[Esapi-dev] HELP! RE: Exception Using ESAPI Java after Reloading or Stopping/Starting App in Tomcat
Kevin W. Wall
kevin.w.wall at gmail.com
Thu Jun 30 18:56:57 EDT 2011
Mark,
Have you enabled verbose class loading like I suggested? If so, results???
-kevin
--
Kevin W. Wall
Sent from DroidX; please excuse typos.
On Jun 30, 2011 3:17 PM, "Mark Barnes" <Mark.Barnes at rightthinginc.com> wrote:
> Kevin -
>
> I did what you suggested.
>
> From $TOMCAT_HOME, I ran a find for all files "*.jar" (we have no .war files) and ran the command "tar tf" on each of them and piped the output to "fgrep -i log4j" and redirected the output to a file.
>
> The listing of the jar files -- and for jars other than log4jXXX, the class file names that match log4j -- is included below. (I removed multiple copies of commons-logging, spy, etc, and class files that were obviously not part of log4j.)
>
> There was a second log4jXXX.jar in server/webapps/probe/WEB-INF/lib (for psi-Probe.) I had previously forgotten to check server/webapps.
>
> I manually removed this jar file and restarted Tomcat.
>
> It didn't help a thing.
>
> Every time I stop/start an app the app gets this Exception. Every time I use a second app on the same Tomcat that app gets this Exception. The first app does not, regardless of which is first.
>
> org.owasp.esapi.errors.ConfigurationException java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.
>
> The Tomcat log file gets this:
>
> Attempting to load ESAPI.properties via file I/O.
> Attempting to load ESAPI.properties as resource file via file I/O.
> Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\development\Tomcat\logs\ESAPI.properties
> Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
> [Compatibility] Found in 'user.home' directory: C:\Users\mark.barnes\.esapi\ESAPI.properties
> Loaded 'ESAPI.properties' properties file
> Attempting to load validation.properties via file I/O.
> Attempting to load validation.properties as resource file via file I/O.
> Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\development\Tomcat\logs\validation.properties
> Not found in SystemResource Directory/resourceDirectory: .esapi\validation.properties
> [Compatibility] Found in 'user.home' directory: C:\Users\mark.barnes\.esapi\validation.properties
> Loaded 'validation.properties' properties file
> 30-Jun-2011 14:03:42.310 Servlet.service() for servlet jsp threw exception
> java.lang.ClassCastException: org.owasp.esapi.reference.Log4JLogger cannot be cast to org.owasp.esapi.Logger
> at org.owasp.esapi.reference.Log4JLogFactory.getLogger(Log4JLogFactory.java:88)
> at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:154)
> at org.owasp.esapi.reference.DefaultEncoder.<init>(DefaultEncoder.java:75)
> at org.owasp.esapi.reference.DefaultEncoder.getInstance(DefaultEncoder.java:59)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86)
> at org.owasp.esapi.ESAPI.encoder(ESAPI.java:99)
> at com.airs.utilities.server.ESAPI.encHTML(ESAPI.java:39)
>
> How could org.owasp.esapi.reference.Log4JLogger NOT be an instance of org.owasp.esapi.Logger ??????????
>
> We run multiple apps on the same Tomcat.
>
> Our apps don't do anything to setup or configure ESAPI. They just call ESAPI.encoder().encodeXXX() directly each time.
>
> Each app has its own copy of esapi-2.0GA.jar in its WEB-INF/lib directory.
>
> The ESAPI config files are in ~/.esapi
>
> Is there some code our apps need to call to manually configure ESAPI before calling ESAPI.encoder()?????
>
> I just don't know what to do. I need to get this to work.
>
>
>
> Thanks for any help you can give me.
> ---Mark
>
>
>
> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
> ===== ./lib/log4j-1.2.15.jar
>
> ===== ./server/webapps/probe/WEB-INF/lib/log4j-1.2.13.jar
>
> ===== ./lib/mysql.jar
> com/mysql/jdbc/log/Log4JLogger.class
>
> ===== tomcat-juli-adapters.jar
> org/apache/juli/logging/impl/Log4JLogger.class
>
> ===== commons-logging-1.1.1.jar
> org/apache/commons/logging/impl/Log4JLogger.class
>
> === slf4j-log4j12-1.4.2.jar
> org/slf4j/impl/Log4jLoggerAdapter.class
> org/slf4j/impl/Log4jLoggerFactory.class
> org/slf4j/impl/Log4jMDCAdapter.class
>
> ===== spy-2.4.jar
> net/spy/log/Log4JLogger$1.class
> net/spy/log/Log4JLogger.class
> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
>
>
>
>
>> -----Original Message-----
>> From: esapi-dev-bounces at lists.owasp.org [mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Kevin W. Wall
>> Sent: 27 June, 2011 6:40 PM
>> To: Mark Barnes
>> Cc: ESAPI Devs
>> Subject: Re: [Esapi-dev] HELP! RE: Exception Using ESAPI Java after Reloading or Stopping/Starting App in Tomcat
>>
>> I don't think I'd run grep, but instead run
>>
>> jar tvf jarname | grep -i log4j
>>
>> on each jar and war file that Tomcat is using for your application. That way you don't get false positives (e.g., like matching "Log4j" in an error message or other string).
>>
>> -kevin
>>
>> On Mon, Jun 27, 2011 at 12:25 PM, Mark Barnes
>> <Mark.Barnes at rightthinginc.com> wrote:
>> > Would running grep through all our jar files, looking for "Log4" suffice?
>> >
>> > I have tried that and found one jar that matches (binary match,) then I looked at the names of the .class files inside just that one jar, and it seemed everything was okay...
>> >
>> > Question:
>> >
>> > Is it okay to put the ESAPI config files under just "~/.esapi" (user.home) and then include the ESAPI jar in the WEB-INF/lib for each webapp that uses ESAPI? Even though the ESAPI doc told me to place the files there, I see lines in the logs that seem to indicate this is not the standard way to do things. (Compatibility???)
>> >
>> > Attempting to load ESAPI.properties via file I/O.
>> > Attempting to load ESAPI.properties as resource file via file I/O.
>> > Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\development\Tomcat\logs\ESAPI.properties
>> > Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
>> > [Compatibility] Found in 'user.home' directory: C:\Users\mark.barnes\.esapi\ESAPI.properties
>> > Loaded 'ESAPI.properties' properties file
>> > Attempting to load validation.properties via file I/O.
>> > Attempting to load validation.properties as resource file via file I/O.
>> > Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\development\Tomcat\logs\validation.properties
>> > Not found in SystemResource Directory/resourceDirectory: .esapi\validation.properties
>> > [Compatibility] Found in 'user.home' directory: C:\Users\mark.barnes\.esapi\validation.properties
>> > Loaded 'validation.properties' properties file
>> >
>> >
>> >> -----Original Message-----
>> >> From: esapi-dev-bounces at lists.owasp.org [mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Kevin W. Wall
>> >> Sent: 23 June, 2011 4:57 PM
>> >> To: Mark Barnes
>> >> Cc: ESAPI Devs
>> >> Subject: Re: [Esapi-dev] HELP! RE: Exception Using ESAPI Java after Reloading or Stopping/Starting App in Tomcat
>> >>
>> >> On Thu, Jun 23, 2011 at 9:37 AM, Mark Barnes
>> >> <Mark.Barnes at rightthinginc.com> wrote:
>> >> > Many thanks for your responses. I've checked things out. Here is what I have come up with...
>> >> >
>> >> > I don't have more than one log4j*.jar file. It appears only once, as ${TOMCAT_HOME}/lib/log4j-1.2.15.jar
>> >> >
>> >> >
>> >> > There is no esapi*.jar in directory ${TOMCAT_HOME}/lib
>> >> >
>> >> > esapi-2.0GA.jar appears in the ${TOMCAT_HOME}/webapps/xxx/WEB-INF/lib directory for each of my webapps. There are no other esapi*.jar files under ${TOMCAT_HOME}/webapps.
>> >> >
>> >> > I have grep'ed for "log4k" through the other .jar files in my webapp's WEB-INF/lib and got a hit only on webservices-rt.jar. Looking inside this jar, I don't find any .class files whose names match "Log4J*"
>> >> > Is there anything else I can check out?
>> >>
>> >> Hmm... well, there's always the possibility that one of the other jars/wars that you are using did something lame like WebLogic did and basically sucked up the entire universe into their jar file. For instance, in WebLogic Server, the weblogic.jar contains all (or at least most of) the log4j classes.
>> >>
>> >> I'm assuming that you don't want to look through all the jars and wars that are in your Tomcat, so instead, how about enabling verbose class loading and we can see if that reveals anything. In particular is the class org.apache.log4j.Logger getting loaded multiple times from different jars (or the ESAPI classes for that matter).
>> >>
>> >> Short of that, the only thing I can suggest is to attach to Tomcat with a debugger and set some appropriate breakpoints and try to single step at the point where it starts to blow up.
>> >>
>> >> But I'm pretty sure that this is some sort of class-loading issue or at least that's one aspect of it. There might be some race condition for the root cause, but I still think class-loading is somehow involved.
>> >>
>> >> -kevin
>
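The jar audit discussed in this thread (listing each archive's entries and matching on class names rather than grepping raw bytes) can be scripted as below. This is an added example, not code from the thread or from ESAPI; it uses Python's zipfile in place of `jar tvf | grep`, also descends into jars nested inside a war, and the `webapps/app1` directory and `META-INF/notes.txt` entry are constructed for illustration.

```python
import io, os, tempfile, zipfile
from collections import defaultdict

def class_entries(archive, label):
    """Yield (class name, archive label) for every .class entry, including nested jars."""
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                # Strip the war-internal classes prefix so names compare across archives.
                yield name[:-6].split("WEB-INF/classes/")[-1].replace("/", "."), label
            elif name.endswith((".jar", ".war")):
                yield from class_entries(io.BytesIO(zf.read(name)), f"{label}!/{name}")

def find_providers(root, needle):
    """Map each class whose name contains `needle` to the archives that ship it."""
    providers = defaultdict(set)
    for dirpath, _, files in os.walk(root):
        for fn in (f for f in files if f.endswith((".jar", ".war"))):
            path = os.path.join(dirpath, fn)
            label = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                for cls, src in class_entries(path, label):
                    if needle.lower() in cls.lower():
                        providers[cls].add(src)
            except zipfile.BadZipFile:
                pass  # not a readable zip archive despite the extension
    return {cls: sorted(srcs) for cls, srcs in providers.items()}

def duplicates(providers):
    """Classes shipped by more than one archive: candidates for a class-loader clash."""
    return {cls: srcs for cls, srcs in providers.items() if len(srcs) > 1}

def build_sample(root):
    """Constructed tree using jar names from the thread; entries are empty stubs."""
    layout = {
        "lib/log4j-1.2.15.jar": {"org/apache/log4j/Logger.class": b""},
        "server/webapps/probe/WEB-INF/lib/log4j-1.2.13.jar": {"org/apache/log4j/Logger.class": b""},
        "lib/mysql.jar": {"com/mysql/jdbc/log/Log4JLogger.class": b""},
        "webapps/app1/WEB-INF/lib/webservices-rt.jar": {"META-INF/notes.txt": b"mentions Log4J"},
    }
    for rel, entries in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(duplicates(find_providers(tmp, "log4j")))
```

Pointing `find_providers` at a real Tomcat home with the needle `org.owasp.esapi` applies the same check to the ESAPI classes.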