ESAPI 2.3.0.0 is not supported in opensaml 2.6.6 #695

Closed
Nikhilkarande33 opened this issue May 11, 2022 · 5 comments

@Nikhilkarande33

ESAPI 2.3.0.0 is not supported in opensaml 2.6.6.

We are getting the error below when using opensaml 2.6.6 with 2.3.0.0 as a forceful dependency.

org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [default] in context with path [/santaba] threw exception [org.opensaml.ws.message.encoder.MessageEncodingException: Error creating output document] with root cause
java.lang.ClassNotFoundException: org.owasp.esapi.reference.JavaLogFactory
    at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1415)
    at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1223)
    at java.base/java.lang.Class.forName0(Native Method)
    at java.base/java.lang.Class.forName(Class.java:315)
    at org.owasp.esapi.util.ObjFactory.loadClassByStringName(ObjFactory.java:158)
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:81)
    at org.owasp.esapi.ESAPI.logFactory(ESAPI.java:139)
    at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:155)

It seems that opensaml refers to the older package "org.owasp.esapi.reference.JavaLogFactory" and this package is not present in esapi 2.3.0.0.

Is esapi not backward compatible, or do you have any alternatives to resolve this issue?

@jeremiahjstacey
Collaborator

Please refer to issue #567

As noted in both that issue and in your description above, this is not an issue with ESAPI.
This is a bug in the opensaml project where they are hard-coding to a class rather than using the project API.

In this comment @kwwall offers options for remediation to the opensaml implementation.

@harish-dhina-sghealthit

Any updates on this? Were you able to get a workaround? @Nikhilkarande33

@kwwall
Contributor

kwwall commented Jan 25, 2023

@jeremiahjstacey is correct in closing this. If you want to report this issue, it should be reported as an opensaml GitHub issue, not as an ESAPI issue. We have no control over what version they are using, nor how they configure their ESAPI.properties file.

@harish-dhina-sghealthit

@kwwall Thanks so much Kevin. I created a custom opensaml jar, but now get a NullPointerException. I will create a new Stack Overflow question. Thanks for being so active and responsive. Hope to resolve this soon. Thanks again.

@kwwall
Contributor

kwwall commented Jan 26, 2023

> @kwwall Thanks so much Kevin. I created a custom opensaml jar, but now get a NullPointerException. I will create a new Stack Overflow question. Thanks for being so active and responsive. Hope to resolve this soon. Thanks again.

@harish-dhina-sghealthit - If you have a public fork of opensaml and can point me specifically to the commit(s) that you made along with the unit tests that you are running (and details about your JDK), I might be able to take a look at it next week. (I am swamped the rest of this week.) Drop me an email (easy to find at the OWASP ESAPI wiki page) and provide me some links and I'll see if I can help you out. No promises I will be able to figure it out, but if you have a simple unit test that can reproduce the problem, I ought to be able to solve it.
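
Added example, not part of the thread and not code from ESAPI or opensaml: a classpath check for the failure in the stack trace above, which reports every `ESAPI.properties` found inside a set of jars whose configured logger class is shipped by none of them. It assumes the class name is read from the `ESAPI.Logger` key; the jar names and contents are constructed sample data.

```python
import io
import re
import zipfile

LOGGER_KEY = "ESAPI.Logger"  # assumed key naming the LogFactory class


def parse_properties(text):
    """Minimal .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
            if len(parts) == 2:
                props[parts[0]] = parts[1]
    return props


def find_stale_loggers(jars):
    """jars: iterable of (label, path or file object). Nested jars are not opened.
    Returns (jar, entry, class) for each configured logger class no jar provides."""
    classes, configs = set(), []
    for label, src in jars:
        with zipfile.ZipFile(src) as zf:
            for entry in zf.namelist():
                if entry.endswith(".class"):
                    classes.add(entry)
                elif entry.rsplit("/", 1)[-1] == "ESAPI.properties":
                    props = parse_properties(zf.read(entry).decode("utf-8", "replace"))
                    if LOGGER_KEY in props:
                        configs.append((label, entry, props[LOGGER_KEY]))
    return [c for c in configs if c[2].replace(".", "/") + ".class" not in classes]


def make_jar(entries):
    """Build an in-memory jar from {entry_name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


def sample_jars(with_legacy_class=False):
    """Constructed classpath: a consumer jar whose config names the class from the trace."""
    cfg = b"# constructed sample\nESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory\n"
    esapi = {"org/owasp/esapi/ESAPI.class": b"", "org/owasp/esapi/util/ObjFactory.class": b""}
    if with_legacy_class:
        esapi["org/owasp/esapi/reference/JavaLogFactory.class"] = b""
    return [("consumer-lib.jar", make_jar({"ESAPI.properties": cfg})), ("esapi.jar", make_jar(esapi))]


if __name__ == "__main__":
    for jar, entry, cls in find_stale_loggers(sample_jars()):
        print(f"{jar}!{entry}: {LOGGER_KEY}={cls} is not provided by any scanned jar")
```

Pass real jar paths in place of `sample_jars()` to check a deployment's library directory before upgrading ESAPI.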
