I'm upgrading my Spring Boot project to 2.7.10, and in our project we are using the Maven artifact esapi 2.2.0.0. As part of our upgrade we are also upgrading the esapi artifact to the version mentioned below.
<dependency>
  <groupId>org.owasp.esapi</groupId>
  <artifactId>esapi</artifactId>
  <version>2.3.0.0</version>
</dependency>
I'm trying to upgrade esapi to 2.3.0.0 based on the release notes recommendation: https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.1.0-release-notes.txt#L128-L155
In my Spring Boot project classpath I added ESAPI.properties and am overriding it with the properties below, because I'm using SLF4J logging.
ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
ESAPI.LogEncodingRequired=false
I'm still always getting the following error, which always refers to org.owasp.esapi.reference.JavaLogFactory. Not sure why it is not picking up the one I overrode in ESAPI.properties. Also, I do see ESAPI.properties in the classpath. Any thoughts would be really helpful.
Caused by: org.owasp.esapi.errors.ConfigurationException: java.lang.ClassNotFoundException: org.owasp.esapi.reference.JavaLogFactory LogFactory class (org.owasp.esapi.reference.JavaLogFactory) must be in class path.
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:108)
at org.owasp.esapi.ESAPI.logFactory(ESAPI.java:139)
at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:155)
at org.owasp.esapi.reference.DefaultEncoder.<init>(DefaultEncoder.java:83)
at org.owasp.esapi.reference.DefaultEncoder.<init>(DefaultEncoder.java:106)
at org.owasp.esapi.reference.DefaultEncoder.getInstance(DefaultEncoder.java:67)
... 104 common frames omitted
Caused by: java.lang.ClassNotFoundException: org.owasp.esapi.reference.JavaLogFactory
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641)
at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:520)
at java.base/java.lang.Class.forName0(Native Method)
at java.base/java.lang.Class.forName(Class.java:375)
at org.owasp.esapi.util.ObjFactory.loadClassByStringName(ObjFactory.java:158)
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:81)
I think there are two possible explanations here.
Most likely is that you have a second ESAPI.properties file that is being found and used prior to the one that you updated, and it still has the old value for ESAPI.Logger. If you do not have the system property "org.owasp.esapi.logSpecial.discard" set to true, when you first start your application that uses ESAPI, there will be some output sent to stdout. If you capture the stdout when your application server starts up, you should see output that looks something like:
Look through the output for the line that says your ESAPI.properties was loaded; the previous line should indicate where it was located. Make sure LOCATION is the place where you intended it to be found and that it corresponds to the version that you updated.
The overall class Javadoc for DefaultSecurityConfiguration describes the search algorithm to locate ESAPI.properties.
The second possibility that could cause what you are observing (although I think it is much less likely than the first) is that the ESAPI.properties file you are loading has multiple values for ESAPI.Logger defined.
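Both explanations in the answer above can be checked from inside the application before touching ESAPI itself. The following is an added diagnostic example, not code from the question, the answer, or the ESAPI project: it enumerates every copy of ESAPI.properties that the context class loader can see (the first one returned is what a plain getResource() lookup would hand back), reads each copy line by line rather than through java.util.Properties (which silently keeps only the last duplicate key), and reports every ESAPI.Logger value it finds. The resource sub-paths it probes besides the root (esapi/ and .esapi/) are an assumption taken from the classpath search that the DefaultSecurityConfiguration Javadoc describes; that Javadoc remains the authority, and ESAPI also consults filesystem locations outside the classpath that this example does not cover.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Audit helper (added example, not part of ESAPI): lists every ESAPI.properties
 * visible on the classpath and the ESAPI.Logger value(s) each copy defines.
 */
public final class EsapiPropertiesAudit {

    private static final String LOGGER_KEY = "ESAPI.Logger";

    // The class the stack trace in the question shows ESAPI failing to load;
    // any copy still naming it is the stale one.
    private static final String STALE_LOGGER = "org.owasp.esapi.reference.JavaLogFactory";

    // Assumption: root plus the sub-paths the DefaultSecurityConfiguration
    // Javadoc lists for its classpath search. Adjust to match that Javadoc.
    private static final String[] CANDIDATES = {
        "ESAPI.properties", "esapi/ESAPI.properties", ".esapi/ESAPI.properties"
    };

    public static void main(String[] args) throws IOException {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        boolean anyFound = false;
        for (String name : CANDIDATES) {
            // getResources returns copies in class-loader search order, so the
            // first entry is the one a plain getResource(name) would return.
            List<URL> copies = Collections.list(cl.getResources(name));
            for (int i = 0; i < copies.size(); i++) {
                anyFound = true;
                URL url = copies.get(i);
                List<String> values = loggerValues(url);
                System.out.println(name + " #" + (i + 1) + " -> " + url);
                if (values.isEmpty()) {
                    System.out.println("    no " + LOGGER_KEY + " defined (ESAPI default applies)");
                }
                for (String v : values) {
                    String flag = STALE_LOGGER.equals(v) ? "  <-- stale value" : "";
                    System.out.println("    " + LOGGER_KEY + "=" + v + flag);
                }
                if (values.size() > 1) {
                    System.out.println("    WARNING: " + LOGGER_KEY
                            + " defined " + values.size() + " times in this file");
                }
            }
        }
        if (!anyFound) {
            System.out.println("No ESAPI.properties found on the classpath");
        }
    }

    /** Returns every value assigned to ESAPI.Logger in the file, in order. */
    static List<String> loggerValues(URL url) throws IOException {
        List<String> values = new ArrayList<>();
        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(url.openStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = in.readLine()) != null) {
                String t = line.trim();
                if (t.isEmpty() || t.startsWith("#") || t.startsWith("!")) {
                    continue; // comment or blank line
                }
                int eq = t.indexOf('=');
                if (eq < 0) {
                    continue; // not a key=value line
                }
                if (t.substring(0, eq).trim().equals(LOGGER_KEY)) {
                    values.add(t.substring(eq + 1).trim());
                }
            }
        }
        return values;
    }
}
```

Run it from the same classpath as the Spring Boot application (for example, as a temporary CommandLineRunner or from a test in the same module) so that it sees the same jars and resource directories. A second copy of ESAPI.properties listed ahead of yours, or a single copy carrying the stale value more than once, confirms the first or second explanation respectively; if every copy already names org.owasp.esapi.logging.slf4j.Slf4JLogFactory, the file ESAPI actually loaded is coming from one of the non-classpath locations the Javadoc describes, and the LOCATION line in the startup output is the next thing to check.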