
Commit 3d7e6fb

author
planetlevel
committed
Stable. Many updates from initial release.
1 parent 5226112 commit 3d7e6fb

261 files changed

Lines changed: 63363 additions & 0 deletions

File tree


.classpath

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<classpath>
3+
<classpathentry kind="src" path="src"/>
4+
<classpathentry kind="src" path="test"/>
5+
<classpathentry exported="true" kind="lib" path="lib/commons-fileupload-1.2.jar" sourcepath="lib/commons-fileupload-1.2-sources.jar">
6+
<attributes>
7+
<attribute name="org.eclipse.jst.component.dependency" value="../"/>
8+
</attributes>
9+
</classpathentry>
10+
<classpathentry exported="true" kind="lib" path="lib/commons-io-1.3.2.jar" sourcepath="lib/commons-io-1.3.2-sources.jar">
11+
<attributes>
12+
<attribute name="org.eclipse.jst.component.dependency" value="../"/>
13+
</attributes>
14+
</classpathentry>
15+
<classpathentry exported="true" kind="lib" path="lib/antisamy-bin.1.0.jar">
16+
<attributes>
17+
<attribute name="org.eclipse.jst.component.dependency" value="../"/>
18+
</attributes>
19+
</classpathentry>
20+
<classpathentry kind="lib" path="lib/servlet-api.jar" sourcepath="C:/Users/jwilliams/Workbench/codereview/libraries/j2ee-1_4_1-src-scsl.zip"/>
21+
<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER"/>
22+
<classpathentry kind="con" path="org.eclipse.jdt.junit.JUNIT_CONTAINER/3"/>
23+
<classpathentry kind="output" path="build/classes"/>
24+
</classpath>
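Review bot: the servlet-api.jar entry on line 20 carries an absolute sourcepath into one developer's home directory (C:/Users/jwilliams/Workbench/codereview/libraries/j2ee-1_4_1-src-scsl.zip). It will not resolve for anyone else who imports the project, and it publishes a local username and workstation layout in a shared file. Either drop the sourcepath attribute or point it at a path under the project, the way the commons-fileupload and commons-io entries on lines 5 and 10 do with lib/...-sources.jar. Note also that antisamy-bin.1.0.jar (line 15) is exported to the web component exactly like the two Commons jars, so any deployment built from this classpath must ship it as well.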

.project

Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<projectDescription>
3+
<name>ESAPI</name>
4+
<comment></comment>
5+
<projects>
6+
</projects>
7+
<buildSpec>
8+
<buildCommand>
9+
<name>org.eclipse.jdt.core.javabuilder</name>
10+
<arguments>
11+
</arguments>
12+
</buildCommand>
13+
<buildCommand>
14+
<name>org.eclipse.wst.common.project.facet.core.builder</name>
15+
<arguments>
16+
</arguments>
17+
</buildCommand>
18+
<buildCommand>
19+
<name>org.eclipse.wst.validation.validationbuilder</name>
20+
<arguments>
21+
</arguments>
22+
</buildCommand>
23+
</buildSpec>
24+
<natures>
25+
<nature>org.eclipse.wst.common.project.facet.core.nature</nature>
26+
<nature>org.eclipse.jdt.core.javanature</nature>
27+
<nature>org.eclipse.wst.common.modulecore.ModuleCoreNature</nature>
28+
<nature>org.eclipse.jem.workbench.JavaEMFNature</nature>
29+
</natures>
30+
</projectDescription>

LICENSE

Lines changed: 503 additions & 0 deletions
Large diffs are not rendered by default.

documentation/Installation.html

Lines changed: 87 additions & 0 deletions
@@ -0,0 +1,87 @@
1+
<html>
2+
3+
<head>
4+
<title>ESAPI Installation Notes</title>
5+
</head>
6+
7+
<body>
8+
9+
<H1>Welcome to <a href="http://www.owasp.org/index.php/ESAPI">ESAPI</a></H1>
10+
11+
<p>The OWASP Enterprise Security API Project may be found at http://www.owasp.org/index.php/ESAPI. This software
12+
is available under the LGPL, and we encourage your participation in the project.</p>
13+
14+
<p>ESAPI consists of two key parts, an API defined in a set of interfaces, and a reference implementation of those
15+
interfaces. Within your enterprise, you may want to customize the ESAPI to suit the way you do business. The important
16+
thing is that you work towards creating your ESAPI and getting all of your projects to use it. This will dramatically
17+
increase the likelihood that your developers are producing secure code.</p>
18+
19+
<p>Your ESAPI can be viewed as a unified facade to all of your organization's security functionality. Have a clear, easy
20+
to understand API make it easy to find security mechanisms and use them properly. Many of the existing security libraries,
21+
while providing excellent security functions, are much too complex for most developers to use without mistakes. Establishing
22+
your ESAPI will help to prevent this kind of problem.</p>
23+
24+
<p>Having an ESAPI has other benefits as well, including:</p>
25+
<ul>
26+
<li>Simplifed requirements</li>
27+
<li>Easier developer security training</li>
28+
<li>Faster and more reliable security scanning and penetration testing</li>
29+
<li>Better results from static analysis and code review</li>
30+
<li>Ability to change security mechanisms across applications</li>
31+
<li>Higher assurance in your security mechanisms</li>
32+
<li>Solid coverage of most of the OWASP Top Ten</li>
33+
</ul>
34+
35+
<h1>Installation</h1>
36+
<p>To install the ESAPI in your environment, you should include the following jar files on your classpath:
37+
<ul>
38+
<li>owasp-esapi-1.0.jar</li>
39+
<li>commons-fileupload-1.2.jar</li>
40+
<li>commons-io-1.3.2.jar</li>
41+
</ul>
42+
<p>Newer versions of the Apache Commons projects may also work.</p>
43+
44+
<h1>Invoking</h1>
45+
46+
<p>The ESAPI needs to know where to find the ESAPI.properties and other configuration files. This is done by way of a Java system property.
47+
The property should point to the resources directory where the ESAPI files reside. You can specify the system property where you invoke the JVM as follows:</p>
48+
49+
<pre>java -Dorg.owasp.esapi.resources="/path/to/resources/directory"</pre>
50+
51+
<p>You can then add calls to the ESAPI methods from your code. For example, to use the ESAPI Validator, you should
52+
get an instance from the singleton with
53+
54+
<PRE>Validator validator = Validator.getInstance()</PRE>
55+
56+
Then you can use validation calls directly. For example, to validate an email address, you can use:
57+
58+
<PRE>validation.isValidDataFromBrowser( "Email", input );</PRE>
59+
60+
Or
61+
62+
<PRE>
63+
try {
64+
String validEmail = validation.getValidDataFromBrowser( "Email", input );
65+
} catch( ValidationException e ) {
66+
// handle bad data
67+
}
68+
</PRE>
69+
70+
The regular expressions that define validators such as "Email" above are defined in the ESAPI properties file. Note
71+
that the Validator class performs a significant amount of canonicalization work before validating and prevents
72+
many common forms of attack.</p>
73+
74+
<h1>Configuring</h1>
75+
<p>All of the configuration options for ESAPI are in ESAPI.properties. Generally the values specified there are
76+
good options for a web application that needs to be secure.</p>
77+
78+
<h1>Building</h1>
79+
<p>ESAPI is set up as an Eclipse project. If you download the full zip archive, you should be able to import it into
80+
Eclipse and get it to compile. You should be able to run the test cases, provided that you remember that your launch
81+
configuration for the test suite will have to have the org.owasp.esapi.resources property defined as described above.</p>
82+
83+
</body>
84+
85+
</html>
86+
87+
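Review bot: the Validator sample on lines 54 to 67 does not compile as written: the instance is bound to `validator` on line 54 (which is also missing its trailing semicolon), but the calls on lines 58 and 64 are made on `validation`. Use one name throughout, e.g. `validator.isValidDataFromBrowser( "Email", input );`. Two smaller points in the same file: the required-jar list on lines 38 to 40 omits antisamy-bin.1.0.jar even though .classpath in this commit exports it alongside the two Commons jars, so the list should either include it or say when it is needed; and the `<p>` opened on line 36 is never closed before the `<ul>`. Typos: "Simplifed" on line 26 should be "Simplified", and line 19 should read "Having a clear, easy to understand API makes it easy".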
Lines changed: 55 additions & 0 deletions
@@ -0,0 +1,55 @@
1+
<html>
2+
3+
<head>
4+
<!-- this content is automatically included in the ESAPI javadoc overview page -->
5+
</head>
6+
7+
<body>
8+
<p>The OWASP Enterprise Security API (ESAPI) is both a set of
9+
interfaces and a reference implementation of a library that provides
10+
enterprise web application developers the most important security
11+
functions they need in order to build web applications and web services
12+
that protect themselves against attacks.</p>
13+
14+
<p>The <a href="http://www.owasp.org">The Open Web Application
15+
Security Project (OWASP)</a> is a worldwide free and open community focused
16+
on improving the security of application software. Our mission is to
17+
make application security "visible," so that people and organizations
18+
can make informed decisions about application security risks. Everyone
19+
is free to participate in OWASP and all of our materials are available
20+
under an open source license. The OWASP Foundation is a 501c3
21+
not-for-profit charitable organization that ensures the ongoing
22+
availability and support for our work.</p>
23+
24+
<p>The OWASP ESAPI Project is led by Jeff Williams, <a href="http://www.aspectsecurity.com">Aspect Security</a>
25+
26+
<p>You can find more information about the ESAPI project, or join
27+
the mailing list and help us make it better from the OWASP project page
28+
at <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.</p>
29+
30+
<img src="org/owasp/esapi/doc-files/Architecture.jpg" height="600">
31+
32+
<p>The library builds on the excellent security libraries available,
33+
such as Java Logging, JCE, and Adobe Commons FileUpload. It uses the
34+
concepts from many of the security packages out there, such as ACEGI,
35+
Apache Commons Validator, Microsoft's AntiXSS library, and many many
36+
more. This library provides a single consistent interface to security
37+
functions that is intuitive for enterprise developers.</p>
38+
39+
<img src="org/owasp/esapi/doc-files/OWASPTopTen.jpg" height="600">
40+
41+
<p>Used properly, the ESAPI provides enough functions to protect
42+
against most of the OWASP Top Ten. The only real exception is the
43+
Insecure Communications category, which is generally outside the control
44+
of the software developer.</p>
45+
46+
<p>This project and all associated code is Copyright (c) 2007 - The OWASP Foundation</p>
47+
48+
<p>The ESAPI is published by OWASP under the LGPL. You should read and accept the LICENSE
49+
before you use, modify, and/or redistribute this software.</p>
50+
51+
</body>
52+
53+
</html>
54+
55+
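Review bot: the paragraph on line 24 is never closed and stops mid-sentence after the Aspect Security link; add a full stop and `</p>`. Line 14 reads "The <a ...>The Open Web Application Security Project" with a doubled "The", and line 33 credits "Adobe Commons FileUpload" where the library on the classpath and in Installation.html is Apache Commons FileUpload. The two `<img>` tags on lines 30 and 39 carry no alt text, which matters for a page that is pulled into the javadoc overview.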
409 KB
Binary file not shown.
13.4 KB
Binary file not shown.

javadoc/allclasses-frame.html

Lines changed: 123 additions & 0 deletions
@@ -0,0 +1,123 @@
1+
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
2+
<!--NewPage-->
3+
<HTML>
4+
<HEAD>
5+
<!-- Generated by javadoc (build 1.6.0_03) on Thu Jan 17 03:28:46 EST 2008 -->
6+
<TITLE>
7+
All Classes
8+
</TITLE>
9+
10+
<META NAME="date" CONTENT="2008-01-17">
11+
12+
<LINK REL ="stylesheet" TYPE="text/css" HREF="stylesheet.css" TITLE="Style">
13+
14+
15+
</HEAD>
16+
17+
<BODY BGCOLOR="white">
18+
<FONT size="+1" CLASS="FrameHeadingFont">
19+
<B>All Classes</B></FONT>
20+
<BR>
21+
22+
<TABLE BORDER="0" WIDTH="100%" SUMMARY="">
23+
<TR>
24+
<TD NOWRAP><FONT CLASS="FrameItemFont"><A HREF="org/owasp/esapi/errors/AccessControlException.html" title="class in org.owasp.esapi.errors" target="classFrame">AccessControlException</A>
25+
<BR>
26+
<A HREF="org/owasp/esapi/AccessController.html" title="class in org.owasp.esapi" target="classFrame">AccessController</A>
27+
<BR>
28+
<A HREF="org/owasp/esapi/AccessReferenceMap.html" title="class in org.owasp.esapi" target="classFrame">AccessReferenceMap</A>
29+
<BR>
30+
<A HREF="org/owasp/esapi/errors/AuthenticationAccountsException.html" title="class in org.owasp.esapi.errors" target="classFrame">AuthenticationAccountsException</A>
31+
<BR>
32+
<A HREF="org/owasp/esapi/errors/AuthenticationCredentialsException.html" title="class in org.owasp.esapi.errors" target="classFrame">AuthenticationCredentialsException</A>
33+
<BR>
34+
<A HREF="org/owasp/esapi/errors/AuthenticationException.html" title="class in org.owasp.esapi.errors" target="classFrame">AuthenticationException</A>
35+
<BR>
36+
<A HREF="org/owasp/esapi/errors/AuthenticationHostException.html" title="class in org.owasp.esapi.errors" target="classFrame">AuthenticationHostException</A>
37+
<BR>
38+
<A HREF="org/owasp/esapi/errors/AuthenticationLoginException.html" title="class in org.owasp.esapi.errors" target="classFrame">AuthenticationLoginException</A>
39+
<BR>
40+
<A HREF="org/owasp/esapi/Authenticator.html" title="class in org.owasp.esapi" target="classFrame">Authenticator</A>
41+
<BR>
42+
<A HREF="org/owasp/esapi/errors/AvailabilityException.html" title="class in org.owasp.esapi.errors" target="classFrame">AvailabilityException</A>
43+
<BR>
44+
<A HREF="org/owasp/esapi/errors/CertificateException.html" title="class in org.owasp.esapi.errors" target="classFrame">CertificateException</A>
45+
<BR>
46+
<A HREF="org/owasp/esapi/Encoder.html" title="class in org.owasp.esapi" target="classFrame">Encoder</A>
47+
<BR>
48+
<A HREF="org/owasp/esapi/errors/EncodingException.html" title="class in org.owasp.esapi.errors" target="classFrame">EncodingException</A>
49+
<BR>
50+
<A HREF="org/owasp/esapi/EncryptedProperties.html" title="class in org.owasp.esapi" target="classFrame">EncryptedProperties</A>
51+
<BR>
52+
<A HREF="org/owasp/esapi/errors/EncryptionException.html" title="class in org.owasp.esapi.errors" target="classFrame">EncryptionException</A>
53+
<BR>
54+
<A HREF="org/owasp/esapi/Encryptor.html" title="class in org.owasp.esapi" target="classFrame">Encryptor</A>
55+
<BR>
56+
<A HREF="org/owasp/esapi/errors/EnterpriseSecurityException.html" title="class in org.owasp.esapi.errors" target="classFrame">EnterpriseSecurityException</A>
57+
<BR>
58+
<A HREF="org/owasp/esapi/filters/ESAPIFilter.html" title="class in org.owasp.esapi.filters" target="classFrame">ESAPIFilter</A>
59+
<BR>
60+
<A HREF="org/owasp/esapi/Executor.html" title="class in org.owasp.esapi" target="classFrame">Executor</A>
61+
<BR>
62+
<A HREF="org/owasp/esapi/errors/ExecutorException.html" title="class in org.owasp.esapi.errors" target="classFrame">ExecutorException</A>
63+
<BR>
64+
<A HREF="org/owasp/esapi/HTTPUtilities.html" title="class in org.owasp.esapi" target="classFrame">HTTPUtilities</A>
65+
<BR>
66+
<A HREF="org/owasp/esapi/interfaces/IAccessController.html" title="interface in org.owasp.esapi.interfaces" target="classFrame"><I>IAccessController</I></A>
67+
<BR>
68+
<A HREF="org/owasp/esapi/interfaces/IAccessReferenceMap.html" title="interface in org.owasp.esapi.interfaces" target="classFrame"><I>IAccessReferenceMap</I></A>
69+
<BR>
70+
<A HREF="org/owasp/esapi/interfaces/IAuthenticator.html" title="interface in org.owasp.esapi.interfaces" target="classFrame"><I>IAuthenticator</I></A>
71+
<BR>
72+
<A HREF="org/owasp/esapi/interfaces/IEncoder.html" title="interface in org.owasp.esapi.interfaces" target="classFrame"><I>IEncoder</I></A>
73+
<BR>
74+
<A HREF="org/owasp/esapi/interfaces/IEncryptedProperties.html" title="interface in org.owasp.esapi.interfaces" target="classFrame"><I>IEncryptedProperties</I></A>
75+
<BR>
76+
<A HREF="org/owasp/esapi/interfaces/IEncryptor.html" title="interface in org.owasp.esapi.interfaces" target="classFrame"><I>IEncryptor</I></A>
77+
<BR>
78+
<A HREF="org/owasp/esapi/interfaces/IExecutor.html" title="interface in org.owasp.esapi.interfaces" target="classFrame"><I>IExecutor</I></A>
79+
<BR>
80+
<A HREF="org/owasp/esapi/interfaces/IHTTPUtilities.html" title="interface in org.owasp.esapi.interfaces" target="classFrame"><I>IHTTPUtilities</I></A>
81+
<BR>
82+
<A HREF="org/owasp/esapi/interfaces/IIntrusionDetector.html" title="interface in org.owasp.esapi.interfaces" target="classFrame"><I>IIntrusionDetector</I></A>
83+
<BR>
84+
<A HREF="org/owasp/esapi/interfaces/ILogger.html" title="interface in org.owasp.esapi.interfaces" target="classFrame"><I>ILogger</I></A>
85+
<BR>
86+
<A HREF="org/owasp/esapi/errors/IntegrityException.html" title="class in org.owasp.esapi.errors" target="classFrame">IntegrityException</A>
87+
<BR>
88+
<A HREF="org/owasp/esapi/IntrusionDetector.html" title="class in org.owasp.esapi" target="classFrame">IntrusionDetector</A>
89+
<BR>
90+
<A HREF="org/owasp/esapi/errors/IntrusionException.html" title="class in org.owasp.esapi.errors" target="classFrame">IntrusionException</A>
91+
<BR>
92+
<A HREF="org/owasp/esapi/interfaces/IRandomizer.html" title="interface in org.owasp.esapi.interfaces" target="classFrame"><I>IRandomizer</I></A>
93+
<BR>
94+
<A HREF="org/owasp/esapi/interfaces/ISecurityConfiguration.html" title="interface in org.owasp.esapi.interfaces" target="classFrame"><I>ISecurityConfiguration</I></A>
95+
<BR>
96+
<A HREF="org/owasp/esapi/interfaces/IUser.html" title="interface in org.owasp.esapi.interfaces" target="classFrame"><I>IUser</I></A>
97+
<BR>
98+
<A HREF="org/owasp/esapi/interfaces/IValidator.html" title="interface in org.owasp.esapi.interfaces" target="classFrame"><I>IValidator</I></A>
99+
<BR>
100+
<A HREF="org/owasp/esapi/Logger.html" title="class in org.owasp.esapi" target="classFrame">Logger</A>
101+
<BR>
102+
<A HREF="org/owasp/esapi/Randomizer.html" title="class in org.owasp.esapi" target="classFrame">Randomizer</A>
103+
<BR>
104+
<A HREF="org/owasp/esapi/SecurityConfiguration.html" title="class in org.owasp.esapi" target="classFrame">SecurityConfiguration</A>
105+
<BR>
106+
<A HREF="org/owasp/esapi/Threshold.html" title="class in org.owasp.esapi" target="classFrame">Threshold</A>
107+
<BR>
108+
<A HREF="org/owasp/esapi/User.html" title="class in org.owasp.esapi" target="classFrame">User</A>
109+
<BR>
110+
<A HREF="org/owasp/esapi/errors/ValidationAvailabilityException.html" title="class in org.owasp.esapi.errors" target="classFrame">ValidationAvailabilityException</A>
111+
<BR>
112+
<A HREF="org/owasp/esapi/errors/ValidationException.html" title="class in org.owasp.esapi.errors" target="classFrame">ValidationException</A>
113+
<BR>
114+
<A HREF="org/owasp/esapi/errors/ValidationUploadException.html" title="class in org.owasp.esapi.errors" target="classFrame">ValidationUploadException</A>
115+
<BR>
116+
<A HREF="org/owasp/esapi/Validator.html" title="class in org.owasp.esapi" target="classFrame">Validator</A>
117+
<BR>
118+
</FONT></TD>
119+
</TR>
120+
</TABLE>
121+
122+
</BODY>
123+
</HTML>
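Review bot: javadoc/allclasses-frame.html is generated output (line 5 records javadoc build 1.6.0_03 on Jan 17 2008) committed next to the sources; it goes stale the moment a class under src is added or renamed, and the generated markup carries nothing worth diffing. Prefer producing the javadoc as a build step and keeping the javadoc/ directory out of version control, or at minimum regenerate it as part of each release so the published API list matches the shipped jar.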
