On Fri, Jan 23, 2009 at 1:31 PM, Peter Ledbrook <[email protected]> wrote:
> > Yeah - I need to investigate further before forming an opinion. The key
> > question is what advantage does implementing ESAPI's interfaces in JSecurity
> > offer the project and its users. Right now I'm not clear on the
> > advantages.
> >
> > Does anyone else have a better understanding? Peter?
>
> I wasn't sure what was in there, but it seems to be a few things, such
> as codecs, input validation, protected command execution (wrapper on
> Runtime.exec() kind of thing), intrusion detection (based on
> exceptions it seems), and some access control stuff.
>
> I thought from the OWASP site that it might have some more fancy
> stuff. If JSecurity has most (if not all) of those things, then it's
> not worth the hassle. I'm not sure the interfaces are used widely
> enough to warrant implementing them. However, if there are some
> features that might make sense, then I think it's worth contemplating
> borrowing the implementation or providing our own.

I definitely agree with this - fill in any gaps that might be valuable that we don't have currently, and then if we do feel implementing their API is desirable (as a separate module), it would be a trivial task.

Something I find interesting about ESAPI and other frameworks is that it seems as if a JSR around application security (not just VM security) might be of benefit to the Java community. I've heard stories about the JSR process, so I don't know if we'd want to go down that road, but still - makes me wonder...

- Les
