is there an issue with the owasp extension and tomcat this g cfml #lucee

is there an issue with the owasp extension and tom...

thisOldDave

04/25/2022, 2:17 PM

is there an issue with the owasp extension and tomcat? this gist on try cf works fine https://trycf.com/gist/a976d64c9209b55ca074ae79215c1c14/lucee5?theme=monokai but on my local tomcat see thread

thisOldDave

04/25/2022, 2:18 PM

I get

thisOldDave

04/25/2022, 2:20 PM

the bottom of the stack is

Copy code

Caused by: org.owasp.esapi.errors.ConfigurationException: java.lang.ClassNotFoundException: org.lucee.extension.esapi.log.LogFactoryImpl not found by org.lucee.esapi [54] LogFactory class (org.lucee.extension.esapi.log.LogFactoryImpl) must be in class path.

that is with the same versions as trycf lucee5.3.8.206 and owasp 2.2.0.1

thisOldDave

04/25/2022, 2:22 PM

if I update owasp to 2.2.4.5 i get a bit further

thisOldDave

04/25/2022, 2:23 PM

so it works once but the member function fails with the same error as before

Copy code

Caused by: org.owasp.esapi.errors.ConfigurationException: java.lang.ClassNotFoundException: Unable to load class 'org.lucee.extension.esapi.log.LogFactoryImpl' because the bundle wiring for org.lucee.esapi is no longer valid. LogFactory class (org.lucee.extension.esapi.log.LogFactoryImpl) must be in class path.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:108)
    at org.owasp.esapi.ESAPI.logFactory(ESAPI.java:137)
    at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:153)
    at org.owasp.esapi.reference.DefaultEncoder.<init>(DefaultEncoder.java:83)
    at org.owasp.esapi.reference.DefaultEncoder.getInstance(DefaultEncoder.java:67)
    ... 67 more
Caused by: java.lang.ClassNotFoundException: Unable to load class 'org.lucee.extension.esapi.log.LogFactoryImpl' because the bundle wiring for org.lucee.esapi is no longer valid.
    at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1562)
    at org.apache.felix.framework.BundleWiringImpl.access$300(BundleWiringImpl.java:79)
    at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:1982)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:264)
    at org.owasp.esapi.util.ObjFactory.loadClassByStringName(ObjFactory.java:158)
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:81)
    ... 71 more

thisOldDave

04/25/2022, 2:24 PM

anyone else come accross this?

thisOldDave

04/25/2022, 3:02 PM

Jedihomer Townend

04/25/2022, 3:57 PM

Might be way off base, could this be to do with log4j being upgraded in the yet-to-be-released version of Lucee... I'm sure Zac mentioned all extensions needed to be latest for that to work... could it be your using a too new version of ESAPI with the version of Lucee...

thisOldDave

04/25/2022, 3:58 PM

I have extracted ESAPI.properties from the 2.2.4.5 bundle and placed it in WEB-INF/lib and that seems to have got thing working.

Jedihomer Townend

04/25/2022, 3:59 PM

I think this is ssort-of what I was trying to say... https://dev.lucee.org/t/5-3-9-80-release-candidate-1/9672

👍 1

thisOldDave

04/25/2022, 3:59 PM

@Jedihomer Townend I hope not the owasp extension is available from the lucee admin you would hope that wouldnt be the case if it were incompatable

Jedihomer Townend

04/25/2022, 4:00 PM

Yes I'd hope so too... it was just that it was complaining about LogFactory and that got the little grey cells running

thisOldDave

04/25/2022, 4:03 PM

from Zacs post it should be version=2.2.3.1-2-SNAPSHOT smaller than 2.2.4.5 but not available from the admin

Jedihomer Townend

04/25/2022, 4:03 PM

Then I've no idea 😉

bhartsfield

04/25/2022, 4:13 PM

You can still download the extension and install it manually in the same extensions UI (or, if you are using commandbox, add it to the dependencies in box.json)

thisOldDave

04/25/2022, 4:16 PM

I don't think the version is the problem the error gets better when I move from 2.2.0.1 to 2.2.4.5 in that only the member function fails but it still fails unless I work round OSGI and place the ESAPI.properties on the class path

thisOldDave

04/25/2022, 4:22 PM

you can see an imediate issue if you open the bundle

thisOldDave

04/25/2022, 4:22 PM

2.2.0.1 doesnt have the log package

bhartsfield

04/25/2022, 4:34 PM

The app I deal with this most in used to run CFESAPI and still contains a mix as we move CFESAPI out of it in favor of the Lucee extension ...so we also still have the properties file in the class path. Now you have me scared that the world will implode when I eventually remove that. heh

thisOldDave

04/25/2022, 4:37 PM

I have just updated my pom I already download the lex as our installs are often on air tight servers, so the pom now extracts the properties from the lex sticks them on the classpath and caries on there is a large comment to review at a future date 😁

bhartsfield

04/25/2022, 4:38 PM

my TODO Tree plugin has a custom "KICKCAN" type too 😉

2 Views

Open in Slack

Previous Next