OWASP-ESAPI logger help needed


Solution 1

Refactoring your code to remove slf4j is a horrific solution, because then you lose the ability to capture JUL, JCL, LOG4J traffic into a common log funnel. The prior response is bad advice.

  1. You can enable ESAPI to use JUL Logging, and then, by using JUL over SLF4J, recapture that log traffic and route to other loggers (i.e. log4j or logback). To do so, in ESAPI.properties: ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory

  2. Another option would be to build an SLF4J logger proxy over the ESAPI Logger Interface. I think you lose more functionality than you gain in this case.

Solution 2

The key thing to note is that ESAPI is only built for log4j or commons java.util logging. I'm assuming log4j.

Step 1: Remove the slf4j library from your classpath. If you're using an IDE, this should "christmas-tree" your application and tell you everything you have to change.

Step 2: Add esapi to the classpath.

Step 3: Manually convert all of your slf4j logging calls to their new ESAPI counterpart. You'll grab a reference to the esapi logger like this:

Logger logger = ESAPI.getLogger("my.foo.class.Foo");

With the information provided, this is pretty straightforward.

NOTE: Log4j doesn't support some of the formatting calls that slf4j supports. This will result in you either manually re-creating the input OR holding off on all those instances until later and then still using slf4j but just using the MessageFormatter to pass in the log input.
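An added example (not code from either answer) of what the step-3 conversion can look like while keeping slf4j-style "{}" placeholders, using slf4j's MessageFormatter as the NOTE suggests. The EsapiLog class and its method names are hypothetical; ESAPI.getLogger, the org.owasp.esapi.Logger event types and org.slf4j.helpers.MessageFormatter are the real library APIs.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.slf4j.helpers.MessageFormatter;

/**
 * Hypothetical adapter for the step-3 conversion: call sites keep the
 * familiar "{}" pattern syntax, but every entry goes through the ESAPI
 * Logger and carries an ESAPI event type, so security events can be
 * separated from ordinary application events downstream.
 */
public final class EsapiLog {
    private final Logger log;

    private EsapiLog(Class<?> owner) {
        // Step 3 of the answer: ESAPI.getLogger replaces LoggerFactory.getLogger
        this.log = ESAPI.getLogger(owner.getName());
    }

    public static EsapiLog of(Class<?> owner) {
        return new EsapiLog(owner);
    }

    /** Render "{}" placeholders; ESAPI's Logger has no formatting overloads. */
    static String render(String pattern, Object... args) {
        return MessageFormatter.arrayFormat(pattern, args).getMessage();
    }

    // Ordinary application events: the slf4j info()/warn()/error() equivalents.
    public void info(String pattern, Object... args) {
        log.info(Logger.EVENT_SUCCESS, render(pattern, args));
    }

    public void warn(String pattern, Object... args) {
        log.warning(Logger.EVENT_FAILURE, render(pattern, args));
    }

    public void error(String pattern, Throwable cause, Object... args) {
        log.error(Logger.EVENT_FAILURE, render(pattern, args), cause);
    }

    // Security-relevant events (authn/authz outcomes) get SECURITY_* types.
    public void securityFailure(String pattern, Object... args) {
        log.warning(Logger.SECURITY_FAILURE, render(pattern, args));
    }

    public void securitySuccess(String pattern, Object... args) {
        log.info(Logger.SECURITY_SUCCESS, render(pattern, args));
    }
}
```

A former `log.warn("login failed for {} from {}", user, ip)` becomes `EsapiLog.of(LoginService.class).securityFailure("login failed for {} from {}", user, ip)`, and the ESAPI reference loggers also neutralise CR/LF in the rendered message before it is written.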

Author: Amit

Updated on June 14, 2022

Comments

  • Amit
    Amit almost 2 years

    In my current project I am using Maven and Spring. I am currently using the SLF4J logger for logging services. In place of that I want to use the OWASP-ESAPI logger. I don't want to use OWASP-ESAPI security, just the log services. Can anybody please guide me on how to use the OWASP-ESAPI logger by replacing the slf4j logger with minimum effort? I tried a lot of Google searches but nothing helps. I will really appreciate some links to gain knowledge about the OWASP-ESAPI logger as well.

  • Amit
    Amit over 8 years
    Thanks for the response; we dropped the OWASP ESAPI logger long ago.
  • avgvstvs
    avgvstvs over 8 years
    Bad advice depending on the application. The project I was working on back when I wrote this was primarily log4j with a little slf4j. So converting everything over to ESAPI logging just made sense. We had no need for a common log funnel. I like your first option.
  • David M. Karr
    David M. Karr over 4 years
    If someone is still reading this, I want to understand the first option here. I understand it. Will it allow us to use the default slf4j interface, but filter log output through the esapi html filter? I need specifics.
  • Ritesh
    Ritesh about 3 years
    I am using ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory in ESAPI.properties. I use ESAPI logger where security flags are raised (for example, by static analysis tools) - usually in authentication and authorization modules. I use slf4j logger in rest of the application.
  • avgvstvs
    avgvstvs over 2 years
    As a side note, as of 2020 ESAPI quit using log4j as its default logging setup and defaults to JUL. This answer maybe has some historical relevance, but it fully supports slf4j in its more recent versions so I would give none of this advice today.