ESAPI Swingset Interactive - Login


Tutorial

Background

An instance of ESAPI's Authenticator class is obtained as:

Authenticator instance = ESAPI.authenticator();

If you plan on using the default Access Controller, you may need one or more of the following:

  • DataAccessRules.txt
  • FileAccessRules.txt
  • FunctionAccessRules.txt
  • ServiceAccessRules.txt
  • URLAccessRules.txt
  • You do not need users.txt: ESAPI creates this file when your application creates its first user.

    Create Users

    There are two ways to create users safely in ESAPI:

    Use main() from FileBasedAuthenticator to generate users.txt for the first time. To do this:

    java -Dorg.owasp.esapi.resources="/path/resources" -classpath esapi.jar org.owasp.esapi.reference.FileBasedAuthenticator username password role

    To create users from within your application, use:

    ESAPI.authenticator().createUser(username, password, password);

    Two copies of the new password are required to encourage user interface designers to include a "re-type password" field in their forms.
    Note: Users created with the createUser method are disabled and locked by default.

    You must call:

    ESAPI.authenticator().getUser(username).enable();
    ESAPI.authenticator().getUser(username).unlock();
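The three steps above (create, enable, unlock) put together as one method, as an added example that is not part of the Swingset tutorial or the ESAPI code base. The class name ProvisionUser, the password-mismatch check and the demo values in main() are assumptions made for this example; the Authenticator and User calls are the ones the tutorial names.

```java
// Added example: creating a usable account with the ESAPI Authenticator.
// The class name ProvisionUser and the demo values in main() are hypothetical.
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.User;
import org.owasp.esapi.errors.AuthenticationException;

public class ProvisionUser {

    /**
     * Creates a user, assigns a role, then enables and unlocks the account so it can log in.
     * createUser() itself enforces the configured password strength and refuses duplicate
     * account names by throwing AuthenticationException; the caller decides how to report it.
     */
    public static User provision(String accountName, String password, String passwordAgain, String role)
            throws AuthenticationException {
        if (!password.equals(passwordAgain)) {
            // Mirror the "re-type password" check the two-copy API is designed to encourage.
            throw new AuthenticationException("Passwords do not match",
                    "Password mismatch while provisioning " + accountName);
        }
        if (ESAPI.authenticator().exists(accountName)) {
            throw new AuthenticationException("Account already exists",
                    "Attempt to re-create existing account " + accountName);
        }
        User user = ESAPI.authenticator().createUser(accountName, password, passwordAgain);
        user.addRole(role);

        // New users are disabled and locked by default; both flags must be cleared
        // before login() will accept the account.
        user.enable();
        user.unlock();
        return user;
    }

    public static void main(String[] args) throws AuthenticationException {
        // Demo values only; in a real application these come from an admin form or a CLI.
        User u = provision("alice", "C0rrect-Horse-Battery!", "C0rrect-Horse-Battery!", "user");
        System.out.println(u.getAccountName() + " enabled=" + u.isEnabled() + " locked=" + u.isLocked());
    }
}
```

Run it with the same -Dorg.owasp.esapi.resources setting as the command-line example, so that ESAPI finds ESAPI.properties and the users.txt it creates. Whether enable() and unlock() are written to disk immediately depends on the Authenticator implementation; with the reference FileBasedAuthenticator, check that users.txt reflects the change (that class exposes a saveUsers() method for persisting the in-memory user set).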

    Login

    If you use the default ESAPI authenticator, you will need your login page to use SSL, so be sure to have a keystore file and adjust your server configuration settings to account for this. If you are using Apache Tomcat, please see the readme included in the latest release of the ESAPI Swingset for help setting up SSL.

    Set up SSL for Tomcat 6.0

    To authenticate a user, call:

    User user = ESAPI.authenticator().login(request, response); // request: HttpServletRequest, response: HttpServletResponse

    Be sure to set the UsernameParameterName and PasswordParameterName variables in ESAPI.properties. The login method reads the request parameters with those names from the HTTP request to obtain the username and password the user entered.

    Logout

    To log a User out, simply call:

    ESAPI.authenticator().logout(); // logs out the current user; returns nothing

    ESAPI User Interface

    ESAPI's User interface holds much of the information an application must keep for each user in order to enforce security properly.

    A user account can be in one of several states. When first created, a User should be disabled, not expired, and unlocked. To start using the account, an administrator should enable the account. The account can be locked for a number of reasons, most commonly because of too many failed login attempts. Finally, the account can expire once its expiration date has been reached. The User must be enabled, not expired, and unlocked in order to pass authentication.
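The login and logout calls from the sections above, together with the account-state checks just described, in one servlet. This is an added example, not code from the Swingset or from ESAPI: the servlet name, the "action=logout" parameter, the redirect targets and the "error" request attribute are hypothetical choices; login(), logout() and the User state methods are the ESAPI API the tutorial refers to.

```java
// Added example: a minimal login/logout servlet built on the ESAPI Authenticator.
// Hypothetical parts: the class name, the "action" parameter, the JSP paths and
// the "error" request attribute used to show the failure message.
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.User;
import org.owasp.esapi.errors.AuthenticationException;

public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if ("logout".equals(request.getParameter("action"))) {
            // logout() ends the ESAPI session of the current user; it has no return value.
            ESAPI.authenticator().logout();
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }
        try {
            // login() reads the username/password parameters named in ESAPI.properties,
            // requires a secure (SSL) channel, and rejects accounts that are disabled,
            // locked or expired, so no separate state check is needed on this path.
            User user = ESAPI.authenticator().login(request, response);
            response.sendRedirect(request.getContextPath() + "/home.jsp");
        } catch (AuthenticationException e) {
            // Show the user-safe message only; ESAPI has already logged the detailed reason.
            request.setAttribute("error", e.getUserMessage());
            request.getRequestDispatcher("/login.jsp").forward(request, response);
        }
    }

    /**
     * Summarises the account states the tutorial describes; intended for an admin page
     * or a server-side log, never for the login response itself.
     */
    static String accountState(User user) {
        boolean canAuthenticate = user.isEnabled() && !user.isLocked() && !user.isExpired();
        return user.getAccountName()
                + " enabled=" + user.isEnabled()
                + " locked=" + user.isLocked()
                + " expired=" + user.isExpired()
                + " canAuthenticate=" + canAuthenticate;
    }
}
```

Because login() performs the enabled/locked/expired checks itself, the servlet only needs to handle the AuthenticationException; accountState() is where an administrator would look when a user reports that a login is refused, for example after the lockout from repeated failed attempts.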


    OWASP Enterprise Security API Project