[Question title]: ESAPI - Getting ClassNotFoundException with ESAPI 2.2.3.1
[Posted]: 2021-07-08 16:47:05
[Question]:

My code uses org.owasp.esapi 2.2.0.0, but after upgrading to 2.2.3.1 I get a ClassNotFoundException.

My code looks something like this:

  import java.io.IOException;
  import java.util.Properties;
  import java.util.logging.Level;
  import org.owasp.esapi.ESAPI;
  import org.owasp.esapi.reference.DefaultSecurityConfiguration;

  // Load ESAPI.properties from the classpath and hand it to ESAPI as an override
  Properties esapiProps = new Properties();
  try {
      // getResourceAsStream() returns null when the file is missing, so load() throws an NPE in that case
      esapiProps.load(SecurityUtil.class.getResourceAsStream("/ESAPI.properties"));
  } catch (IOException | NullPointerException e) {
      logger.log(Level.SEVERE, "esapi Exception: ", e);
  }
  ESAPI.override(new DefaultSecurityConfiguration(esapiProps));
  // ----- Then canonicalize an input -----
  ESAPI.encoder().canonicalize(input);

I read the release notes and added some properties and esapi-java-logging.

My ESAPI.properties (on the classpath):

ESAPI.printProperties=true
LogLevel=INFO
ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
Encoder.AllowMultipleEncoding=false
Encoder.AllowMixedEncoding=false
Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec

ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory
Logger.ApplicationName=My Test Application
Logger.LogEncodingRequired=false
Logger.LogApplicationName=true
Logger.LogServerIP=true
Logger.LogFileName=ESAPI_logging_file
Logger.MaxLogFileSize=10000000
Logger.UserInfo=true
Logger.ClientInfo=true

My esapi-java-logging.properties (on the classpath):

handlers= java.util.logging.ConsoleHandler
.level= INFO
java.util.logging.ConsoleHandler.level = INFO
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
java.util.logging.SimpleFormatter.format=[%1$tF %1$tT] [%3$-7s] %5$s %n

But I get this exception:

[ERROR   ] SRVE0315E: An exception occurred: java.lang.Throwable: org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.
    at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:5095)
    at [internal classes]
Caused by: org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129)
    at org.owasp.esapi.ESAPI.encoder(ESAPI.java:101)
    .
    .
    .
    at sun.reflect.GeneratedMethodAccessor521.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.wink.server.internal.handlers.InvokeMethodHandler.handleRequest(InvokeMethodHandler.java:63)
    ... 1 more
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.GeneratedMethodAccessor522.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86)
    ... 8 more
Caused by: org.owasp.esapi.errors.ConfigurationException: java.lang.ClassNotFoundException: org.owasp.esapi.reference.JavaLogFactory LogFactory class (org.owasp.esapi.reference.JavaLogFactory) must be in class path.
    ... 17 more
Caused by: java.lang.ClassNotFoundException: org.owasp.esapi.reference.JavaLogFactory
    at com.ibm.ws.classloading.internal.AppClassLoader.findClassCommonLibraryClassLoaders(AppClassLoader.java:569)
    at [internal classes]
    at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:264)
    at org.owasp.esapi.util.ObjFactory.loadClassByStringName(ObjFactory.java:158)
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:81)
    ... 15 more

If I change my ESAPI.properties and copy in the contents of https://raw.githubusercontent.com/ESAPI/esapi-java-legacy/develop/configuration/esapi/ESAPI.properties, the ClassNotFoundException goes away and I get a NullPointerException instead:

[ERROR   ] SRVE0315E: An exception occurred: java.lang.Throwable: org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.
    at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:5095)
    at [internal classes]
Caused by: org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129)
    at org.owasp.esapi.ESAPI.encoder(ESAPI.java:101)
    .
    .
    .
    at sun.reflect.GeneratedMethodAccessor522.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.wink.server.internal.handlers.InvokeMethodHandler.handleRequest(InvokeMethodHandler.java:63)
    ... 1 more
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.GeneratedMethodAccessor523.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86)
    ... 8 more
Caused by: java.lang.ExceptionInInitializerError
    ... 20 more
Caused by: java.lang.NullPointerException
    ... 22 more

[Question discussion]:

    Tags: java esapi


    [Answer 1]:

    There are some typos in the logger factory configuration in ESAPI.properties. The classes are in org.owasp.esapi.logging.*

    #ESAPI.Logger=org.owasp.esapi.logging.log4j.Log4JLogFactory
    #ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
    ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory
    

    [Discussion]:

      [Answer 2]:

      You said you read the release notes. The cause of your problem is that you missed a detail documented there. Look at those release notes, in the section labelled:

      *** IMPORTANT WORKAROUND for 2.2.1.0 ESAPI Logging ***
      

      There, it says:

      Lastly, if you try to use the new ESAPI 2.2.1.0 logging, you will notice that you need to change ESAPI.Logger and also possibly provide some other logging properties as well. This is because the logger packages were reorganized to improve maintainability, but we failed to mention it. To use ESAPI logging in ESAPI 2.2.1.0 (and later), you MUST set the ESAPI.Logger property to one of:
      
         org.owasp.esapi.logging.java.JavaLogFactory     - To use the new default, java.util.logging (JUL)
         org.owasp.esapi.logging.log4j.Log4JLogFactory   - To use the end-of-life Log4J 1.x logger
         org.owasp.esapi.logging.slf4j.Slf4JLogFactory   - To use the new (to release 2.2.0.0) SLF4J logger
      

      Between that and a careful reading of your exception stack trace:

          ... deleted...
      Caused by: org.owasp.esapi.errors.ConfigurationException: java.lang.ClassNotFoundException: org.owasp.esapi.reference.JavaLogFactory LogFactory class (org.owasp.esapi.reference.JavaLogFactory) must be in class path.
          ... 17 more
      Caused by: java.lang.ClassNotFoundException: org.owasp.esapi.reference.JavaLogFactory
          ...deleted...
      

      I think that should explain the cause. The classes were reorganized into different packages to accommodate SLF4J logging.

      [Discussion]:

      • Thanks Kevin, you're right. It seems I was using the wrong ESAPI.Logger. I changed that, but it brings us to the second exception I mentioned above. Now I get NullPointerException [class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception]
      • OK. I found that if I add org.owasp.esapi.Logger esapiLogger = ESAPI.getLogger("My_CLASS_NAME"); after loading the props, the null problem is also resolved.
      • @BabakA. - I'm glad you figured it out; however, I would be remiss if I did not point out the caveat on the ESAPI.override() method. See javadoc.io/doc/org.owasp.esapi/esapi/latest/org/owasp/esapi/… for details. If this is just for demonstration purposes for posting your question, that's fine, but it should never be used in production. IMO, that method is a hack and it really should be deprecated.
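As an added example (not code from the question, the answers, or ESAPI itself), a startup pre-flight check that reads ESAPI.properties and verifies that the ESAPI.Logger and ESAPI.Encoder values resolve to loadable classes, flagging the pre-2.2.1.0 org.owasp.esapi.reference.* logger names with the replacements listed in the release notes quoted above. The class name EsapiConfigCheck is an assumption and the resource path /ESAPI.properties is taken from the question; run it before ESAPI.override() so a renamed factory fails with one clear message instead of the nested InvocationTargetException in the trace.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;
// Pre-flight check for ESAPI.properties: run it at startup, before ESAPI.override() / ESAPI.encoder().
public final class EsapiConfigCheck {
    // Valid ESAPI.Logger values for ESAPI 2.2.1.0 and later, from the release notes quoted above.
    private static final String[] VALID_LOGGERS = {
        "org.owasp.esapi.logging.java.JavaLogFactory",
        "org.owasp.esapi.logging.log4j.Log4JLogFactory",
        "org.owasp.esapi.logging.slf4j.Slf4JLogFactory" };
    // Properties whose value must name a class that ESAPI's ObjFactory can load.
    private static final String[] CLASS_VALUED_KEYS = { "ESAPI.Logger", "ESAPI.Encoder" };
    // Loads a properties resource from the classpath; a missing file is an IOException, not an NPE.
    public static Properties load(String resource) throws IOException {
        try (InputStream in = EsapiConfigCheck.class.getResourceAsStream(resource)) {
            if (in == null) throw new IOException(resource + " not found on the classpath");
            Properties p = new Properties();
            p.load(in);
            return p;
        }
    }
    // Returns one message per misconfigured key; an empty map means the factory classes resolve.
    public static Map<String, String> findProblems(Properties props) {
        Map<String, String> problems = new LinkedHashMap<>();
        for (String key : CLASS_VALUED_KEYS) {
            String cls = props.getProperty(key, "").trim();
            if (cls.isEmpty()) {
                problems.put(key, "not set");
            } else if (key.equals("ESAPI.Logger") && cls.startsWith("org.owasp.esapi.reference.")) {
                // Pre-2.2.1.0 package name: the logger factories moved to org.owasp.esapi.logging.*
                problems.put(key, cls + " moved in 2.2.1.0; use one of " + String.join(", ", VALID_LOGGERS));
            } else {
                try {
                    Class.forName(cls); // the lookup that ObjFactory.loadClassByStringName fails on in the trace
                } catch (ClassNotFoundException e) {
                    problems.put(key, cls + " is not on the class path");
                }
            }
        }
        return problems;
    }
    public static void main(String[] args) throws IOException {
        Map<String, String> problems = findProblems(load("/ESAPI.properties"));
        problems.forEach((k, v) -> System.err.println(k + ": " + v));
        if (!problems.isEmpty()) System.exit(1); // fail at startup, not on the first ESAPI.encoder() call
    }
}
```

With the ESAPI.properties from the question on the classpath, the check reports ESAPI.Logger as the moved org.owasp.esapi.reference.JavaLogFactory and lists the three valid values.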