问题
i have a litte JavaEE project, and i have to secure it with the OWASP ESAPI
i integrated the ESAPI like this in Maven:
<!-- ESAPI Version 2.0.1 -->
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>2.0.1</version>
</dependency>
So after this i can use the ESAPI classes for programming.
i also included the .esapi
folder in the server start:
-Dorg.owasp.esapi.resources=/home/joergi/.esapi/
I also copied the ESAPI.properties
and the validation.properties
into
src/main/resources
(I'm not sure if it works, but i get no error while starting the server)
I looked at the ESAPI install guide (pdf) (really bad documented) and copied the example
"To test if ESAPI has been successfully integrated and configured, create a file called EsapiIntegrationTest.java and paste in:"
import org.owasp.esapi.ESAPI;
public class EsapiTest {
public static void main(String[] args){
System.out.println("ESAPI.accessController found: "
+ ESAPI.accessController());
}
}
"If you can run this file and see the println output, then ESAPI has been successfully installed and configured! You can now begin using ESAPI functionality to secure your web applications!"
I "translated" it for my example:
@ManagedBean(name="testController")
@RequestScoped
public class TestController {
public String esapiTest(){
System.out.println("ESAPI.accessController found: "
+ ESAPI.accessController());
return "ESAPI.accessController found: " + ESAPI.accessController();
}
}
and i have a file test.xhtml
:
<?xml version="1.0" encoding="UTF-8"?>
<ui:composition xmlns="http://www.w3.org/1999/xhtml"
xmlns:ui="http://java.sun.com/jsf/facelets"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:h="http://java.sun.com/jsf/html"
template="/WEB-INF/templates/default.xhtml">
<ui:define name="content">
<h2>esapi test</h2>
<h:outputText value="#{testController.esapiTest()}" />
</ui:define>
</ui:composition>
when entering the test.xhtml
i get this really long error (for a nicer few you can see it also in pastebin)
03:32:00,521 Schwerwiegend [javax.enterprise.resource.webcontainer.jsf.application] (http--127.0.0.1-8080-2) Error Rendering View[/pages/test/test.xhtml]: javax.el.ELException: /pages/test/test.xhtml @10,58 value="#{testController.esapiTest()}": org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException AccessController class (org.owasp.esapi.reference.DefaultAccessController) CTOR threw exception.
at com.sun.faces.facelets.el.TagValueExpression.getValue(TagValueExpression.java:114) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
at javax.faces.component.ComponentStateHelper.eval(ComponentStateHelper.java:194) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
at javax.faces.component.ComponentStateHelper.eval(ComponentStateHelper.java:182) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
at javax.faces.component.UIOutput.getValue(UIOutput.java:169) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
at com.sun.faces.renderkit.html_basic.HtmlBasicInputRenderer.getValue(HtmlBasicInputRenderer.java:205) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
at com.sun.faces.renderkit.html_basic.HtmlBasicRenderer.getCurrentValue(HtmlBasicRenderer.java:355) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
at com.sun.faces.renderkit.html_basic.HtmlBasicRenderer.encodeEnd(HtmlBasicRenderer.java:164) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
at javax.faces.component.UIComponentBase.encodeEnd(UIComponentBase.java:875) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1764) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1760) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1760) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
at com.sun.faces.application.view.FaceletViewHandlingStrategy.renderView(FaceletViewHandlingStrategy.java:402) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
at com.sun.faces.application.view.MultiViewHandler.renderView(MultiViewHandler.java:131) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
at javax.faces.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:288) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:121) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:594) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) [jbossweb-7.0.10.Final.jar:]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.10.Final.jar:]
at org.jboss.weld.servlet.ConversationPropagationFilter.doFilter(ConversationPropagationFilter.java:62) [weld-core-1.1.5.AS71.Final.jar:2012-02-10 15:31]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.10.Final.jar:]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.10.Final.jar:]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.10.Final.jar:]
at org.apache.catalina.core.StandardContextValve.__invoke(StandardContextValve.java:161) [jbossweb-7.0.10.Final.jar:]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java) [jbossweb-7.0.10.Final.jar:]
at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.0.Final.jar:7.1.0.Final]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:154) [jboss-as-web-7.1.0.Final.jar:7.1.0.Final]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.10.Final.jar:]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.10.Final.jar:]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.10.Final.jar:]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.10.Final.jar:]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.10.Final.jar:]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.10.Final.jar:]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.10.Final.jar:]
at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_03]
Caused by: org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException AccessController class (org.owasp.esapi.reference.DefaultAccessController) CTOR threw exception.
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129) [esapi-2.0.1.jar:2.0.1]
at org.owasp.esapi.ESAPI.accessController(ESAPI.java:85) [esapi-2.0.1.jar:2.0.1]
at de.liedl.bachelor.controller.TestController.esapiTest(TestController.java:45) [classe:]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_03]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_03]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_03]
at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_03]
at javax.el.BeanELResolver.invokeMethod(BeanELResolver.java:735) [jboss-el-api_2.2_spec-1.0.0.Final.jar:1.0.0.Final]
at javax.el.BeanELResolver.invoke(BeanELResolver.java:467) [jboss-el-api_2.2_spec-1.0.0.Final.jar:1.0.0.Final]
at javax.el.CompositeELResolver.invoke(CompositeELResolver.java:246) [jboss-el-api_2.2_spec-1.0.0.Final.jar:1.0.0.Final]
at org.apache.el.parser.AstValue.getValue(AstValue.java:159) [jbossweb-7.0.10.Final.jar:]
at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:189) [jbossweb-7.0.10.Final.jar:]
at org.jboss.weld.el.WeldValueExpression.getValue(WeldValueExpression.java:50) [weld-core-1.1.5.AS71.Final.jar:2012-02-10 15:31]
at com.sun.faces.facelets.el.TagValueExpression.getValue(TagValueExpression.java:109) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
... 35 more
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_03]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_03]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_03]
at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_03]
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86) [esapi-2.0.1.jar:2.0.1]
... 48 more
Caused by: org.owasp.esapi.errors.ConfigurationException: java.lang.ClassNotFoundException: org.owasp.esapi.reference.Log4JLogFactory2 from [Module "deployment.bachelor_demo.war:main" from Service Module Loader] LogFactory class (org.owasp.esapi.reference.Log4JLogFactory2) must be in class path.
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:108) [esapi-2.0.1.jar:2.0.1]
at org.owasp.esapi.ESAPI.logFactory(ESAPI.java:137) [esapi-2.0.1.jar:2.0.1]
at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:154) [esapi-2.0.1.jar:2.0.1]
at org.owasp.esapi.reference.DefaultAccessController.<init>(DefaultAccessController.java:29) [esapi-2.0.1.jar:2.0.1]
at org.owasp.esapi.reference.DefaultAccessController.getInstance(DefaultAccessController.java:22) [esapi-2.0.1.jar:2.0.1]
... 53 more
Caused by: java.lang.ClassNotFoundException: org.owasp.esapi.reference.Log4JLogFactory2 from [Module "deployment.bachelor_demo.war:main" from Service Module Loader]
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:468)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:456)
at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:120)
at java.lang.Class.forName0(Native Method) [rt.jar:1.7.0_03]
at java.lang.Class.forName(Class.java:186) [rt.jar:1.7.0_03]
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:74) [esapi-2.0.1.jar:2.0.1]
... 57 more
03:32:00,574 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/bachelor_demo].[FacesServlet]] (http--127.0.0.1-8080-2) Servlet.service() for servlet FacesServlet threw exception: java.lang.ClassNotFoundException: org.owasp.esapi.reference.Log4JLogFactory2 from [Module "deployment.bachelor_demo.war:main" from Service Module Loader]
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:468)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:456)
at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:120)
at java.lang.Class.forName0(Native Method) [rt.jar:1.7.0_03]
at java.lang.Class.forName(Class.java:186) [rt.jar:1.7.0_03]
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:74) [esapi-2.0.1.jar:2.0.1]
at org.owasp.esapi.ESAPI.logFactory(ESAPI.java:137) [esapi-2.0.1.jar:2.0.1]
at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:154) [esapi-2.0.1.jar:2.0.1]
at org.owasp.esapi.reference.DefaultAccessController.<init>(DefaultAccessController.java:29) [esapi-2.0.1.jar:2.0.1]
at org.owasp.esapi.reference.DefaultAccessController.getInstance(DefaultAccessController.java:22) [esapi-2.0.1.jar:2.0.1]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_03]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_03]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_03]
at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_03]
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86) [esapi-2.0.1.jar:2.0.1]
at org.owasp.esapi.ESAPI.accessController(ESAPI.java:85) [esapi-2.0.1.jar:2.0.1]
at de.liedl.bachelor.controller.TestController.esapiTest(TestController.java:45) [classe:]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_03]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_03]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_03]
at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_03]
at javax.el.BeanELResolver.invokeMethod(BeanELResolver.java:735) [jboss-el-api_2.2_spec-1.0.0.Final.jar:1.0.0.Final]
at javax.el.BeanELResolver.invoke(BeanELResolver.java:467) [jboss-el-api_2.2_spec-1.0.0.Final.jar:1.0.0.Final]
at javax.el.CompositeELResolver.invoke(CompositeELResolver.java:246) [jboss-el-api_2.2_spec-1.0.0.Final.jar:1.0.0.Final]
at org.apache.el.parser.AstValue.getValue(AstValue.java:159) [jbossweb-7.0.10.Final.jar:]
at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:189) [jbossweb-7.0.10.Final.jar:]
at org.jboss.weld.el.WeldValueExpression.getValue(WeldValueExpression.java:50) [weld-core-1.1.5.AS71.Final.jar:2012-02-10 15:31]
at com.sun.faces.facelets.el.TagValueExpression.getValue(TagValueExpression.java:109) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
at javax.faces.component.ComponentStateHelper.eval(ComponentStateHelper.java:194) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
at javax.faces.component.ComponentStateHelper.eval(ComponentStateHelper.java:182) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
at javax.faces.component.UIOutput.getValue(UIOutput.java:169) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
at com.sun.faces.renderkit.html_basic.HtmlBasicInputRenderer.getValue(HtmlBasicInputRenderer.java:205) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
at com.sun.faces.renderkit.html_basic.HtmlBasicRenderer.getCurrentValue(HtmlBasicRenderer.java:355) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
at com.sun.faces.renderkit.html_basic.HtmlBasicRenderer.encodeEnd(HtmlBasicRenderer.java:164) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
at javax.faces.component.UIComponentBase.encodeEnd(UIComponentBase.java:875) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1764) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1760) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1760) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
at com.sun.faces.application.view.FaceletViewHandlingStrategy.renderView(FaceletViewHandlingStrategy.java:402) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
at com.sun.faces.application.view.MultiViewHandler.renderView(MultiViewHandler.java:131) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
at javax.faces.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:288) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:121) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:594) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) [jbossweb-7.0.10.Final.jar:]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.10.Final.jar:]
at org.jboss.weld.servlet.ConversationPropagationFilter.doFilter(ConversationPropagationFilter.java:62) [weld-core-1.1.5.AS71.Final.jar:2012-02-10 15:31]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.10.Final.jar:]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.10.Final.jar:]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.10.Final.jar:]
at org.apache.catalina.core.StandardContextValve.__invoke(StandardContextValve.java:161) [jbossweb-7.0.10.Final.jar:]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java) [jbossweb-7.0.10.Final.jar:]
at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.0.Final.jar:7.1.0.Final]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:154) [jboss-as-web-7.1.0.Final.jar:7.1.0.Final]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.10.Final.jar:]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.10.Final.jar:]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.10.Final.jar:]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.10.Final.jar:]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.10.Final.jar:]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.10.Final.jar:]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.10.Final.jar:]
at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_03]
i know the ESAPI Swingset Demo - and this is running in my configuration
I have 2 questions:
is my maven and my server start configuration right?
because the error looks like the ESAPI can't find the ESAPI Logger functions....
And
Is it even possible to use the simple test code-snippet in my setup at all?
(p.s. also tried to it without maven and just with including the downloaded jar - but its not working)
I miss something like:
(this is from the swingset demo example, NOT from my own project)
Seeking ESAPI.properties
Not found in 'org.owasp.esapi.resources' directory or file not readable: /home/joergi/dev/projects/esapi_demo_1punkt0/ESAPI.properties
Not found in SystemResource Directory/resourceDirectory: .esapi/ESAPI.properties
Not found in SystemResource Directory/.esapi: .esapi/ESAPI.properties
Not found in SystemResource Directory: ESAPI.properties
Found in 'user.home' directory: /home/joergi/.esapi/ESAPI.properties
Loaded 'ESAPI.properties' properties file
Seeking validation.properties
Not found in 'org.owasp.esapi.resources' directory or file not readable: /home/joergi/dev/projects/esapi_demo_1punkt0/validation.properties
Not found in SystemResource Directory/resourceDirectory: .esapi/validation.properties
Not found in SystemResource Directory/.esapi: .esapi/validation.properties
Not found in SystemResource Directory: validation.properties
Found in 'user.home' directory: /home/joergi/.esapi/validation.properties
Loaded 'validation.properties' properties file
Seeking ESAPI_logging_file
Not found in 'org.owasp.esapi.resources' directory or file not readable: /home/joergi/dev/projects/esapi_demo_1punkt0/ESAPI_logging_file
Not found in SystemResource Directory/resourceDirectory: .esapi/ESAPI_logging_file
Not found in SystemResource Directory/.esapi: .esapi/ESAPI_logging_file
Not found in SystemResource Directory: ESAPI_logging_file
Found in 'user.home' directory: /home/joergi/.esapi/ESAPI_logging_file
Hopefully somebody can help!
回答1:
You have multiple versions of the Log4J library in your classpath, likely as a result of a downstream dependency from another library being used by your application. Examine your dependency tree to figure out where the duplicate library is being loaded and exclude it in your pom.xml
mvn dependency:tree
This will show you the dependency tree for your application.
<exclusion>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
Add this exclusion to the culprit dependency in your pom.xml and all should be right with the world.
回答2:
I wasted a day trying to fix this issue ClassNotFoundException Log4JLogFactory2
. Tried to see if there were any log4j duplicate dependencies as top rated accepted answer suggested but to no avail.
Finally I realized ESAPI looks for configuration in $HOME/.esapi/
folder first and only if its not there it falls back to classpath's esapi
folder. The problem in my case was I had just deployed the example Swingset application and as described in its README I had copied over its configuration to my home folder, in that configuration this was the offending line
ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory2
Then I assumed my app would take configuration from its classpath's esapi folder. Log4JLogFactory2
is present in the Demo code base ghost that I have been chasing the whole time.
回答3:
All I can say is that esapi is correctly installed. Esapi loves to output a lot but the interesting parts are:
Found in 'user.home' directory: /home/joergi/.esapi/ESAPI.properties
Loaded 'ESAPI.properties' properties file
Found in 'user.home' directory: /home/joergi/.esapi/validation.properties
Loaded 'validation.properties' properties file
Found in 'user.home' directory: /home/joergi/.esapi/ESAPI_logging_file
I think you are missing a dependency in your project. Check the following line from the stack-trace:
Caused by: java.lang.ClassNotFoundException: org.owasp.esapi.reference.Log4JLogFactory2 from [Module "deployment.bachelor_demo.war:main" from Service Module Loader]
It might be in the wrong class loader or you might have configured the wrong logger for your project in the esapi.properties file.
[edit]
In the ESPAI.properties file there are the following lines:
# Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html
ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory
#ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory
I think these are quiet important in your case.
Beside that, the class Log4JLogFactory exists in the esapi jar so there should not really be a problem.
来源:https://stackoverflow.com/questions/9543218/owasp-esapi-simpletest-in-a-maven-java-ee-project