5.3.1 ESAPI
The OWASP Enterprise Security API (ESAPI) library is a security control library for web applications written in Java.
The ESAPI library is an OWASP Lab project that is under active development for Java security controls with regular releases.
What is the ESAPI library?
The OWASP Enterprise Security API (ESAPI) library provides a set of security control interfaces, each of which defines the types of parameters that are passed to that security control.
ESAPI is an open source web application security control library that makes it easier for Java programmers to write lower-risk applications. The ESAPI Java library is designed to help programmers retrofit security into existing Java applications, and the library also serves as a solid foundation for new development.
Why use it?
The use of the ESAPI Java library is not easy to justify, although it should certainly be considered. The engineering decisions a development team will need to make when using ESAPI are discussed in the ‘Should I use ESAPI?’ documentation.
For new projects, or when modifying an existing project, the following alternatives should be strongly considered:
- Output encoding: OWASP Java Encoder project
- General HTML sanitization: OWASP Java HTML Sanitizer
- Validation: JSR-303/JSR-349 Bean Validation
- Strong cryptography: Google Tink or Keyczar
- Authentication & authorization: Apache Shiro, authentication using Spring Security
- CSRF protection: OWASP CSRFGuard project
ESAPI may still be worth considering if a project uses several of the security controls this library provides; in that case a single monolithic ESAPI library can be preferable to multiple disparate class libraries.
How to use it
If the engineering decision is to use the ESAPI library, it can be downloaded as a Java Archive (.jar) package file. There is a reference implementation for each security control.
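As an added illustration of the reference implementations described above (this is example code written for this page, not code from the ESAPI project or the Developer Guide), the following class exercises two of the controls, the validator and the encoder, on constructed inputs. It assumes the ESAPI jar is on the classpath together with an ESAPI.properties file (and its companion validation.properties), since the reference implementations are configured from those files; the validation type name "Email" is assumed to be the Validator.Email pattern shipped in the default ESAPI.properties.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

public class EsapiControlsExample {

    // Constructed sample inputs, standing in for attacker-controlled request parameters.
    private static final String UNTRUSTED_NAME = "<script>alert(1)</script>";
    private static final String UNTRUSTED_EMAIL = "alice@example.com";

    /**
     * Validation control: accept the parameter only if it matches the "Email"
     * pattern from ESAPI.properties (assumed name), is at most 254 characters
     * long, and is not null. A failed check throws ValidationException; input
     * that looks like an attack may instead raise IntrusionException (unchecked).
     */
    public static String validatedEmail(String input) throws ValidationException {
        return ESAPI.validator().getValidInput("registration email", input, "Email", 254, false);
    }

    /**
     * Encoding control: entity-encode untrusted data for an HTML body context
     * so that markup in the input is rendered as text rather than executed.
     */
    public static String htmlEncoded(String input) {
        return ESAPI.encoder().encodeForHTML(input);
    }

    public static void main(String[] args) {
        // The script tag is neutralised into &lt;script&gt;...&lt;/script&gt;.
        System.out.println(htmlEncoded(UNTRUSTED_NAME));

        try {
            System.out.println(validatedEmail(UNTRUSTED_EMAIL));
            // Constructed bad input: rejected before it reaches application logic.
            validatedEmail("not an email");
        } catch (ValidationException e) {
            // getUserMessage() is the message safe to show to the end user;
            // the log message (with the offending input) goes to the ESAPI logger.
            System.out.println("Rejected: " + e.getUserMessage());
        } catch (IntrusionException e) {
            System.out.println("Intrusion detected: " + e.getUserMessage());
        }
    }
}
```

The same two operations map directly onto the lighter alternatives listed earlier: the OWASP Java Encoder project exposes the encoding step as Encode.forHtml, and JSR-303 Bean Validation replaces the getValidInput call with annotations on the model class, each without the global ESAPI.properties configuration that the monolithic library requires.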
References
- ESAPI for Java
- ESAPI documentation
- ESAPI project
- OWASP Java Encoder project
- OWASP Java HTML Sanitizer
- Spring Security
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.