ClasscastException - org.apache.log4j.Logger cannot be cast to org.owasp.esapi.Logger - log4j to log4j2

esapi logger slf4j
owasp esapi logger spring boot
log4j2 esapi
log4j2 log forging
esapi logging configuration
owasp esapi logger c
esapi logger classcastexception
esapi java web application example

I am working on upgrading log4j to log4j2. In that process I am getting a Logger Class cast exception. Below is the error.

Caused by: java.lang.ClassCastException: org.apache.log4j.Logger cannot be cast to org.owasp.esapi.Logger
    at org.owasp.esapi.reference.Log4JLogFactory.getLogger(
    at org.owasp.esapi.ESAPI.getLogger(
    at org.owasp.esapi.reference.DefaultEncoder.<init>(
    at org.owasp.esapi.reference.DefaultValidator.<clinit>(
    ... 45 more

In my old code( log4j properties file) I see a reference to this Logger. Below is the code that we have in our old code.


Now in log4j2 I am using log4j2.xml file and I didn't find any tag equivalent to that line. Could any please suggest me how to proceed? Note: I am running my application in JBoss EAP 7

This problem is solvable, but it is not a nice solution and it is situational.

I've had the same problem as ATK. I ended up using the same bridge-api as ATK for the other packages, but for ESAPI there is a nasty workaround.

My situation: I have only tested this on Jetty and Tomcat application servers. I have my own logging library wrapping around log4j2 and I use Scala, not Java.

First off, the class that creates the ClassCastException is org.owasp.esapi.reference.Log4JLogFactory.

I ended up creating the package org.owasp.esapi.reference and created my own Scala object named Log4JLogFactory. This object extends my own logging framework (named "Logging" in the upcoming example) and implements the org.owasp.esapi.LogFactory interface. To implement these methods, I just pass on the logging message to my own logging framework. So the log.error(...) method calls comes from my own logger, and to implement this solution you will need your own.

object Log4JLogFactory extends Logging with org.owasp.esapi.LogFactory {
  private[reference] lazy val factory = new Log4JLoggerFactory
  def getInstance = {

  private val logger = new org.owasp.esapi.Logger {
    override def error(`type`: Logger.EventType, message: String) = log.error(message)

    override def error(`type`: Logger.EventType, message: String, throwable: Throwable) = log.error(message, throwable)

    // implement the rest of the methods that is needed...

  override def getLogger(clazz: Class[_]) = logger

  override def getLogger(moduleName: String) = logger

NB! This solution works on Jetty and Tomcat. Application servers that doesn't load your own classes before library classes will not work with this solution.

ClassCastException when using ESAPI logger � Issue #305 � ESAPI , ClasscastException - org.apache.log4j.Logger cannot be cast to org.owasp.esapi .Logger - log4j to log4j2 - logging. As a result of that design decision, org.owasp.esapi.Logger is an interface and thus you cannot cast it to anything. (That is, it extends neither org.apache.log4j.Logger or java.util.logging.Logger. Rather the implementation is more done as a wrapper.) Of course, that doesn't solve your problem.

This problem isn't solvable.

ESAPI has a hard dependency on Log4J 1.x and doesn't at present support Log4j2.

There is an open enhancement to use slf4j which might support Log4j2 indirectly, but at present this isn't being worked.

Log4JLogFactory (ESAPI 2.0.1 API), ClassCastException: org.apache.log4j.Logger cannot be cast to org.owasp.esapi .Logger at org.owasp.esapi.reference.Log4JLogFactory. We use ESAPI-framework which is included in coldfusion. After migration from log4j1 to log4j2 we get a class cast exception error. ClassCastException: org.apache.log4j.Logger cannot be cast to org.owasp.esapi.Logger After analyzing this error, it seems that the class LogManager ignores the loggerFactory.

I solved a similar problem by adding this to log4j.xml

<loggerFactory class="org.owasp.esapi.reference.Log4JLoggerFactory"/>

[#LOG4J2-902] Log4j-2-Bridge incompatible to OWSAP ESAPI , Please see for more Log4JLoggerFactory or log4j.xml: <loggerFactory class="org.owasp.esapi. reference. Hence the logger created is a org.apache.log4j.Logger and this is added to the HashTable of logger definitions. Then when the ESAPI.getLogger() is initialised in MyClass, the Heirarchy.getLogger() method returns the one in the HashTable, hence the class cast exception.

You can switch the logger factory away from the Log4j1 factory in the file to something else in order to avoid this error. I haven't tried but I imagine you could create a custom logging factory that uses Log4j2.

The following example will configure ESAPI to use JUL logging, which avoids the ClassCastException:


log4j class cast exception when running report, After migration from log4j1 to log4j2 we get a class cast exception error. Logger cannot be cast to org.owasp.esapi.Logger After analyzing� Log4j 2; LOG4J2-460; java.lang.ClassCastException: org.apache.logging.log4j.simple.SimpleLoggerContext cannot be cast to org.apache.logging.log4j.core.LoggerContext

logging - ClasscastException, ClassCastException: org.apache.log4j.Logger cannot be cast to org.owasp.esapi .Logger. at org.owasp.esapi.reference.Log4JLogFactory. Hi, I integrated the log4j with my Android application and did the initial config. It works fine. I have a menu item in "Settings" screen where I can change the log levels in my application.

Caused By: java.lang.NoClassDefFoundError: org/apache/log4j , Ich habe meine eigene Logging-Bibliothek um log4j2 und Ich benutze Scala, nicht Ich landete das Paket org.owasp.esapi.reference zu schaffen und mein� Atlassian Jira Project Management Software (v8.3.4#803005-sha1:1f96e09); About Jira; Report a problem; Powered by a free Atlassian Jira open source license for Apache Software Foundation.

ClasscastException, NoClassDefFoundError: org/apache/log4j/Logger error in your Java If you are using log4j 2 e.g. for asynchronous logging then you can download log4j2.jar� Log4j 2; LOG4J2-1618; ClassCastException at shutdown with JUL: casting SimpleLogger to Logger LOG4J2-1222 is causing a new issue when log4j logging.log4j

  • Thanks for providing your solution henninglh. I will try to use this solutions in my Java code. I am using Jboss EAP 7 server. I am not sure whether this class can load before library classes or not. I have to research. Please let me know if you have any idea. Thanks.
  • Hi Henninglh, Thanks a lot. This approach is working. Thanks for sharing.
  • Thanks for your reply. I am using log4j bridge jar(log4j-1.2-api-2.8.2.jar) Does this works?
  • This comment is gold. Thank you! Totally solved my problem.