Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

OWASP-ESAPI logger help needed

In my current project I am using Maven and Spring. I am currently using SLF4J logger for logging services. In place of that I want to use OWASP-ESAPI logger. I don't want to use OWASP-ESAPI security, just the log services. Can anybody please guide me how to use OWASP-ESAPI logger by replacing slf4j logger with minimum efforts ? I tried a lot of google search but nothing helps. I will really appreciate some links to gain knowledge about OWASP-ESAPI logger as well.

like image 619
Amit Avatar asked Jun 25 '14 06:06

Amit


People also ask

What is Owasp Esapi logger?

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.

Does Esapi use Log4J?

(ESAPI has no dependency on Log4J 2.) The reason for this is we need to support backwards compatibility for our clients. There is a possibility that you could use ESAPI in a manner that makes it vulnerable to the multiple Log4J 2 CVEs if you configure ESAPI to use SLF4J along with an unpatched version of Log4J 2.

How do I add Esapi to my project?

To include ESAPI in all run configurations: in Preferences > Java > Installed JREs > Edit, add: - Dorg. owasp. esapi. resources="/path/to/.

What is the use of Esapi properties?

You can use the ESAPI. properties file to configure properties for the OWASP Enterprise Security API. This file contains validation patterns that have Validator.


2 Answers

Refactoring your code to remove slf4j is a horrific solution, because then you lose the ability to capture JUL, JCL, LOG4J traffic into a common log funnel. The prior response is bad advice.

  1. You can enable ESAPI to use JUL Logging, and then, by using JUL over SLF4J, recapture that log traffic and route to other loggers (i.e. log4j or logback). To do so, in ESAPI.properties: ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory

  2. Another option would be to build an SLF4J logger proxy over the ESAPI Logger Interface. I think you lose more functionality than you gain in this case.

like image 51
Jim Doyle Avatar answered Oct 27 '22 20:10

Jim Doyle


The key thing to note is that ESAPI is only build for log4j or commons java.util logging. I'm assuming log4j.

Step 1: Remove the slf4j library from your classpath. If you're using an IDE, this should "christmas-tree" your application and tell you everything you have to change.

Step 2: Add esapi to the classpath

Step 3: Manually convert all of your slf4j logging calls to their new ESAPI counterpart. You'll grab a reference to the esapi logger like this:

Logger logger = ESAPI.getLogger("my.foo.class.Foo");

With the information provided, this is pretty straightforward.

NOTE: Log4j doesn't support some of the formatting calls that slfj supports. This will result in you either manually re-creating the input OR holding off on all those instances until later and then still using slf4j but just using the [MessageFormatter][1] to pass in the log input.

like image 25
avgvstvs Avatar answered Oct 27 '22 19:10

avgvstvs