OWASP ESAPI simpleTest in a Maven Java EE project

security jakarta-ee maven owasp esapi
Joergi picture Joergi · Mar 3, 2012 · Viewed 16.6k times · Source

i have a litte JavaEE project, and i have to secure it with the OWASP ESAPI

i integrated the ESAPI like this in Maven:

<!-- ESAPI Version 2.0.1 -->
<dependency>
    <groupId>org.owasp.esapi</groupId>
    <artifactId>esapi</artifactId>
    <version>2.0.1</version>
</dependency>

So after this i can use the ESAPI classes for programming.

i also included the .esapi folder in the server start:

 -Dorg.owasp.esapi.resources=/home/joergi/.esapi/

I also copied the ESAPI.properties and the validation.properties into

src/main/resources

(I'm not sure if it works, but i get no error while starting the server)

I looked at the ESAPI install guide (pdf) (really bad documented) and copied the example

"To test if ESAPI has been successfully integrated and configured, create a file called EsapiIntegrationTest.java and paste in:"

 import org.owasp.esapi.ESAPI;
 public class EsapiTest {
     public static void main(String[] args){
         System.out.println("ESAPI.accessController found: " 
                                + ESAPI.accessController());
     }
 }

"If you can run this file and see the println output, then ESAPI has been successfully installed and configured! You can now begin using ESAPI functionality to secure your web applications!"

I "translated" it for my example:

@ManagedBean(name="testController")
@RequestScoped
public class TestController  {  

    public String esapiTest(){

    System.out.println("ESAPI.accessController found: " 
                               + ESAPI.accessController());

    return "ESAPI.accessController found: " + ESAPI.accessController();
    }
}

and i have a file test.xhtml: 

<?xml version="1.0" encoding="UTF-8"?>
<ui:composition xmlns="http://www.w3.org/1999/xhtml"
xmlns:ui="http://java.sun.com/jsf/facelets"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:h="http://java.sun.com/jsf/html"
template="/WEB-INF/templates/default.xhtml">
<ui:define name="content">

    <h2>esapi test</h2>

        <h:outputText value="#{testController.esapiTest()}" />  

</ui:define>
</ui:composition>

when entering the test.xhtml i get this really long error (for a nicer few you can see it also in pastebin)

03:32:00,521 Schwerwiegend [javax.enterprise.resource.webcontainer.jsf.application] (http--127.0.0.1-8080-2) Error Rendering View[/pages/test/test.xhtml]: javax.el.ELException: /pages/test/test.xhtml @10,58 value="#{testController.esapiTest()}": org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException AccessController class (org.owasp.esapi.reference.DefaultAccessController) CTOR threw exception.
    at com.sun.faces.facelets.el.TagValueExpression.getValue(TagValueExpression.java:114) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
    at javax.faces.component.ComponentStateHelper.eval(ComponentStateHelper.java:194) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
    at javax.faces.component.ComponentStateHelper.eval(ComponentStateHelper.java:182) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
    at javax.faces.component.UIOutput.getValue(UIOutput.java:169) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
    at com.sun.faces.renderkit.html_basic.HtmlBasicInputRenderer.getValue(HtmlBasicInputRenderer.java:205) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
    at com.sun.faces.renderkit.html_basic.HtmlBasicRenderer.getCurrentValue(HtmlBasicRenderer.java:355) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
    at com.sun.faces.renderkit.html_basic.HtmlBasicRenderer.encodeEnd(HtmlBasicRenderer.java:164) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
    at javax.faces.component.UIComponentBase.encodeEnd(UIComponentBase.java:875) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
    at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1764) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
    at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1760) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
    at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1760) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
    at com.sun.faces.application.view.FaceletViewHandlingStrategy.renderView(FaceletViewHandlingStrategy.java:402) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
    at com.sun.faces.application.view.MultiViewHandler.renderView(MultiViewHandler.java:131) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
    at javax.faces.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:288) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
    at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:121) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
    at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
    at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:594) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) [jbossweb-7.0.10.Final.jar:]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.10.Final.jar:]
    at org.jboss.weld.servlet.ConversationPropagationFilter.doFilter(ConversationPropagationFilter.java:62) [weld-core-1.1.5.AS71.Final.jar:2012-02-10 15:31]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.10.Final.jar:]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.10.Final.jar:]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.10.Final.jar:]
    at org.apache.catalina.core.StandardContextValve.__invoke(StandardContextValve.java:161) [jbossweb-7.0.10.Final.jar:]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java) [jbossweb-7.0.10.Final.jar:]
    at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.0.Final.jar:7.1.0.Final]
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:154) [jboss-as-web-7.1.0.Final.jar:7.1.0.Final]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.10.Final.jar:]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.10.Final.jar:]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.10.Final.jar:]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.10.Final.jar:]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.10.Final.jar:]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.10.Final.jar:]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.10.Final.jar:]
    at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_03]
Caused by: org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException AccessController class (org.owasp.esapi.reference.DefaultAccessController) CTOR threw exception.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129) [esapi-2.0.1.jar:2.0.1]
    at org.owasp.esapi.ESAPI.accessController(ESAPI.java:85) [esapi-2.0.1.jar:2.0.1]
    at de.liedl.bachelor.controller.TestController.esapiTest(TestController.java:45) [classe:]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_03]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_03]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_03]
    at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_03]
    at javax.el.BeanELResolver.invokeMethod(BeanELResolver.java:735) [jboss-el-api_2.2_spec-1.0.0.Final.jar:1.0.0.Final]
    at javax.el.BeanELResolver.invoke(BeanELResolver.java:467) [jboss-el-api_2.2_spec-1.0.0.Final.jar:1.0.0.Final]
    at javax.el.CompositeELResolver.invoke(CompositeELResolver.java:246) [jboss-el-api_2.2_spec-1.0.0.Final.jar:1.0.0.Final]
    at org.apache.el.parser.AstValue.getValue(AstValue.java:159) [jbossweb-7.0.10.Final.jar:]
    at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:189) [jbossweb-7.0.10.Final.jar:]
    at org.jboss.weld.el.WeldValueExpression.getValue(WeldValueExpression.java:50) [weld-core-1.1.5.AS71.Final.jar:2012-02-10 15:31]
    at com.sun.faces.facelets.el.TagValueExpression.getValue(TagValueExpression.java:109) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
    ... 35 more
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_03]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_03]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_03]
    at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_03]
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86) [esapi-2.0.1.jar:2.0.1]
    ... 48 more
Caused by: org.owasp.esapi.errors.ConfigurationException: java.lang.ClassNotFoundException: org.owasp.esapi.reference.Log4JLogFactory2 from [Module "deployment.bachelor_demo.war:main" from Service Module Loader] LogFactory class (org.owasp.esapi.reference.Log4JLogFactory2) must be in class path.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:108) [esapi-2.0.1.jar:2.0.1]
    at org.owasp.esapi.ESAPI.logFactory(ESAPI.java:137) [esapi-2.0.1.jar:2.0.1]
    at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:154) [esapi-2.0.1.jar:2.0.1]
    at org.owasp.esapi.reference.DefaultAccessController.<init>(DefaultAccessController.java:29) [esapi-2.0.1.jar:2.0.1]
    at org.owasp.esapi.reference.DefaultAccessController.getInstance(DefaultAccessController.java:22) [esapi-2.0.1.jar:2.0.1]
    ... 53 more
Caused by: java.lang.ClassNotFoundException: org.owasp.esapi.reference.Log4JLogFactory2 from [Module "deployment.bachelor_demo.war:main" from Service Module Loader]
    at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:468)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:456)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
    at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:120)
    at java.lang.Class.forName0(Native Method) [rt.jar:1.7.0_03]
    at java.lang.Class.forName(Class.java:186) [rt.jar:1.7.0_03]
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:74) [esapi-2.0.1.jar:2.0.1]
    ... 57 more

03:32:00,574 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/bachelor_demo].[FacesServlet]] (http--127.0.0.1-8080-2) Servlet.service() for servlet FacesServlet threw exception: java.lang.ClassNotFoundException: org.owasp.esapi.reference.Log4JLogFactory2 from [Module "deployment.bachelor_demo.war:main" from Service Module Loader]
    at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:468)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:456)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
    at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:120)
    at java.lang.Class.forName0(Native Method) [rt.jar:1.7.0_03]
    at java.lang.Class.forName(Class.java:186) [rt.jar:1.7.0_03]
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:74) [esapi-2.0.1.jar:2.0.1]
    at org.owasp.esapi.ESAPI.logFactory(ESAPI.java:137) [esapi-2.0.1.jar:2.0.1]
    at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:154) [esapi-2.0.1.jar:2.0.1]
    at org.owasp.esapi.reference.DefaultAccessController.<init>(DefaultAccessController.java:29) [esapi-2.0.1.jar:2.0.1]
    at org.owasp.esapi.reference.DefaultAccessController.getInstance(DefaultAccessController.java:22) [esapi-2.0.1.jar:2.0.1]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_03]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_03]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_03]
    at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_03]
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86) [esapi-2.0.1.jar:2.0.1]
    at org.owasp.esapi.ESAPI.accessController(ESAPI.java:85) [esapi-2.0.1.jar:2.0.1]
    at de.liedl.bachelor.controller.TestController.esapiTest(TestController.java:45) [classe:]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_03]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_03]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_03]
    at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_03]
    at javax.el.BeanELResolver.invokeMethod(BeanELResolver.java:735) [jboss-el-api_2.2_spec-1.0.0.Final.jar:1.0.0.Final]
    at javax.el.BeanELResolver.invoke(BeanELResolver.java:467) [jboss-el-api_2.2_spec-1.0.0.Final.jar:1.0.0.Final]
    at javax.el.CompositeELResolver.invoke(CompositeELResolver.java:246) [jboss-el-api_2.2_spec-1.0.0.Final.jar:1.0.0.Final]
    at org.apache.el.parser.AstValue.getValue(AstValue.java:159) [jbossweb-7.0.10.Final.jar:]
    at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:189) [jbossweb-7.0.10.Final.jar:]
    at org.jboss.weld.el.WeldValueExpression.getValue(WeldValueExpression.java:50) [weld-core-1.1.5.AS71.Final.jar:2012-02-10 15:31]
    at com.sun.faces.facelets.el.TagValueExpression.getValue(TagValueExpression.java:109) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
    at javax.faces.component.ComponentStateHelper.eval(ComponentStateHelper.java:194) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
    at javax.faces.component.ComponentStateHelper.eval(ComponentStateHelper.java:182) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
    at javax.faces.component.UIOutput.getValue(UIOutput.java:169) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
    at com.sun.faces.renderkit.html_basic.HtmlBasicInputRenderer.getValue(HtmlBasicInputRenderer.java:205) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
    at com.sun.faces.renderkit.html_basic.HtmlBasicRenderer.getCurrentValue(HtmlBasicRenderer.java:355) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
    at com.sun.faces.renderkit.html_basic.HtmlBasicRenderer.encodeEnd(HtmlBasicRenderer.java:164) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
    at javax.faces.component.UIComponentBase.encodeEnd(UIComponentBase.java:875) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
    at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1764) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
    at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1760) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
    at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1760) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
    at com.sun.faces.application.view.FaceletViewHandlingStrategy.renderView(FaceletViewHandlingStrategy.java:402) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
    at com.sun.faces.application.view.MultiViewHandler.renderView(MultiViewHandler.java:131) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
    at javax.faces.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:288) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
    at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:121) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
    at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
    at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139) [jsf-impl-2.1.5-jbossorg-1.jar:2.1.5-SNAPSHOT]
    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:594) [jboss-jsf-api_2.1_spec-2.0.0.Final.jar:2.0.0.Final]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) [jbossweb-7.0.10.Final.jar:]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.10.Final.jar:]
    at org.jboss.weld.servlet.ConversationPropagationFilter.doFilter(ConversationPropagationFilter.java:62) [weld-core-1.1.5.AS71.Final.jar:2012-02-10 15:31]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.10.Final.jar:]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.10.Final.jar:]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.10.Final.jar:]
    at org.apache.catalina.core.StandardContextValve.__invoke(StandardContextValve.java:161) [jbossweb-7.0.10.Final.jar:]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java) [jbossweb-7.0.10.Final.jar:]
    at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.0.Final.jar:7.1.0.Final]
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:154) [jboss-as-web-7.1.0.Final.jar:7.1.0.Final]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.10.Final.jar:]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.10.Final.jar:]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.10.Final.jar:]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.10.Final.jar:]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.10.Final.jar:]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.10.Final.jar:]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.10.Final.jar:]
    at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_03]

i know the ESAPI Swingset Demo - and this is running in my configuration

I have 2 questions:
is my maven and my server start configuration right?
because the error looks like the ESAPI can't find the ESAPI Logger functions....

And
Is it even possible to use the simple test code-snippet in my setup at all?

(p.s. also tried to it without maven and just with including the downloaded jar - but its not working)

I miss something like:
(this is from the swingset demo example, NOT from my own project)

Seeking ESAPI.properties
  Not found in 'org.owasp.esapi.resources' directory or file not readable: /home/joergi/dev/projects/esapi_demo_1punkt0/ESAPI.properties
  Not found in SystemResource Directory/resourceDirectory: .esapi/ESAPI.properties
  Not found in SystemResource Directory/.esapi: .esapi/ESAPI.properties
  Not found in SystemResource Directory: ESAPI.properties
  Found in 'user.home' directory: /home/joergi/.esapi/ESAPI.properties
Loaded 'ESAPI.properties' properties file
Seeking validation.properties
  Not found in 'org.owasp.esapi.resources' directory or file not readable: /home/joergi/dev/projects/esapi_demo_1punkt0/validation.properties
  Not found in SystemResource Directory/resourceDirectory: .esapi/validation.properties
  Not found in SystemResource Directory/.esapi: .esapi/validation.properties
  Not found in SystemResource Directory: validation.properties
  Found in 'user.home' directory: /home/joergi/.esapi/validation.properties
Loaded 'validation.properties' properties file
Seeking ESAPI_logging_file
  Not found in 'org.owasp.esapi.resources' directory or file not readable: /home/joergi/dev/projects/esapi_demo_1punkt0/ESAPI_logging_file
  Not found in SystemResource Directory/resourceDirectory: .esapi/ESAPI_logging_file
  Not found in SystemResource Directory/.esapi: .esapi/ESAPI_logging_file
  Not found in SystemResource Directory: ESAPI_logging_file
  Found in 'user.home' directory: /home/joergi/.esapi/ESAPI_logging_file

Hopefully somebody can help!

Answer

Chris Schmidt picture Chris Schmidt · Mar 6, 2012

You have multiple versions of the Log4J library in your classpath, likely as a result of a downstream dependency from another library being used by your application. Examine your dependency tree to figure out where the duplicate library is being loaded and exclude it in your pom.xml

mvn dependency:tree

This will show you the dependency tree for your application.

<exclusion>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
</exclusion>

Add this exclusion to the culprit dependency in your pom.xml and all should be right with the world.

Related questions

How can I restrict access to certain URLs by source IP in Tomcat?

I want to restrict access to certain URLs in my Tomcat webapp. Only 3 known IP addresses should be allowed access to URLs that fit a certain pattern. e.g. http://example.com:1234/abc/personId How can I achieve this?

Read More
HttpServletRequest.getRemoteUser() vs HttpServletRequest.getUserPrincipal().getName()

These two seem to be doing the same things. Can anyone explain the main difference between the two? When would you use one vs the other? HttpServletRequest.getRemoteUser() HttpServletRequest.getUserPrincipal().getName()

Read More
How to properly logout of a Java EE 6 Web Application after logging in

A pretty simple requirement. After logging into web J2EE 6 application, how can I have the user logout again? Most (all?) the books and tutorials I have seen show how to add a login/loginerror page to their application and …

Read More