I can see from the diagram that they say that it is an API that will sit in between these layers, but I guess I am looking for a little more information on how exactly this is achieved and if the API calls from within Spring will be intercepted by the ESAPI calls, or if no matter what framework you are using you must use the ESAPI directly, and then it will call the lower-level APIs.

I can just imagine that there are alot of high-level API calls that do security at a lower level in spring, and that the ESAPI would need to be weaved in order to activate its code (probably through Aspect-Oriented Programming….I really should check and see if Aspect Software utilizes Aspect Oriented Programming, or if it is just a coincidence.) or if a Spring based application with ESAPI would leave a developer saying “Well, some of our application uses ESAPI, expect perhaps some Spring API calls that happen at a lower level that I don’t know about”

Hopefully as I delve into it more, I will be able to answer my own questions.