Fierozen / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

ClassCastException when using ESAPI logger #299

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Use a Maven project with Spring 3.0.3, ESAPI 2.0GA over Java 7 and Tomcat 7
2. Initialise logging:

    CyborgSecurityConfiguration tmpConfig = new CyborgSecurityConfiguration(
            (DefaultSecurityConfiguration) ESAPI.securityConfiguration());

    tmpConfig.setLogImplementation("org.owasp.esapi.reference.Log4JLogFactory");
    tmpConfig.setLogLocation(logs.getAbsolutePath() + File.separator + "FastForward.log");
    ESAPI.override(tmpConfig);

    log = (Log4JLogger) ESAPI.getLogger(LoggingManager.class);

3. Initialise the logger using Log4JLogger log = (Log4JLogger) ESAPI.getLogger(<classname>.class); in multiple classes

What is the expected output? What do you see instead?
Expected output is trace output. What is seen is:

    java.lang.ClassCastException: org.apache.log4j.Logger cannot be cast to org.owasp.esapi.Logger
        at org.owasp.esapi.reference.Log4JLogFactory.getLogger(Log4JLogFactory.java:81)
        at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:146)
        at com.cyborg.comm2.model.manager.MenuManager.<clinit>(MenuManager.java:28)…

What version of the product are you using? On what operating system?
ESAPI 2.0GA on Windows 7, Tomcat 7 and Java 7

Does this issue affect only a specified browser or set of browsers?
All browsers, serverside issue

Please provide any additional information below.

Original issue reported on code.google.com by gautam...@gmail.com on 17 May 2013 at 7:57

GoogleCodeExporter commented 9 years ago
This looks like the right place to comment on this, though I see no ESAPI dev
comments here, so I'm not sure it is?

This class casting error is caused by the log4j.xml file being parsed and 
creating an entry into the org.apache.log4j.Hierarchy HashTable of logger 
definitions (ht) for all the keys:
    <logger name="com.foo.bar.MyClass">
        <level value="info" />
    </logger>

But no class is defined in this xml definition so the default factory in 
org.apache.log4j.Hierarchy is used to create the logger 
(org.apache.log4j.DefaultCategoryFactory). Hence the logger created is a 
org.apache.log4j.Logger and this is added to the HashTable of logger 
definitions.

Then when ESAPI.getLogger() is initialised in MyClass, the
Hierarchy.getLogger() method returns the one in the HashTable, hence the class
cast exception.

The workaround is to specify the class for each of the loggers defined in 
log4j.xml:
    <logger name="com.foo.bar.MyClass" class="org.owasp.esapi.reference.Log4JLogger">
        <level value="info" />
    </logger>

Could this be defaulted by the ESAPI code somehow?

Original comment by jonathan...@gmail.com on 31 Oct 2013 at 3:26

GoogleCodeExporter commented 9 years ago
My problem is worse than the scenarios described above: the server I deploy to 
has a log4j jar in the Tomcat lib directory, so this jar is shared among all 
applications. One of the applications doesn't use ESAPI and it starts first, so 
it creates a logger with the standard Log4j logger which can't be then cast to 
ESAPI logger.

Original comment by const.cr...@gmail.com on 12 Jun 2014 at 3:04

GoogleCodeExporter commented 9 years ago
One option to fix the problem would be to create a RepositorySelector, so each 
application would use its own repository, but this would require configuration 
in the application server (see http://articles.qos.ch/sc.html).

Another option would be to have Log4JLogger as a wrapper of the Log4j Logger, 
so only classes using ESAPI.getLogger would in fact log using its logger.

Original comment by const.cr...@gmail.com on 12 Jun 2014 at 4:59
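The following is an added example, not code from this issue thread or from ESAPI. It reproduces the log4j 1.2 hierarchy collision that the 31 Oct 2013 comment describes, without ESAPI on the classpath, and shows the composition-based wrapper that the last comment proposes as an alternative to subclassing org.apache.log4j.Logger. The classes AppLogger, AppLoggerFactory and WrappingLogger are hypothetical stand-ins for ESAPI's Log4JLogger, Log4JLoggerFactory and a wrapper-style Log4JLogger; the only real dependency is log4j 1.2.x (Level.TRACE needs 1.2.12 or later).

```java
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.apache.log4j.spi.LoggerFactory;

/**
 * Demonstrates why a LoggerFactory is silently ignored once a logger of the
 * same name already exists in the log4j 1.2 Hierarchy, and how a wrapping
 * logger sidesteps the cast entirely. All classes here are hypothetical
 * stand-ins for the ESAPI classes named in the issue.
 */
public class HierarchyCollisionDemo {

    /** Subclass approach: same shape as a logger that extends org.apache.log4j.Logger. */
    public static class AppLogger extends Logger {
        protected AppLogger(String name) {
            super(name);
        }

        @Override
        public void trace(Object msg) {
            super.log(Level.TRACE, "[app] " + msg);
        }
    }

    /** Factory handed to Logger.getLogger(name, factory); only consulted for names not yet in the hierarchy. */
    public static class AppLoggerFactory implements LoggerFactory {
        public Logger makeNewLoggerInstance(String name) {
            return new AppLogger(name);
        }
    }

    /** Composition approach from the last comment: wrap whatever Logger the hierarchy returns, never cast it. */
    public static class WrappingLogger {
        private final Logger delegate;

        private WrappingLogger(Logger delegate) {
            this.delegate = delegate;
        }

        public static WrappingLogger getLogger(Class<?> clazz) {
            // Works whether the underlying logger was created by log4j.xml parsing,
            // by another webapp sharing Tomcat's log4j.jar, or by our own factory.
            return new WrappingLogger(Logger.getLogger(clazz));
        }

        public void trace(Object msg) {
            delegate.log(Level.TRACE, "[app] " + msg);
        }
    }

    /**
     * Simulates DOMConfigurator (or a sibling webapp) creating the logger first with
     * the default factory, then asks for the same name with our factory and reports
     * which class the hierarchy actually hands back.
     */
    static String loggerClassAfterPlainGetLogger(String name) {
        Logger.getLogger(name);                                   // default factory wins the race
        Logger again = Logger.getLogger(name, new AppLoggerFactory()); // existing entry is returned as-is
        return again.getClass().getName();
    }

    public static void main(String[] args) {
        String name = "com.foo.bar.MyClass"; // constructed logger name

        // 1. A name nobody has asked for yet: the factory is honoured.
        Logger fresh = Logger.getLogger(name + ".Fresh", new AppLoggerFactory());
        System.out.println("fresh logger class: " + fresh.getClass().getName());

        // 2. A name already populated by the default factory: the factory is ignored,
        //    so the downcast that a subclass-based design relies on fails.
        System.out.println("collided logger class: " + loggerClassAfterPlainGetLogger(name));
        try {
            AppLogger bad = (AppLogger) Logger.getLogger(name, new AppLoggerFactory());
            bad.trace("unreachable when the hierarchy already holds a plain Logger");
        } catch (ClassCastException e) {
            System.out.println("ClassCastException, as in the report: " + e.getMessage());
        }

        // 3. The wrapper does not care which class sits in the hierarchy.
        WrappingLogger ok = WrappingLogger.getLogger(HierarchyCollisionDemo.class);
        ok.trace("logging through the wrapper regardless of who created the delegate");
    }
}
```

Run it once with nothing else touching the hierarchy and once after a log4j.xml that declares `<logger name="com.foo.bar.MyClass">` without a `class` attribute; the subclass path behaves differently in the two runs, the wrapper path does not. This is also why the `class="…"` workaround in the earlier comment only helps for names listed in your own log4j.xml and cannot protect against a sibling application that shares the container's log4j.jar.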