[Esapi-dev] HELP! RE: Exception Using ESAPI Java after Reloading or Stopping/Starting App in Tomcat
Mark Barnes
Mark.Barnes at rightthinginc.com
Thu Jun 23 12:54:04 EDT 2011
One more thing.
Our code doesn't do anything special to enable/configure/initialize ESAPI.
It just blindly calls the ESAPI.encoder().encodeXXX() methods.
From: Mark Barnes
Sent: 23 June, 2011 12:43 PM
To: 'Chris Schmidt'
Cc: Kevin W. Wall; Jim Manico; ESAPI Devs
Subject: RE: [Esapi-dev] HELP! RE: Exception Using ESAPI Java after Reloading or Stopping/Starting App in Tomcat
Apache Tomcat/6.0.20
Java 1.6.0_24-b07
Windows 7 6.1 amd64
Running with the latest Cygwin.
There's only one lib directory under $TOMCAT_HOME. No sub-directories.
I've run "find . -name '*log4*.jar'" from directory $TOMCAT_HOME. The *ONLY* *log4j*.jar found is in $TOMCAT_HOME/lib
I've also run the same find command from $JAVA_HOME. No *log4j*jar
We don't add anything to the classpath on the java command line.
This is CLASSPATH just before the tomcat executable is run:
.;C:\development\Tomcat\bin\bootstrap.jar
There are no .class (or .jar) files in "." (the current directory.)
Our code isn't using log4j directly. It logs via the Servlet Context.
From: Chris Schmidt [mailto:chris.schmidt at owasp.org]
Sent: 23 June, 2011 11:25 AM
To: Mark Barnes
Cc: Kevin W. Wall; Jim Manico; ESAPI Devs
Subject: Re: [Esapi-dev] HELP! RE: Exception Using ESAPI Java after Reloading or Stopping/Starting App in Tomcat
I am guessing that there has to be one in the classpath somewhere. Perhaps in one of the other lib directories under ${tomcat_home}
On 6/23/2011 9:01 AM, Mark Barnes wrote:
We use cvs and ant.
From: Chris Schmidt [mailto:chris.schmidt at owasp.org]
Sent: 23 June, 2011 11:00 AM
To: Mark Barnes
Cc: Kevin W. Wall; Jim Manico; ESAPI Devs
Subject: Re: [Esapi-dev] HELP! RE: Exception Using ESAPI Java after Reloading or Stopping/Starting App in Tomcat
Is this a Maven project?
On 6/23/2011 8:59 AM, Mark Barnes wrote:
Below are the contents of my log4j.properties file (in ${TOMCAT_HOME}/lib) if that makes any difference...
log4j.rootLogger=INFO, tomcat, stdout
log4j.appender.tomcat=org.apache.log4j.DailyRollingFileAppender
log4j.appender.tomcat.threshold=INFO
log4j.appender.tomcat.File=${catalina.base}/logs/tomcat.sql
log4j.appender.tomcat.DatePattern='.'yyyy-MM-dd
log4j.appender.tomcat.layout=org.apache.log4j.PatternLayout
log4j.appender.tomcat.layout.ConversionPattern=%d{MM-dd-yyyy HH:mm:ss.SSS} %m%n
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.threshold=ALL
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d{dd-MMM-yyyy HH:mm:ss.SSS} %m%n
log4j.logger.org.apache.commons.httpclient=INFO
log4j.logger.httpclient.wire=INFO
log4j.logger.com.gargoylesoftware.htmlunit=INFO
log4j.logger.org.apache.axis=INFO
From: Mark Barnes
Sent: 23 June, 2011 9:38 AM
To: 'Kevin W. Wall'; Chris Schmidt
Cc: ESAPI Devs; Jim Manico
Subject: RE: [Esapi-dev] HELP! RE: Exception Using ESAPI Java after Reloading or Stopping/Starting App in Tomcat
Many thanks for your responses. I've checked things out. Here is what I have come up with...
I don't have more than one log4j*.jar file. It appears only once, as ${TOMCAT_HOME}/lib/log4j-1.2.15.jar
There is no esapi*.jar in directory ${TOMCAT_HOME}/lib
esapi-2.0GA.jar appears in the ${TOMCAT_HOME}/webapps/xxx/WEB-INF/lib directory for each of my webapps. There are no other esapi*.jar files under ${TOMCAT_HOME}/webapps.
I have grep'ed for "log4k" through the other .jar files in my webapp's WEB-INF/lib and got a hit only on webservices-rt.jar. Looking inside this jar, I don't find any .class files whose names match "Log4J*"
Is there anything else I can check out?
Thanks,
---Mark
From: Kevin W. Wall [mailto:kevin.w.wall at gmail.com]
Sent: 22 June, 2011 8:31 PM
To: Chris Schmidt
Cc: Mark Barnes; ESAPI Devs; Jim Manico
Subject: Re: [Esapi-dev] HELP! RE: Exception Using ESAPI Java after Reloading or Stopping/Starting App in Tomcat
Chris, I think you're onto something. Perhaps 2 different log4j.jar files w/ incompatible log4j Logger classes???
-kevin
--
Kevin W. Wall
Sent from DroidX; please excuse typos.
On Jun 22, 2011 7:10 PM, "Chris Schmidt" <chris.schmidt at owasp.org> wrote:
> I don't think that will make a difference. This is pretty obviously a classloading dependency issue. Is there more than one log4j jar file in your classpath?
>
> Sent from my iPwn
>
> On Jun 22, 2011, at 5:06 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Can you upgrade to Tomcat 6.0.32 and Java 6 update 26 please and retest?
>>
>> - Jim
>>
>>> Jim -
>>>
>>> Thank you for your response!
>>>
>>> I did remove the esapiport.jar from my classpath.
>>>
>>> The application that I have that uses ESAPI is also the same application that uses OpenAM. I have NOT yet verified that OpenAM is still working on my dev system without esapiport.jar. I have not removed esapiport.jar in production. Both esapiport.jar and esapi2.0GA.jar are still there. OpenAM continues to work in production. There is no code in production that uses ESAPI yet.
>>>
>>>
>>>
>>> I am looking at the stack trace and the ESAPI 2.0 GA source and I don't see how the ClassCastException is even possible! It just doesn't make any sense to me.
>>>
>>> Here are lines 87-89 of Log4JLogFactory:
>>> public org.owasp.esapi.Logger getLogger(String moduleName) {
>>> return (org.owasp.esapi.Logger)LogManager.getLogger(moduleName, factory);
>>> }
>>>
>>> Here is the "factory" member field of Log4JLogFactory
>>> LoggerFactory factory = new Log4JLoggerFactory();
>>>
>>> From Log4JLoggerFactory:
>>> public org.apache.log4j.Logger makeNewLoggerInstance(String name) {
>>> return new Log4JLogger(name);
>>> }
>>>
>>> From Log4JLogger:
>>> public class Log4JLogger extends org.apache.log4j.Logger implements org.owasp.esapi.Logger {
>>>
>>> Could something be overwriting the "factory" member field, causing line #88 in Log4JLogFactory to use a different LoggerFactory implementation such that LogManager.getLogger() returns something unexpected???
>>>
>>>
>>>
>>> Even more perplexing, why does this happen only for the second and subsequent apps to start up on the server???
>>>
>>> ---Mark
>>>
>>>
>>>> -----Original Message-----
>>>> From: Jim Manico [mailto:jim.manico at owasp.org]
>>>> Sent: 19 June, 2011 2:42 AM
>>>> To: Mark Barnes
>>>> Cc: Chris Schmidt; ESAPI Devs
>>>> Subject: Re: [Esapi-dev] HELP! RE: Exception Using ESAPI Java after Reloading
>>>> or Stopping/Starting App in Tomcat
>>>>
>>>>> I am using ESAPI 2.0 GA on Windows 7 running Apache Tomcat 6.0.20 on
>>>> JDK 1.6.0_24-b07
>>>>
>>>> I've never run into this. Can you try a different logging implementation
>>>> and let us know if you get the same problem?
>>>>
>>>> This is an interesting problem where a 3rd party library and the app
>>>> itself are using ESAPI. Even worse, OpenAM seems to have forked ESAPI
>>>> while using the same name-space. Not a solid move if it's true.
>>>>
>>>> - Jim
>>>>
>>>>> Could some kind soul help me out with this?
>>>>>
>>>>>
>>>>>
>>>>> This problem is worse than I thought.
>>>>>
>>>>>
>>>>>
>>>>> We run multiple applications per Tomcat instance. The first one that
>>>>> starts up has no problem, but each one that starts up after that has the
>>>>> same problem as mentioned before.
>>>>>
>>>>>
>>>>>
>>>>> org.owasp.esapi.errors.ConfigurationException :
>>>>> java.lang.reflect.InvocationTargetException Encoder class
>>>>> (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.
>>>>>
>>>>>
>>>>>
>>>>> java.lang.ClassCastException: org.owasp.esapi.reference.Log4JLogger
>>>>> cannot be cast to org.owasp.esapi.Logger
>>>>>
>>>>>
>>>>>
>>>>> This is making it difficult for me to do things.
>>>>>
>>>>>
>>>>>
>>>>> So far, I am using ESAPI only on my dev machine. It's not in
>>>>> production... thank goodness!
>>>>>
>>>>>
>>>>>
>>>>> Thanks.
>>>>>
>>>>> ---Mark
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> *From:* esapi-dev-bounces at lists.owasp.org
>>>>> [mailto:esapi-dev-bounces at lists.owasp.org] *On Behalf Of* Mark Barnes
>>>>> *Sent:* 13 June, 2011 3:11 PM
>>>>> *To:* Chris Schmidt; ESAPI Devs
>>>>> *Subject:* Re: [Esapi-dev] Exception Using ESAPI Java after Reloading or
>>>>> Stopping/Starting App in Tomcat
>>>>>
>>>>>
>>>>>
>>>>> Thank you for your response, Chris -
>>>>>
>>>>>
>>>>>
>>>>> You were correct! I did have ESAPI in my path twice... sort of. We use
>>>>> OpenAM (formerly OpenSSO,) and that requires a whole list of libraries.
>>>>> One of these libraries is called "esapiport.jar" and it is provided
>>>>> with the OpenAM distro.
>>>>>
>>>>>
>>>>>
>>>>> I looked inside both jar files and did note that the classes in
>>>>> esapiport.jar seem to be a subset of those in the ESAPI 2.0 GA jar file.
>>>>>
>>>>>
>>>>>
>>>>> I removed esapiport.jar from both our deploy script and from the
>>>>> WEB-INF/lib directory and tried again. It didn't fix the problem.
>>>>>
>>>>>
>>>>>
>>>>> I also made sure that the Tomcat libs directory had no ESAPI jars, and
>>>>> also the classpath built externally to Tomcat and passed on the java
>>>>> command line.
>>>>>
>>>>>
>>>>>
>>>>> The ClassCastException mentioned in my original message is the only
>>>>> Exception in our Tomcat logs.
>>>>>
>>>>>
>>>>>
>>>>> Has no one else ever seen this problem before???
>>>>>
>>>>>
>>>>>
>>>>> Does anyone know how to fix it? I just can't stop and restart Tomcat
>>>>> all the time. There are other web apps running on the same Tomcat.
>>>>>
>>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> ---Mark
>>>>>
>>>>>
>>>>>
>>>>> *From:* Chris Schmidt [mailto:chris.schmidt at owasp.org]
>>>>> *Sent:* 09 June, 2011 11:06 AM
>>>>> *To:* Mark Barnes; ESAPI Devs
>>>>> *Subject:* Re: [Esapi-dev] Exception Using ESAPI Java after Reloading or
>>>>> Stopping/Starting App in Tomcat
>>>>>
>>>>>
>>>>>
>>>>> This is indeed a place to reach out for help with ESAPI! :) This is
>>>>> actually the developers list, there is also an esapi-user mailing list,
>>>>> but either works fine.
>>>>>
>>>>> As far as the problem you are experiencing, I have not encountered this
>>>>> issue before, but just at a quick glance I would guess that maybe you
>>>>> have 2 versions of ESAPI in your classpath perhaps?
>>>>>
>>>>> The error being reported doesn't make a great deal of sense, as
>>>>> Log4JLogger clearly implements the org.owasp.esapi.Logger interface, are
>>>>> there any more exceptions occurring before or after this one?
>>>>>
>>>>>
>>>>> On 6/8/11 8:54 PM, "Mark Barnes" <Mark.Barnes at rightthinginc.com> wrote:
>>>>>
>>>>> Additional info...
>>>>>
>>>>> I see the following in my Tomcat log file:
>>>>>
>>>>> java.lang.ClassCastException: org.owasp.esapi.reference.Log4JLogger cannot be cast to org.owasp.esapi.Logger
>>>>> at org.owasp.esapi.reference.Log4JLogFactory.getLogger(Log4JLogFactory.java:88)
>>>>> at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:154)
>>>>> at org.owasp.esapi.reference.DefaultEncoder.<init>(DefaultEncoder.java:75)
>>>>> at org.owasp.esapi.reference.DefaultEncoder.getInstance(DefaultEncoder.java:59)
>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>> at java.lang.reflect.Method.invoke(Method.java:597)
>>>>> at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86)
>>>>> at org.owasp.esapi.ESAPI.encoder(ESAPI.java:99)
>>>>>
>>>>>
>>>>> *From:* esapi-dev-bounces at lists.owasp.org
>>>>> [mailto:esapi-dev-bounces at lists.owasp.org] *On Behalf Of* Mark Barnes
>>>>> *Sent:* 07 June, 2011 7:22 PM
>>>>> *To:* esapi-dev at lists.owasp.org
>>>>> *Subject:* [Esapi-dev] Exception Using ESAPI Java after Reloading or
>>>>> Stopping/Starting App in Tomcat
>>>>>
>>>>> Is this the correct place to get help using ESAPI for Java? If so,
>>>>> could someone please help me to resolve this problem I am having? Or if
>>>>> not, where should I go?
>>>>>
>>>>>
>>>>> The problem I am having is this:
>>>>>
>>>>> When I Reload or Stop/Start my App, which is an essential part of our
>>>>> deployment, I get the following exception:
>>>>>
>>>>> org.owasp.esapi.errors.ConfigurationException :
>>>>> java.lang.reflect.InvocationTargetException Encoder class
>>>>> (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.
>>>>>
>>>>> StackTrace:
>>>>>
>>>>> org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129)
>>>>> org.owasp.esapi.ESAPI.encoder(ESAPI.java:99)
>>>>> com.airs.utilities.server.ESAPI.encHTML(ESAPI.java:39)
>>>>> .
>>>>> .
>>>>> .
>>>>>
>>>>> I am using ESAPI 2.0 GA on Windows 7 running Apache Tomcat 6.0.20 on
>>>> JDK
>>>>> 1.6.0_24-b07
>>>>>
>>>>> Prior to the App restart, my code had repeatedly used ESAPI.encoder()
>>>>> many times to call encodeHTML() with no problems.
>>>>>
>>>>> When I completely shut down Tomcat and start it back up, things are okay
>>>>> again.
>>>>>
>>>>> Is there some call my code needs to make to re-initialize ESAPI under
>>>>> these circumstances, perhaps in the Servlet init() method??? The code
>>>>> is not doing anything to initialize ESAPI at this time. It just calls
>>>>> ESAPI.encoder().encodeHTML().
>>>>>
>>>>> Thanks for any assistance.
>>>>>
>>>>> ---Mark
>>>>>
>>>>> *Mark Barnes*, Software Engineering
>>>>> The RightThing, LLC * 67 Etna Road, Suite 400 * Lebanon, NH 03766
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>> _______________________________________________
>>>>> Esapi-dev mailing list
>>>>> Esapi-dev at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/esapi-dev
>>>>>
>>>>>
>>>>> Chris Schmidt
>>>>> ESAPI Project Manager (http://www.esapi.org)
>>>>> ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
>>>>> Blog: http://yet-another-dev.blogspot.com
>>>>>
>>>>>
>>>>>
>>>
>>
> _______________________________________________
> Esapi-dev mailing list
> Esapi-dev at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-dev
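
Added example, not part of the thread and not ESAPI or log4j code: a self-contained Java model of the classloading hypothesis raised above. log4j 1.x hands back an already-registered logger when LogManager.getLogger(name, factory) is called for an existing name, so with log4j in $TOMCAT_HOME/lib and ESAPI in each WEB-INF/lib, a second webapp can receive a Log4JLogger defined by the first webapp's class loader. Every class name in the code (SharedLoggerCacheDemo, AppLogger, AppLoggerImpl, AppCode, ChildFirstLoader) is a hypothetical stand-in.

```java
import java.io.*;
import java.util.*;
import java.util.function.Supplier;

public class SharedLoggerCacheDemo {
    // Models log4j's logger repository: a single copy owned by the container-wide loader.
    public static final Map<String, Object> SHARED_CACHE = new HashMap<>();
    public interface AppLogger {}                              // models org.owasp.esapi.Logger
    public static class AppLoggerImpl implements AppLogger {}  // models Log4JLogger

    // Models Log4JLogFactory.getLogger(): look the name up in the shared repository, then cast.
    public static class AppCode implements Supplier<String> {
        public String get() {
            Object logger = SHARED_CACHE.get("DefaultEncoder");
            if (logger == null) {                 // first webapp: the factory creates the logger
                logger = new AppLoggerImpl();
                SHARED_CACHE.put("DefaultEncoder", logger);
            }
            try {
                AppLogger typed = (AppLogger) logger;
                return "cast ok, logger class defined by " + typed.getClass().getClassLoader();
            } catch (ClassCastException e) {      // later webapps: same name, different Class object
                return "ClassCastException: " + e.getMessage();
            }
        }
    }

    // Models a webapp class loader: defines its own copy of the "WEB-INF/lib" classes.
    static class ChildFirstLoader extends ClassLoader {
        ChildFirstLoader() { super(SharedLoggerCacheDemo.class.getClassLoader()); }
        @Override protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.startsWith("SharedLoggerCacheDemo$App")) return super.loadClass(name, resolve);
            Class<?> loaded = findLoadedClass(name);
            if (loaded != null) return loaded;
            try (InputStream in = getParent().getResourceAsStream(name + ".class")) {
                if (in == null) throw new ClassNotFoundException(name);
                byte[] bytes = in.readAllBytes();
                return defineClass(name, bytes, 0, bytes.length);
            } catch (IOException e) { throw new ClassNotFoundException(name, e); }
        }
    }

    public static void main(String[] args) throws Exception {
        for (String app : new String[] {"webapp1", "webapp2"}) {   // two "deployments"
            Supplier<?> code = (Supplier<?>) new ChildFirstLoader()
                .loadClass("SharedLoggerCacheDemo$AppCode").getDeclaredConstructor().newInstance();
            System.out.println(app + ": " + code.get());
        }
    }
}
```

Compile with javac SharedLoggerCacheDemo.java and run java SharedLoggerCacheDemo on Java 9 or later. The first "webapp" casts successfully; the second gets a ClassCastException naming a class that visibly implements the target interface, the same shape as the exception in the thread.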