How do I get started using ESAPI WAF?

Question

I've been to the OWASP Enterprise Security API (Java Edition) Google Groups page and found this information missing.

Found the author's blog entry about the WAF release at, http://i8jesus.com/?p=96. It has a link to a detailed pdf that will certainly help. — Tim Troy, Nov 12 '10 at 22:52

score 2 · Answer 1 · answered Nov 12 '10 at 17:51

2

You might try the wiki or javadocs.

answered Nov 12 '10 at 17:51

James T

1,853
1
17
26

6

The OWASP wiki has not been helpful to me. I never seem to find what I am looking for. The javadocs is what I would use once I was digging in deep. Just want to know how to get started with the tool. – Tim Troy Nov 12 '10 at 22:49

score 1 · Answer 2 · answered Nov 14 '10 at 02:00

Start with org.owasp.esapi.waf.ESAPIWebApplicationFirewallFilter.
From the javadocs:

This is the main class for the ESAPI Web Application Firewall (WAF). It is a standard J2EE servlet filter that, in different methods, invokes the reading of the configuration file and handles the runtime processing and enforcing of the developer-specified rules. Ideally the filter should be configured to catch all requests (/*) in web.xml. If there are URL segments that need to be extremely fast and don't require any protection, the pattern may be modified with extreme caution.

score 1 · Answer 3 · answered Jan 03 '15 at 03:19

The documentation for ESAPI is sparse at best. Here are a few nuggets that might help:

Web Application Firewall Policy File Specification
Configuring ESAPI for Web Applications
OWASP ESAPI Authenticator Tutorial
WAF Filter Test Harness (versions after r565 abstract the code)

How do I get started using ESAPI WAF?

3 Answers3