ESAPI / esapi-java-legacy

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
https://owasp.org/www-project-enterprise-security-api/

Extract standalone methods from Authenticator class #128

Open meg23 opened 10 years ago

meg23 commented 10 years ago

From ntcho...@gmail.com on April 21, 2010 11:11:05

The following issue is an enhancement request, to aid in the usability of the methods in the Authenticator class.

I was looking at the Authenticator class for Java and noticed methods for "verifyPasswordStrength" and "generateStrongPassword". I would like to use both methods to augment our existing portal architecture, which does not support (or at least is not obvious to me) password strength checking other than requiring passwords of a configurable length. As the portal handles the authentication for our application, I wasn't keen on trying to map the internal portal SDK to the Authenticator interface just to get support for password strength validation. I may be alone in my thinking, but shouldn't these stand-alone methods be moved to a separate concrete class with static implementations of the methods? Or, at minimum, another interface, AuthenticatorUtil for instance, that has these methods and can be overridden to provide a custom implementation, or the base reference implementation can be used.

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=118

meg23 commented 10 years ago

From manico.james@gmail.com on November 02, 2010 00:42:18

Let me run this by Jeff, this seems reasonable.

Labels: Milestone-Release2.0

meg23 commented 10 years ago

From manico.james@gmail.com on November 02, 2010 00:59:06

Status: Accepted

meg23 commented 10 years ago

From manico.james@gmail.com on November 02, 2010 05:05:42

(From Jeff Williams)

Yes - seems reasonable. PasswordUtils? Long term, pulling all the password related details out of Authenticator is probably the right thing to do.
The Authenticator could have other non-password based authentication plug-in providers.
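The shape of what the original request and Jeff's "PasswordUtils?" reply both describe, as an added illustration that is not ESAPI's code and not part of this issue thread: a standalone utility that offers strength checking and strong-password generation without requiring a caller to implement the whole Authenticator interface. The class name `PasswordUtils`, the policy values (minimum length 12, at least 3 character classes) and the method signatures are assumptions for this example; ESAPI's real `verifyPasswordStrength` also takes the `User` being checked, which is omitted here to keep the utility free of any Authenticator-side type.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;

// Hypothetical standalone password utility (not ESAPI's own code): the
// password-only parts of Authenticator pulled into a class that an
// application whose authentication lives elsewhere can call directly.
public final class PasswordUtils {

    // Alphabets exclude look-alike characters (I, O, l, 0, 1) so generated
    // passwords are easier to transcribe; this is a policy choice, not a rule.
    private static final String UPPER   = "ABCDEFGHJKLMNPQRSTUVWXYZ";
    private static final String LOWER   = "abcdefghijkmnopqrstuvwxyz";
    private static final String DIGITS  = "23456789";
    private static final String SPECIAL = "!@#$%^&*()_-+=[]{};:,.<>?";
    private static final String ALL     = UPPER + LOWER + DIGITS + SPECIAL;

    private static final int MIN_LENGTH  = 12; // assumed policy value
    private static final int MIN_CLASSES = 3;  // assumed policy value

    private PasswordUtils() {}

    /**
     * Checks a candidate password against the policy. Returns the list of
     * violations; an empty list means the password is acceptable.
     * oldPassword may be null when there is no previous password to compare.
     */
    public static List<String> verifyPasswordStrength(String oldPassword, String newPassword) {
        List<String> problems = new ArrayList<>();
        if (newPassword == null || newPassword.length() < MIN_LENGTH) {
            problems.add("shorter than " + MIN_LENGTH + " characters");
            return problems;
        }
        int classes = 0;
        if (newPassword.chars().anyMatch(Character::isUpperCase)) classes++;
        if (newPassword.chars().anyMatch(Character::isLowerCase)) classes++;
        if (newPassword.chars().anyMatch(Character::isDigit)) classes++;
        if (newPassword.chars().anyMatch(c -> SPECIAL.indexOf(c) >= 0)) classes++;
        if (classes < MIN_CLASSES) {
            problems.add("uses only " + classes + " of the required " + MIN_CLASSES + " character classes");
        }
        if (oldPassword != null && tooSimilar(oldPassword, newPassword)) {
            problems.add("too similar to the previous password");
        }
        return problems;
    }

    // "Too similar": one contains the other (case-insensitive), or they share
    // a common prefix covering at least half of the shorter one.
    private static boolean tooSimilar(String oldPw, String newPw) {
        String a = oldPw.toLowerCase();
        String b = newPw.toLowerCase();
        if (a.contains(b) || b.contains(a)) {
            return true;
        }
        int limit = Math.min(a.length(), b.length());
        int common = 0;
        while (common < limit && a.charAt(common) == b.charAt(common)) {
            common++;
        }
        return common >= limit / 2;
    }

    /**
     * Generates a random password of the given length from a SecureRandom.
     * One character from each class is placed first and the result shuffled,
     * so the output always satisfies verifyPasswordStrength with no old password.
     */
    public static String generateStrongPassword(SecureRandom rng, int length) {
        if (length < MIN_LENGTH) {
            throw new IllegalArgumentException("length must be at least " + MIN_LENGTH);
        }
        char[] out = new char[length];
        out[0] = pick(rng, UPPER);
        out[1] = pick(rng, LOWER);
        out[2] = pick(rng, DIGITS);
        out[3] = pick(rng, SPECIAL);
        for (int i = 4; i < length; i++) {
            out[i] = pick(rng, ALL);
        }
        // Fisher-Yates shuffle so the guaranteed characters do not sit at fixed positions
        for (int i = length - 1; i > 0; i--) {
            int j = rng.nextInt(i + 1);
            char t = out[i];
            out[i] = out[j];
            out[j] = t;
        }
        return new String(out);
    }

    private static char pick(SecureRandom rng, String alphabet) {
        return alphabet.charAt(rng.nextInt(alphabet.length()));
    }

    public static void main(String[] args) {
        SecureRandom rng = new SecureRandom();
        String generated = generateStrongPassword(rng, 16);
        System.out.println("generated password passes policy: "
                + verifyPasswordStrength(null, generated).isEmpty());
        // Constructed weak candidates, to show the violation list
        System.out.println("'password1': " + verifyPasswordStrength(null, "password1"));
        System.out.println("'Summer2024!!' after 'summer2024': "
                + verifyPasswordStrength("summer2024", "Summer2024!!"));
    }
}
```

Returning a list of violations rather than a boolean lets a caller show the user exactly which rule failed, and taking the `SecureRandom` as a parameter keeps the utility free of hidden global state, which is what makes it usable from a portal that never touches an Authenticator implementation.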

meg23 commented 10 years ago

From manico.james@gmail.com on November 02, 2010 05:06:11

I agree w/ Jeff and would like to target these changes for 2.1

Labels: -Type-Defect -Priority-Medium Type-Enhancement Priority-High

kwwall commented 6 years ago

I am marking this as Milestone 3.0 because this would be a change to an major interface and could break the code of anyone who has customized their own Authenticator. (I'm assuming that no one is using FileBasedAuthenticator for anything other than toy programs.) But changes to interfaces should be reserved for the next major release. I also am going lowering the priority from High to Medium.