ESAPI Logger Integration with SLF4J/Logback

[JavaTypica]

I had a question about incorporating ESAPI logging framework to our project. We are using WebSphere, RAD, Java 8, esapi-2.4.0.0.jar. There is a separate folder for dependencies and esapi-2.4.0.0.jar is there on the classpath. We are not using Maven. The application flow is like below.

MyCode -> ESAPI_LOGGER -> SLF4J/Logback -> Console

Application has client and server side modules. ESAPI is able to find ESAPI.properties and validation.properties placed under client root but failed to find those under server root. Those were visible when I placed it along with Java source. Enabled ESAPI.properties entry and replaced SLF4J reference as below...

ESAPI.Logger=org. owasp. esapi. logging. slf4j.Slf4JLogFactory
Logger esapiLogger = ESAPI.getLogger(myLogger.class)

1.  The problem I am facing now is "Caused by: java.lang.NoClassDefFoundError: org.owasp.esapi.ESAPI" followed by a "Caused by: java.lang.ClassNotFoundException: org.owasp.esapi.ESAPI" at runtime. I did not get this at compile time and the server starts without any issues. I did get the same exception before at compile time at the top of the stack trace but was able to fix it by adding a lib folder with esapi-2.4.0.0.jar in it. The folder structure looks like root/WebContent/WEB-INF/Lib. Now its coming at the bottom of the stack trace at runtime.
   

2.  Is there a zip file of esapi-2.4.0.0.jar along with all dependencies? If yes, please let me know the location.
   

3.  Is there a document for ESAPI 2.4.0.0 like the one at https://owasp.org/www-pdf-archive/JavaEE-ESAPI_2.0a_install.pdf
   

I would greatly appreciate if you could guide me or direct me to the right location.

Thanks in advance.

John

[kwwall]

@jeremiahjstacey - Could you take a look at this and see if you can figure it out? Looks like ESAPI.Logger is set correctly here. Also looks like John's class loader is not finding the esapi-2.4.0.0.jar at all as the class that it is complaining can't be found is org.owasp.esapi.ESAPI.

[jeremiahjstacey]

To answer the explicit questions above:

2. Is there a zip file of esapi-2.4.0.0.jar along with all dependencies

I am not aware of a specific 'zip' file existing.
The esapi jar file is basically a glorified zip. You should be able to extract the jar to view the contents, which will include all required dependencies for the default features of the project (those on the maven compile and runtime scopes)

3. Is there a document for ESAPI 2.4.0.0 like the one at https://owasp.org/www-pdf-archive/JavaEE-ESAPI_2.0a_install.pdf

There are several resources available, but I'm not sure if any will be exactly what you're asking for.

• See the Documentation directory of the project for several instructional components.
• The Github Project Wiki also contains some instructional information
• Finally, there is more information available in the OWASP ESAPI Project Wiki

---

From what's being described, I would assume this would be resolved by having the esapi jar in the dependencies directory for the server.
Here's a couple things to try out:

Try to specify the ESAPI jar explicitly on the Websphere classpath

I'm not familiar with Websphere, but the documentation I'm seeing suggests that this can be added through the web console
https://www.ibm.com/docs/en/itcam-app-mgr/7.2.0?topic=transactions-modify-libpath-classpath

Build an Uber Jar for your project

Bundling esapi with your artifact should guarantee the resolution at runtime. Maven makes this easier, but it is possible to do it by hand with the java jar command
https://riptutorial.com/java/example/27478/creating-an-uberjar-for-an-application-and-its-dependencies

[JavaTypica]

@jeremiahjstacey - Appreciate the quick and prompt response. I was able to fix the issue by specifying the ESAPI jar explicitly on the Websphere classpath as you suggested. But then I got a "Caused by: java.lang.NoClassDefFoundError: org.slf4j.LoggerFactory" which was eliminated by adding the SLF4J jar as well to the Websphere classpath.

Also, appreciate the clarification on other questions as well.

Thank you so much for your help!

[kwwall]

@JavaTypica - First off, I'm assuming that you are using ESAPI classes in your application directly, correctly, and not via some other class library? If not, then it could be that it's trying to load it via reflection and it's a different class loader than the one you need it to be in or that other library is directly trying to load the ESAPI jar and messing something up. So, please confirm that my assumption first.

Next (assuming the above), I recommend that you first check to make sure that the ESAPI jar is getting loaded at all. I recommend starting WebSphere using 'java -verbose:class' to enable verbose class loading and ensure that you save stdout (where the output will be sent to). Then after you get that NoClassDefFoundError, stop and look through the stdout that you collected and search for 'Loaded org.owasp.esapi' in the file you redirected your stdout to. First, let's be sure that it is finding the ESAPI jar at all. If you find no instances of 'Loaded org.owasp.esapi' it's not finding the ESAPI jar at all. (If it finds any ESAPI classes, the org.owasp.esapi.ESAPI class should be listed; if it's not but other ESAPI classes are, then you have a corrupt jar file.) However, if you find 'org.owasp.esapi.ESAPI' listed, where does it indicate that it is being loaded from? There are multiple class loaders with JavaEE applications so it can get complicated.

Alternately, you can explicitly set the WebSphere class path as @jeremiahjstacey noted. I've not read that URL he sent, but you probably can start WebSphere with the '-cp' or '-classpath' argument including an explicit path to the esapi-2.4.0.0.jar or possibly resetting it from the exported environment variable CLASSPATH. (Although, the WebSphere start-up script might reset that, so YMMV.)

[JavaTypica]

@kwwall - Appreciate the quick and prompt response. Yes, I am calling the ESAPI classes directly. Couldn't find 'Loaded org.owasp.esapi' after enabling verbose class. So explicitly set the WebSphere class path as @jeremiahjstacey suggested and it worked!

Thank you so much for your help!