Esapi 2.3.0.0 does not supported in opensaml 2.6.6

[Nikhilkarande33]

Esapi 2.3.0.0 does not supported in opensaml 2.6.6.

we are getting below error when using opensaml 2.6.6 with 2.3.0.0 as a forceful dependency.

org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Servlet.service() for servlet [default] in context with path [/santaba] threw exception [org.opensaml.ws.message.encoder.MessageEncodingException: Error creating output document] with root cause java.lang.ClassNotFoundException: org.owasp.esapi.reference.JavaLogFactory at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1415) at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1223) at java.base/java.lang.Class.forName0(Native Method) at java.base/java.lang.Class.forName(Class.java:315) at org.owasp.esapi.util.ObjFactory.loadClassByStringName(ObjFactory.java:158) at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:81) at org.owasp.esapi.ESAPI.logFactory(ESAPI.java:139) at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:155)

Its seems that opensaml refers to older package "org.owasp.esapi.reference.JavaLogFactory" and this package not present in esapi 2.3.0.0.

Is esapi not backward compatible or do you have any alternatives to resolve this issue.

[jeremiahjstacey]

Please refer to issue #567

As noted in both that issue and in your description above, this is not an issue with ESAPI.
This is a bug in the opensaml project where they are hard-coding to a class rather than using the project API.

In this comment @kwwall offers options for remediation to the opensaml implementation.

[harish-dhina-sghealthit]

Any updates on this. Were you able to get a workaround? @Nikhilkarande33

[kwwall]

@jeremiahjstacey is correct in closing this. If you want to report this issue, it should be reported as an opensaml GitHub issue, not as an ESAPI issue. We have no control over what version they are using, nor how they configure their ESAPI.properties file.

[harish-dhina-sghealthit]

@kwwall Thanks so much Kevin. I created a custom opensaml jar, but now get an NullpointerException. I will create a new stackoverflow question. Thanks for being so active and responsive. Hope to resolve this soon. Thanks again

[kwwall]

@kwwall Thanks so much Kevin. I created a custom opensaml jar, but now get an NullpointerException. I will create a new stackoverflow question. Thanks for being so active and responsive. Hope to resolve this soon. Thanks again

@harish-dhina-sghealthit - If you have a public fork of opensaml and can point me specifically to the commit(s) that you made along with the unit tests that you are running (and details about your JDK), I might be able to take a look at it next week. (I am swamped the rest of this week). Drop me an email (easy to find at the OWASP ESAPI wiki page) and provide me some links and I'll see if I can help you out. No promises I will be able to figure it out, but if you have a simple unit test that shows can reproduce the problem, I ought to be able to solve it.