Note up front: this post only covers how I used this component, nothing more.
Once again in an important XX period (I hope this article helps colleagues facing the same requirement): a web application of ours was facing security hardening requirements for the first time. The AppScan security test report was an eye-opener: comprehensive content, clear recommendations, and in Chinese. Of course, some of the Chinese text is obviously useless.
The back-end architecture of this application had been fairly stable, so the main problems were on the side closer to the front end: things like output filtering (output encoding) were not in place, and mature component code should be introduced to do that work. Wu Hanqing's book "White Hat Talks Web Security" recommends OWASP ESAPI, whose full name is Enterprise Security API. Official website: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API. Looking at its home page, it seems to provide branches for many languages; I took the Java EE version. This thing is very powerful, so here is the feature list straight from the official documentation:
The features in this release of ESAPI for Java EE include:
- ESAPI core components: the ESAPI locator and interface classes.
- ESAPI security control reference implementations for the following security controls: authentication, identity, access control, input validation, output encoding, exception handling, intrusion detection, security configuration.
- ESAPI web application firewall (WAF) component.
- Fixes for specific issues; for more information, see "Enhancements and Resolved Issues".
This component is not a matter of simply dropping the jar in and being done: during initialization it needs to read two configuration files, ESAPI.properties and validation.properties. These two files may not be found in the directory shown in the installation guide, but you can unzip the distribution and search for the DIST directory, put the two files into the src directory (so they end up on the classpath), and you will be OK.
As for usage, I used some of the encodeXXX functions in DefaultEncoder, basically obtained through the getInstance() singleton method; for everything else, read the documentation. So what is this post really about? Mainly I want to say something about the Java Web "output filtering" code found on the Chinese-language web: it is mostly code written by individuals (in fact one version copied around). That does not mean their code is bad, but it is always better to introduce component-level code that is relatively mature and tested. In other words, these things are security-related and should not be underestimated.
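To make the point above concrete, here is an added example (my own code, not from the post or from the ESAPI project) that puts a typical hand-rolled "output filter" beside ESAPI's context-specific encoders. It assumes the ESAPI 2.x jar is on the classpath together with ESAPI.properties and validation.properties as described above; the tainted input string is constructed for the demonstration. The naiveFilter method stands in for the kind of replace-only code that circulates on the web; the ESAPI calls are the real API (ESAPI.encoder() returns the same singleton that DefaultEncoder.getInstance() does).

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.EncodingException;

public class EsapiOutputEncodingDemo {

    // Constructed sample: the kind of payload an AppScan XSS finding reports.
    static final String TAINTED = "<script>alert('x')</script>\" onmouseover=\"alert(1)";

    // Hand-rolled "filter" (hypothetical, representative of copied snippets):
    // only escapes the angle brackets, regardless of where the value lands.
    static String naiveFilter(String s) {
        return s.replace("<", "&lt;").replace(">", "&gt;");
    }

    // ESAPI: pick the encoder for the output context the value is written into.
    // Obtaining the singleton fails at initialization if ESAPI.properties cannot be found.
    static String forHtmlBody(String s) {
        Encoder enc = ESAPI.encoder();
        return enc.encodeForHTML(s);
    }

    static String forHtmlAttribute(String s) {
        return ESAPI.encoder().encodeForHTMLAttribute(s);
    }

    static String forJavaScriptString(String s) {
        return ESAPI.encoder().encodeForJavaScript(s);
    }

    static String forUrlParameter(String s) throws EncodingException {
        return ESAPI.encoder().encodeForURL(s);
    }

    public static void main(String[] args) throws EncodingException {
        // Naive filter: body context looks fine...
        System.out.println("<p>" + naiveFilter(TAINTED) + "</p>");
        // ...but in an attribute the unescaped double quote closes the value and the
        // injected onmouseover handler survives, so the XSS finding is still valid.
        System.out.println("<input value=\"" + naiveFilter(TAINTED) + "\">");

        // ESAPI: one encoder per context, quotes and event handlers neutralized.
        System.out.println("<p>" + forHtmlBody(TAINTED) + "</p>");
        System.out.println("<input value=\"" + forHtmlAttribute(TAINTED) + "\">");
        System.out.println("<script>var q = '" + forJavaScriptString(TAINTED) + "';</script>");
        System.out.println("/search?q=" + forUrlParameter(TAINTED));
    }
}
```

The practical check is to run this once against a real AppScan payload: if the naiveFilter line still renders an active attribute, the existing filter is the problem, not the scanner. Note also that ESAPI.encoder() throws at first use when the two properties files are missing, which is the failure the paragraph above is warning about, so run it in the same environment where the jar will be deployed.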