Class Loader looking for wrong package class

Question

I do have two application (say App1 & App2) on a tomcat server. Both are having ESAPI-2.0-rc5.jar in the C:\Tomcat7_0_29\webapps\AppX\WEB-INF\lib folder. The App2 is using opensaml-2.6.0.jar (inside the C:\Tomcat7_0_29\webapps\App2\WEB-INF\lib folder) for SAML needs.

Now each time when I try to encode a field data in App1, I am getting java.lang.ClassNotFoundException: org.opensaml.ESAPISecurityConfig error. Tried many options and never get that working together. Please help

Full Stack Trace:

org.owasp.esapi.errors.ConfigurationException: java.lang.ClassNotFoundException: org.opensaml.ESAPISecurityConfig SecurityConfiguration class (org.opensaml.ESAPISecurityConfig) must be in class path.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:113)
    at org.owasp.esapi.ESAPI.securityConfiguration(ESAPI.java:445)
    at org.owasp.esapi.ESAPI.encoder(ESAPI.java:208)
    at xxx.xxx.xxxx.xx.removeBadChars(BaseObject.java:131)
    at xxx.xxx.xxxx.xx.convert(ClaimsUtil.java:45)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1001)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.ClassNotFoundException: org.opensaml.ESAPISecurityConfig
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1711)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1556)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Unknown Source)
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:85)
    ... 24 more

Answer 1

1. Check to ensure that opensaml's library is on the class path. If this simple solution isn't the case...

2. Have a look at the maven repo for the most recent release of opensaml:

http://mvnrepository.com/artifact/org.opensaml/opensaml/2.6.1

It looks like that the opensaml library has a dependency on esapi 2.0.1, and what could be happening is that ESAPI-2.0-rc5.jar gets loaded before opensaml's dependency. The only guidance that's really possible for someone who can't clone your environment, is to try downloading the source for opensaml, and build it after updating its dependency management to point to your version of ESAPI.

Answer 2

Faced exactly same issue, how i resolved this by copying opensaml-2.6.1.jar file into tomcat shared/common lib folder "/tomcat/lib/."