Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception

Question

I am trying to run a sample program which encodes using ESAPI.

Here is the sample program

package hello;

import java.io.UnsupportedEncodingException;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.EncodingException;

public class Sample {

    public static void main(String[] args) {
        // TODO Auto-generated method stub
        
        
        String encodedString = encodeForXML("comma underscore hyphen");
        System.out.println("The encoded string is "+encodedString); 
        

    }
    

    
    public static String encodeForXML(String str)
    {
        return ESAPI.encoder().encodeForXML(str);
    }
    
    
    

}

This results in the exception

Exception in thread "main" org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129)
    at org.owasp.esapi.ESAPI.encoder(ESAPI.java:101)
    at hello.HelloWorld.encodeForXML(HelloWorld.java:24)
    at hello.HelloWorld.main(HelloWorld.java:14)
Caused by: java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:564)
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86)
    ... 3 more
Caused by: java.lang.ExceptionInInitializerError
    at java.base/java.lang.Class.forName0(Native Method)
    at java.base/java.lang.Class.forName(Class.java:377)
    at org.owasp.esapi.util.ObjFactory.loadClassByStringName(ObjFactory.java:158)
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:81)
    at org.owasp.esapi.ESAPI.logFactory(ESAPI.java:139)
    at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:155)
    at org.owasp.esapi.reference.DefaultEncoder.<init>(DefaultEncoder.java:83)
    at org.owasp.esapi.reference.DefaultEncoder.getInstance(DefaultEncoder.java:67)
    ... 8 more
Caused by: org.owasp.esapi.errors.ConfigurationException: Unable to locate resource: esapi-java-logging.properties
    at org.owasp.esapi.logging.java.JavaLogFactory.readLoggerConfiguration(JavaLogFactory.java:95)
    at org.owasp.esapi.logging.java.JavaLogFactory.<clinit>(JavaLogFactory.java:81)
    ... 16 more

I am using Maven build and included ESAPI dependency in my pom.xml and also included esapi.properties and validation.properties(both downloaded from here: https://github.com/ESAPI/esapi-java-legacy/releases/tag/esapi-2.2.1.1) in src/main/resources and both are successfully loaded as per the the message in console. Please let me know what I am missing out here.

Answer 1

@avgvstvs is absolutely correct. If you look at the Javadoc for JavaLogFactory, it states: "This implementation requires that a file named 'esapi-java-logging.properties' exists on the classpath."

The rules for ESAPI finding this particular property file is not the same as locating ESAPI.properties. There's a reason for that, but it's complicated to explain because logger components need to be bootstrapped a bit differently than the other ESAPI components.