2

As seen from the title I am getting a class cast exception when trying to replace my log4j/slf4j logging with ESAPI logging in my code. Specifically, it happens in the following method:

    private Logger log()
    {
        return ESAPI.getLogger(getClass());
    }

The following are the imports specific to the logger:

    import org.owasp.esapi.ESAPI;
    import org.owasp.esapi.Logger;

What makes this mind-boggling to me is that there is ESAPI logging in place in other classes which works just fine. From my understanding, I thought if log4j loggers were in place and working then it would be a simple matter of swapping it out for ESAPI since it's an extension of it. My log4j properties file also has the loggerFactory defined --

    log4j.loggerFactory=org.owasp.esapi.reference.Log4JLoggerFactory

Any ideas as to what might be going on? This is just a simple java/struts/spring app.

4
  • If you don't want to use log4j why is it in your project? Just delete all imports and everything and use esapi instead. Commented Aug 31, 2015 at 14:49
  • What is the full type (including namespace) of the Logger in your first method? It has to be org.owasp.esapi.Logger. Commented Aug 31, 2015 at 14:52
  • Even with using org.owasp.esapi.Logger as the return type of the method I get the same exception. As for being able to just not use log4j, I unfortunately don't get to make that call. Seeing as how ESAPI works in other sections of the project I'm at a loss as to why I can't swap it in here. Commented Aug 31, 2015 at 15:05
  • 1
    @Zar ESAPI's logging system has a hard dependency on log4j. It's unfortunate, but it's reality. @SchwarzePete: It sounds to me like a race with the esapi logger... perhaps a ClassLoader issue where an abstract class declares the log4j.Logger before esapi.Logger? Commented Sep 1, 2015 at 12:39

1 Answer

1

Even though you are using the ESAPI Log4JLoggerFactory and, under the hood, that uses the log4j Logger, that does not mean that org.owasp.esapi.Logger IS-A org.apache.log4j.Logger. Not even related for that matter. ESAPI's logger was not done that way because it was also designed to support java.util.logging.Logger. As a result of that design decision, org.owasp.esapi.Logger is an interface and thus you cannot cast it to anything. (That is, it extends neither org.apache.log4j.Logger nor java.util.logging.Logger. Rather the implementation is more done as a wrapper.)

Of course, that doesn't solve your problem. If you really wanted to use it, you'd have to write a fair portion of code to extend ESAPI's logger and make the underlying implementation class available, which somewhat defeats the point of information hiding.

That said, I'm not defending the design decision. It is what it is and those crucial design decisions were made well before I got involved in the project.

-kevin
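
The wrapper relationship described in the answer above, as an added example that is not part of the original post or ESAPI's own code. `BackendLogger`, `FacadeLogger`, `WrapperLogger`, `getLogger` and `describe` are hypothetical stand-ins (for the log4j class, the ESAPI interface, its log4j-backed implementation, `ESAPI.getLogger` and a debugging helper), so the file compiles with no libraries on the classpath.

```java
public class WrapperCastDemo {
    // Stand-in for org.apache.log4j.Logger: a concrete backend class.
    static class BackendLogger {
        void info(String msg) { System.out.println("INFO " + msg); }
    }

    // Stand-in for org.owasp.esapi.Logger: an interface unrelated to the backend type.
    interface FacadeLogger {
        void info(String eventType, String msg);
    }

    // Stand-in for the wrapper implementation: it holds a backend logger, it is not one.
    static final class WrapperLogger implements FacadeLogger {
        private final BackendLogger delegate = new BackendLogger();

        @Override
        public void info(String eventType, String msg) {
            delegate.info("[" + eventType + "] " + msg);
        }
    }

    // Stand-in for ESAPI.getLogger(Class): callers only ever see the facade type.
    static FacadeLogger getLogger(Class<?> owner) {
        return new WrapperLogger();
    }

    // Diagnostic for a ClassCastException: runtime class, its loader, and assignability.
    static String describe(Object o, Class<?> target) {
        return o.getClass().getName()
                + " loader=" + o.getClass().getClassLoader()
                + " assignableTo(" + target.getSimpleName() + ")=" + target.isInstance(o);
    }

    public static void main(String[] args) {
        // Correct usage: keep the variable typed as the facade interface.
        FacadeLogger log = getLogger(WrapperCastDemo.class);
        log.info("EVENT_SUCCESS", "typed as the facade: works");

        System.out.println(describe(log, FacadeLogger.class));
        System.out.println(describe(log, BackendLogger.class));

        try {
            // Compiles, because the compiler cannot rule the cast out, but fails at run time.
            BackendLogger raw = (BackendLogger) (Object) log;
            raw.info("never reached");
        } catch (ClassCastException e) {
            System.out.println("ClassCastException: " + e.getMessage());
        }
    }
}
```

Running `describe` on the object a real `ESAPI.getLogger(...)` call returns shows the same thing in an application: which concrete class came back, which class loader defined it, and whether the type the code expects is assignable from it.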
