Java Security vs. ESAPI

Question

I'm a Java developer heading down the road that leads to App Security, and I've stumbled across the OWASP organization and its companion Java API, ESAPI.

In another question I asked on this site months ago, it was pointed out to me that ESAPI is a major player in the open source app sec industry.

What I'm wondering now is, I'm sure ESAPI overlaps with the built-in Java security model (rooted at javax.security.auth) in the areas of authentication/authorization, and perhaps in other areas. But are there areas of app sec that ESAPI clearly addresses that cannot be achieved if one strictly sticks with the Java security API?

Basically, I'm asking if it makes sense for me to learn ESAPI if all of its benefits/features are already covered in some existing Java API. Thanks in advance!

Answer 1

AFAIK, ESAPI also using java API and adds wrapper specific to real world threats. For example WAF (web application firewall), to achieve this using Java API, you will end of writing lot of code, which was done by ESAPI and nicely wrapped in as API, so, now if you want to do WAF checks, you can just implement it with-in couple of method calls.

In simple words, ESAPI is something like wrapper library (built-in java API), which reduces re-inventing the wheel again and helps in counteracting real world security threats.

If you see this ESAPI API URL, you can easily identiyfy how ESAPI developed API to counteract each possible threat.