Class ESAPI


  • public final class ESAPI
    extends java.lang.Object
    ESAPI locator class is provided to make it easy to gain access to the current ESAPI classes in use. Use the set methods to override the reference implementations with instances of any custom ESAPI implementations.
    • Method Detail

      • clearCurrent

        public static void clearCurrent()
        Clears the current User, HttpRequest, and HttpResponse associated with the current thread. This method MUST be called as some containers do not properly clear threadlocal variables when the execution of a thread is complete. The suggested approach is to put this call in a finally block inside a filter.
        // Example filter from the ESAPI documentation; "logger" is the filter's own
        // ESAPI Logger (for instance ESAPI.getLogger(getClass())).
        public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException {
            try {
                HttpServletRequest request = (HttpServletRequest) req;
                HttpServletResponse response = (HttpServletResponse) resp;
                // bind request/response to this thread so ESAPI.currentRequest() etc. work downstream
                ESAPI.httpUtilities().setCurrentHTTP(request, response);
                ESAPI.authenticator().login();
                chain.doFilter(request, response);
            } catch (Exception e) {
                logger.error( Logger.SECURITY_FAILURE, "Error in ESAPI security filter: " + e.getMessage(), e );
            } finally {
                // VERY IMPORTANT
                // clear out ThreadLocal variables
                ESAPI.clearCurrent();
            }
        }

        The advantages of having identity everywhere are worth the risk here.
      • currentRequest

        public static javax.servlet.http.HttpServletRequest currentRequest()
        Get the current HTTP Servlet Request being processed.
        Returns:
        the current HTTP Servlet Request.
      • currentResponse

        public static javax.servlet.http.HttpServletResponse currentResponse()
        Get the current HTTP Servlet Response being generated.
        Returns:
        the current HTTP Servlet Response.
      • accessController

        public static AccessController accessController()
        Returns:
        the current ESAPI AccessController object being used to maintain the access control rules for this application.
      • authenticator

        public static Authenticator authenticator()
        Returns:
        the current ESAPI Authenticator object being used to authenticate users for this application.
      • encoder

        public static Encoder encoder()
        The ESAPI Encoder is primarily used to provide output encoding to prevent Cross-Site Scripting (XSS).
        Returns:
        the current ESAPI Encoder object being used to encode and decode data for this application.
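        The following servlet is an added example, not code from the ESAPI project or its documentation. It runs behind a filter like the one shown under clearCurrent, so it reads the thread-bound request and response through the locator, validates a parameter, and output-encodes it for two different HTML contexts. The servlet name, the "name" parameter, and the maximum length are assumptions; "SafeString" refers to the Validator.SafeString pattern shipped in the default ESAPI.properties.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

// Hypothetical servlet: relies on the security filter having called
// setCurrentHTTP() before it runs and clearCurrent() in its finally block.
public class GreetingServlet extends HttpServlet {
    private static final Logger LOG = ESAPI.getLogger(GreetingServlet.class);

    @Override
    protected void doGet(HttpServletRequest ignoredReq, HttpServletResponse ignoredResp)
            throws IOException {
        // Locator-provided objects, bound to this thread by the filter.
        HttpServletRequest request = ESAPI.currentRequest();
        HttpServletResponse response = ESAPI.currentResponse();

        String name;
        try {
            // Whitelist validation: "SafeString" rule, max 32 chars (assumed), null not allowed.
            name = ESAPI.validator().getValidInput(
                    "greeting name", request.getParameter("name"), "SafeString", 32, false);
        } catch (ValidationException | IntrusionException e) {
            // Invalid input is logged as a security failure and rejected, never rendered.
            LOG.warning(Logger.SECURITY_FAILURE, "Rejected name parameter: " + e.getMessage());
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Output encoding is chosen per context: element body vs. attribute value.
        String html = ESAPI.encoder().encodeForHTML(name);
        String attr = ESAPI.encoder().encodeForHTMLAttribute(name);

        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<p title=\"" + attr + "\">Hello, " + html + "</p>");
    }
}
```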
      • encryptor

        public static Encryptor encryptor()
        Returns:
        the current ESAPI Encryptor object being used to encrypt and decrypt data for this application.
      • executor

        public static Executor executor()
        Returns:
        the current ESAPI Executor object being used to safely execute OS commands for this application.
      • httpUtilities

        public static HTTPUtilities httpUtilities()
        Returns:
        the current ESAPI HTTPUtilities object being used to safely access HTTP requests and responses for this application.
      • intrusionDetector

        public static IntrusionDetector intrusionDetector()
        Returns:
        the current ESAPI IntrusionDetector being used to monitor for intrusions in this application.
      • getLogger

        public static Logger getLogger(java.lang.Class clazz)
        Parameters:
        clazz - The class to associate the logger with.
        Returns:
        The current Logger associated with the specified class.
      • getLogger

        public static Logger getLogger(java.lang.String moduleName)
        Parameters:
        moduleName - The module to associate the logger with.
        Returns:
        The current Logger associated with the specified module.
      • log

        public static Logger log()
        Returns:
        The default Logger.
      • randomizer

        public static Randomizer randomizer()
        Returns:
        the current ESAPI Randomizer being used to generate random numbers in this application.
      • securityConfiguration

        public static SecurityConfiguration securityConfiguration()
        Returns:
        the current ESAPI SecurityConfiguration being used to manage the security configuration for ESAPI for this application.
      • validator

        public static Validator validator()
        Returns:
        the current ESAPI Validator being used to validate data in this application.
      • initialize

        public static java.lang.String initialize(java.lang.String impl)
      • override

        public static void override(SecurityConfiguration config)
        Overrides the current security configuration with a new implementation. This is meant to be used as a temporary means to alter the behavior of the ESAPI and should *NEVER* be used in a production environment as it will affect the behavior and configuration of the ESAPI *GLOBALLY*. To clear an overridden Configuration, simply call this method with null for the config parameter.
        Parameters:
        config - The new security configuration.