<body bgcolor="white">

The ESAPI interfaces and {@code Exception} classes model the most

important security functions to enterprise web applications.

The interfaces in this package are intended to be extended and

customized within an enterprise to match their custom data,

security services, and application environment. A reference

implementation of this interface is provided as an example of how this

library can be implemented successfully, but is useful in many ways

by itself as well.

OWASP ESAPI interfaces and reference implementation provides

enterprise web application developers with the most important

security functions they need in ordre to build secure web applications

and web services that stand up to most common-day web-based attacks.

<h2>Sponsor</h2>

<p>The <a href="http://www.owasp.org">The Open Web Application

Security Project (OWASP)</a> is a worldwide free and open community focused

on improving the security of application software. Our mission is to

make application security "visible," so that people and organizations

can make informed decisions about application security risks. Everyone

is free to participate in OWASP and all of our materials are available

under an open source license. The OWASP Foundation is a 501c3

not-for-profit charitable organization that ensures the ongoing

availability and support for our work.</p>

<p>The

<a href="http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API">

OWASP ESAPI Project</a>

is led by Jeff Williams,

<a href="http://www.aspectsecurity.com">Aspect Security</a>.

<p>You can find more information about the ESAPI Java project, or join

the mailing list and help us make it better from the OWASP project page

at <a

href="http://www.owasp.org/index.php/ESAPI#tab=Java_EE">http://www.owasp.org/index.php/ESAPI#tab=Java_EE</a>.</p>

<h2>ESAPI Architecture</h2>

<p>The ESAPI class library builds on the excellent security libraries available,

such as Java Logging, JCE, and Adobe Commons FileUpload. It uses the

concepts from many of the security packages out there, such as ACEGI,

Apache Commons Validator, Microsoft's AntiXSS library, and many many

more. This library provides a single consistent interface to security

functions that is intuitive for enterprise developers.</p>

<img src="doc-files/Architecture.jpg">

<h2>Addressing OWASP Top Ten</h2>

<p>Used properly, the ESAPI provides enough functions to protect

against most of the

<a href="http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project">

OWASP Top Ten</a>. The only real exception is the

Insecure Communications category, which is generally outside the control

of the software developer.</p>

<img src="doc-files/OWASPTopTen.jpg">

<h2>Copyright and License</h2>

<p>This project and all associated code is Copyright (c) 2007 - The OWASP Foundation</p>

<p>This project licensed under the <a href="http://en.wikipedia.org/wiki/BSD_license">BSD license</a>,

which is very permissive and about as close to public domain as is possible. You can use or modify

ESAPI however you want, even include it in commercial products.</p>

<h2>References</h2>

This library builds on some of the ideas found in:

<li><a href="http://www.owasp.org/">OWASP</a></li>

<li><a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=051ee83c-5ccf-48ed-8463-02f56a6bfc09&displaylang=en">Microsoft's AntiXSS</a></li>

<li><a href="http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/JCERefGuide.html">Java JCE</a></li>

<li><a href="http://java.sun.com/j2se/1.5.0/docs/guide/logging/overview.html">Java Logging API</a></li>

<li><a href="http://commons.apache.org/fileupload/">Apache Commons FileUpload</a></li>