Where is the ESAPI documentation located?
ESAPI has good intentions; it is referenced de facto in OWASP Top 10 issues.
However, its main development is not really active. The library is provided as is.
There are two Java libraries depending on the versions:
- OWASP Enterprise Security API for Java: version >= 3.x
  - Maintained by one contributor (Chris Schmidt), last code commit (as of today) was on Nov 20, 2013.
- Enterprise Security API for Java (Legacy): version <= 2.x
  - Maintained by at least 3 contributors, last code commit (as of today) was on May 30, 2015.
There is a wish to have documentation (https://www.owasp.org/index.php/ESAPI_Documentation), especially: How to Use ESAPI in a New Application.
But currently, it is really light...
As of March 2014 the project was downgraded away from flagship status (http://off-the-wall-security.blogspot.fr/2014/03/esapi-no-longer-owasp-flagship-project.html). (credits to avgvstvs)
If you still want to learn ESAPI, the best you can have currently:
- The ESAPI swing set, a "web application which demonstrates the many uses of the ESAPI" (https://www.owasp.org/index.php/ESAPI_Swingset)
- The tests of the legacy version (https://github.com/ESAPI/esapi-java-legacy/tree/master/src/test/java/org/owasp/esapi).
- The wiki of the legacy version (https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API)
- The mailing list archives (http://lists.owasp.org/pipermail/esapi-dev/)
The README on the new version announces new stuff to come:
2 Sept 2014 - We are gearing up to get some great stuff done at AppSecUSA in Denver this month. We'll be announcing our schedule and where we'll be at the conference soon! Stay tuned!
Maybe the doc will arrive one day...
sahlouls
Updated on June 25, 2022

Comments
- sahlouls almost 2 years
  I'm interested in ESAPI to use in a production environment.
  Is there any official documentation on how to properly set up a web application, and if so, where?
- avgvstvs almost 9 years
  This answer is the best. I think you should add this. As of March 2014 the project was downgraded away from flagship status: off-the-wall-security.blogspot.com/2014/03/…
- superbob almost 9 years
  Thanks for the link @avgvstvs, it is valuable information, I didn't know it. Unless it bothers you, I will also mention ESAPI_Swingset in my answer, to make it more complete
- avgvstvs almost 9 years
  Go ahead, it's all the same to me.
- Federico Piazza almost 5 years
  @superbob is ESAPI currently used nowadays (2019)? If not, do you know what has replaced this framework? And if so... is there any documentation of the migration steps to do that?
- superbob almost 5 years
  @FedericoPiazza, AFAIK it is not used currently. I don't use it in either personal or professional projects.