> Yeah - I need to investigate further before forming an opinion. The key
> question is what advantage does implementing ESAPI's interfaces in JSecurity
> offer the project and its users. Right now I'm not clear on the
> advantages.
>
> Does anyone else have a better understanding? Peter?

I wasn't sure what was in there, but it seems to be a few things, such as codecs, input validation, protected command execution (wrapper on Runtime.exec() kind of thing), intrusion detection (based on exceptions it seems), and some access control stuff. I thought from the OWASP site that it might have some more fancy stuff.

If JSecurity has most (if not all) of those things, then it's not worth the hassle. I'm not sure the interfaces are used widely enough to warrant implementing them.

However, if there are some features that might make sense, then I think it's worth contemplating borrowing the implementation or providing our own. I'm mainly thinking along the lines of input validation, escaping output, and CSRF things.

Cheers,
Peter
