esapi/reference/DefaultCipherText.java Untested! Completed implementation and Javadoc.
  • 2009-08-25 04:05 kevin.w.wall
  • [#r621 [r621]] src/main/java/org/owasp/esapi/reference/DefaultRandomizer.java Untested! Implemented new gentRandomBytes(int) method.
  • 2009-08-25 04:07 kevin.w.wall
  • [#r622 [r622]] src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java Untested! - Implemented new methods to support new Encryptor encrypt / decrypt methods, Javadoc corrections.
  • 2009-08-25 04:09 kevin.w.wall
  • [#r623 [r623]] src/main/java/org/owasp/esapi/reference/JavaEncryptor.java Untested! Lots of Javadoc changes. Implemented 2 new encrypt() and 2 new decrypt() methods.
  • 2009-08-25 04:12 kevin.w.wall
  • [#r624 [r624]] src/main/java/org/owasp/esapi/util/CipherSpec.java Untested! New class. A Serializable class that carries all info about a specific cipher specification that was used to encrypt some particular ciphertext (other than the SecretKey of course). Main intent is to be used with CipherText, but may be used alone.
  • 2009-08-25 04:15 kevin.w.wall
  • [#r625 [r625]] src/main/java/org/owasp/esapi/util/CryptoHelper.java Untested! New class. Some static methods to simplify encryption and decryption of plaintext Strings, to be used as a replacement for the deprecated Encryptor encrypt() and decrypt() methods if ESAPI users find the newer methods too inconvenient to use.
  • 2009-08-25 04:18 kevin.w.wall
  • [#r626 [r626]] src/main/java/org/owasp/esapi/util/ObjFactory.java Mostly tested (except for one or 2 'catch' clauses). Fixed some Javadoc. Made CTOR public (probably is a way to just do this using a static method, but it wasn't obvious and I didn't want to screw with it). Improved some internal documentation. Added OWASP copyright notice.
  • 2009-08-25 04:20 kevin.w.wall
  • [#r627 [r627]] src/main/java/org/owasp/esapi/util/StringUtils.java Added new notNullOrEmpty() method used in assertions. (untested).
  • 2009-08-25 05:12 kevin.w.wall
  • [#r628 [r628]] src/main/resources/owasp-esapi-dev.jks New keystore file for DEVELOPMENT only. It is self-signed. Purpose is for jar signing.
    Note that passphrases for both the keystore and the private key is 'changeme' (without
    the quotes). Modified pom.xml to use this.
  • 2009-08-25 05:14 kevin.w.wall
  • [#r629 [r629]] pom.xml Try to fix the jar signing by using new self-signed Java keystore file. Still needs lots of work. See comments regarding this therein.
  • 2009-08-26 04:02 kevin.w.wall
  • [#r630 [r630]] src/main/java/org/owasp/esapi/util/StringUtils.java Duh! Fix brainfart #1 (don't code even _simple_ stuff when your sleepy :); fixed notNullOrEmpty()
    Fix spelling error in Javadoc.
  • 2009-08-26 04:02 kevin.w.wall
  • [#r631 [r631]] src/test/java/org/owasp/esapi/util/StringUtilsTest.java New JUnit test for StringUtils class.
  • 2009-08-26 04:08 kevin.w.wall
  • [#r632 [r632]] target/ESAPI-2.0-javadoc.jar Jar containing latest ESAPI Java 2.0 javadoc.
    This will have to do until we can post the actual (unjarred) Javadoc somewhere.
  • 2009-08-30 04:17 kevin.w.wall
  • [#r633 [r633]] src/test/java/org/owasp/esapi/util/CipherSpecTest.java New - JUnit test for org.owasp.esapi.util.CipherSpec class.
  • 2009-08-30 04:20 kevin.w.wall
  • [#r634 [r634]] src/main/java/org/owasp/esapi/util/CipherSpec.java Changes made to CipherSpec as result of JUnit testing. Biggest change had to
    do with being able to hand cipher transformation specified like this:
    Cipher cipher = Cipher.getInstance("AES"); // No mode or padding scheme given.
    CipherSpec cipherSpec = new CipherSpec(cipher);

    For those I used "ECB" for cipher mode and "NoPadding" for padding scheme
    which seems to be the defaults I've run across, at least for SunJCE and AES,
    DES, and DESede.
  • 2009-08-30 04:21 kevin.w.wall
  • [#r635 [r635]] src/main/resources/.esapi/ESAPI.properties Added some more comments to try to clarify things a bit.
  • 2009-08-30 04:23 kevin.w.wall
  • [#r636 [r636]] src/test/resources/.esapi/ESAPI.properties Bring this ESAPI.properties in line with the one under src/main directory.
  • 2009-08-30 04:25 kevin.w.wall
  • [#r637 [r637]] src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java Change to make IV type case insensitive.
    Added comment for discussion at future code inspection.
  • 2009-09-06 19:46 kevin.w.wall
  • [#r641 [r641]] src/main/java/org/owasp/esapi/ESAPI.java Changes to comments targeted for discussion of code inspection.
  • 2009-09-06 19:47 kevin.w.wall
  • [#r642 [r642]] src/main/java/org/owasp/esapi/Encryptor.java Change signature and Javadoc for new encryption method. (Can't overwrite key as SecretKey.)
  • 2009-09-06 19:51 kevin.w.wall
  • [#r643 [r643]] src/main/java/org/owasp/esapi/CipherText.java Removed method to obtain the nonce used for the MIC. (Now a private method in DefaultCipherText.).

    Many minor changes to Javadoc. Lots of other comment changes.
  • 2009-09-06 19:52 kevin.w.wall
  • [#r644 [r644]] src/main/java/org/owasp/esapi/codecs/Hex.java Improved / clarified Javadoc for fromHex() method.
  • 2009-09-06 19:54 kevin.w.wall
  • [#r645 [r645]] src/main/resources/.esapi/ESAPI.properties Added comment that AES cipher block size is 16 bytes. (Most block ciphers have block size of 8 bytes.)
  • 2009-09-06 19:55 kevin.w.wall
  • [#r646 [r646]] src/test/java/org/owasp/esapi/util/ThePrefectClass.java Comment change.
  • 2009-09-06 19:57 kevin.w.wall
  • [#r647 [r647]] src/test/java/org/owasp/esapi/util/ObjFactoryTest.java Added new test (testNullorEmptyTypeName()) where typeName is null or empty string.
  • 2009-09-06 19:59 kevin.w.wall
  • [#r648 [r648]] src/test/java/org/owasp/esapi/util/CryptoHelperTest.java New JUnit test class for unit testing of org.owasp.esapi.util.CryptoHelper class.
  • 2009-09-06 20:01 kevin.w.wall
  • [#r649 [r649]] src/test/java/org/owasp/esapi/util/CipherSpecTest.java Added commented out line to show effects of CipherSpec.toString() method.
    Should probably write test for this, but no time for now.
  • 2009-09-06 20:04 kevin.w.wall
  • [#r650 [r650]] src/main/java/org/owasp/esapi/util/CryptoHelper.java Bug fixes found from unit testing.
    Polish Javadoc.
    Added new method to generate a random SecretKey.
  • 2009-09-06 20:07 kevin.w.wall
  • [#r651 [r651]] src/main/java/org/owasp/esapi/util/CipherSpec.java Bug fixes found from unit testing.
    Default blocksize now 16 bytes, to correspond to AES blocksize.
    Changes to some Java assertions.
    New toString() method.
  • 2009-09-06 20:10 kevin.w.wall
  • [#r652 [r652]] src/main/java/org/owasp/esapi/reference/JavaEncryptor.java Bug fixes found from unit testing.
    Polish Javadoc.
    (Note: JUnit testing not complete.)
  • 2009-09-06 20:11 kevin.w.wall
  • [#r653 [r653]] src/test/java/org/owasp/esapi/reference/DefaultCipherTextTest.java New JUnit test for unit testing org.owasp.esapi.reference.DefaultCipherText.
  • 2009-09-06 20:15 kevin.w.wall
  • [#r654 [r654]] src/main/java/org/owasp/esapi/reference/DefaultCipherText.java Bug fixes found from unit testing.
    Major code reorganization to use Enum's and EnumSet's.
    Polished Javadoc and lots of other comment changes.
    Reorganized code--all private methods now at the end.
    Added public toString() method.
  • 2009-09-08 01:58 kevin.w.wall
  • [#r655 [r655]] src/main/java/org/owasp/esapi/SecurityConfiguration.java Added setCipherTransformation() method to allow a way (albeit kludgy) to
    use an alternate cipher algorithm without having to change ESAPI.properties.
  • 2009-09-08 01:59 kevin.w.wall
  • [#r656 [r656]] src/main/java/org/owasp/esapi/reference/DefaultEncryptedProperties.java Added TODO in setProperty() method.
  • 2009-09-08 01:59 kevin.w.wall
  • [#r657 [r657]] src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java Implemented new setCipherTransformation() method.
  • 2009-09-08 02:01 kevin.w.wall
  • [#r658 [r658]] src/main/java/org/owasp/esapi/reference/JavaEncryptor.java Use CryptoHelper.generateSecretKey() to generate master secret.
    Added few comments for discussion.
    Changes and bug fixes to encrypt() and decrypt() methods, especially
    to deal with DES and DESede key size idiosyncrasies.
  • 2009-09-08 02:01 kevin.w.wall
  • [#r659 [r659]] src/test/java/org/owasp/esapi/AllTests.java Added test suites for org.owasp.esapi.util classes.
  • 2009-09-08 02:02 kevin.w.wall
  • [#r660 [r660]] src/test/java/org/owasp/esapi/reference/EncryptorTest.java Add some sunny day tests for new encryption / decryption. (Still needs work.)
    Did lots of testing of error cases while debugging but didn't codify into JUnit
    test cases.
  • 2009-09-08 02:03 kevin.w.wall
  • [#r661 [r661]] src/test/java/org/owasp/esapi/util/CipherSpecTest.java Added suite() method.
  • 2009-09-08 02:03 kevin.w.wall
  • [#r662 [r662]] src/test/java/org/owasp/esapi/util/CryptoHelperTest.java Added suite() method.
  • 2009-09-08 02:03 kevin.w.wall
  • [#r663 [r663]] src/test/java/org/owasp/esapi/util/ObjFactoryTest.java Added Javadoc comments to suite() method.
  • 2009-09-08 02:04 kevin.w.wall
  • [#r664 [r664]] src/test/java/org/owasp/esapi/util/StringUtilsTest.java Added Javadoc comments to suite() method.
  • 2009-09-08 02:39 kevin.w.wall
  • [#r665 [r665]] src/main/java/org/owasp/esapi/CipherText.java Changes for Javadoc.
  • 2009-09-08 02:40 kevin.w.wall
  • [#r666 [r666]] src/main/java/org/owasp/esapi/Encryptor.java Changes for Javadoc.
  • 2009-09-08 02:40 kevin.w.wall
  • [#r667 [r667]] src/main/java/org/owasp/esapi/ESAPI.java Changes for Javadoc.
  • 2009-09-08 02:40 kevin.w.wall
  • [#r668 [r668]] src/main/java/org/owasp/esapi/StringUtilities.java Changes for Javadoc.
  • 2009-09-08 02:40 kevin.w.wall
  • [#r669 [r669]] src/main/java/org/owasp/esapi/ValidationErrorList.java Changes for Javadoc.
  • 2009-09-08 02:41 kevin.w.wall
  • [#r670 [r670]] src/main/java/org/owasp/esapi/reference/accesscontrol/FileBasedACRs.java Changes for Javadoc.
  • 2009-09-08 02:41 kevin.w.wall
  • [#r671 [r671]] src/main/java/org/owasp/esapi/reference/DefaultCipherText.java Changes for Javadoc.
  • 2009-09-08 02:41 kevin.w.wall
  • [#r672 [r672]] src/main/java/org/owasp/esapi/reference/IntegerAccessReferenceMap.java Changes for Javadoc.
  • 2009-09-08 02:41 kevin.w.wall
  • [#r673 [r673]] src/main/java/org/owasp/esapi/util/CipherSpec.java Changes for Javadoc.
  • 2009-09-08 02:42 kevin.w.wall
  • [#r674 [r674]] src/test/java/org/owasp/esapi/reference/SafeFileTest.java Changes for Javadoc.
  • 2009-09-24 22:53 chrisisbeef
  • [#r676 [r676]] src/main/java/org/owasp/esapi/errors/EnterpriseSecurityException.java Updated documentation per fortify scan.
    https://owasp.fortify.com/teamserver/audit/82/index.html?id=716023303C20DF2DB1578438A33572BC&t=d

    Intent is to make the documentation clear that when getting the user message when it has been set by an unknown source, or when setting it when creating a new instance of the exception to sanitize the user message to ensure that it is safe for display to the user as it is intended.
  • 2009-10-16 03:52 kevin.w.wall
  • [#r692 [r692]] src/main/java/org/owasp/esapi/PlainText.java New class. Roughly corresponds to CipherText, but for plaintext; provided after discussion on OWASP-ESAPI mailing list.
  • 2009-10-16 03:53 kevin.w.wall
  • [#r693 [r693]] src/test/java/org/owasp/esapi/PlainTextTest.java JUnit 4 test for PlainText class.
  • 2009-10-16 03:55 kevin.w.wall
  • [#r694 [r694]] src/main/java/org/owasp/esapi/errors/ConfigurationException.java Some Javadoc changes / improvements.
  • 2009-10-16 03:59 kevin.w.wall
  • [#r695 [r695]] src/main/java/org/owasp/esapi/reference/LegacyJavaEncryptor.java Provide "legacy" (cough, cough) String-based encryption / decryption methods with ESAPI Java 1.4 and earlier versions. Note that these methods use the cryptographically weak ECB cipher mode and provide no mechanism for proving authenticity of the ciphertext.
  • 2009-10-16 04:00 kevin.w.wall
  • [#r696 [r696]] src/test/java/org/owasp/esapi/reference/LegacyEncryptorTest.java JUnit 4 test case for new LegacyEncryptor class.
  • 2009-10-16 04:01 kevin.w.wall
  • [#r697 [r697]] src/main/java/org/owasp/esapi/util/StringUtils.java Minor Javadoc change.
  • 2009-10-16 04:04 kevin.w.wall
  • [#r698 [r698]] documentation/ESAPI_2.0_ReleaseNotes_CryptoChanges.html Completed new sections of ESAPI 2.0 crypto changes intended for release notes. Still some work left to do on this.