I am interested in using the ESAPI project from OWASP to defend against the "OWASP Top Ten" in my web app. I would definitely like to use the validation tools, and am reviewing the HTTPUtility and Encoder interfaces as well. The remainder of the Top 10 I plan to use Shiro (authc, authz, encryption) or other approaches for.
I have two basic questions:

1) If I stick to just Validator from ESAPI, what is the right approach to implement this with Shiro involved? I'm assuming any interaction between the two would be limited to only the data elements that Shiro would look at (login credentials, essentially); all other input data I'd validate in my own non-Shiro-related classes. If that's the case, does Shiro handle all the validation necessary, and I don't need to concern myself with this? If I do need to handle it, any best practices?

2) If I also wanted to use the HTTPUtility and Encoder interfaces, how best should I implement them in conjunction with Shiro? I'm specifically concerned about where in the filter chain they should go so that they don't step on Shiro's toes, and whether there are any limitations I need to be aware of.

Maybe another question I should ask would be: which of the OWASP Top 10 does Shiro completely handle, and which do I need to do in my own code? Would it be: A3 (broken auth and session mgmt), A5 (CSRF), A7 (insecure crypto storage), and A8 (failure to restrict URL access)? It probably handles some of the others specifically for authz/authc purposes, but I'm assuming not generally.

Thanks in advance for any insight on this.

Mike

--
View this message in context: http://shiro-user.582556.n2.nabble.com/How-would-should-Shiro-interact-with-OWASP-ESAPI-tp7493007p7493007.html
Sent from the Shiro User mailing list archive at Nabble.com.

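One way to arrange the pieces the question asks about, as an added example that is not part of the post and is not code from either the Shiro or the ESAPI project: the ESAPI Validator and Encoder interfaces are plain library calls rather than servlet filters, so there is no filter-chain ordering to reconcile with Shiro; the code below validates the login parameters with ESAPI inside a login servlet (by the time the servlet runs, any Shiro filters mapped to the URL have already executed), hands only the validated values to Shiro's `Subject.login()`, and encodes the username with the ESAPI Encoder before it is written back into HTML. Shiro authenticates the credentials; it does not check their format, which is why the ESAPI step comes first. The servlet class name, the `/login` mapping, the maximum lengths and the `"SafeString"` validation type (a pattern defined as `Validator.SafeString` in the default `ESAPI.properties`) are assumptions made for this example.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

// Hypothetical login servlet for this example, assumed to be mapped to /login.
// Shiro's filter chain has already run by the time doPost() is entered; this
// servlet performs the login itself rather than relying on Shiro's "authc" filter.
public class LoginServlet extends HttpServlet {

    // Length bounds are assumptions for this example, not values from either project.
    private static final int MAX_USERNAME = 64;
    private static final int MAX_PASSWORD = 128;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username;
        try {
            // ESAPI validation runs before Shiro sees anything. "SafeString"
            // selects the Validator.SafeString regex from ESAPI.properties;
            // getValidInput() also canonicalizes the input, so encoded variants
            // of disallowed characters are rejected too. allowNull=false.
            username = ESAPI.validator().getValidInput(
                    "login.username", req.getParameter("username"),
                    "SafeString", MAX_USERNAME, false);
        } catch (ValidationException | IntrusionException e) {
            // Report the failure without echoing the raw input back to the client.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid credentials");
            return;
        }

        // The password is deliberately NOT run through a regex or canonicalized:
        // it is an opaque secret, so only presence and length are checked.
        String password = req.getParameter("password");
        if (password == null || password.isEmpty() || password.length() > MAX_PASSWORD) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid credentials");
            return;
        }

        // Only validated data reaches Shiro, which authenticates it (and, on
        // success, associates the authenticated Subject with the session).
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(username, password.toCharArray(), false));
        } catch (AuthenticationException e) {
            // Same generic message for bad username and bad password.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid credentials");
            return;
        }

        // Output side: anything user-controlled is encoded with the ESAPI Encoder
        // for the context it is written into (here, an HTML element body).
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().print("<p>Welcome, " + ESAPI.encoder().encodeForHTML(username) + "</p>");
    }
}
```

The same pattern applies to every other request parameter the application reads: validate with `ESAPI.validator()` at the point the value enters your own code, keep Shiro's involvement limited to `login()` and the authorization checks, and encode with `ESAPI.encoder()` at the point the value leaves as output.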