Rapid Application Secured - OWASP ESAPI Library

Monday, September 20, 2010

Fred Williams


There have been some great postings on The Island about writing secure software.  Some of the discussions revolve around developers being ignorant of secure coding practices, and that is the avenue I am taking with a series of postings on "Secure Coding".

I am going to explore the OWASP ESAPI library.  The OWASP ESAPI is a development library that assists development teams with writing secure enterprise software.  The ESAPI has versions for most of the popular programming languages, and since I'm a Java developer, I am going to use the ESAPI for JEE.

The ESAPI provides libraries to handle the development chores behind most issues that make websites insecure:  Positive HTTP Protection, Positive Access Control, Positive Input Validation, generating strong passwords, etc.  So many things!  Search in your favorite search engine for the ESAPI book, then download and read the PDF.

The great thing about this article is that all of the tools listed are FREE!  You don't have to spend a dime to follow this guide.  If you find that you don't like the approach, trash it.

For this article, you will need the following tools:

1)  Your IDE of choice - I am using SpringSource Tool Suite from SpringSource.  This is an Eclipse-based IDE, and you can feel free to use vanilla Eclipse as long as you have the Web Tools Platform (WTP) plugin installed.

2)  Latest version of Java SDK available from the Java web site.

3) Grails - Groovy on Rails.  Grails did for Groovy what Rails did for Ruby: provide a great framework for Rapid Application Development.  Grails runs on the JVM and allows any Java library to be used.  You can mix and match Groovy and Java code in the same project.

4) OWASP ESAPI distribution for Java bundled in a Jar file.

First, fire up your IDE and create a new Dynamic Web Project, then put the ESAPI jar file in the "lib" folder of your application.  Next, you will have to find the ESAPI.properties and validation.properties files that came as part of the ESAPI distribution.  Copy these two files and make sure they are on your project's classpath.  If they are not, your application will fail to start, with messages alerting you that these properties files were not found.

If you see these messages once you start your application, then you know you have completed the initial setup:

------------------------------------------------------------------------------- 

Attempting to load ESAPI.properties via file io.
Attempting to load ESAPI.properties via file io.
Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\workspaces\esapi\esapigrails\ESAPI.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
Not found in 'user.home' directory: C:\Users\frwill\.esapi\ESAPI.properties
Loading ESAPI.properties via file io failed.
Attempting to load ESAPI.properties via the classpath.
Successfully loaded ESAPI.properties via the classpath! BOO-YA!
Attempting to load validation.properties via file io.
Attempting to load validation.properties via file io.
Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\workspaces\esapi\esapigrails\validation.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\validation.properties
Not found in 'user.home' directory: C:\Users\frwill\.esapi\validation.properties
Loading validation.properties via file io failed.
Attempting to load validation.properties via the classpath.
Successfully loaded validation.properties via the classpath! BOO-YA!

----------------------------------------------------------------------------------------

You can see from this actual console listing that ESAPI looks in several file-system locations (a directory named by the org.owasp.esapi.resources system property, a .esapi directory under the resource directory, and a .esapi directory under user.home) before falling back to your classpath to find each properties file.  You get a nice "BOO-YA!" if you are successful.
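As an added example (my own code, not part of the original post or the ESAPI project), here is a small Java class that checks the setup described above and then exercises one ESAPI positive-validation call.  It assumes the ESAPI 2.x API (ESAPI.validator().getValidInput) and that your copy of validation.properties defines the Validator.SafeString pattern, which the stock file does; the sample inputs are constructed.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

public class EsapiSetupCheck {

    // Preflight for the setup step: both properties files must resolve from the
    // classpath root, which is the last place the console listing shows ESAPI
    // looking before it gives up. Returns the names that are missing.
    static String missingResources() {
        ClassLoader cl = EsapiSetupCheck.class.getClassLoader();
        StringBuilder missing = new StringBuilder();
        for (String name : new String[] {"ESAPI.properties", "validation.properties"}) {
            if (cl.getResource(name) == null) {
                missing.append(name).append(' ');
            }
        }
        return missing.toString().trim();   // empty string when setup is complete
    }

    // Positive input validation: the value is accepted only if it matches the
    // Validator.SafeString regex from validation.properties (assumed name; check
    // your copy). Non-matching input is rejected, not "cleaned up".
    static String validatedUserName(String candidate) {
        try {
            return ESAPI.validator().getValidInput("userName", candidate, "SafeString", 50, false);
        } catch (ValidationException e) {
            return null;   // does not match the allow-list pattern
        } catch (IntrusionException e) {
            return null;   // ESAPI's intrusion detector flagged the input
        }
    }

    public static void main(String[] args) {
        String missing = missingResources();
        if (!missing.isEmpty()) {
            System.err.println("ESAPI setup incomplete, not on classpath: " + missing);
            return;
        }
        // Constructed sample inputs: one plain user name, one containing markup.
        String[] samples = {"frwill", "frwill<b>"};
        for (String s : samples) {
            String ok = validatedUserName(s);
            System.out.println("'" + s + "' -> " + (ok == null ? "rejected" : "accepted"));
        }
    }
}
```

Run it with the ESAPI jar and the two properties files on the classpath; the first sample is accepted and the second rejected, which confirms that validation.properties was actually loaded.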

That is it for the introduction and setup.  Stay tuned next time as I start on coding examples that explore the ESAPI Positive Authentication, which includes password management, session ID protections, and using SSL.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.