Package | Description |
---|---|
org.owasp.esapi | The ESAPI interfaces and Exception classes model the most important security functions to enterprise web applications. |
org.owasp.esapi.reference | This package contains reference implementations of the ESAPI interfaces. |
org.owasp.esapi.reference.accesscontrol | |
org.owasp.esapi.reference.accesscontrol.policyloader | |
Modifier and Type | Method and Description |
---|---|
`void` | `AccessController.assertAuthorized(Object key, Object runtimeParameter)`: assertAuthorized executes the AccessControlRule that is identified by key and listed in the resources/ESAPI-AccessControlPolicy.xml file. |
`void` | `AccessController.assertAuthorizedForData(String action, Object data)`: Deprecated. |
`void` | `AccessController.assertAuthorizedForFile(String filepath)`: Deprecated. |
`void` | `AccessController.assertAuthorizedForFunction(String functionName)`: Deprecated. |
`void` | `AccessController.assertAuthorizedForService(String serviceName)`: Deprecated. |
`void` | `AccessController.assertAuthorizedForURL(String url)`: Deprecated. |
`void` | `HTTPUtilities.assertSecureChannel()`: Calls assertSecureChannel with the *current* request. |
`void` | `HTTPUtilities.assertSecureChannel(javax.servlet.http.HttpServletRequest request)`: Ensures the use of SSL to protect any sensitive parameters in the request and any sensitive data in the response. |
`void` | `HTTPUtilities.assertSecureRequest()`: Calls assertSecureRequest with the *current* request. |
`void` | `HTTPUtilities.assertSecureRequest(javax.servlet.http.HttpServletRequest request)`: Ensures that the request uses both SSL and POST to protect any sensitive parameters in the querystring from being sniffed, logged, bookmarked, included in the referer header, etc. |
`<T> T` | `AccessReferenceMap.getDirectReference(K indirectReference)`: Get the original direct object reference from an indirect reference. |
`<T> K` | `AccessReferenceMap.removeDirectReference(T direct)`: Removes a direct reference and its associated indirect reference from the AccessReferenceMap. |
`void` | `HTTPUtilities.sendForward(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String location)`: This method performs a forward to any resource located inside the WEB-INF directory. |
`void` | `HTTPUtilities.sendForward(String location)`: Calls sendForward with the *current* request and response. |
`void` | `HTTPUtilities.sendRedirect(javax.servlet.http.HttpServletResponse response, String location)`: This method performs a forward to any resource located inside the WEB-INF directory. |
`void` | `HTTPUtilities.sendRedirect(String location)`: Calls sendRedirect with the *current* response. |
Modifier and Type | Method and Description |
---|---|
`void` | `DefaultAccessController.assertAuthorized(Object key, Object runtimeParameter)`: assertAuthorized executes the AccessControlRule that is identified by key and listed in the resources/ESAPI-AccessControlPolicy.xml file. |
`void` | `DefaultAccessController.assertAuthorizedForData(String action, Object data)`: Checks if the current user is authorized to access the referenced data. |
`void` | `DefaultAccessController.assertAuthorizedForFile(String filepath)`: Deprecated. |
`void` | `DefaultAccessController.assertAuthorizedForFunction(String functionName)`: Checks if the current user is authorized to access the referenced function. |
`void` | `DefaultAccessController.assertAuthorizedForService(String serviceName)`: Checks if the current user is authorized to access the referenced service. |
`void` | `DefaultAccessController.assertAuthorizedForURL(String url)`: Checks if the current user is authorized to access the referenced URL. |
`void` | `DefaultHTTPUtilities.assertSecureChannel()`: Calls assertSecureChannel with the *current* request. |
`void` | `DefaultHTTPUtilities.assertSecureChannel(javax.servlet.http.HttpServletRequest request)`: Ensures the use of SSL to protect any sensitive parameters in the request and any sensitive data in the response. |
`void` | `DefaultHTTPUtilities.assertSecureRequest()`: Calls assertSecureRequest with the *current* request. |
`void` | `DefaultHTTPUtilities.assertSecureRequest(javax.servlet.http.HttpServletRequest request)`: Ensures that the request uses both SSL and POST to protect any sensitive parameters in the querystring from being sniffed, logged, bookmarked, included in the referer header, etc. |
`<T> T` | `AbstractAccessReferenceMap.getDirectReference(K indirectReference)`: Get the original direct object reference from an indirect reference. |
`static AccessController` | `DefaultAccessController.getInstance()` |
`<T> K` | `AbstractAccessReferenceMap.removeDirectReference(T direct)`: Removes a direct reference and its associated indirect reference from the AccessReferenceMap. |
`void` | `DefaultHTTPUtilities.sendForward(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String location)`: This method performs a forward to any resource located inside the WEB-INF directory. |
`void` | `DefaultHTTPUtilities.sendForward(String location)`: Calls sendForward with the *current* request and response. |
`void` | `DefaultHTTPUtilities.sendRedirect(javax.servlet.http.HttpServletResponse response, String location)`: This method performs a forward to any resource located inside the WEB-INF directory. |
`void` | `DefaultHTTPUtilities.sendRedirect(String location)`: Calls sendRedirect with the *current* response. |
Modifier and Type | Method and Description |
---|---|
`void` | `ExperimentalAccessController.assertAuthorized(Object key, Object runtimeParameter)` |
`void` | `ExperimentalAccessController.assertAuthorizedForData(String action, Object data)`: Deprecated. |
`void` | `ExperimentalAccessController.assertAuthorizedForFile(String filepath)`: Deprecated. |
`void` | `ExperimentalAccessController.assertAuthorizedForFunction(String functionName)`: Deprecated. |
`void` | `ExperimentalAccessController.assertAuthorizedForService(String serviceName)`: Deprecated. |
`void` | `ExperimentalAccessController.assertAuthorizedForURL(String url)`: Deprecated. |
`boolean` | `FileBasedACRs.isAuthorizedForData(String action, Object data)`: TODO Javadoc |
`boolean` | `FileBasedACRs.isAuthorizedForFile(String filepath)`: TODO Javadoc |
`boolean` | `FileBasedACRs.isAuthorizedForFunction(String functionName)`: TODO Javadoc |
`boolean` | `FileBasedACRs.isAuthorizedForService(String serviceName)`: TODO Javadoc |
Constructor and Description |
---|
`ExperimentalAccessController()` |
Modifier and Type | Method and Description |
---|---|
`void` | `PolicyDTO.addAccessControlRule(String key, String accessControlRuleClassName, Object policyParameter)` |
`PolicyDTO` | `ACRPolicyFileLoader.load()` |
Copyright © 2020 The Open Web Application Security Project (OWASP). All rights reserved.