encoder-esapi is not aware of changes in esapi 2.2.1.1, making it to crash

[stefmil]

After the latest release 2.2.1.1, our project is throwing an exception when it comes to a part where it's supposed to run some code written using encoder-esapi library.
The exception is:
Caused by: org.owasp.esapi.errors.ConfigurationException: java.lang.ClassNotFoundException: org.owasp.esapi.reference.Log4JLogFactory LogFactory class (org.owasp.esapi.reference.Log4JLogFactory) must be in class path.

After investigation, I found that new release 2.2.1.1 has Log4JLogFactory class in whole another package: org.owasp.esapi.logging.log4j.

It looks to me as certain changes have been introduced with this 2.2.1.1 release, and encoder-esapi 1.2 is not aware of them, which makes it to crash.
The reason is because in encoder-esapi's pom file states this dependency:

<dependency>
        <groupId>org.owasp.esapi</groupId>
        <artifactId>esapi</artifactId>
        <version>[2.0,3)</version>
</dependency>

which makes it to download latest one of 2.* major release.

[kwwall]

@stefmil - There are multiple problems here. One is that this old issue that I created (OWASP/owasp-java-encoder#31) against the encoder-esapi that was just recently closed, but shouldn't have been. I just created a PR for that (OWASP/owasp-java-encoder#37). Once they update, that should partly address your concern. However, if your application is using ESAPI 2.2.1.1, there they are VERY IMPORTANT changes that you need to be aware of in the ESAPI 2.2.1.1 release notes. Be careful to read the section "Changes Requiring Special Attention".

Note that these changes would be required even if you using ESAPI's Encoder rather than the owasp-java-encoder Encode class.

Also note that you may want to switch from JUL Ivia JavaLogFactory) to using SLF4J as your logger, especially if your application is already using SLF4J. If you wish to use SLF4J for your logging, you only have to set these Logger properties in your ESAPI.properties file:
Logger.ApplicationName
Logger.LogEncodingRequired
Logger.LogApplicationName
Logger.LogServerIP
Logger.UserInfo
Logger.ClientInfo

That said, I don't think there is anything for us to fix in ESAPI so I am going to close this. If you think that there is still a fix needed, please be specific as to what you think it is and I will reopen this issue. Thanks.

[stefmil]

Thanks @kwwall , I'll give it a try.