Package org.owasp.esapi
Class ESAPI
- java.lang.Object
  - org.owasp.esapi.ESAPI
public final class ESAPI extends java.lang.Object
ESAPI locator class is provided to make it easy to gain access to the current ESAPI classes in use. Use the set methods to override the reference implementations with instances of any custom ESAPI implementations.
Method Summary (all methods are static and concrete)

- static AccessController accessController()
- static Authenticator authenticator()
- static void clearCurrent()
  Clears the current User, HttpRequest, and HttpResponse associated with the current thread.
- static javax.servlet.http.HttpServletRequest currentRequest()
  Get the current HTTP Servlet Request being processed.
- static javax.servlet.http.HttpServletResponse currentResponse()
  Get the current HTTP Servlet Response being generated.
- static Encoder encoder()
- static Encryptor encryptor()
- static Executor executor()
- static Logger getLogger(java.lang.Class clazz)
- static Logger getLogger(java.lang.String moduleName)
- static HTTPUtilities httpUtilities()
- static java.lang.String initialize(java.lang.String impl)
- static IntrusionDetector intrusionDetector()
- static Logger log()
- static void override(SecurityConfiguration config)
  Overrides the current security configuration with a new implementation.
- static Randomizer randomizer()
- static SecurityConfiguration securityConfiguration()
- static Validator validator()

Method Detail

clearCurrent

public static void clearCurrent()

Clears the current User, HttpRequest, and HttpResponse associated with the current thread. This method MUST be called as some containers do not properly clear threadlocal variables when the execution of a thread is complete. The suggested approach is to put this call in a finally block inside a filter.

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException {
        try {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) resp;
            ESAPI.httpUtilities().setCurrentHTTP(request, response);
            ESAPI.authenticator().login();
            chain.doFilter(request, response);
        } catch (Exception e) {
            logger.error(Logger.SECURITY_FAILURE, "Error in ESAPI security filter: " + e.getMessage(), e);
        } finally {
            // VERY IMPORTANT
            // clear out ThreadLocal variables
            ESAPI.clearCurrent();
        }
    }

The advantages of having identity everywhere are worth the risk here.

currentRequest

public static javax.servlet.http.HttpServletRequest currentRequest()

Get the current HTTP Servlet Request being processed.
- Returns:
  - the current HTTP Servlet Request.

currentResponse

public static javax.servlet.http.HttpServletResponse currentResponse()

Get the current HTTP Servlet Response being generated.
- Returns:
  - the current HTTP Servlet Response.

accessController

public static AccessController accessController()

- Returns:
  - the current ESAPI AccessController object being used to maintain the access control rules for this application.

authenticator

public static Authenticator authenticator()

- Returns:
  - the current ESAPI Authenticator object being used to authenticate users for this application.

encoder

public static Encoder encoder()

- Returns:
  - the current ESAPI Encoder object being used to encode and decode data for this application.

encryptor

public static Encryptor encryptor()

- Returns:
  - the current ESAPI Encryptor object being used to encrypt and decrypt data for this application.

executor

public static Executor executor()

- Returns:
  - the current ESAPI Executor object being used to safely execute OS commands for this application.

httpUtilities

public static HTTPUtilities httpUtilities()

- Returns:
  - the current ESAPI HTTPUtilities object being used to safely access HTTP requests and responses for this application.

intrusionDetector

public static IntrusionDetector intrusionDetector()

- Returns:
  - the current ESAPI IntrusionDetector being used to monitor for intrusions in this application.

getLogger

public static Logger getLogger(java.lang.Class clazz)

- Parameters:
  - clazz - The class to associate the logger with.
- Returns:
  - The current Logger associated with the specified class.

getLogger

public static Logger getLogger(java.lang.String moduleName)

- Parameters:
  - moduleName - The module to associate the logger with.
- Returns:
  - The current Logger associated with the specified module.

log

public static Logger log()

- Returns:
  - The default Logger.

randomizer

public static Randomizer randomizer()

- Returns:
  - the current ESAPI Randomizer being used to generate random numbers in this application.

securityConfiguration

public static SecurityConfiguration securityConfiguration()

- Returns:
  - the current ESAPI SecurityConfiguration being used to manage the security configuration for ESAPI for this application.

validator

public static Validator validator()

- Returns:
  - the current ESAPI Validator being used to validate data in this application.

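The locator methods above are meant to be used together from application code that runs behind the filter shown under clearCurrent(). The following servlet is an added example, not code from the ESAPI project or its Javadoc: it reads the thread-bound request via ESAPI.currentRequest(), whitelists a parameter through ESAPI.validator(), and output-encodes it through ESAPI.encoder() before echoing it into HTML. It assumes the filter has already called ESAPI.httpUtilities().setCurrentHTTP(...) for this thread, that the default ESAPI.properties is in use (where the validation rule "SafeString" is defined), and the hypothetical servlet name GreetingServlet and parameter name "name".

```java
// Added example, not part of the ESAPI Javadoc: a servlet that relies on the ESAPI locator.
// Assumes the ESAPI security filter (see clearCurrent()) runs first and that the default
// ESAPI.properties defines the "SafeString" validation rule.
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

public class GreetingServlet extends HttpServlet {

    // Logger obtained through the locator so the configured ESAPI log implementation is used.
    private static final Logger LOG = ESAPI.getLogger(GreetingServlet.class);

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // currentRequest() returns the request the filter registered for this thread.
        // If the filter did not run, the ThreadLocal is unset and null comes back,
        // so fall back to the request the container handed us.
        HttpServletRequest current = ESAPI.currentRequest();
        HttpServletRequest request = (current != null) ? current : req;

        String name;
        try {
            // Whitelist validation through the configured Validator: "greeting.name" is the
            // context for log messages, "SafeString" the rule name, 50 the maximum length,
            // and false means a missing value is rejected rather than allowed.
            name = ESAPI.validator().getValidInput(
                    "greeting.name", request.getParameter("name"), "SafeString", 50, false);
        } catch (ValidationException e) {
            // Ordinary bad input: log it as a security failure and reject the request.
            LOG.warning(Logger.SECURITY_FAILURE, "Rejected name parameter", e);
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        } catch (IntrusionException e) {
            // The IntrusionDetector classified the input as an attack; the configured
            // response (log, logout, disable) has already been applied by ESAPI.
            LOG.error(Logger.SECURITY_FAILURE, "Intrusion detected on name parameter", e);
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Output encoding through the configured Encoder before the value reaches HTML.
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().write("<p>Hello, " + ESAPI.encoder().encodeForHTML(name) + "</p>");
    }
}
```

Because every call goes through the locator, swapping in a custom Validator, Encoder or Logger with the corresponding ESAPI set method (or via ESAPI.properties) changes the behaviour of this servlet without touching it; the same holds for the filter, which is why the Javadoc insists that clearCurrent() runs in a finally block.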
initialize

public static java.lang.String initialize(java.lang.String impl)

override

public static void override(SecurityConfiguration config)

Overrides the current security configuration with a new implementation. This is meant to be used as a temporary means to alter the behavior of the ESAPI and should *NEVER* be used in a production environment as it will affect the behavior and configuration of the ESAPI *GLOBALLY*. To clear an overridden Configuration, simply call this method with null for the config parameter.
- Parameters:
  - config
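Since override() replaces the configuration for the whole JVM, the practical pattern is to scope it to a single test body and always clear it again with override(null) in a finally block. The helper below is an added example, not code from the ESAPI project: it wraps the real configuration so that only one setting changes, installs the wrapper, runs the body, and restores the original. It assumes the class org.owasp.esapi.reference.SecurityConfigurationWrapper (a delegating SecurityConfiguration shipped with ESAPI 2.x) and the SecurityConfiguration.getMaxHttpHeaderSize() accessor; the class names ConfigOverrideSupport and SmallHeaderConfig are hypothetical.

```java
// Added example, not part of the ESAPI Javadoc: test-scoped use of ESAPI.override().
// Assumes org.owasp.esapi.reference.SecurityConfigurationWrapper (ESAPI 2.x) and the
// SecurityConfiguration.getMaxHttpHeaderSize() method; adjust if your version differs.
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.SecurityConfiguration;
import org.owasp.esapi.reference.SecurityConfigurationWrapper;

public final class ConfigOverrideSupport {

    private ConfigOverrideSupport() { }

    /** Delegates every setting to the real configuration except the HTTP header size limit. */
    static final class SmallHeaderConfig extends SecurityConfigurationWrapper {
        private final int maxHeaderSize;

        SmallHeaderConfig(SecurityConfiguration delegate, int maxHeaderSize) {
            super(delegate);
            this.maxHeaderSize = maxHeaderSize;
        }

        @Override
        public int getMaxHttpHeaderSize() {
            return maxHeaderSize;
        }
    }

    /**
     * Installs config globally, runs body, and clears the override even if body throws.
     * override() is process-wide, so tests using this helper must not run in parallel.
     */
    public static void withOverride(SecurityConfiguration config, Runnable body) {
        ESAPI.override(config);
        try {
            body.run();
        } finally {
            // The Javadoc documents null as the way to clear an overridden configuration.
            ESAPI.override(null);
        }
    }

    /** Exercises code under a 1 KiB header limit without editing ESAPI.properties. */
    public static void demo() {
        SecurityConfiguration real = ESAPI.securityConfiguration();
        withOverride(new SmallHeaderConfig(real, 1024), () -> {
            // Inside the body every locator call sees the wrapper, not the real config.
            int limit = ESAPI.securityConfiguration().getMaxHttpHeaderSize();
            if (limit != 1024) {
                throw new IllegalStateException("override not in effect: " + limit);
            }
        });
        // After the body the wrapper must be gone, otherwise the override leaked.
        if (ESAPI.securityConfiguration() instanceof SmallHeaderConfig) {
            throw new IllegalStateException("override was not cleared");
        }
    }

    public static void main(String[] args) {
        demo();
        System.out.println("override applied and cleared");
    }
}
```

The restore step is the part that matters: a forgotten override(null) leaves every later test (and, if it ever ran in production, every request) under the altered configuration, which is exactly the *GLOBALLY* warning in the Javadoc above.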