ESAPI - Getting NoClassDefFoundError (LoggerFactory) with banned dependency

Dinesh M picture Dinesh M · Dec 15, 2015 · Viewed 11.6k times · Source

I am using ESAPI to encode string value to resolve cross site scripting issue as shown below (code snippet).

String encodedString = ESAPI.encoder().encodeForHTML(value);

Exception Trace

org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129)
    at org.owasp.esapi.ESAPI.encoder(ESAPI.java:99)
<bold>Caused by: java.lang.NoClassDefFoundError: org/apache/log4j/spi/LoggerFactory</bold>
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:190)
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:74)
    at org.owasp.esapi.ESAPI.logFactory(ESAPI.java:137)
    at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:154)
    at org.owasp.esapi.reference.DefaultEncoder.<init>(DefaultEncoder.java:75)
    at org.owasp.esapi.reference.DefaultEncoder.getInstance(DefaultEncoder.java:59)
    ... 71 more
Caused by: java.lang.ClassNotFoundException: org.apache.log4j.spi.LoggerFactory
    at weblogic.utils.classloaders.GenericClassLoader.findLocalClass(GenericClassLoader.java:297)
    at weblogic.utils.classloaders.GenericClassLoader.findClass(GenericClassLoader.java:270)
    at weblogic.utils.classloaders.ChangeAwareClassLoader.findClass(ChangeAwareClassLoader.java:64)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:358)

Maven repository pom.xml

<dependency>
    <groupId>org.owasp.esapi</groupId>
    <artifactId>esapi</artifactId>
    <version>${org.owasp.esapi.version}</version>
    <exclusions>
        <exclusion>
            <groupId>commons-collections</groupId>
            <artifactId>commons-collections</artifactId>
        </exclusion>
        <exclusion>
            <groupId>xercesImpl</groupId>
            <artifactId>xercesImpl</artifactId>
        </exclusion>
        <exclusion>
            <groupId>commons-logging</groupId>
            <artifactId>commons-logging</artifactId>
        </exclusion>
        <exclusion>
            <groupId>xml-apis</groupId>
            <artifactId>xml-apis</artifactId>
        </exclusion>
        <exclusion>
            <groupId>commons-digester</groupId>
            <artifactId>commons-digester</artifactId>
        </exclusion>
        <exclusion>
            <groupId>commons-codec</groupId>
            <artifactId>commons-codec</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.owasp.antisamy</groupId>
            <artifactId>antisamy</artifactId>
        </exclusion>
        <exclusion>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
        </exclusion>
    </exclusions>
</dependency>

If I don't exclude log4j then it will throw dependency convergence error because log4j is declared in maven banned dependency as shown below

<executions>
    <execution>
        <id>enforce</id>
        <configuration>
            <rules>
                <requireJavaVersion>
                    <version>${java.version}</version>
                </requireJavaVersion>
                <requireMavenVersion>
                    <version>3.0</version>
                </requireMavenVersion>
                <DependencyConvergence />
                <bannedDependencies>
                    <excludes>
                        <!-- This should not exist as it will force SLF4J calls to be 
                            delegated to log4j -->
                        <exclude>org.slf4j:slf4j-log4j12</exclude>
                        <!-- This should not exist as it will force SLF4J calls to be 
                            delegated to jul -->
                        <exclude>org.slf4j:slf4j-jdk14</exclude>
                        <!-- Ensure only the slf4j binding for logback is on the classpath -->
                        <exclude>log4j:log4j</exclude>
                        <!-- As recommended from the slf4j guide, exclude commons-logging -->
                        <exclude>commons-logging:commons-logging</exclude>
                    </excludes>                                     
                </bannedDependencies>
            </rules>
        </configuration>
        <goals>
            <goal>enforce</goal>
        </goals>
    </execution>
</executions>

Help in this regard would be appreciated. Please let me know if you need any more details. Thanks in advance!

Answer

Kevin W. Wall picture Kevin W. Wall · Jan 3, 2016

ESAPI does not support SLF4J, even though that in turn supports log4j. Your logging choices for ESAPI are either log4j or java.util.logging, controlled via the ESAPI.logger property in ESAPI.properties. If you decide to use log4j (i.e., ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory), then you need the log4j.jar and either a log4j.xml or log4j.properties in your classpath, depending on which version of log4j you are using. Alternately, you can use java.util.logging by setting ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory in your ESAPI.properties file.

I see you appear to be doing this for Wells Fargo. If you have further questions, look up "Kevin W. Wall" in Teamworks and send me an email as I am part of the Secure Code Review team there as well as project lead for ESAPI, so given more context, I may be able to suggest other possibilities.

-kevin