ESAPI upgraded to 2.2.3.1- getting ClassNotFoundException and how to use slf4j instead of log4j1.x

Question

HiAll,

I upgraded ESAPI library to 2.2.3.1 version. And our application was using log4j 1.2.17 for logger. Since log4j.1X is depreciated in the latest versions, we Needed to use slf4j loggerfactory.So below are the changes

gradle file - updated the version of esapi

  implementation ('org.owasp.esapi:esapi:2.2.3.1') {
            exclude group: 'xerces', module: 'xercesImpl'
        }

ESAPI.properties

ESAPI.printProperties=true

ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController
ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator
ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor

ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor
ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector
ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory;
ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer
ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator



Authenticator.AllowedLoginAttempts=3
Authenticator.MaxOldPasswordHashes=13
Authenticator.UsernameParameterName=username
Authenticator.PasswordParameterName=password
Authenticator.RememberTokenDuration=14
Authenticator.IdleTimeoutDuration=20
Authenticator.AbsoluteTimeoutDuration=120


Encoder.AllowMultipleEncoding=false

Encoder.AllowMixedEncoding=false

Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec


Encryptor.PreferredJCEProvider=


Encryptor.EncryptionAlgorithm=AES
Encryptor.CipherTransformation=AES/CBC/PKCS5Padding

Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC

Encryptor.cipher_modes.additional_allowed=CBC

Encryptor.EncryptionKeyLength=128

Encryptor.ChooseIVMethod=random
Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f

Encryptor.CipherText.useMAC=true

Encryptor.PlainText.overwrite=true

Encryptor.HashAlgorithm=SHA-512
Encryptor.HashIterations=1024
Encryptor.DigitalSignatureAlgorithm=SHA1withDSA
Encryptor.DigitalSignatureKeyLength=1024
Encryptor.RandomAlgorithm=SHA1PRNG
Encryptor.CharacterEncoding=UTF-8


Encryptor.KDF.PRF=HmacSHA256
HttpUtilities.UploadDir=C:\\ESAPI\\testUpload
HttpUtilities.UploadTempDir=C:\\temp
HttpUtilities.ForceHttpOnlySession=false
HttpUtilities.ForceSecureSession=false
HttpUtilities.ForceHttpOnlyCookies=true
HttpUtilities.ForceSecureCookies=true
HttpUtilities.MaxHeaderSize=4096
HttpUtilities.ApprovedUploadExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll,.xlsx,.png,.jpg,.jpeg,.gif,.css
HttpUtilities.MaxUploadFileBytes=500000000
HttpUtilities.ResponseContentType=text/html; charset=UTF-8
HttpUtilities.HttpSessionIdName=JSESSIONID

Executor.WorkingDirectory=
Executor.ApprovedExecutables=


Logger.ApplicationName=ApplicationName
Logger.LogEncodingRequired=false
Logger.LogApplicationName=true
Logger.LogServerIP=true
Logger.LogFileName=
Logger.MaxLogFileSize=10000000
Logger.UserInfo=true
Logger.ClientInfo=true


IntrusionDetector.Disable=false

IntrusionDetector.event.test.count=2
IntrusionDetector.event.test.interval=10
IntrusionDetector.event.test.actions=disable,log

IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout

IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout

IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout



Validator.ConfigurationFile=validation.properties


Validator.AccountName=^[a-zA-Z0-9]{3,20}$
Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$
Validator.RoleName=^[a-z]{1,20}$

Validator.Redirect=^http:\/\/localhost\/converis.*$

 Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=]
Validator.HTTPScheme=^(http|https)$
Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$
Validator.HTTPParameterName=^[a-zA-Z0-9_]{1,32}$
Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=@_ ]*$
Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$
Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$
Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
Validator.HTTPContextPath=^\\/?[a-zA-Z0-9.\\-\\/_]*$
Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$
Validator.HTTPPath=^[a-zA-Z0-9.\\-_]*$
Validator.HTTPQueryString=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ %]*$
Validator.HTTPURI=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
Validator.HTTPURL=^.*$
Validator.HTTPJSESSIONID=^[A-Z0-9]{10,30}$

Validator.FileName=^[\\p{L}0-9!@#$%^&{}\\()_+\\-=,.~'` ]{1,255}$
Validator.DirectoryName=^[a-zA-Z0-9:/\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$

Validator.AcceptLenientDates=false

Added logback.xml file as well

<?xml version="1.0" encoding="UTF-8"?>

<!-- For assistance related to logback-translator or configuration  -->
<!-- files in general, please contact the logback user mailing list -->
<!-- at http://www.qos.ch/mailman/listinfo/logback-user             -->
<!--                                                                -->
<!-- For professional support please see                            -->
<!--    http://www.qos.ch/shop/products/professionalSupport         -->
<!--                                                                -->
<configuration>

    <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
        <encoder>
            <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
        </encoder>
    </appender>

    <appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
            <!-- Daily rollover -->
            <fileNamePattern>log/MyExample.%d{yyyy-MM-dd}.log</fileNamePattern>

            <!-- Keep 7 days' worth of history -->
            <maxHistory>7</maxHistory>
        </rollingPolicy>

        <encoder>
            <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
        </encoder>
    </appender>

    <!-- Configure so that it outputs to both console and log file -->
    <root level="DEBUG">
        <appender-ref ref="FILE" />
        <appender-ref ref="STDOUT" />
    </root>
</configuration>

But I am getting below error while building the app

Caused by: java.lang.ExceptionInInitializerError
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.testng.internal.ObjectFactoryImpl.newInstance(ObjectFactoryImpl.java:29)
    at org.testng.internal.ClassHelper.createInstance1(ClassHelper.java:377)
    ... 43 more
Caused by: org.owasp.esapi.errors.ConfigurationException: java.lang.ClassNotFoundException: org/owasp/esapi/logging/slf4j/Slf4JLogFactory; LogFactory class (org.owasp.esapi.logging.slf4j.Slf4JLogFactory;) must be in class path.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:108)
    at org.owasp.esapi.ESAPI.logFactory(ESAPI.java:139)
    at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:155)
    at com.converis.commons.utils.file.TempFileUtilities.<clinit>(TempFileUtilities.java:26)
    ... 49 more
Caused by: java.lang.ClassNotFoundException: org/owasp/esapi/logging/slf4j/Slf4JLogFactory;
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:264)
    at org.owasp.esapi.util.ObjFactory.loadClassByStringName(ObjFactory.java:158)
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:81)
    ... 52 more

Can anyone help me to solve this? what I missed to update in those files? Thanks in advance

Answer 1

In the esapi4java-core-2.2.3.1-release-notes.txt file, there is a section called "Changes Requiring Special Attention", that refers to the previous release notes, where it describes what you have to do to change your logging configuration. In the previous (2.2.3.0 and many other earlier versions), there was this under that section. Read this. It should answer your question:

Since ESAPI 2.2.1.0, the new default ESAPI logger is JUL (java.util.logging packages) and we have deprecated the use of Log4J 1.x because we now support SLF4J and Log4J 1.x is way past its end-of-life. We did not want to make SLF4J the default logger (at least not yet) as we did not want to have the default ESAPI use require additional dependencies. However, SLF4J is likely to be the future choice, at least once we start on ESAPI 3.0. A special shout-out to Jeremiah Stacey for making this possible by re-factoring much of the ESAPI logger code. Note, the straw that broke the proverbial camel's back was the announcement of CVE-2019-17571 (rated Critical), for which there is no fix available and likely will never be.

However, if you try to juse the new ESAPI 2.2.1.0 or later logging you will notice that you need to change ESAPI.Logger and also possibly provide some other properties as well to get the logging behavior that you desire.

To use ESAPI logging in ESAPI 2.2.1.0 (and later), you will need to set the ESAPI.Logger property to

    org.owasp.esapi.logging.java.JavaLogFactory     - To use the new default, java.util.logging (JUL)
    org.owasp.esapi.logging.log4j.Log4JLogFactory   - To use the end-of-life Log4J 1.x logger
    org.owasp.esapi.logging.slf4j.Slf4JLogFactory   - To use the new (to release 2.2.0.0) SLF4J logger

In addition, if you wish to use JUL for logging, you *MUST* supply an "esapi-java-logging.properties" file in your classpath. This file is included in the 'esapi-2.2.2.0-configuration.jar' file provided under the 'Assets' section of the GitHub Release at
    https://github.com/ESAPI/esapi-java-legacy/releases/esapi-2.2.2.0

Unfortunately, there was a logic error in the static initializer of JavaLogFactory (now fixed in this release) that caused a NullPointerException to be thrown so that the message about the missing "esapi-java-logging.properties" file was never seen.

If you are using JavaLogFactory, you will also want to ensure that you have the following ESAPI logging properties set:
    # Set the application name if these logs are combined with other applications
    Logger.ApplicationName=ExampleApplication
    # If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true
    Logger.LogEncodingRequired=false
    # Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.
    Logger.LogApplicationName=true
    # Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments.
    Logger.LogServerIP=true
    # LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\ESAPI\ESAPI_logging_file) if you
    # want to place it in a specific directory.
    Logger.LogFileName=ESAPI_logging_file
    # MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000)
    Logger.MaxLogFileSize=10000000
    # Determines whether ESAPI should log the user info.
    Logger.UserInfo=true
    # Determines whether ESAPI should log the session id and client IP.
    Logger.ClientInfo=true

See GitHub issue #560 for additional details.