Using ESAPI with SLF4J
[Special note: We generally do not keep various library versions mentioned here up-to-date with the latest release version, but as part of good general security and program hygiene, we advise you to always use the latest supported version whenever feasible.]
ESAPI has supported SLF4J since 2.2.0.0, although some minor bugs may have kept it from being trivially usable. If you wish to use SLF4J with ESAPI, we recommend at least 2.2.1.0 and ideally the latest official version of ESAPI.
This wiki page describes 2 configurations:
- SLF4J using Logback
- SLF4J using Log4J 2.x
The remainder of this page assumes you will be using ESAPI 2.2.1.1 and that you already know how to use and configure ESAPI.
Download the latest esapi-version-configuration.jar from the latest ESAPI release. If you are using an older version, note that it must be release 2.2.1.0 or later. Unjar the configuration file you downloaded to extract the ESAPI.properties file.
Place the ESAPI.properties file in a place where it will be picked up by ESAPI. Set the ESAPI property as follows to use SLF4J for logging:
ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
This ESAPI property setting is needed regardless of which logger you wish to use with SLF4J. Also review the section denoted as "ESAPI Logging" (properties that all start with "Logger.") and configure the logger to your liking as to what information gets logged besides the log message itself.
This section is under development; until then see GitHub issue #569 for details.
Since ESAPI (as of 2.2.1.1) currently uses SLF4J 1.7.30, you will need to include the dependency log4j-slf4j-impl in Maven, Gradle, or whatever your build mechanism is. You will also need to include all the usual Log4J 2.x dependencies. For example, for Maven, this might look something like:
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-slf4j-impl</artifactId>
    <version>2.16.0</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.16.0</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.16.0</version>
</dependency>
The SLF4J binding provided in log4j-slf4j-impl will cause all the SLF4J APIs to be routed to Log4J 2. This should allow the standard SLF4J and Log4J 2 configurations, as normally used with SLF4J and Log4J 2.x, to work with ESAPI as well.
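One way to confirm at start-up that the chain described above (ESAPI to SLF4J to Log4J 2) is actually wired as configured. This is an added example, not code from the ESAPI project; the class name `EsapiSlf4jSmokeCheck` and the `require` helper are hypothetical, and it assumes ESAPI.properties and the three Log4J 2 dependencies shown above are on the classpath.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.slf4j.LoggerFactory;

// Added example (hypothetical class name): fail fast when the
// ESAPI -> SLF4J -> Log4J 2 chain is not wired the way this page configures it.
public class EsapiSlf4jSmokeCheck {

    // Value this page sets for ESAPI.Logger in ESAPI.properties.
    static final String ESAPI_FACTORY =
            "org.owasp.esapi.logging.slf4j.Slf4JLogFactory";
    // ILoggerFactory implementation shipped in log4j-slf4j-impl.
    static final String LOG4J2_BINDING =
            "org.apache.logging.slf4j.Log4jLoggerFactory";

    // Hypothetical helper: abort with a clear message on a mismatch.
    static void require(String what, String expected, String actual) {
        if (!expected.equals(actual)) {
            throw new IllegalStateException(
                    what + ": expected " + expected + " but found " + actual);
        }
    }

    public static void main(String[] args) {
        // 1. Did ESAPI load an ESAPI.properties whose ESAPI.Logger selects SLF4J?
        //    A stale properties file earlier on the classpath fails here.
        require("ESAPI log factory", ESAPI_FACTORY,
                ESAPI.logFactory().getClass().getName());

        // 2. Which backend did SLF4J bind to? With no binding on the classpath,
        //    SLF4J 1.7.x falls back to a no-op factory that discards every event;
        //    with several bindings present it picks one of them.
        require("SLF4J binding", LOG4J2_BINDING,
                LoggerFactory.getILoggerFactory().getClass().getName());

        // 3. Emit one event through the ESAPI API, then check the Log4J 2
        //    appender output to see which fields the "Logger." properties add.
        Logger log = ESAPI.getLogger(EsapiSlf4jSmokeCheck.class);
        log.info(Logger.EVENT_SUCCESS,
                "ESAPI logging smoke check: routed via SLF4J to Log4J 2");
    }
}
```

An `IllegalStateException` from step 2 usually means another SLF4J binding is on the classpath alongside log4j-slf4j-impl, or none is.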