ESAPI authentication bug #5

Closed
GoogleCodeExporter opened this issue May 20, 2015 · 1 comment

@GoogleCodeExporter

What steps will reproduce the problem?
When submitting a username and password pair over an SSL link established
with a self-signed certificate to the Webgoat application running on the
localhost, the ESAPI validated the password submitted but aborted the login
process with exceptions.

The exceptions were AccessControlException and AuthenticationException with
a message “Received non-SSL request”. The exception occurred in the ESAPI
component IntrusionDetector.


What is the expected output? What do you see instead?
The request was submitted over an SSL link, and the password has been validated.
So, authentication success should be expected instead of a "Non-SSL
request" exception.


What version of the product are you using? On what operating system?
ESAPI 1.3
Webgoat 5.2 developer edition
JDK 1.6
WinXP Professional, SP2

Please provide any additional information below.
- Please see attachment for detailed audit log

Original issue reported on code.google.com by lian2...@gmail.com on 19 Nov 2008 at 9:24

Attachments:

@GoogleCodeExporter

We've updated the assertSecureRequest() method and added several test cases in
the SVN baseline. Could you sync the latest and let us know if it fixes the problem?

Original comment by planetlevel on 26 Nov 2008 at 6:43

  • Changed state: Fixed
