Release 2.2.1.1 Not Loading Properties in dependant JARs #567

Closed
tntim96 opened this issue Jul 28, 2020 · 7 comments


tntim96 commented Jul 28, 2020

After waiting for the fix for #560, I upgraded from 2.2.0.0 to 2.2.1.1 and added the required properties so my tests pass without error in the module, let's call it module A, which includes the ESAPI JAR dependency.

When running the tests in module B, which depends on module A, I get the following errors (even though module A contains the necessary properties files, and this wasn't an issue before the upgrade):

Caused by: org.owasp.esapi.errors.ConfigurationException: java.lang.ClassNotFoundException: org.owasp.esapi.reference.JavaLogFactory LogFactory class (org.owasp.esapi.reference.JavaLogFactory) must be in class path.
	at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:108)
	at org.owasp.esapi.ESAPI.logFactory(ESAPI.java:139)
	at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:155)
	at org.owasp.esapi.reference.DefaultEncoder.<init>(DefaultEncoder.java:83)
	at org.owasp.esapi.reference.DefaultEncoder.getInstance(DefaultEncoder.java:67)
Caused by: java.lang.ClassNotFoundException: org.owasp.esapi.reference.JavaLogFactory
	at java.net.URLClassLoader.findClass(URLClassLoader.java:382)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:418)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:352)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
	at java.lang.Class.forName0(Native Method)
	at java.lang.Class.forName(Class.java:264)
	at org.owasp.esapi.util.ObjFactory.loadClassByStringName(ObjFactory.java:158)
	at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:81)

The ESAPI.properties file works fine in module A with these contents:

ESAPI.printProperties=false
ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder

Encryptor.CipherTransformation=AES/CBC/PKCS5Padding

ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory
Logger.ApplicationName=MyAppName
Logger.LogEncodingRequired=false
Logger.LogApplicationName=true
Logger.LogServerIP=true
Logger.LogFileName=ESAPI.log
Logger.UserInfo=true
Logger.ClientInfo=true

Validator.ConfigurationFile=esapi-validation.properties
Validator.ConfigurationFile.MultiValued=false

kwwall commented Jul 28, 2020 via email


kwwall commented Jul 28, 2020

@tntim96 - Specifically, you appear to still have
ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory
in your ESAPI.properties file. Change it to:
ESAPI.Logger=org.owasp.logging.java.JavaLogFactory
and that should at least fix this problem. You will also need to drop the esapi-java-logging.properties (from the configuration jar; see GitHub 'Releases') into your application's class path for this to work.

Those details should all be in the 2.2.1.1 release notes.

If this doesn't address this for you, let me know with a comment on this issue and I will reopen this and look into it deeper.

@kwwall kwwall closed this as completed Jul 28, 2020

tntim96 commented Jul 28, 2020

Hi @kwwall

> you appear to still have ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory

I've posted the contents of my ESAPI.properties file above, and don't have that. I did think it might be in an old copy of the dependency (module A), but I just bumped the version and still get the error in module B. It's possible I've mistakenly included an old ESAPI copy, but I don't see how. There is no copy of the string org.owasp.esapi.reference.JavaLogFactory anywhere in my code that I can find. I've also searched through the dependencies and can't find an old copy, but will keep digging.

> in your ESAPI.properties file. Change it to: ESAPI.Logger=org.owasp.logging.java.JavaLogFactory

That class doesn't exist. It should be ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory, no?

> You will also need to drop the esapi-java-logging.properties

I've already done that (otherwise the ESAPI tests in module A wouldn't have passed).


tntim96 commented Jul 29, 2020

I think I've found the problem in org/opensaml/ESAPISecurityConfig.java

    public String getLogImplementation() {
        return "org.owasp.esapi.reference.JavaLogFactory";
    }
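
An added diagnostic, not part of the original thread and not ESAPI or OpenSAML code: it scans every jar on the class path for class or properties files that embed the old logger class name, which is one way to locate a hard-coded value like the one found above. The class name `StaleLoggerScan` and its helper methods are assumptions made for this example.

```java
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added diagnostic, not ESAPI or OpenSAML code. The name StaleLoggerScan is hypothetical.
public class StaleLoggerScan {
    // Logger class name from the ClassNotFoundException in this issue.
    static final String STALE = "org.owasp.esapi.reference.JavaLogFactory";

    // Reads an entry fully; written as a loop so it also compiles on Java 8.
    static String slurp(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
        // ISO-8859-1 maps each byte to one char, so an ASCII name is found unchanged.
        return out.toString("ISO-8859-1");
    }

    // Lists "jar!/entry" for each class or properties file in the jar that contains the name.
    static List<String> scanJar(File jar, String name) throws IOException {
        List<String> hits = new ArrayList<>();
        try (JarFile jf = new JarFile(jar)) {
            for (Enumeration<JarEntry> e = jf.entries(); e.hasMoreElements(); ) {
                JarEntry entry = e.nextElement();
                String n = entry.getName();
                if (!n.endsWith(".class") && !n.endsWith(".properties")) continue;
                try (InputStream in = jf.getInputStream(entry)) {
                    if (slurp(in).contains(name)) hits.add(jar + "!/" + n);
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws IOException {
        // Run with the same class path as the failing tests (module B in this issue).
        String cp = System.getProperty("java.class.path");
        for (String p : cp.split(File.pathSeparator)) {
            File f = new File(p);
            if (f.isFile() && p.endsWith(".jar")) {
                for (String hit : scanJar(f, STALE)) System.out.println(hit);
            }
        }
    }
}
```

A string literal returned from a method is stored in the class file's constant pool in dotted form, so a plain substring match finds it; a bundled ESAPI.properties that still names the old class is reported the same way.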


kwwall commented Jul 29, 2020 via email

@ArunenduRavi

Hi @kwwall, do we have any workaround to change the SAML's getLogImplementation in opensaml2.6.4 jar? FYI, I am using esapi 2.2.3.1 and since opensaml is using old reference of JavaLogFactory as indicated by @tntim96, application is not working as per expectation. Can you please guide?


kwwall commented Mar 20, 2022

@ArunenduRavi - The best thing to do -- assuming that the OpenSAML folks would accept it, I think the best approach would be to create a PR against OpenSAML to fix this on their side. Because without playing some really UGLY games with the class loader, I can't see how we can fix this in ESAPI.

If they prefer to keep getLogImplementation() method to return a String instead of the ESAPI Logger interface, then instead of:

    public org.owasp.esapi.Logger getLogImplementation() {
        return ESAPI.log();
    }

(which is way more straightforward and ought to be what they are doing anyhow), you would have your PR do this instead:

    public String getLogImplementation() {
        String val = ESAPI.securityConfiguration().getStringProp("ESAPI.Logger");
        if ( val == null || val.length() == 0 ) {
            throw new org.owasp.esapi.errors.ConfigurationException("ESAPI property 'ESAPI.Logger' not set in ESAPI.properties file");
        }
        return val;
    }

Alternatively, instead of throwing a ConfigurationException (which is a RuntimeException), you could just return "org.owasp.esapi.logging.java.JavaLogFactory", but I don't recommend that because that will confuse the heck out of ESAPI clients that are using some other ESAPI logger, such as SLF4J.

When you submit a PR for OpenSAML, you probably should also create a GitHub issue (or BugZilla or Jira or whatever bug tracking system they are using) and link to this issue so they know it was the ESAPI team that sent you there.

However, if they don't accept a PR, that's a bit harder to solve. If their jar is not sealed, you could pull out their affected class that has the getLogImplementation() in it and put it into your own separate jar file (e.g., say "opensaml-esapi-patch.jar") and then make sure that jar is the first jar in your class path (or at least that it gets loaded before the opensaml jar).

Lastly, if you do create a GitHub issue for OpenSAML regarding this, please do return here and provide us a link to the issue you create so I can watch it and maybe comment on it.

Hope that helps. -kevin
P.S. - I'm not planning on re-opening this issue because I don't really think this is an ESAPI problem to solve.
