Packages that use AccessControlException:

| Package | Description |
|---|---|
| org.owasp.esapi | The ESAPI interfaces and exception classes model the most important security functions for enterprise web applications. |
| org.owasp.esapi.reference | Reference implementations of the ESAPI interfaces. |
| org.owasp.esapi.reference.accesscontrol | |
| org.owasp.esapi.reference.accesscontrol.policyloader | |
Methods in org.owasp.esapi that throw AccessControlException:

| Modifier and Type | Method and Description |
|---|---|
| void | `AccessController.assertAuthorized(java.lang.Object key, java.lang.Object runtimeParameter)` Executes the AccessControlRule identified by `key` in the resources/ESAPI-AccessControlPolicy.xml file, passing it `runtimeParameter`, and throws unless the rule grants access. |
| void | `AccessController.assertAuthorizedForData(java.lang.String action, java.lang.Object data)` Checks that the current user is authorized to perform `action` on the referenced data. |
| void | `AccessController.assertAuthorizedForFile(java.lang.String filepath)` Checks that the current user is authorized to access the referenced file. |
| void | `AccessController.assertAuthorizedForFunction(java.lang.String functionName)` Checks that the current user is authorized to use the referenced function. |
| void | `AccessController.assertAuthorizedForService(java.lang.String serviceName)` Checks that the current user is authorized to access the referenced service. |
| void | `AccessController.assertAuthorizedForURL(java.lang.String url)` Checks that the current user is authorized to access the referenced URL. |
| void | `HTTPUtilities.assertSecureChannel()` Calls `assertSecureChannel` with the *current* request, i.e. the one registered for this thread (normally by the ESAPI filter through `setCurrentHTTP`). |
| void | `HTTPUtilities.assertSecureChannel(javax.servlet.http.HttpServletRequest request)` Ensures the request arrived over SSL/TLS, protecting sensitive parameters in the request and sensitive data in the response. |
| void | `HTTPUtilities.assertSecureRequest()` Calls `assertSecureRequest` with the *current* request. |
| void | `HTTPUtilities.assertSecureRequest(javax.servlet.http.HttpServletRequest request)` Ensures the request uses both SSL/TLS and POST, so that sensitive parameters are not carried in the query string, where they could be sniffed, logged, bookmarked, or leaked through the Referer header. |
| `<T> T` | `AccessReferenceMap.getDirectReference(K indirectReference)` Returns the original direct object reference for an indirect reference; an indirect reference that is not in the map is rejected. |
| `<T> K` | `AccessReferenceMap.removeDirectReference(T direct)` Removes a direct reference and its associated indirect reference from the AccessReferenceMap. |
| void | `HTTPUtilities.sendForward(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, java.lang.String location)` Performs a server-side forward to a resource located inside the WEB-INF directory, which clients cannot request directly. |
| void | `HTTPUtilities.sendForward(java.lang.String location)` Calls `sendForward` with the *current* request and response. |
| void | `HTTPUtilities.sendRedirect(javax.servlet.http.HttpServletResponse response, java.lang.String location)` Sends an HTTP redirect to `location`. Unlike `sendForward`, this is a client-side redirect, and the location must pass ESAPI's redirect validation before it is sent. |
| void | `HTTPUtilities.sendRedirect(java.lang.String location)` Calls `sendRedirect` with the *current* response. |
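The interfaces listed above are designed so that every failed check surfaces as the same exception, which lets a request handler fail closed with one catch block. The following servlet is an added example, not ESAPI's own code: it assumes the ESAPI filter has been installed so that `ESAPI.accessController()` and `ESAPI.httpUtilities()` are configured, that the function names `account:view` and `account:update` are known to the configured AccessController, that the session attribute name `accountRefs` and the JSP path are free to choose, and that the `Validator.Redirect` pattern in ESAPI.properties permits `/account/updated`. The account ids are constructed sample data.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.AccessReferenceMap;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.reference.RandomAccessReferenceMap;

/**
 * Added example (not ESAPI's own code). Every check it relies on fails by
 * throwing AccessControlException, so each handler has a single fail-closed path.
 */
public class AccountServlet extends HttpServlet {

    // Hypothetical names: session attribute for the reference map, and the
    // function names the AccessController policy is assumed to know about.
    private static final String MAP_ATTR = "accountRefs";
    private static final String VIEW_FN = "account:view";
    private static final String UPDATE_FN = "account:update";

    /** Indirect-reference map for the accounts this session's user owns. */
    @SuppressWarnings("unchecked")
    private AccessReferenceMap<String> refs(HttpServletRequest request) {
        AccessReferenceMap<String> map =
            (AccessReferenceMap<String>) request.getSession().getAttribute(MAP_ATTR);
        if (map == null) {
            // Constructed sample data; a real app loads the user's own record ids.
            Set<Object> owned = new HashSet<Object>(Arrays.asList(1001L, 1002L));
            map = new RandomAccessReferenceMap(owned);   // random, per-session tokens
            request.getSession().setAttribute(MAP_ATTR, map);
        }
        return map;
    }

    /** Common gate: function-level check, then resolve the opaque "acct" token. */
    private Long authorizedAccount(HttpServletRequest request, String function)
            throws AccessControlException {
        ESAPI.accessController().assertAuthorizedForFunction(function);
        // A token this user was never issued (guessed, tampered, or another
        // user's) is unknown to the map, and getDirectReference throws.
        return refs(request).getDirectReference(request.getParameter("acct"));
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            ESAPI.httpUtilities().assertSecureChannel(request);      // TLS required
            request.setAttribute("accountId", authorizedAccount(request, VIEW_FN));
            // Forward only into WEB-INF, so the JSP cannot be requested directly
            // and thereby bypass the checks above.
            ESAPI.httpUtilities().sendForward(request, response, "WEB-INF/jsp/account.jsp");
        } catch (AccessControlException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);   // fail closed, generic
        }
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            ESAPI.httpUtilities().assertSecureRequest(request);      // TLS *and* POST
            Long accountId = authorizedAccount(request, UPDATE_FN);
            updateNickname(accountId, request.getParameter("nickname"));
            // Post/Redirect/Get with a fixed, validated location. Never redirect to
            // a caller-supplied "next" parameter: that would be an open redirect.
            ESAPI.httpUtilities().sendRedirect(response, "/account/updated");
        } catch (AccessControlException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    private void updateNickname(Long accountId, String nickname) {
        // Persistence is out of scope for this example.
    }
}
```

The no-argument overloads (`assertSecureChannel()`, `sendForward(location)`, `sendRedirect(location)`) would work the same way here, provided the current request and response have been registered for the thread; passing them explicitly, as above, removes that dependency.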
Methods in org.owasp.esapi.reference that throw AccessControlException:

| Modifier and Type | Method and Description |
|---|---|
| void | `DefaultAccessController.assertAuthorized(java.lang.Object key, java.lang.Object runtimeParameter)` Executes the AccessControlRule identified by `key` in the resources/ESAPI-AccessControlPolicy.xml file, passing it `runtimeParameter`, and throws unless the rule grants access. |
| void | `DefaultAccessController.assertAuthorizedForData(java.lang.String action, java.lang.Object data)` Checks that the current user is authorized to perform `action` on the referenced data. |
| void | `DefaultAccessController.assertAuthorizedForFile(java.lang.String filepath)` Deprecated. |
| void | `DefaultAccessController.assertAuthorizedForFunction(java.lang.String functionName)` Checks that the current user is authorized to use the referenced function. |
| void | `DefaultAccessController.assertAuthorizedForService(java.lang.String serviceName)` Checks that the current user is authorized to access the referenced service. |
| void | `DefaultAccessController.assertAuthorizedForURL(java.lang.String url)` Checks that the current user is authorized to access the referenced URL. |
| void | `DefaultHTTPUtilities.assertSecureChannel()` Calls `assertSecureChannel` with the *current* request. |
| void | `DefaultHTTPUtilities.assertSecureChannel(javax.servlet.http.HttpServletRequest request)` Ensures the request arrived over SSL/TLS, protecting sensitive parameters in the request and sensitive data in the response. |
| void | `DefaultHTTPUtilities.assertSecureRequest()` Calls `assertSecureRequest` with the *current* request. |
| void | `DefaultHTTPUtilities.assertSecureRequest(javax.servlet.http.HttpServletRequest request)` Ensures the request uses both SSL/TLS and POST, so that sensitive parameters are not carried in the query string, where they could be sniffed, logged, bookmarked, or leaked through the Referer header. |
| `<T> T` | `AbstractAccessReferenceMap.getDirectReference(K indirectReference)` Returns the original direct object reference for an indirect reference; an indirect reference that is not in the map is rejected. |
| static AccessController | `DefaultAccessController.getInstance()` Returns the shared DefaultAccessController instance, constructing it (and so loading the access-control policy) on first use. |
| `<T> K` | `AbstractAccessReferenceMap.removeDirectReference(T direct)` Removes a direct reference and its associated indirect reference from the AccessReferenceMap. |
| void | `DefaultHTTPUtilities.sendForward(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, java.lang.String location)` Performs a server-side forward to a resource located inside the WEB-INF directory, which clients cannot request directly. |
| void | `DefaultHTTPUtilities.sendForward(java.lang.String location)` Calls `sendForward` with the *current* request and response. |
| void | `DefaultHTTPUtilities.sendRedirect(javax.servlet.http.HttpServletResponse response, java.lang.String location)` Sends an HTTP redirect to `location`. Unlike `sendForward`, this is a client-side redirect, and the location must pass ESAPI's redirect validation before it is sent. |
| void | `DefaultHTTPUtilities.sendRedirect(java.lang.String location)` Calls `sendRedirect` with the *current* response. |
Constructors in org.owasp.esapi.reference that throw AccessControlException:

| Constructor and Description |
|---|
| `DefaultAccessController()` |
Methods in org.owasp.esapi.reference.accesscontrol that throw AccessControlException:

| Modifier and Type | Method and Description |
|---|---|
| void | `ExperimentalAccessController.assertAuthorized(java.lang.Object key, java.lang.Object runtimeParameter)` |
| void | `ExperimentalAccessController.assertAuthorizedForData(java.lang.String action, java.lang.Object data)` Deprecated. |
| void | `ExperimentalAccessController.assertAuthorizedForFile(java.lang.String filepath)` Deprecated. |
| void | `ExperimentalAccessController.assertAuthorizedForFunction(java.lang.String functionName)` Deprecated. |
| void | `ExperimentalAccessController.assertAuthorizedForService(java.lang.String serviceName)` Deprecated. |
| void | `ExperimentalAccessController.assertAuthorizedForURL(java.lang.String url)` Deprecated. |
| boolean | `FileBasedACRs.isAuthorizedForData(java.lang.String action, java.lang.Object data)` TODO Javadoc |
| boolean | `FileBasedACRs.isAuthorizedForFile(java.lang.String filepath)` TODO Javadoc |
| boolean | `FileBasedACRs.isAuthorizedForFunction(java.lang.String functionName)` TODO Javadoc |
| boolean | `FileBasedACRs.isAuthorizedForService(java.lang.String serviceName)` TODO Javadoc |

Constructors in org.owasp.esapi.reference.accesscontrol that throw AccessControlException:

| Constructor and Description |
|---|
| `ExperimentalAccessController()` |
Methods in org.owasp.esapi.reference.accesscontrol.policyloader that throw AccessControlException:

| Modifier and Type | Method and Description |
|---|---|
| void | `PolicyDTO.addAccessControlRule(java.lang.String key, java.lang.String accessControlRuleClassName, java.lang.Object policyParameter)` |
| PolicyDTO | `ACRPolicyFileLoader.load()` |
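The key-based `assertAuthorized(key, runtimeParameter)` entry point listed for AccessController and DefaultAccessController above, and the policy loader in this package, meet in a rule class that the policy file binds to a key. The following is an added example, not ESAPI's own code: `TransferACR` and `TransferRequest` are hypothetical application classes, the key `Transfer` and the package `com.example` are chosen for the example, the shape of the policy entry shown in the comment is an assumption about the resources/ESAPI-AccessControlPolicy.xml format, and the sample transfers in `main` are constructed data.

```java
// File: com/example/TransferRequest.java
package com.example;

/** Runtime parameter handed to the rule on every check (hypothetical app type). */
public final class TransferRequest {
    public final String currentUser;    // authenticated principal making the call
    public final String accountOwner;   // owner of the source account
    public final long amountCents;

    public TransferRequest(String currentUser, String accountOwner, long amountCents) {
        this.currentUser = currentUser;
        this.accountOwner = accountOwner;
        this.amountCents = amountCents;
    }
}

// File: com/example/TransferACR.java
package com.example;

import org.owasp.esapi.reference.accesscontrol.BaseACR;

/**
 * Hypothetical rule: a transfer is allowed only when the caller owns the source
 * account and the amount is within a fixed limit. In BaseACR<P, R>, P is the type
 * of the policy parameters read from the policy file (none used here) and R the
 * runtime parameter type passed to assertAuthorized.
 */
public class TransferACR extends BaseACR<Object, TransferRequest> {
    private static final long LIMIT_CENTS = 100_000L;   // 1000.00, chosen for the example

    @Override
    public boolean isAuthorized(TransferRequest request) {
        if (request == null || request.currentUser == null) {
            return false;   // fail closed: a missing parameter never grants access
        }
        return request.currentUser.equals(request.accountOwner)
            && request.amountCents > 0
            && request.amountCents <= LIMIT_CENTS;
    }
}

// File: com/example/TransferService.java
package com.example;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.AccessControlException;

public class TransferService {
    /*
     * Assumed policy entry in resources/ESAPI-AccessControlPolicy.xml, binding
     * the key used below to the rule class (entry shape is an assumption):
     *
     *   <rule name="Transfer" class="com.example.TransferACR"/>
     *
     * DefaultAccessController.assertAuthorized looks the key up in the loaded
     * policy, calls TransferACR.isAuthorized(runtimeParameter), and throws
     * AccessControlException when the rule returns false. In the reference
     * implementation a key with no rule, or a rule that throws, ends the same
     * way, so callers only ever see "denied".
     */
    private static final String RULE_KEY = "Transfer";

    public void transfer(TransferRequest request) throws AccessControlException {
        ESAPI.accessController().assertAuthorized(RULE_KEY, request);
        // Only reached when the rule granted access; move the money here.
    }

    public static void main(String[] args) {
        TransferService service = new TransferService();
        // Constructed sample calls: the first is allowed, the other two are denied.
        TransferRequest[] samples = {
            new TransferRequest("alice", "alice", 50_00L),
            new TransferRequest("mallory", "alice", 50_00L),    // not the owner
            new TransferRequest("alice", "alice", 5_000_00L),   // over the limit
        };
        for (TransferRequest r : samples) {
            try {
                service.transfer(r);
                System.out.println("allowed: " + r.currentUser + " " + r.amountCents);
            } catch (AccessControlException e) {
                // getUserMessage() is the generic text safe to show the caller;
                // the detailed reason goes to the ESAPI log, not to the user.
                System.out.println("denied: " + e.getUserMessage());
            }
        }
    }
}
```

Keeping the decision in the rule, and the rule reachable only through the key, means the call site carries no authorization logic of its own; changing the limit or the ownership test is a change to `TransferACR` (and, if the rule needs tunables, to the policy parameters the loader hands to `setPolicyParameters`), not to every caller.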