ESAPI - Getting ClassNotFoundException with ESAPI 2.2.3.1

Question

My Code was working with org.owasp.esapi 2.2.0.0 but after upgrading to 2.2.3.1 I am getting ClassNotFoundException.

My Code is something like:

  Properties esapiProps = new Properties();
  try {
     esapiProps.load( SecurityUtil.class.getResourceAsStream("/ESAPI.properties") );
     
  } catch (IOException | NullPointerException e) {
     logger.log(Level.SEVERE, "esapi Exception: ", e);
  }
  ESAPI.override( new DefaultSecurityConfiguration(esapiProps));
  // ----- Then canonicalize an input -----
  ESAPI.encoder().canonicalize(input);

I read the release notes and added some properties and esapi-java-logging

my ESAPI.properties (in class path)

ESAPI.printProperties=true
LogLevel=INFO
ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
Encoder.AllowMultipleEncoding=false
Encoder.AllowMixedEncoding=false
Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec

ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory
Logger.ApplicationName=My Test Application
Logger.LogEncodingRequired=false
Logger.LogApplicationName=true
Logger.LogServerIP=true
Logger.LogFileName=ESAPI_logging_file
Logger.MaxLogFileSize=10000000
Logger.UserInfo=true
Logger.ClientInfo=true

my esapi-java-logging.properties (in class path)

handlers= java.util.logging.ConsoleHandler
.level= INFO
java.util.logging.ConsoleHandler.level = INFO
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
java.util.logging.SimpleFormatter.format=[%1$tF %1$tT] [%3$-7s] %5$s %n

but I get this exception:

[ERROR   ] SRVE0315E: An exception occurred: java.lang.Throwable: org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.
    at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:5095)
    at [internal classes]
Caused by: org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129)
    at org.owasp.esapi.ESAPI.encoder(ESAPI.java:101)
    .
    .
    .
    at sun.reflect.GeneratedMethodAccessor521.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.wink.server.internal.handlers.InvokeMethodHandler.handleRequest(InvokeMethodHandler.java:63)
    ... 1 more
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.GeneratedMethodAccessor522.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86)
    ... 8 more
Caused by: org.owasp.esapi.errors.ConfigurationException: java.lang.ClassNotFoundException: org.owasp.esapi.reference.JavaLogFactory LogFactory class (org.owasp.esapi.reference.JavaLogFactory) must be in class path.
    ... 17 more
Caused by: java.lang.ClassNotFoundException: org.owasp.esapi.reference.JavaLogFactory
    at com.ibm.ws.classloading.internal.AppClassLoader.findClassCommonLibraryClassLoaders(AppClassLoader.java:569)
    at [internal classes]
    at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:264)
    at org.owasp.esapi.util.ObjFactory.loadClassByStringName(ObjFactory.java:158)
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:81)
    ... 15 more

If I change my ESAPI.properties and copy what is in https://raw.githubusercontent.com/ESAPI/esapi-java-legacy/develop/configuration/esapi/ESAPI.properties, ClassNotFoundException goes away and I get NullPointerException exception:

[ERROR   ] SRVE0315E: An exception occurred: java.lang.Throwable: org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.
    at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:5095)
    at [internal classes]
Caused by: org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129)
    at org.owasp.esapi.ESAPI.encoder(ESAPI.java:101)
    .
    .
    .
    at sun.reflect.GeneratedMethodAccessor522.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.wink.server.internal.handlers.InvokeMethodHandler.handleRequest(InvokeMethodHandler.java:63)
    ... 1 more
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.GeneratedMethodAccessor523.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86)
    ... 8 more
Caused by: java.lang.ExceptionInInitializerError
    ... 20 more
Caused by: java.lang.NullPointerException
    ... 22 more

Answer 1

You said that you read the release notes. The reason for your problem is a detail that you missed that was documented there. Look in those release notes, in the section labeled:

*** IMPORTANT WORKAROUND for 2.2.1.0 ESAPI Logging ***

There, it states:

Lastly, if you try to use the new ESAPI 2.2.1.0 logging, you will notice that you need to change ESAPI.Logger and also possibly provide some other logging properties as well. This is because the logger packages were reorganized to improve maintainability, but we failed to mention it. To use ESAPI logging in ESAPI 2.2.1.0 (and later), you MUST set the ESAPI.Logger property to one of:

   org.owasp.esapi.logging.java.JavaLogFactory     - To use the new default, java.util.logging (JUL)
   org.owasp.esapi.logging.log4j.Log4JLogFactory   - To use the end-of-life Log4J 1.x logger
   org.owasp.esapi.logging.slf4j.Slf4JLogFactory   - To use the new (to release 2.2.0.0) SLF4J logger

Between that and a careful reading of your exception stack trace:

    ... deleted...
Caused by: org.owasp.esapi.errors.ConfigurationException: java.lang.ClassNotFoundException: org.owasp.esapi.reference.JavaLogFactory LogFactory class (org.owasp.esapi.reference.JavaLogFactory) must be in class path.
    ... 17 more
Caused by: java.lang.ClassNotFoundException: org.owasp.esapi.reference.JavaLogFactory
    ...deleted...

I think that should explain the reason. Those classes were reorganized to different packages to accommodate SLF4J logging.

Answer 2

There is some typo with logger factory config in ESAPI.properties. The classes are in org.owasp.esapi.logging.*.

#ESAPI.Logger=org.owasp.esapi.logging.log4j.Log4JLogFactory
#ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory