ClassCastException when using ESAPI logger
GoogleCodeExporter opened this issue
Google Code Exporter commented
What steps will reproduce the problem?
1. Use a Maven project with Spring 3.0.3, ESAPI 2.0GA over Java 7 and Tomcat 7
2. Initialise logging
    CyborgSecurityConfiguration tmpConfig = new CyborgSecurityConfiguration(
            (DefaultSecurityConfiguration) ESAPI.securityConfiguration());
    tmpConfig.setLogImplementation("org.owasp.esapi.reference.Log4JLogFactory");
    tmpConfig.setLogLocation(logs.getAbsolutePath() + File.separator + "FastForward.log");
    ESAPI.override(tmpConfig);
    log = (Log4JLogger) ESAPI.getLogger(LoggingManager.class);
3. Initialise logger using Log4JLogger log = (Log4JLogger) ESAPI.getLogger(<classname>.class); in multiple classes
What is the expected output? What do you see instead?
Expected output is trace output. What is seen is:
    java.lang.ClassCastException: org.apache.log4j.Logger cannot be cast to org.owasp.esapi.Logger
        at org.owasp.esapi.reference.Log4JLogFactory.getLogger(Log4JLogFactory.java:81)
        at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:146)
        at com.cyborg.comm2.model.manager.MenuManager.<clinit>(MenuManager.java:28)…
What version of the product are you using? On what operating system?
ESAPI 2.0GA on Windows 7, Tomcat 7 and Java 7
Does this issue affect only a specified browser or set of browsers?
All browsers, server-side issue
Please provide any additional information below.
Original issue reported on code.google.com by gautam...@gmail.com on 17 May 2013 at 7:57
Google Code Exporter commented
This looks like the right place to comment on this, though I see no ESAPI dev
comments here, so not sure it is?
This class casting error is caused by the log4j.xml file being parsed and
creating an entry into the org.apache.log4j.Hierarchy HashTable of logger
definitions (ht) for all the keys:
    <logger name="com.foo.bar.MyClass">
        <level value="info" />
    </logger>
But no class is defined in this XML definition, so the default factory in
org.apache.log4j.Hierarchy is used to create the logger
(org.apache.log4j.DefaultCategoryFactory). Hence the logger created is an
org.apache.log4j.Logger and this is added to the HashTable of logger
definitions.
Then when the ESAPI.getLogger() is initialised in MyClass, the
Hierarchy.getLogger() method returns the one in the HashTable, hence the class
cast exception.
The workaround is to specify the class for each of the loggers defined in
log4j.xml:
    <logger name="com.foo.bar.MyClass" class="org.owasp.esapi.reference.Log4JLogger">
        <level value="info" />
    </logger>
Could this be defaulted by the ESAPI code somehow?
Original comment by jonathan...@gmail.com on 31 Oct 2013 at 3:26
Google Code Exporter commented
My problem is worse than the scenarios described above: the server I deploy to
has a log4j jar in the Tomcat lib directory, so this jar is shared among all
applications. One of the applications doesn't use ESAPI and it starts first, so
it creates a logger with the standard Log4j logger, which can't then be cast to
the ESAPI logger.
Original comment by const.cr...@gmail.com on 12 Jun 2014 at 3:04
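The caching behaviour described in the two comments above (a log4j.xml entry without a class attribute, and another application creating the logger first) can be reproduced with log4j 1.2 alone. This is an added example, not code from ESAPI or from the commenters; it assumes log4j 1.2 on the classpath, and CustomLogger, CustomFactory and the logger names are hypothetical stand-ins.

```java
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
import org.apache.log4j.spi.LoggerFactory;

public class LoggerCacheDemo {

    // Hypothetical stand-in for a Logger subclass such as ESAPI's Log4JLogger.
    static class CustomLogger extends Logger {
        CustomLogger(String name) { super(name); }
    }

    // Hypothetical factory that always builds the subclass.
    static class CustomFactory implements LoggerFactory {
        @Override
        public Logger makeNewLoggerInstance(String name) {
            return new CustomLogger(name);
        }
    }

    // Asks the repository for 'name' with the custom factory and reports
    // whether the returned instance really is the subclass.
    static boolean isCustom(String name) {
        Logger l = LogManager.getLogger(name, new CustomFactory());
        return l instanceof CustomLogger;
    }

    public static void main(String[] args) {
        // Constructed logger names, used only for this demonstration.
        String fresh = "com.foo.bar.Fresh";
        String cached = "com.foo.bar.MyClass";

        // First request for a name: the supplied factory creates the logger.
        System.out.println(fresh + " custom? " + isCustom(fresh));

        // Same effect as a <logger> entry without a class attribute, or another
        // webapp sharing the jar: the default factory registers the name first.
        Logger.getLogger(cached);

        // The name is already in the repository, so the factory is not called
        // and a plain org.apache.log4j.Logger comes back.
        System.out.println(cached + " custom? " + isCustom(cached));

        // Checking the type before casting turns the ClassCastException into
        // a diagnosable condition.
        Logger l = LogManager.getLogger(cached, new CustomFactory());
        if (!(l instanceof CustomLogger)) {
            System.out.println(cached + " was pre-registered as " + l.getClass().getName());
        }
    }
}
```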
Google Code Exporter commented
One option to fix the problem would be to create a RepositorySelector, so each
application would use its own repository, but this would require configuration
in the application server (see http://articles.qos.ch/sc.html).
Another option would be to have Log4JLogger as a wrapper of the Log4j Logger,
so only classes using ESAPI.getLogger would in fact log using its logger.
Original comment by const.cr...@gmail.com on 12 Jun 2014 at 4:59