JBOSS + ESAPI java.lang.ClassCastException: org.jboss.logmanager.log4j.BridgeLogger cannot be cast to org.owasp.esapi.Logger

I am a newbie Java developer trying to develop some kind of site using JBoss and ESAPI for security. I get an exception

    java.lang.ClassCastException: org.jboss.logmanager.log4j.BridgeLogger cannot be cast to org.owasp.esapi.Logger

when I try to use the ESAPI package from OWASP.

My Maven project consists of two modules: oak and oak.

The Maven dependency tree is as follows:

    [INFO] --- maven-dependency-plugin:2.1:tree (default-cli) @ oak-web ---
    [INFO] org.me.oak:oak-web:war:0.0.1-SNAPSHOT
    [INFO] +- javax:javaee-api:jar:6.0:provided
    [INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
    [INFO] +- log4j:log4j:jar:1.2.16:provided
    [INFO] +- org.reflections:reflections:jar:0.9.8:compile
    [INFO] | +- javassist:javassist:jar:3.12.1.GA:compile
    [INFO] | \- dom4j:dom4j:jar:1.6.1:compile
    [INFO] +- org.jboss:jboss-vfs:jar:3.0.1.GA:provided
    [INFO] | \- org.jboss.logging:jboss-logging:jar:3.0.0.CR1:provided
    [INFO] +- org.owasp.esapi:esapi:jar:2.0.1:compile
    [INFO] | +- commons-configuration:commons-configuration:jar:1.5:compile
    [INFO] | | +- commons-logging:commons-logging:jar:1.1.1:compile
    [INFO] | | | +- logkit:logkit:jar:1.0.1:compile
    [INFO] | | | +- avalon-framework:avalon-framework:jar:4.1.3:compile
    [INFO] | | | \- javax.servlet:servlet-api:jar:2.3:compile
    [INFO] | | \- commons-digester:commons-digester:jar:1.8:compile
    [INFO] | | \- commons-beanutils:commons-beanutils:jar:1.8.3:compile
    [INFO] | +- commons-beanutils:commons-beanutils-core:jar:1.7.0:compile
    [INFO] | +- commons-collections:commons-collections:jar:3.2:compile
    [INFO] | +- xom:xom:jar:1.1:compile
    [INFO] | | +- xerces:xmlParserAPIs:jar:2.6.2:compile
    [INFO] | | +- xalan:xalan:jar:2.7.0:compile
    [INFO] | | \- jaxen:jaxen:jar:1.1-beta-8:compile
    [INFO] | | \- jdom:jdom:jar:1.0:compile
    [INFO] | +- org.beanshell:bsh-core:jar:2.0b4:compile
    [INFO] | \- org.owasp.antisamy:antisamy:jar:1.4.3:compile
    [INFO] | +- org.apache.xmlgraphics:batik-css:jar:1.7:compile
    [INFO] | +- net.sourceforge.nekohtml:nekohtml:jar:1.9.12:compile
    [INFO] | \- commons-httpclient:commons-httpclient:jar:3.1:compile
    [INFO] | \- commons-codec:commons-codec:jar:1.7:compile
    [INFO] +- org.jsoup:jsoup:jar:0.2.2:compile
    [INFO] | \- commons-lang:commons-lang:jar:2.4:compile
    [INFO] +- xerces:xercesImpl:jar:2.11.0:compile
    [INFO] | \- xml-apis:xml-apis:jar:1.4.01:compile
    [INFO] +- org.apache.xmlgraphics:batik-codec:jar:1.7:compile
    [INFO] | +- org.apache.xmlgraphics:batik-awt-util:jar:1.7:compile
    [INFO] | +- org.apache.xmlgraphics:batik-bridge:jar:1.7:compile
    [INFO] | | +- org.apache.xmlgraphics:batik-anim:jar:1.7:compile
    [INFO] | | +- org.apache.xmlgraphics:batik-ext:jar:1.7:compile
    [INFO] | | +- org.apache.xmlgraphics:batik-parser:jar:1.7:compile
    [INFO] | | \- org.apache.xmlgraphics:batik-script:jar:1.7:compile
    [INFO] | \- org.apache.xmlgraphics:batik-util:jar:1.7:compile
    [INFO] \- org.apache.xmlgraphics:batik-transcoder:jar:1.7:compile
    [INFO] +- org.apache.xmlgraphics:fop:jar:0.94:compile
    [INFO] | +- org.apache.xmlgraphics:xmlgraphics-commons:jar:1.2:compile
    [INFO] | +- commons-io:commons-io:jar:2.4:compile
    [INFO] | +- org.apache.avalon.framework:avalon-framework-api:jar:4.3.1:compile
    [INFO] | \- org.apache.avalon.framework:avalon-framework-impl:jar:4.3.1:compile
    [INFO] +- org.apache.xmlgraphics:batik-dom:jar:1.7:compile
    [INFO] +- org.apache.xmlgraphics:batik-gvt:jar:1.7:compile
    [INFO] +- org.apache.xmlgraphics:batik-svg-dom:jar:1.7:compile
    [INFO] +- org.apache.xmlgraphics:batik-svggen:jar:1.7:compile
    [INFO] +- org.apache.xmlgraphics:batik-xml:jar:1.7:compile
    [INFO] \- xml-apis:xml-apis-ext:jar:1.3.04:compile

I already created jboss-deployment-structure.xml to try to exclude log4j (the file was created in oak-parent/META-INF):

    <jboss-deployment-structure>
        <ear-subdeployments-isolated>true</ear-subdeployments-isolated>
        <deployment>
            <exclusions>
                <module name="org.apache.log4j" />
                <module name="org.jboss.logging" />
                <module name="org.jboss.logmanager" />
                <module name="org.jboss.log4j.logmanager" />
                <module name="org.jboss.logmanager.log4j" />
            </exclusions>
        </deployment>
        <sub-deployment name="oak-web.war">
            <exclusions>
                <module name="org.apache.log4j" />
                <module name="org.jboss.logging" />
                <module name="org.jboss.logmanager" />
                <module name="org.jboss.log4j.logmanager" />
                <module name="org.jboss.logmanager.log4j" />
            </exclusions>
        </sub-deployment>
    </jboss-deployment-structure>

but still nothing helped.

Do any of you know a solution to this problem? The JBoss class loader has changed a bit compared to JBoss 5.

+4
4 answers

EDIT (10/13/2014): I recommend using version 2.1.0, which fixed this problem using the log4j class loader.


Finally, I managed to resolve this by combining several methods available on the Internet.

  • I created the oak-ear package
  • In oak-ear I added src/main/application/META-INF/jboss-deployment-structure.xml:

        <?xml version='1.0' encoding='UTF-8'?>
        <jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.1">
            <deployment>
                <dependencies>
                    <module name="org.mickula.mylog" />
                </dependencies>
                <exclusions>
                    <module name="org.apache.log4j" />
                </exclusions>
            </deployment>
            <sub-deployment name="oak-web.war">
                <dependencies>
                    <module name="org.mickula.mylog" />
                </dependencies>
                <exclusions>
                    <module name="org.apache.log4j" />
                </exclusions>
            </sub-deployment>
        </jboss-deployment-structure>

  • Next, in the jboss directory I copied org/apache/log4j/main/log4j.jar to org/mickula/mylog/main/ and created module.xml there:

        <?xml version="1.0" encoding="UTF-8"?>
        <module xmlns="urn:jboss:module:1.0" name="org.mickula.mylog">
            <resources>
                <resource-root path="log4j-1.2.16.jar"/>
            </resources>
            <dependencies>
                <module name="javax.api"/>
            </dependencies>
        </module>

    This change allowed the creation of a custom log4j.properties file. I put it in jboss/standalone/configuration/.

  • Finally, I pointed JBoss to the new log4j.properties file using the start script: at the end of jboss/bin/standalone.conf I added:

    JAVA_OPTS="$JAVA_OPTS -Dlog4j.configuration=file://URL_TO_THE_JBOSS/jboss711/standalone/configuration/log4j.properties"

Now JBoss is running with ESAPI. Thank you for your help.

+2

Place the log4j.properties file in the resource folder with the line:

    log4j.loggerFactory=org.owasp.esapi.reference.Log4JLoggerFactory

+2

Have you tried this exclusion:

    <jboss-deployment-structure>
        <deployment>
            <!-- Exclusions allow you to prevent the server from automatically adding some dependencies -->
            <exclusions>
                <module name="org.apache.log4j" />
            </exclusions>
        </deployment>
    </jboss-deployment-structure>

I just found that on this site. The suggestion has not been verified to work, but you can try it.

Edit:

Another way to exclude log4j is to do it in Maven, having:

    <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
    </exclusion>

for the Maven dependency on esapi. Could this have the desired effect? (I saw that you have this in the dependency tree, and I searched for it because I read this link.)

0

You did not mention the version of your JBoss application server, but I think it's 7.X.
Both interfaces: org.owasp.esapi.reference.Log4JLogger and org.jboss.logmanager.log4j.BridgeLogger extend org.apache.log4j.Logger.

This is actually a variation of the JBoss problem with log4j, for which the generic solution is to exclude log4j, as mico suggested.

In the dependency tree, I see that you are not getting log4j from the esapi 2.0.1 dependency, which was dependent on log4j (adding your pom would be useful). So it looks like your pom is ok.

My guess is that you are still getting log4j from somewhere in your classpath.
Try using the following option (exclude at each level).

    <jboss-deployment-structure>
        <deployment>
            <exclusions>
                <module name="org.apache.log4j" />
            </exclusions>
        </deployment>
        <sub-deployment name="MyWeb.war">
            <exclusions>
                <module name="org.apache.log4j" />
            </exclusions>
        </sub-deployment>
        <sub-deployment name="MyBeans.jar">
            <exclusions>
                <module name="org.apache.log4j" />
            </exclusions>
        </sub-deployment>
    </jboss-deployment-structure>

See also the following answer: Using the Log4J Application Configuration in JBoss 7.1.1.

0
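
One way to check, from inside the deployment, which class loader and JAR actually supply the logging classes named in the exception. This is an added example, not code from any answer in this thread; the class `LoggerOriginCheck` and its methods are hypothetical names, and only the four class names it looks up come from the page.

```java
import java.security.CodeSource;

/** Added diagnostic: reports where the classes involved in the
 *  ClassCastException are loaded from, as seen by the deployment. */
public class LoggerOriginCheck {

    // Class names taken from the exception message and the answers on this page.
    static final String[] NAMES = {
        "org.apache.log4j.Logger",
        "org.jboss.logmanager.log4j.BridgeLogger",
        "org.owasp.esapi.Logger",
        "org.owasp.esapi.reference.Log4JLogger",
    };

    /** Describe the defining loader and code source of one class. */
    static String describe(String className, ClassLoader loader) {
        try {
            // initialize=false: locate the class without running static init.
            Class<?> c = Class.forName(className, false, loader);
            CodeSource src = c.getProtectionDomain().getCodeSource();
            String location = (src == null || src.getLocation() == null)
                    ? "(no code source reported)"
                    : src.getLocation().toString();
            return className + "\n  loader: " + c.getClassLoader()
                    + "\n  source: " + location;
        } catch (ClassNotFoundException e) {
            return className + "\n  not visible: " + e;
        } catch (LinkageError e) {
            return className + "\n  failed to link: " + e;
        }
    }

    /** Build the report using the thread context class loader of the caller. */
    public static String report() {
        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
        if (tccl == null) {
            tccl = LoggerOriginCheck.class.getClassLoader();
        }
        StringBuilder sb = new StringBuilder();
        for (String name : NAMES) {
            sb.append(describe(name, tccl)).append('\n');
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.print(report());
    }
}
```

Call `LoggerOriginCheck.report()` from a servlet or context listener inside the WAR and log the result. If `org.apache.log4j.Logger` is still reported as loaded by the server's own log4j module, or `BridgeLogger` is still visible, the exclusions in jboss-deployment-structure.xml are not being applied to that deployment.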

Source: https://habr.com/ru/post/1500908/

