org.opensaml.ESAPISecurityConfig.getBooleanProp exception?

[tech burgher]

Hello,

Can anyone shed light on this? I am seeing the following stack trace when our application, that utilizes SAML, first starts up:

Caused by: java.lang.AbstractMethodError: org.opensaml.ESAPISecurityConfig.getBooleanProp(Ljava/lang/String;)Ljava/lang/Boolean;
        at org.owasp.esapi.logging.java.JavaLogFactory.<clinit>(JavaLogFactory.java:73) ~[esapi-2.5.1.0.jar:2.5.1.0]
        at java.lang.Class.forName0(Native Method) ~[?:1.8.0_332]
        at java.lang.Class.forName(Class.java:264) ~[?:1.8.0_332]
        at org.owasp.esapi.util.ObjFactory.loadClassByStringName(ObjFactory.java:158) ~[esapi-2.5.1.0.jar:2.5.1.0]
        at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:81) ~[esapi-2.5.1.0.jar:2.5.1.0]
        at org.owasp.esapi.ESAPI.logFactory(ESAPI.java:139) ~[esapi-2.5.1.0.jar:2.5.1.0]
        at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:155) ~[esapi-2.5.1.0.jar:2.5.1.0]
        at org.owasp.esapi.reference.DefaultEncoder.<init>(DefaultEncoder.java:85) ~[esapi-2.5.1.0.jar:2.5.1.0]
        at org.owasp.esapi.reference.DefaultEncoder.<init>(DefaultEncoder.java:109) ~[esapi-2.5.1.0.jar:2.5.1.0]
        at org.owasp.esapi.reference.DefaultEncoder.getInstance(DefaultEncoder.java:68) ~[esapi-2.5.1.0.jar:2.5.1.0]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_332]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_332]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_332]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_332]
        at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86) ~[esapi-2.5.1.0.jar:2.5.1.0]

We are using version 2.6.6 of OpenSAML.

Thank you.

[Kevin W. Wall]

Not really sure what is going on there.

org.opensaml.ESAPISecurityConfig.getBooleanProp(Ljava/lang/String;)Ljava/lang/Boolean

is part of OpenSAML, not ESAPI. Looks like they may be wrapping ESAPI in some strange way.

Can you please include a small code snippet for this along with your pom.xml or build.gradle file, to reproduce this? But I think you should really probably ask the OpenSAML folks for assistance.  I don't even see a repo for them on GitHub and given that my phone is my only working (for now at least) computing device, I'm not in a position to try to troubleshoot this even if I found their repo. (Have a neighborhood power outage at the moment.)

-kevin

--
You received this message because you are subscribed to the Google Groups "ESAPI Project Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to esapi-project-u...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/esapi-project-users/48c3d5d2-68ff-471c-9019-dad3cacfba28n%40owasp.org.

[Jeremiah Stacey]

Apologies, I contacted tech directly with a description of what's going on (included below). 

They've confirmed this assessment is accurately describing the issue encountered.

The (newer) version of ESAPI that you're using is trying to call a method from SecurityConfiguration interface that does not exist in the (older) ESAPI version being used by the OpenSAML library.

• OpenSAML has a dependency on ESAPI v2.0.1.  That version was released in 2011.
• Your baseline is using ESAPI v2.5.1, released in 2022.
• The method SecurityConfiguration.getBooleanProp did not exist in the ESAPI baseline until January of 2016.

Based on the dates of the ESAPI releases, I think that the minimum version for compatibility is 2.1.0.1 -- released February 2016

References:

•     https://mvnrepository.com/artifact/org.opensaml/opensaml/2.6.6 
  
• see the "compile dependencies" section on the page, lists ESAPI v. 2.0.1
  
•     https://github.com/ESAPI/esapi-java-legacy/blame/develop/src/main/java/org/owasp/esapi/SecurityConfiguration.java  
  
• See the commit of the getBooleanProp method on line 136  -- dated 2016
• https://mvnrepository.com/artifact/org.owasp.esapi/esapi
• Noting the release dates for the ESAPI versions

To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/esapi-project-users/CAOPE6PhjWJBsrkAodkriO0_jG6Cjy%2BEVdCAgYynEUuEQbPar8g%40mail.gmail.com.

[Kevin W. Wall]

Okay, thanks for that update.  I guess the OpenSAML folks are not ones who care about all the complaints raised by SCA tools for unpatched vulnerabilities in direct and transitive dependencies. For a library whose purpose is to provide federated authentication, that is not a particularly good practice.

-kevin

To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/esapi-project-users/06ce890e-955f-a568-7664-ac583cc2229f%40gmail.com.