| Method and Description |
|---|
| org.owasp.esapi.reference.accesscontrol.ExperimentalAccessController.assertAuthorizedForData(String, Object) |
| org.owasp.esapi.reference.DefaultAccessController.assertAuthorizedForFile(String) |
| org.owasp.esapi.reference.accesscontrol.ExperimentalAccessController.assertAuthorizedForFile(String) |
| org.owasp.esapi.reference.accesscontrol.ExperimentalAccessController.assertAuthorizedForFunction(String) |
| org.owasp.esapi.reference.accesscontrol.ExperimentalAccessController.assertAuthorizedForService(String) |
| org.owasp.esapi.reference.accesscontrol.ExperimentalAccessController.assertAuthorizedForURL(String) |
| org.owasp.esapi.crypto.CryptoHelper.computeDerivedKey(SecretKey, int, String)
Use
KeyDerivationFunction instead. This method will be removed as of
ESAPI release 2.1 so if you are using this, please change your code. |
| org.owasp.esapi.codecs.Base64.decodeToObject(String)
Because of security issues, this method will be
removed from ESAPI in a future release and no substitute
is planned. Because as of JDK 8 (in 1Q2016) there is
currently no way to restrict which objects
ObjectInputStream.readObject()
may safely deserialize in the general case. Oracle
may decide to address this deficiency in a future Java
release, but until they do, there is no simple way for
a general class library like ESAPI to address this. |
| org.owasp.esapi.filters.SecurityWrapperResponse.encodeRedirectUrl(String)
in servlet spec 2.1. Use
SecurityWrapperResponse.encodeRedirectUrl(String) instead. |
| org.owasp.esapi.filters.SecurityWrapperResponse.encodeUrl(String)
in servlet spec 2.1. Use
SecurityWrapperResponse.encodeURL(String) instead. |
| org.owasp.esapi.SecurityConfiguration.getAccessControlImplementation()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getAllowedFileUploadSize()
Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getAllowedLoginAttempts()
Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getAllowMixedEncoding()
Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getAllowMultipleEncoding()
Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getApplicationName()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getAuthenticationImplementation()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getCharacterEncoding()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getCipherTransformation()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getDigitalSignatureAlgorithm()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getDigitalSignatureKeyLength()
Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getDisableIntrusionDetection()
Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getEncoderImplementation()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getEncryptionAlgorithm()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getEncryptionImplementation()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getEncryptionKeyLength()
Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getExecutorImplementation()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getFixedIV()
Short term: use SecurityConfiguration.getByteArrayProp("appropriate_esapi_prop_name")
instead. Longer term: There will be a more general method in JavaEncryptor
to explicitly set an IV. This whole concept of a single fixed IV has
always been a kludge at best, as a concession to those who have used
a single fixed IV in the past. It's time to put it to death
as it was never intended for production in the first place.
|
| org.owasp.esapi.SecurityConfiguration.getForceHttpOnlyCookies()
Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getForceHttpOnlySession()
Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getForceSecureCookies()
Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getForceSecureSession()
Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getHashAlgorithm()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getHashIterations()
Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getHttpSessionIdName()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getHTTPUtilitiesImplementation()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getIntrusionDetectionImplementation()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getIVType()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getKDFPseudoRandomFunction()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getLenientDatesAccepted()
Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getLogApplicationName()
Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.waf.configuration.AppGuardianConfiguration.getLogDirectory() |
| org.owasp.esapi.SecurityConfiguration.getLogEncodingRequired()
Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getLogFileName()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getLogImplementation()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getLogLevel()
Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.waf.configuration.AppGuardianConfiguration.getLogLevel() |
| org.owasp.esapi.SecurityConfiguration.getLogServerIP()
Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getMasterKey()
Use SecurityConfiguration.getByteArrayProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getMasterSalt()
Use SecurityConfiguration.getByteArrayProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getMaxHttpHeaderSize()
Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getMaxLogFileSize()
Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getMaxOldPasswordHashes()
Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getPasswordParameterName()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getPreferredJCEProvider()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getRandomAlgorithm()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getRandomizerImplementation()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.filters.SecurityWrapperRequest.getRealPath(String)
in servlet spec 2.1. Use
ServletContext.getRealPath(String) instead. |
| org.owasp.esapi.SecurityConfiguration.getResponseContentType()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.crypto.CipherText.getSerialVersionUID()
Use
CipherText.cipherTextVersion instead. Will
disappear as of ESAPI 2.1. |
| org.owasp.esapi.SecurityConfiguration.getSessionAbsoluteTimeoutLength()
Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getSessionIdleTimeoutLength()
Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getUsernameParameterName()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.getValidationImplementation()
Use SecurityConfiguration.getStringProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.reference.accesscontrol.ExperimentalAccessController.isAuthorizedForData(String, Object) |
| org.owasp.esapi.reference.accesscontrol.ExperimentalAccessController.isAuthorizedForFile(String) |
| org.owasp.esapi.reference.accesscontrol.ExperimentalAccessController.isAuthorizedForFunction(String) |
| org.owasp.esapi.reference.accesscontrol.ExperimentalAccessController.isAuthorizedForService(String) |
| org.owasp.esapi.reference.accesscontrol.ExperimentalAccessController.isAuthorizedForURL(String) |
| org.owasp.esapi.filters.SecurityWrapperRequest.isRequestedSessionIdFromUrl()
in servlet spec 2.1. Use
SecurityWrapperRequest.isRequestedSessionIdFromURL() instead. |
| org.owasp.esapi.reference.crypto.DefaultEncryptedProperties.main(String[])
Use
EncryptedPropertiesUtils instead, which allows creating, reading,
and writing encrypted properties. |
| org.owasp.esapi.SecurityConfiguration.overwritePlainText()
Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
|
| org.owasp.esapi.SecurityConfiguration.setCipherTransformation(String)
To be replaced by new class in ESAPI 2.1, but here if you need it
until then. Details of replacement forthcoming to ESAPI-Dev
list. Most likely to be replaced by a new public CTOR for
JavaEncryptor that takes a list of properties to override.
|
| org.owasp.esapi.waf.configuration.AppGuardianConfiguration.setLogDirectory(String) |
| org.owasp.esapi.waf.configuration.AppGuardianConfiguration.setLogLevel(Level) |
| org.owasp.esapi.filters.SecurityWrapperResponse.setStatus(int, String)
In Servlet spec 2.1.
|
| org.owasp.esapi.SecurityConfiguration.useMACforCipherText()
Use SecurityConfiguration.getBooleanProp("appropriate_esapi_prop_name") instead.
|
| Constructor and Description |
|---|
| org.owasp.esapi.reference.AbstractAccessReferenceMap(Set
This constructor internally calls the abstract method
AbstractAccessReferenceMap.getUniqueReference(). Since this is a constructor, any
subclass that implements getUniqueReference() has not had it's
own constructor run. This leads to strange bugs because subclass
internal state is initializaed after calls to getUniqueReference()
have already happened. If this constructor is desired in a
subclass, consider running AbstractAccessReferenceMap.update(Set) in the subclass
constructor instead. |
| org.owasp.esapi.reference.AbstractAccessReferenceMap(Set
This constructor internally calls the abstract method
AbstractAccessReferenceMap.getUniqueReference(). Since this is a constructor, any
subclass that implements getUniqueReference() has not had it's
own constructor run. This leads to strange bugs because subclass
internal state is initializaed after calls to getUniqueReference()
have already happened. If this constructor is desired in a
subclass, consider running AbstractAccessReferenceMap.update(Set) in the subclass
constructor instead. |
| org.owasp.esapi.codecs.MySQLCodec(int) |
Copyright © 2016 The Open Web Application Security Project (OWASP). All rights reserved.