4

I'm a newbie Java developer, and while trying to develop a website using JBoss and ESAPI for security I'm getting this exception:

java.lang.ClassCastException: org.jboss.logmanager.log4j.BridgeLogger cannot be cast to org.owasp.esapi.Logger

when I try to use the ESAPI package from OWASP.

My Maven project consists of 2 modules: oak-parent and oak-web.

Maven dependency tree is as follows:

[INFO] --- maven-dependency-plugin:2.1:tree (default-cli) @ oak-web ---
[INFO] org.me.oak:oak-web:war:0.0.1-SNAPSHOT
[INFO] +- javax:javaee-api:jar:6.0:provided
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- log4j:log4j:jar:1.2.16:provided
[INFO] +- org.reflections:reflections:jar:0.9.8:compile
[INFO] |  +- javassist:javassist:jar:3.12.1.GA:compile
[INFO] |  \- dom4j:dom4j:jar:1.6.1:compile
[INFO] +- org.jboss:jboss-vfs:jar:3.0.1.GA:provided
[INFO] |  \- org.jboss.logging:jboss-logging:jar:3.0.0.CR1:provided
[INFO] +- org.owasp.esapi:esapi:jar:2.0.1:compile
[INFO] |  +- commons-configuration:commons-configuration:jar:1.5:compile
[INFO] |  |  +- commons-logging:commons-logging:jar:1.1.1:compile
[INFO] |  |  |  +- logkit:logkit:jar:1.0.1:compile
[INFO] |  |  |  +- avalon-framework:avalon-framework:jar:4.1.3:compile
[INFO] |  |  |  \- javax.servlet:servlet-api:jar:2.3:compile
[INFO] |  |  \- commons-digester:commons-digester:jar:1.8:compile
[INFO] |  |     \- commons-beanutils:commons-beanutils:jar:1.8.3:compile
[INFO] |  +- commons-beanutils:commons-beanutils-core:jar:1.7.0:compile
[INFO] |  +- commons-collections:commons-collections:jar:3.2:compile
[INFO] |  +- xom:xom:jar:1.1:compile
[INFO] |  |  +- xerces:xmlParserAPIs:jar:2.6.2:compile
[INFO] |  |  +- xalan:xalan:jar:2.7.0:compile
[INFO] |  |  \- jaxen:jaxen:jar:1.1-beta-8:compile
[INFO] |  |     \- jdom:jdom:jar:1.0:compile
[INFO] |  +- org.beanshell:bsh-core:jar:2.0b4:compile
[INFO] |  \- org.owasp.antisamy:antisamy:jar:1.4.3:compile
[INFO] |     +- org.apache.xmlgraphics:batik-css:jar:1.7:compile
[INFO] |     +- net.sourceforge.nekohtml:nekohtml:jar:1.9.12:compile
[INFO] |     \- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] |        \- commons-codec:commons-codec:jar:1.7:compile
[INFO] +- org.jsoup:jsoup:jar:0.2.2:compile
[INFO] |  \- commons-lang:commons-lang:jar:2.4:compile
[INFO] +- xerces:xercesImpl:jar:2.11.0:compile
[INFO] |  \- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] +- org.apache.xmlgraphics:batik-codec:jar:1.7:compile
[INFO] |  +- org.apache.xmlgraphics:batik-awt-util:jar:1.7:compile
[INFO] |  +- org.apache.xmlgraphics:batik-bridge:jar:1.7:compile
[INFO] |  |  +- org.apache.xmlgraphics:batik-anim:jar:1.7:compile
[INFO] |  |  +- org.apache.xmlgraphics:batik-ext:jar:1.7:compile
[INFO] |  |  +- org.apache.xmlgraphics:batik-parser:jar:1.7:compile
[INFO] |  |  \- org.apache.xmlgraphics:batik-script:jar:1.7:compile
[INFO] |  \- org.apache.xmlgraphics:batik-util:jar:1.7:compile
[INFO] \- org.apache.xmlgraphics:batik-transcoder:jar:1.7:compile
[INFO]    +- org.apache.xmlgraphics:fop:jar:0.94:compile
[INFO]    |  +- org.apache.xmlgraphics:xmlgraphics-commons:jar:1.2:compile
[INFO]    |  +- commons-io:commons-io:jar:2.4:compile
[INFO]    |  +- org.apache.avalon.framework:avalon-framework-api:jar:4.3.1:compile
[INFO]    |  \- org.apache.avalon.framework:avalon-framework-impl:jar:4.3.1:compile
[INFO]    +- org.apache.xmlgraphics:batik-dom:jar:1.7:compile
[INFO]    +- org.apache.xmlgraphics:batik-gvt:jar:1.7:compile
[INFO]    +- org.apache.xmlgraphics:batik-svg-dom:jar:1.7:compile
[INFO]    +- org.apache.xmlgraphics:batik-svggen:jar:1.7:compile
[INFO]    +- org.apache.xmlgraphics:batik-xml:jar:1.7:compile
[INFO]    \- xml-apis:xml-apis-ext:jar:1.3.04:compile

I've already created jboss-deployment-structure.xml to try to exclude log4j (the file was created in oak-parent/META-INF):

<jboss-deployment-structure>
  <ear-subdeployments-isolated>true</ear-subdeployments-isolated>
  <deployment>
    <exclusions>
      <module name="org.apache.log4j" />
      <module name="org.jboss.logging" />
      <module name="org.jboss.logmanager" />
      <module name="org.jboss.log4j.logmanager" />
      <module name="org.jboss.logmanager.log4j" />
    </exclusions>
  </deployment>
  <sub-deployment name="oak-web.war">
    <exclusions>
      <module name="org.apache.log4j" />
      <module name="org.jboss.logging" />
      <module name="org.jboss.logmanager" />
      <module name="org.jboss.log4j.logmanager" />
      <module name="org.jboss.logmanager.log4j" />
    </exclusions>
  </sub-deployment>
</jboss-deployment-structure>

but it still didn't help with anything.

Does anyone know a solution to this problem? The JBoss classloader has changed a bit compared to JBoss 5.

mic-kul

4 Answers

2

Put a log4j.properties file under the resources folder with the line:

log4j.loggerFactory=org.owasp.esapi.reference.Log4JLoggerFactory
Karitsa
  • Thanks for your reply, but will it work with the JBoss log4j? – mic-kul Oct 18 '13 at 14:56
  • Worked for me at least, had exactly the same exception – Karitsa Oct 20 '13 at 10:26
  • Hmm, bumped into some problems later, but fixed those the same way as mentioned below. Here is some official info: https://docs.jboss.org/author/display/AS71/How+To#HowTo-HowdoIuselog4j.propertiesorlog4j.xmlinsteadofusingtheloggingsubsystemconfiguration%3F – Karitsa Oct 20 '13 at 11:44
2

EDIT (13.10.2014): I recommend using version 2.1.0, which fixed this issue with the log4j classloader.


Finally I've managed to resolve this. I combined several methods available on the internet.

  1. I've created an oak-ear package.
  2. In oak-ear I've added src/main/application/META-INF/jboss-deployment-structure.xml:

    <?xml version='1.0' encoding='UTF-8'?>
    <jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.1">
        <deployment>
            <dependencies>
                <module name="org.mickula.mylog" />
            </dependencies>
            <exclusions>
                <module name="org.apache.log4j" />
            </exclusions>
        </deployment>
        <sub-deployment name="oak-web.war">
            <dependencies>
                <module name="org.mickula.mylog" />
            </dependencies>
            <exclusions>
                <module name="org.apache.log4j" />
            </exclusions>
        </sub-deployment>
    </jboss-deployment-structure>
    
  3. Next, in the JBoss directory, I've copied org/apache/log4j/main/log4j.jar to org/mickula/mylog/main/ and created module.xml there:

    <?xml version="1.0" encoding="UTF-8"?>
    <module xmlns="urn:jboss:module:1.0" name="org.mickula.mylog">
        <resources>
            <resource-root path="log4j-1.2.16.jar"/>
        </resources>
        <dependencies>
            <module name="javax.api"/>
        </dependencies>
    </module>
    

    This change allowed me to create my own log4j.properties file, which I did in jboss/standalone/configuration/.

  4. Finally I've pointed JBoss to the new log4j.properties file via the starting script: in jboss/bin/standalone.conf at the end of the file I've added:

    JAVA_OPTS="$JAVA_OPTS -Dlog4j.configuration=file://URL_TO_THE_JBOSS/jboss711/standalone/configuration/log4j.properties"

Now running JBoss with ESAPI succeeded. Thanks for your help.

Gerold Broser
mic-kul
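
An added example (not part of the answer above, and not JBoss or ESAPI code): a Python check over a built EAR that reports, per deployment unit, whether META-INF/jboss-deployment-structure.xml is actually packaged, whether it excludes org.apache.log4j, and where a replacement log4j would then come from. The verdict strings and the build_zip helper are assumptions made for the illustration, and the archive built under __main__ is constructed sample input.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DESCRIPTOR = "META-INF/jboss-deployment-structure.xml"

def modules(unit, section):
    """Module names under <exclusions> or <dependencies>, ignoring namespaces."""
    return [m.get("name") for s in unit if s.tag.endswith(section)
            for m in s if m.tag.endswith("module")]

def bundles_log4j(ear, war):
    """True if a log4j*.jar is packaged in the EAR or in the named sub-deployment."""
    names = ear.namelist()
    if war in names:
        names = names + zipfile.ZipFile(io.BytesIO(ear.read(war))).namelist()
    return any(n.endswith(".jar") and n.rsplit("/", 1)[-1].startswith("log4j")
               for n in names)

def audit_ear(ear_bytes):
    """Map each deployment unit to where it will get log4j from."""
    ear = zipfile.ZipFile(io.BytesIO(ear_bytes))
    if DESCRIPTOR not in ear.namelist():
        return {"<ear>": "descriptor missing"}
    out = {}
    for unit in ET.fromstring(ear.read(DESCRIPTOR)):
        if not unit.tag.endswith("deployment"):  # deployment or sub-deployment
            continue
        war, deps = unit.get("name"), modules(unit, "dependencies")
        if "org.apache.log4j" not in modules(unit, "exclusions"):
            verdict = "server log4j not excluded"
        elif bundles_log4j(ear, war):
            verdict = "bundles its own log4j jar"
        elif deps:
            verdict = "depends on module(s): " + ", ".join(deps)
        else:
            verdict = "log4j excluded, no replacement declared"
        out[war or "<ear>"] = verdict
    return out

def build_zip(entries):
    """Constructed-sample helper: in-memory zip from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":  # constructed input: WAR bundles log4j, no descriptor
    war = build_zip({"WEB-INF/lib/log4j-1.2.16.jar": b""})
    print(audit_ear(build_zip({"oak-web.war": war})))
```

A "depends on module(s)" verdict only shows that a module dependency is declared; whether that module actually provides log4j has to be checked in its module.xml on the server.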
0

Have you tried this exclusion:

<jboss-deployment-structure>
    <deployment>
        <!-- Exclusions allow you to prevent the server from automatically adding some dependencies -->
        <exclusions>
            <module name="org.apache.log4j" />
        </exclusions>
    </deployment>
</jboss-deployment-structure>

I just found that on this site. It is not verified there whether the suggestion works, but you can give it a try.

Edit:

Another way to exclude log4j is to do it in Maven by having:

<exclusion>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
</exclusion>

for the Maven dependency of esapi. Could that have the desired effect? (I saw that you have it in the dependency tree, and I looked for it because I read this link.)

Community
mico
0

You did not mention the version of your JBoss Application Server, but I guess it's 7.x.
Both interfaces org.owasp.esapi.reference.Log4JLogger and org.jboss.logmanager.log4j.BridgeLogger extend org.apache.log4j.Logger.

This is actually a variation of the JBoss issue with log4j, for which the common solution is excluding log4j, as mico suggested.

From the dependency tree I can see that you do not get log4j from the esapi 2.0.1 dependency, which depended on log4j (adding your pom would be useful). So it looks like your pom is fine.

My guess is that you are still getting log4j from somewhere in your classpath.
Try using a variant of the following (exclude on every level).

<jboss-deployment-structure>
    <deployment>
        <exclusions>
            <module name="org.apache.log4j" />
        </exclusions>
    </deployment>
    <sub-deployment name="MyWeb.war">
        <exclusions>
            <module name="org.apache.log4j" />
        </exclusions>
    </sub-deployment>
    <sub-deployment name="MyBeans.jar">
        <exclusions>
            <module name="org.apache.log4j" />
        </exclusions>
    </sub-deployment>
</jboss-deployment-structure>

See also the following answer: Using application's Log4J configuration under JBoss 7.1.1.

Community
Haim Raman