Tuesday, April 14, 2015

ESAPI4CF v2 code is in GitHub master

Yup, I am still working on ESAPI4CF and now the initial code for version 2 has been pushed to GitHub master.  I have not made a release yet as the code still needs work and that's where the community can help pitch in.

Be sure to check it out here: https://github.com/damonmiller/esapi4cf/

A few things about this version:
  • updated to follow the ESAPI-java v2.1.0.
  • full script components - no more hideous tags.
  • aims for compatibility with CF10+, latest Railo, and latest Lucee.
  • overhauled configuration to make it simpler to implement.
That last point is big!  Personally I hated trying to implement ESAPI4CF v1.x into my projects for 2 main reasons:
  1. Trying to secure the ESAPI.properties file and keep it separate per CF app.
  2. Having to overwrite/extend the Authenticator and AccessController just so ESAPI could talk to my DB.
So I took my own personal complaints and addressed them.
  1. ESAPI.properties is gone and you can now configure ESAPI by passing a struct into init().  This makes it simple to configure ESAPI differently for each of your CF applications.
  2. Introduction of the ESAPIAdaptor interface.  This is not in esapi-java at all so this veers a bit - maybe they'll like this idea and include it in future versions.  All of the file-based interaction built into ESAPI has been moved into the default Adaptor, which ESAPI still uses by default.  You can very easily roll your own Adaptor and tell ESAPI to use it, via the new ESAPI init(), and this is how ESAPI will talk to your DB, BeanFactory, whatever you use.  The Adaptor is meant to be part of "your" application so it can extend your architecture; it merely needs to implement the ESAPI Adaptor interface and that's it.
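To make the two points above concrete, here is an added sketch (not code from the esapi4cf repository) of what per-application configuration plus a custom Adaptor could look like in cfscript. The component paths, config keys, init() arguments and the adaptor method name are all assumptions; check the project's init() and the ESAPIAdaptor interface for the real ones.

```cfml
// Application.cfc -- example only; paths and keys below are assumptions
component {
    this.name = "myApp";

    function onApplicationStart() {
        // Per-app settings replace the shared ESAPI.properties file, so each
        // CF application on the server gets its own, separately secured config.
        // Pull secrets from an environment variable or vault, never from source.
        var config = {
            "Encryptor": { "MasterKey": createObject("java", "java.lang.System").getenv("MYAPP_ESAPI_KEY") },
            "Authenticator": { "AllowedLoginAttempts": 3 }
        };
        // Assumed signature: init(config, adaptor); the page only says init() takes a struct
        application.ESAPI = createObject("component", "org.owasp.esapi.ESAPI")
            .init(config, new model.MyESAPIAdaptor());
        return true;
    }
}

// model/MyESAPIAdaptor.cfc -- the app-owned Adaptor ESAPI calls instead of its
// default file-based one; the interface path and method name are assumptions
component implements="org.owasp.esapi.ESAPIAdaptor" {

    // Backs the Authenticator with the application's own user table.
    // Parameterised query: the account name is attacker-controlled input.
    public any function getUserByAccountName(required string accountName) {
        var q = queryExecute(
            "SELECT user_id, account_name, password_hash, enabled, locked
               FROM app_user WHERE account_name = :name",
            { name: { value: arguments.accountName, cfsqltype: "cf_sql_varchar" } },
            { datasource: "myAppDS" }
        );
        if (q.recordCount == 0) {
            return javaCast("null", "");   // let ESAPI treat the account as unknown
        }
        return q;   // in practice, map this row onto ESAPI's User object here
    }
}
```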
Anyway, this version is not done and is definitely in need of more hands to help finish it so I could use any help.

Areas needed for help:
  1. I have not updated any of the documentation as of yet, not even the readme file, so it is all still for v1.x.
  2. I have only been testing against CF11 and Lucee (was Railo until Lucee came out).  I would like it to be tested under CF10 and Railo as well.
  3. I have not finished the AccessController yet as it is a mess to implement in java v2.1.0 so this will take some time and patience.  Then once it's working it needs all its file-based code moved into the Adaptor as well.
  4. Anything that seems overly complicated to implement in CF.  Let's make this version easy to use!
  5. Everything else!  Still lots of unit tests to get passing.
Also, I will point out that I have been slowly implementing v2 into a production app already.  I do it because I know the ESAPI code very well and can fix any issues that come up quickly and then go back and fix it in the project.  But a warning to anyone else wanting to use it in a live project right now - it is not finished, it is buggy, so use at your own risk, read the license around liability because you assume it all :)

With that said, if you do decide to use it in a live app that is great for the project as it will get the real world exposure and testing that it needs.  Just don't forget to commit your bug fixes back to your fork and submit a pull request - it will only make the project better for all!

Thank you to those who continue to support this project.