From rkarak...@gmail.com on February 23, 2014 07:30:41
We are using log4j as logger implementation.
Our log4j libraries reside in the application server's lib folder. On the other hand, the ESAPI jar file has to be under the web app's folder (WEB-INF/lib), since the different web app modules need different authenticators.
When the module containing the ESAPI jar is redeployed, a ClassCastException is thrown because log4j's LogManager was loaded by the top-level class loader. The second LogManager.getLogger invocation returns the instance of org.owasp.esapi.Logger whose class was loaded by the previous class loader.
In other words, the current ESAPI architecture requires both the log4j dependencies and esapi itself to be loaded by the SAME class loader.
We should move the esapi logging classes to another jar file and make esapi jar dependent on this jar.
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=319
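
The failure described in this report can be reproduced without an application server. The following is an added example, not part of the original issue and not ESAPI or log4j code: `WebAppLogger`, `SHARED_CACHE`, `deploy` and `getLogger` are hypothetical stand-ins for the ESAPI logger class, the logger cache held by the server-level log4j, a web app (re)deployment and `LogManager.getLogger`.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.HashMap;
import java.util.Map;

public class RedeployCastDemo {
    // Stand-in for the logger class shipped in WEB-INF/lib (hypothetical name).
    public static class WebAppLogger {}

    // Stand-in for the logger cache owned by the server-level class loader.
    // It outlives every web app deployment, as log4j in the server lib folder does.
    static final Map<String, Object> SHARED_CACHE = new HashMap<>();

    // One deployment: a fresh loader that defines its own copy of the class
    // (parent = null, so it does not delegate to the application class path).
    static Class<?> deploy(URL[] webInfLib) throws Exception {
        ClassLoader webAppLoader = new URLClassLoader(webInfLib, null);
        return webAppLoader.loadClass(WebAppLogger.class.getName());
    }

    // Returns the cached instance if one exists, then casts it to the caller's
    // view of the logger class, as code in the redeployed web app would.
    static Object getLogger(String name, Class<?> loggerClass) throws Exception {
        Object cached = SHARED_CACHE.get(name);
        if (cached == null) {
            cached = loggerClass.getDeclaredConstructor().newInstance();
            SHARED_CACHE.put(name, cached);
        }
        return loggerClass.cast(cached); // throws ClassCastException on loader mismatch
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the demo was compiled with javac, so its code source is a loadable URL.
        URL[] cp = { RedeployCastDemo.class.getProtectionDomain().getCodeSource().getLocation() };

        Class<?> first = deploy(cp);      // initial deployment
        getLogger("app", first);          // instance of the first loader's class is cached
        Class<?> second = deploy(cp);     // redeploy: same bytes, new class loader

        System.out.println("same name:  " + first.getName().equals(second.getName()));
        System.out.println("same class: " + (first == second));
        try {
            getLogger("app", second);     // cache still holds the old loader's instance
        } catch (ClassCastException e) {
            System.out.println("redeploy failed: " + e.getMessage());
        }
    }
}
```

Compile with `javac RedeployCastDemo.java` and run with `java RedeployCastDemo`; the cached instance also keeps the first loader reachable, so the old deployment cannot be garbage collected.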