peval / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

ClassCastException during web application redeploy due to the grift logging classes #319

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Hi,

We are using log4j as logger implementation.
ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory

Our log4j libraries reside in the application server's lib folder. On the other 
hand, the ESAPI jar file has to be under the web app's folder (WEB-INF/lib) since 
the different web app modules need different authenticators.

When the module containing the ESAPI jar is redeployed, a ClassCastException is 
thrown because log4j's LogManager was loaded by the top level class loader. 
The second LogManager.getLogger invocation returns the instance of 
org.owasp.esapi.Logger whose class was loaded by the previous class loader.

In other words, the current ESAPI architecture requires both the log4j dependencies 
and esapi itself to be loaded by the SAME class loader.

We should move the esapi logging classes to another jar file and make esapi jar 
dependent on this jar.

Regards.

Original issue reported on code.google.com by rkarak...@gmail.com on 23 Feb 2014 at 12:30
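
The failure described in this report, reduced to a standalone Java program as an added illustration (not code from ESAPI, log4j or the reporter): a registry owned by a parent loader keeps an instance whose class came from the first webapp loader, and the redeployed loader's copy of the same class name cannot accept it. All names (RedeployCastDemo, WebappLogger, WebappLoader, SHARED_REPOSITORY) are hypothetical stand-ins, and the program assumes Java 9 or later, compiled with javac so the class file is on the classpath.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.HashMap;
import java.util.Map;

public class RedeployCastDemo {
    // Hypothetical stand-in for log4j's LogManager repository: owned by the
    // server-level loader, so whatever it caches survives a webapp redeploy.
    static final Map<String, Object> SHARED_REPOSITORY = new HashMap<>();
    // Hypothetical stand-in for a logger class shipped inside WEB-INF/lib.
    public static class WebappLogger {}

    // Hypothetical stand-in for a webapp class loader: it defines WebappLogger
    // itself instead of delegating, so each deployment gets a distinct Class.
    static class WebappLoader extends ClassLoader {
        WebappLoader() { super(RedeployCastDemo.class.getClassLoader()); }
        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(WebappLogger.class.getName())) return super.loadClass(name, resolve);
            try (InputStream in = getParent().getResourceAsStream(name.replace('.', '/') + ".class")) {
                if (in == null) throw new ClassNotFoundException(name);
                byte[] bytes = in.readAllBytes();
                return defineClass(name, bytes, 0, bytes.length);
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    // One deployment: reuse the cached logger if present, then cast it to this deployment's class.
    static String deploy(String label) throws Exception {
        Class<?> loggerClass = new WebappLoader().loadClass(WebappLogger.class.getName());
        Object logger = SHARED_REPOSITORY.get("app");
        if (logger == null) {
            logger = loggerClass.getDeclaredConstructor().newInstance();
            SHARED_REPOSITORY.put("app", logger);
        }
        try {
            loggerClass.cast(logger);
            return label + ": cast ok";
        } catch (ClassCastException e) {
            return label + ": ClassCastException: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        for (String label : new String[] {"first deploy", "redeploy"}) System.out.println(deploy(label));
    }
}
```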

GoogleCodeExporter commented 9 years ago
Yep, just went through the same issue on an old JBoss 4 deployment.

Original comment by greg.far...@answers.com on 25 Feb 2015 at 6:13