Okay, Stephen. I'm hoping I have this figured out. After you sent me a private email with your ESAPI.properties file, I confirmed that your setting for ESAPI.Logger appears to be set correctly:. That is, it was set to:
ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory
(It's correct assuming that you wanted to use JUL for logging, that is). Regardless, that is not what is causing your problem.
So, after I saw you had a correct setting for ESAPI.Logger and ruled that out as the root cause, I went back and looked at your exception stack trace in more detail and started crawling through our ESAPI 2.5.0.0 code base. Here are my conclusions.
Let's start the explanation with a trimmed version of your stack trace:
First off, the first highlighted line marked '==>' is right before ESAPI.validator() is called. Note that it is <clinit>, which is class initialization, so I'm guessing line 36 of your SecurityUtils.java file, it has something like
private Validator validator = ESAPI.validator();
(or maybe it was in a static initializer) and that's the reason why it popped up as an ExceptionInInitializerError instead of just a ConfigurationException.
From there, the last 'Caused by:' chunk in the second highlighted line tells us everything we need to know. I'm not going to describe this line by line, but based on the error message and what's on the call stack for the exception stack trace, I will just try to summarize the root cause. You can use the filenames and line #s in the stack trace to crawl through the code if you want more detail.
So, here's the TL;DR scoop:
As near as I can tell, it looks as though you have the system property
org.owasp.esapi.opsteam
set to
/opt/git/this/that/src/test/java/com/foo/common/security/resources
That system property (org.owasp.esapi.opsteam) is intended to be a file name containing only the ESAPI properties that you want controlled by your Operations Team. There's another property (org.owasp.esapi.devteam) for ESAPI properties (generally, all the rest of the ESAPI properties) that are intended to be under the control of your Development teams. This is to allow the Operations teams to set properties which take precedence so you can prevent your Dev teams from overriding them. An example might be something like:
Encryptor.CipherTransformation=AES/CBC/PKCS5Padding
Encryptor.EncryptionKeyLength=256
that would be set in the file corresponding to the property 'org.owasp.esapi.opstream' because that is your corporate security policy requires and you don't want Devs to be able to change it to something like:
Encryptor.CipherTransformation=DESede/CBC/PKCS5Padding
Encryptor.EncryptionKeyLength=112
Then you'd specify the rest of the ESAPI properties in the file corresponding to 'org.owasp.esapi.devteam'.
Note that most ESAPI users just leave both of those system properties unset because they don't use this ESAPI feature, which is why this particular error didn't jump out at me. It's not a commonly used feature.
Anyhow, when either the org.owasp.esapi.opsteam or org.owasp.esapi.devteam system properties are set, they should be set to the full path name of a .properties or .xml file, and not just a directory name. That is you have to specify the file name along with a '.properties' or '.xml' suffix. E.g., it would be expecting something like:
/opt/git/this/that/src/test/java/com/foo/common/security/resources/ESAPI-OperationsTeam.properties
or
/opt/git/this/that/src/test/java/com/foo/common/security/resources/ESAPI-OperationsTeam.xml
But that's why I think you are getting a ConfigurationException thrown. Admittedly, the exception message could be a lot better. Ideally the exception message should say something like:
System property 'org.owasp.esapi.opsteam' set to '<value-of-System-property>', but has an unsupported file suffix. Expecting either '.properties' or '.xml' file suffix for the specified path name.
I plan on creating a GitHub issue for a better exception message and clean up the code a bit in a future release so it's more intuitive as to what went wrong.
Lastly, as long as you do NOT have the system property 'org.owasp.esapi.logSpecial.discard' set to "true", you will get some (hopefully) useful messages logged to stdout while ESAPI is searching for your ESAPI.properties and other ESAPI configuration files. (It's a bootstrap thing, since until we find ESAPI.properties, we aren't sure what logger to use until we find your ESAPI.properties file and parse the ESAPI.Logger property.) You didn't mention anything about its log output to stdout so perhaps you had it disabled, but it might have been helpful in this case. Just thought I would mention that.
Anyway, if this answer describes what your problem was caused by, please do let us know on this mailing list and I'll provide an answer to your question on Stack Overflow so others looking there can benefit. (I will probably just provide a link back to this email thread.) And if I've misdiagnosed it, perhaps you can provide a small JUnit test case to help use we duplicate the issue.
Hope that helps,
-kevin