joebrislin/cfesapi
OWASP Enterprise Security API for ColdFusion/CFML Project

OWASP Enterprise Security API (ESAPI)
OWASP ESAPI for ColdFusion/CFML Project
Purpose: This is the ColdFusion/CFML language version of OWASP ESAPI.
= The current release of this project *is not* suitable for production use =
License: BSD license
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=ColdFusion.2FCFML


*** SETUP/USAGE ***

Setup:
1. Ensure that J2EE session variables are enabled. You will not be able to authenticate if they are disabled.
2. The cfesapi folder should sit at the webroot level.
3. Copy /cfesapi/esapi/esapi-2.0.1.jar and the selected files from /cfesapi/esapi/libs/ to your lib folder (see compatibility below).
4. Restart ColdFusion.
NOTE: There are folders included with CFESAPI that you will want to exclude from your production environment.

Tests:
- You will need to create an 'esapi' folder under your User Home directory so the users.txt file can be written to disk, e.g. C:\Users\myusername\esapi\
- You can run the MXUnit tests using: /cfesapi/test/TestSuite.cfm

Demos:
- See /cfesapi/demo/ for basic examples of implementation. **Be sure to have HTTPS set up, otherwise you cannot log in.**

Implementation:
- You can extend any of the default implementations to override the methods you need, and/or
- You can create new implementations that implement the provided interfaces

How:
- Copy the /cfesapi/esapi/configuration/esapi/ folder to a location within your CF application and make changes to your copy of the config files
- ESAPI.properties
	- IMPORTANT: Run /cfesapi/org/owasp/esapi/reference/crypto/JavaEncryptor.cfm to calculate your *own* Encryptor.MasterKey and Encryptor.MasterSalt values
	- Update the component paths with the location of your implementation components
	- Modify other configs as needed
- Include the /cfesapi/helpers/ESAPI.cfm in your application
- Call the filters provided by CFESAPI to secure and authenticate each request.
- See demos for examples
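As an added illustration of the "Implementation" and "How" steps above (this is example code, not part of the cfesapi project), an Application.cfc that includes the ESAPI.cfm helper and then validates and encodes an untrusted request value before it reaches an HTML page. The `ESAPI()` locator function and the `validator().getValidInput()` / `encoder().encodeForHTML()` method names are assumed to follow the Java ESAPI API that CFESAPI ports, and `SafeString` is assumed to be the `Validator.SafeString` rule from the stock ESAPI.properties; verify both against your copy.

```coldfusion
<!--- Application.cfc: added example, not code from the cfesapi project --->
<cfcomponent output="false">
    <cfset this.name = "cfesapiExampleApp">
    <!--- J2EE sessions must be enabled in the CF Administrator (setup step 1);
          this flag only turns session handling on for this application --->
    <cfset this.sessionManagement = true>

    <!--- Helper shipped with CFESAPI; assumed to define the ESAPI() locator
          function. Included here so every method of this CFC can use it. --->
    <cfinclude template="/cfesapi/helpers/ESAPI.cfm">

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- The README says to call the CFESAPI filters here to secure and
              authenticate each request. The filter component path and method
              are not given on the page, so insert the real call at this point. --->
        <cfreturn true>
    </cffunction>

    <!--- Whitelist-validate, then encode, a value such as url.name or form.name --->
    <cffunction name="safeGreeting" returntype="string" output="false">
        <cfargument name="rawName" type="string" required="true">
        <cfset var validName = "">
        <cftry>
            <!--- Arguments follow Java ESAPI's Validator.getValidInput(context,
                  input, type, maxLength, allowNull). A value that fails the
                  SafeString rule or exceeds 50 characters raises an exception. --->
            <cfset validName = ESAPI().validator().getValidInput(
                "greeting name", arguments.rawName, "SafeString", 50, false)>
            <cfcatch type="any">
                <!--- Invalid input: fall back to a fixed, known-safe value --->
                <cfset validName = "guest">
            </cfcatch>
        </cftry>
        <!--- Encode for the HTML text context so markup in the value is inert --->
        <cfreturn "Hello, " & ESAPI().encoder().encodeForHTML(validName)>
    </cffunction>
</cfcomponent>
```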

Tips:
- You can determine whether unlimited strength crypto is installed by running: /cfesapi/test/org/owasp/esapi/reference/crypto/CryptoPolicy.cfm

*** COMPATIBILITY ***

**************************
* Railo ColdFusion 3.2.3 *
**************************
MXUnit Test Results
- 10 failures + 1 error + 264 successes (55-65s)

Dependencies (place in [webroot]\WEB-INF\railo\lib)
- ESAPI.jar
- antisamy.jar
- batik-css.jar
- batik-util.jar
- commons-beanutils.jar
- commons-configuration.jar
- nekohtml.jar
- xercesImpl.jar

**************************
* Adobe ColdFusion 9.0.1 *
**************************
MXUnit Test Results
- 10 failures + 0 errors + 265 successes (60-70s)

Dependencies (place in [webroot]\WEB-INF\cfusion\lib)
- ESAPI.jar (http://kb2.adobe.com/cps/907/cpsid_90784.html adds version esapi-2.0_rc10.jar which may conflict with our jar - SOLUTION?)
- antisamy.jar
- batik-css.jar
- batik-util.jar
- commons-configuration.jar

**************************
* Adobe ColdFusion 8.0.1 *
**************************
MXUnit Test Results
- 9 failures + 1 error + 265 successes (70-80s)

Dependencies (place in [webroot]\WEB-INF\cfusion\lib)
- ESAPI.jar (http://kb2.adobe.com/cps/907/cpsid_90784.html adds version esapi-2.0_rc10.jar which may conflict with our jar - SOLUTION?)
- antisamy.jar
- batik-css.jar
- batik-util.jar
- commons-beanutils.jar
- commons-collections.jar (ACF8 ships 2.1, but 3.2 is required)
- commons-configuration.jar
- commons-lang.jar
- nekohtml.jar
