How to configure SLF4J in ESAPI to use log4j 2.x


Nagish Raikwar

Sep 7, 2020, 2:55:41 AM
to ESAPI Project Dev
Hi Team,

Can you please help me understand how to configure the latest ESAPI 2.x to use SLF4J, and then how to configure SLF4J to use Log4j 2.x, so that I can get rid of the Log4j 1.x vulnerability?

Thanks & Regards,
Nagish Raikwar

Kevin W. Wall

Sep 7, 2020, 3:10:29 AM
to Nagish Raikwar, ESAPI Project Dev
Nagish,

I will try to see if I can get one of the other ESAPI contributors to answer your specific SLF4J question, but please make sure you have read this about the Log4j 1.x vulnerability and its impact on ESAPI:


-kevin
--
Blog: http://off-the-wall-security.blogspot.com/  |  Twitter:  @KevinWWall
NSA: All your crypto bit are belong to us.


Kevin W. Wall

Sep 10, 2020, 2:25:45 PM
to Nagish Raikwar, ESAPI Project Dev
Okay; Nagish (and others asking the same / similar questions), try this:


I did not test any of this, so it may be wrong and likely incomplete, but maybe this is all you need to point you in the right direction???

Our team is considering adding additional content to this or similar wiki pages. Examples that Jeremiah has been considering that can be evaluated for later contributions are:

- A high-level explanation of what value is added to a system through the ESAPI Logging support classes.

- A breakout of the applicable values in ESAPI.properties, and samples of how the system output should be impacted. This relates to the note of 2.2.1.0 above.

- To support the use of either the Log4J2 or the Logback implementation, I was going to also add links to the Maven Central download locations for each of the resources so readers may reference the 'latest available' versions of those support libraries.

- I had also considered adding links to the documentation on logging configuration for each Logback and SLF4J.

- Configuration samples? The basic logging support for both Log4J2 and Logback is fairly small. It may be possible to stub the configurations we have in this document, and refer to the configuration directory for the latest released support content. I hadn't thought this through very much, but had a note for consideration.

- A reference to the Null Implementation (no-op) logging dependency to support local testing efforts may (or may not) be of value to some users. The benefit here is that in testing they can focus on their output and not ours, and do not see SLF4J warnings in the output. This should be clearly identified as something that should be exclusively for test-scope declarations (this is just a declared test-scope dependency).

If you feel that any of this additional content is essential for using ESAPI with SLF4J, please provide feedback to this mailing list and let us know which are the most important to you.

-kevin
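The thread never shows the actual wiring, so here is an added example of the Maven dependency section that a project would use to route ESAPI logging through SLF4J and bind SLF4J to Log4j 2.x. It is not code from this thread or from the ESAPI project. Assumptions: the project builds with Maven, the ESAPI version in use still declares the Log4j 1.x jar (`log4j:log4j`) as a transitive dependency (true for the 2.2.x line discussed above, harmless if not), and the version values are placeholders to be replaced with current releases from Maven Central.

```xml
<!-- Added example, not from the ESAPI project: pom.xml fragment that
     (1) pulls in ESAPI while excluding the transitive Log4j 1.x jar, and
     (2) binds SLF4J to Log4j 2.x via log4j-slf4j-impl.
     Version values are placeholders (assumption); check Maven Central. -->
<properties>
  <esapi.version>ESAPI_VERSION_PLACEHOLDER</esapi.version>
  <log4j2.version>LOG4J2_VERSION_PLACEHOLDER</log4j2.version>
</properties>

<dependencies>
  <!-- ESAPI itself. The exclusion removes log4j:log4j (Log4j 1.x) so the
       vulnerable 1.x jar no longer lands on the runtime classpath. -->
  <dependency>
    <groupId>org.owasp.esapi</groupId>
    <artifactId>esapi</artifactId>
    <version>${esapi.version}</version>
    <exclusions>
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- SLF4J -> Log4j 2 binding. log4j-slf4j-impl brings slf4j-api and
       log4j-api transitively. Exactly one SLF4J binding may be present:
       slf4j-log4j12 (the 1.x binding), slf4j-simple, logback-classic etc.
       must not also be on the classpath, or SLF4J will warn and pick one. -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-slf4j-impl</artifactId>
    <version>${log4j2.version}</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>${log4j2.version}</version>
  </dependency>
</dependencies>
```

Two settings complete the picture. In `ESAPI.properties` the logger factory must point at the SLF4J adapter, `ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory`, and a `log4j2.xml` must be on the classpath so Log4j 2 has something to load. To confirm the result, run `mvn dependency:tree` and check that `log4j:log4j` no longer appears anywhere in the tree and that `log4j-slf4j-impl` is the only SLF4J binding listed; if a second binding shows up through some other library, exclude it the same way as above.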
