我是新手 Java 开发人员,在尝试使用 JBOSS 和 ESAPI 开发一些网站以确保安全时,我遇到了异常
java.lang.ClassCastException: org.jboss.logmanager.log4j.BridgeLogger cannot be cast to org.owasp.esapi.Logger
当我尝试使用 OWASP 的 ESAPI 包时。
我的 Maven 项目由 2 个模块组成:oak-parent 和 Oak-web。
Maven依赖树如下:
[INFO] --- maven-dependency-plugin:2.1:tree (default-cli) @ oak-web ---
[INFO] org.me.oak:oak-web:war:0.0.1-SNAPSHOT
[INFO] +- javax:javaee-api:jar:6.0:provided
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- log4j:log4j:jar:1.2.16:provided
[INFO] +- org.reflections:reflections:jar:0.9.8:compile
[INFO] | +- javassist:javassist:jar:3.12.1.GA:compile
[INFO] | \- dom4j:dom4j:jar:1.6.1:compile
[INFO] +- org.jboss:jboss-vfs:jar:3.0.1.GA:provided
[INFO] | \- org.jboss.logging:jboss-logging:jar:3.0.0.CR1:provided
[INFO] +- org.owasp.esapi:esapi:jar:2.0.1:compile
[INFO] | +- commons-configuration:commons-configuration:jar:1.5:compile
[INFO] | | +- commons-logging:commons-logging:jar:1.1.1:compile
[INFO] | | | +- logkit:logkit:jar:1.0.1:compile
[INFO] | | | +- avalon-framework:avalon-framework:jar:4.1.3:compile
[INFO] | | | \- javax.servlet:servlet-api:jar:2.3:compile
[INFO] | | \- commons-digester:commons-digester:jar:1.8:compile
[INFO] | | \- commons-beanutils:commons-beanutils:jar:1.8.3:compile
[INFO] | +- commons-beanutils:commons-beanutils-core:jar:1.7.0:compile
[INFO] | +- commons-collections:commons-collections:jar:3.2:compile
[INFO] | +- xom:xom:jar:1.1:compile
[INFO] | | +- xerces:xmlParserAPIs:jar:2.6.2:compile
[INFO] | | +- xalan:xalan:jar:2.7.0:compile
[INFO] | | \- jaxen:jaxen:jar:1.1-beta-8:compile
[INFO] | | \- jdom:jdom:jar:1.0:compile
[INFO] | +- org.beanshell:bsh-core:jar:2.0b4:compile
[INFO] | \- org.owasp.antisamy:antisamy:jar:1.4.3:compile
[INFO] | +- org.apache.xmlgraphics:batik-css:jar:1.7:compile
[INFO] | +- net.sourceforge.nekohtml:nekohtml:jar:1.9.12:compile
[INFO] | \- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] | \- commons-codec:commons-codec:jar:1.7:compile
[INFO] +- org.jsoup:jsoup:jar:0.2.2:compile
[INFO] | \- commons-lang:commons-lang:jar:2.4:compile
[INFO] +- xerces:xercesImpl:jar:2.11.0:compile
[INFO] | \- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] +- org.apache.xmlgraphics:batik-codec:jar:1.7:compile
[INFO] | +- org.apache.xmlgraphics:batik-awt-util:jar:1.7:compile
[INFO] | +- org.apache.xmlgraphics:batik-bridge:jar:1.7:compile
[INFO] | | +- org.apache.xmlgraphics:batik-anim:jar:1.7:compile
[INFO] | | +- org.apache.xmlgraphics:batik-ext:jar:1.7:compile
[INFO] | | +- org.apache.xmlgraphics:batik-parser:jar:1.7:compile
[INFO] | | \- org.apache.xmlgraphics:batik-script:jar:1.7:compile
[INFO] | \- org.apache.xmlgraphics:batik-util:jar:1.7:compile
[INFO] \- org.apache.xmlgraphics:batik-transcoder:jar:1.7:compile
[INFO] +- org.apache.xmlgraphics:fop:jar:0.94:compile
[INFO] | +- org.apache.xmlgraphics:xmlgraphics-commons:jar:1.2:compile
[INFO] | +- commons-io:commons-io:jar:2.4:compile
[INFO] | +- org.apache.avalon.framework:avalon-framework-api:jar:4.3.1:compile
[INFO] | \- org.apache.avalon.framework:avalon-framework-impl:jar:4.3.1:compile
[INFO] +- org.apache.xmlgraphics:batik-dom:jar:1.7:compile
[INFO] +- org.apache.xmlgraphics:batik-gvt:jar:1.7:compile
[INFO] +- org.apache.xmlgraphics:batik-svg-dom:jar:1.7:compile
[INFO] +- org.apache.xmlgraphics:batik-svggen:jar:1.7:compile
[INFO] +- org.apache.xmlgraphics:batik-xml:jar:1.7:compile
[INFO] \- xml-apis:xml-apis-ext:jar:1.3.04:compile
我已经创建了 jboss-deployment-structure.xml 来尝试排除 log4j(文件是在 Oak-parent/META-INF 中创建的:
<jboss-deployment-structure>
<ear-subdeployments-isolated>true</ear-subdeployments-isolated>
<deployment>
<exclusions>
<module name="org.apache.log4j" />
<module name="org.jboss.logging" />
<module name="org.jboss.logmanager" />
<module name="org.jboss.log4j.logmanager" />
<module name="org.jboss.logmanager.log4j" />
</exclusions>
</deployment>
<sub-deployment name="oak-web.war">
<exclusions>
<module name="org.apache.log4j" />
<module name="org.jboss.logging" />
<module name="org.jboss.logmanager" />
<module name="org.jboss.log4j.logmanager" />
<module name="org.jboss.logmanager.log4j" />
</exclusions>
</sub-deployment>
</jboss-deployment-structure>
但它仍然没有任何帮助。
你们中有人知道这个问题的解决方案吗?与 jboss 5 相比,JBoss 类加载器有点变化。