After looking at this some more, I figured I'd partially answer my own
question below in case somebody else comes along looking for info on this.
I only used Validator from ESAPI. ESAPI is set up internally right now to
require many of its other components (like HTTPUtilities and Encoder), but I
didn't use them directly.
As expected, using Validator for the pieces that are outside of authc/authz
was straightforward, and went without issues. Unfortunately, using Validator
with Shiro required a bit more work.
What I discovered is that Shiro doesn't appear to validate the parameters
(username, password) that are passed to it. My subclass of
AuthenticatingFilter, which was largely modeled after
FormAuthenticationFilter, had two methods that I had copied directly from
FormAuthenticationFilter: getUsername() and getPassword().
AuthenticatingFilter.executeLogin() calls the createToken() method of my
filter subclass, which in turn calls these two methods, and then passes them
up to AuthenticatingFilter's version of the same, and that then returns a
UsernamePasswordToken back to executeLogin(). This general flow is the same
as FormAuthenticationFilter. The original methods internally called the
WebUtils.getCleanParam() method, which in turn made a simple
request.getParameter() call, and passed the results through
StringUtils.clean(). StringUtils.clean() didn't do very much, just did a
trim() and returned null if the string existed but was empty.
TL;DR version - the approach to logging in through the
FormAuthenticationFilter example in Shiro doesn't validate the submitted
parameters in any significant way, so I had to handle it on my own.
What I did to correct this was to forget using the methods like in
FormAuthenticationFilter, and instead had something like the below code,
which did a validation of the submitted password, and passed it through
StringUtils.clean() just to be sure that Shiro was getting what it expected.
Note that, in the case of ValidationException, I returned null, which
upstream triggers an AuthenticationException causing a failed login. I
didn't want to return "invalid entry" to my application from the server-side
for security reasons, and instead just the standard failed authentication
message, so this worked perfectly for my needs. If I had had to send back a
custom "invalid" message, this would have been trickier.
    protected String getPassword(ServletRequest request) {
        String password = null;
        try {
            // "SafePwd" is a custom type, i.e. a Validator.SafePwd pattern in ESAPI.properties
            password = validator.getValidInput("Password",
                    request.getParameter(getPasswordParam()), "SafePwd", MAX_PASSWORD_SIZE,
                    false);
            // same trim / empty-to-null treatment that WebUtils.getCleanParam() applies
            return StringUtils.clean(password);
        } catch (ValidationException ve) {
            logger.info("ValidationException", ve);
            return password; // still null here; upstream this becomes a failed login
        }
    }
In my public constructor method for the filter, I had: validator =
ESAPI.validator(); and validator itself was a class variable.
Anyway, hope this helps somebody else out.
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/How-would-should-Shiro-interact-with-OWASP-ESAPI-tp7493007p7497818.html
Sent from the Shiro User mailing list archive at Nabble.com.
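As an added example (not code from the post above or from the Shiro or ESAPI projects), here is the same idea carried through for both login parameters: a hypothetical filter that extends FormAuthenticationFilter, so its onAccessDenied() and createToken() flow is kept, and that replaces only getUsername() and getPassword() with ESAPI-validated versions. The class name, the size limits, the slf4j logger and the "AccountName" type are assumptions; "SafePwd" is the custom Validator.SafePwd pattern the post assumes.

```java
import javax.servlet.ServletRequest;
import org.apache.shiro.util.StringUtils;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Validator;
import org.owasp.esapi.errors.ValidationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Hypothetical filter: runs both credential parameters through the ESAPI
// Validator before Shiro builds its UsernamePasswordToken. Extending
// FormAuthenticationFilter keeps its onAccessDenied()/createToken() flow.
public class EsapiFormAuthenticationFilter extends FormAuthenticationFilter {
    private static final Logger logger = LoggerFactory.getLogger(EsapiFormAuthenticationFilter.class);

    // Constructed limits; align them with your own password policy.
    private static final int MAX_USERNAME_SIZE = 64;
    private static final int MAX_PASSWORD_SIZE = 128;
    // "AccountName" ships in the default ESAPI.properties; "SafePwd" is the
    // custom Validator.SafePwd pattern the post above assumes.
    private static final String USERNAME_TYPE = "AccountName";
    private static final String PASSWORD_TYPE = "SafePwd";

    private final Validator validator;

    public EsapiFormAuthenticationFilter() {
        this.validator = ESAPI.validator();
    }

    @Override
    protected String getUsername(ServletRequest request) {
        return validated("Username", request.getParameter(getUsernameParam()),
                USERNAME_TYPE, MAX_USERNAME_SIZE);
    }

    @Override
    protected String getPassword(ServletRequest request) {
        return validated("Password", request.getParameter(getPasswordParam()),
                PASSWORD_TYPE, MAX_PASSWORD_SIZE);
    }

    // Returns the cleaned input if it matches the ESAPI type, else null. A null
    // credential makes the realm fail the login with a generic AuthenticationException,
    // so the client learns nothing about which validation rule fired.
    private String validated(String context, String input, String type, int maxLength) {
        try {
            return StringUtils.clean(validator.getValidInput(context, input, type, maxLength, false));
        } catch (ValidationException ve) {
            logger.info("{} rejected by ESAPI validation", context, ve); // server-side only
            return null;
        }
    }
}
```

Register it in shiro.ini in place of the stock authc filter (for example `authc = com.example.EsapiFormAuthenticationFilter`, a placeholder package) and the rest of the form-login flow is unchanged.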