org.owasp.esapi

Class ESAPI

java.lang.Object

org.owasp.esapi.ESAPI

public final class ESAPI
extends Object

ESAPI locator class is provided to make it easy to gain access to the current ESAPI classes in use. Use the set methods to override the reference implementations with instances of any custom ESAPI implementations.

Method Summary

Modifier and Type	Method and Description
static AccessController	accessController()
static Authenticator	authenticator()
static void	clearCurrent() Clears the current User, HttpRequest, and HttpResponse associated with the current thread.
static javax.servlet.http.HttpServletRequest	currentRequest() Get the current HTTP Servlet Request being processed.
static javax.servlet.http.HttpServletResponse	currentResponse() Get the current HTTP Servlet Response being generated.
static Encoder	encoder() The ESAPI Encoder is primarily used to provide output encoding to prevent Cross-Site Scripting (XSS).
static Encryptor	encryptor()
static Executor	executor()
static Logger	getLogger(Class clazz)
static Logger	getLogger(String moduleName)
static HTTPUtilities	httpUtilities()
static String	initialize(String impl)
static IntrusionDetector	intrusionDetector()
static Logger	log()
static void	override(SecurityConfiguration config) Overrides the current security configuration with a new implementation.
static Randomizer	randomizer()
static SecurityConfiguration	securityConfiguration()
static Validator	validator()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

clearCurrent

public static void clearCurrent()

Clears the current User, HttpRequest, and HttpResponse associated with the current thread. This method MUST be called as some containers do not properly clear threadlocal variables when the execution of a thread is complete. The suggested approach is to put this call in a finally block inside a filter.

        public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException {
            try {
                HttpServletRequest request = (HttpServletRequest) req;
                HttpServletResponse response = (HttpServletResponse) resp;
                ESAPI.httpUtilities().setCurrentHTTP(request, response);
                ESAPI.authenticator().login();
                chain.doFilter(request, response);
            } catch (Exception e) {
                logger.error( Logger.SECURITY_FAILURE, "Error in ESAPI security filter: " + e.getMessage(), e );
            } finally {
                // VERY IMPORTANT
                // clear out ThreadLocal variables
                ESAPI.clearCurrent();
            }
        }
 

The advantages of having identity everywhere are worth the risk here.

currentRequest

public static javax.servlet.http.HttpServletRequest currentRequest()

Get the current HTTP Servlet Request being processed.

Returns:

the current HTTP Servlet Request.

currentResponse

public static javax.servlet.http.HttpServletResponse currentResponse()

Get the current HTTP Servlet Response being generated.

Returns:

the current HTTP Servlet Response.

accessController

public static AccessController accessController()

Returns:

the current ESAPI AccessController object being used to maintain the access control rules for this application.

authenticator

public static Authenticator authenticator()

Returns:

the current ESAPI Authenticator object being used to authenticate users for this application.

encoder

public static Encoder encoder()

The ESAPI Encoder is primarily used to provide output encoding to prevent Cross-Site Scripting (XSS).

Returns:

the current ESAPI Encoder object being used to encode and decode data for this application.

encryptor

public static Encryptor encryptor()

Returns:

the current ESAPI Encryptor object being used to encrypt and decrypt data for this application.

executor

public static Executor executor()

Returns:

the current ESAPI Executor object being used to safely execute OS commands for this application.

httpUtilities

public static HTTPUtilities httpUtilities()

Returns:

the current ESAPI HTTPUtilities object being used to safely access HTTP requests and responses for this application.

intrusionDetector

public static IntrusionDetector intrusionDetector()

Returns:

the current ESAPI IntrusionDetector being used to monitor for intrusions in this application.

getLogger

public static Logger getLogger(Class clazz)

Parameters:

clazz - The class to associate the logger with.

Returns:

The current Logger associated with the specified class.

getLogger

public static Logger getLogger(String moduleName)

Parameters:

moduleName - The module to associate the logger with.

Returns:

The current Logger associated with the specified module.

log

public static Logger log()

Returns:

The default Logger.

randomizer

public static Randomizer randomizer()

Returns:

the current ESAPI Randomizer being used to generate random numbers in this application.

securityConfiguration

public static SecurityConfiguration securityConfiguration()

Returns:

the current ESAPI SecurityConfiguration being used to manage the security configuration for ESAPI for this application.

validator

public static Validator validator()

Returns:

the current ESAPI Validator being used to validate data in this application.

initialize

public static String initialize(String impl)

override

public static void override(SecurityConfiguration config)

Overrides the current security configuration with a new implementation. This is meant to be used as a temporary means to alter the behavior of the ESAPI and should *NEVER* be used in a production environment as it will affect the behavior and configuration of the ESAPI *GLOBALLY*. To clear an overridden Configuration, simple call this method with null for the config parameter.

Parameters:

config - The new security configuration.