Has anyone used ESAPI logger within Java call out policy?


Hi,

We noticed that Apigee includes the ESAPI library (esapi-2.1.0.jar) on the JVM classpath, and were hoping that we might be able to utilize the ESAPI logger (org.owasp.esapi.Logger) from this library within our Java callout policy to help sanitize any messages that are being logged by our code.

Has anyone tried using the ESAPI logger from a Java policy? I was unable to find an existing "ESAPI.properties" file anywhere on the file system. Nor was I able to find any log4j.properties file (I believe ESAPI uses log4j to actually perform the logging, by default...and the log4j library is also already included by Apigee).

When I try to use the ESAPI logger, the code does not appear to throw any exceptions at runtime; however, the logging statements are not captured anywhere (I included a log4j.properties file within my Java policy JAR file to attempt to configure the logger to print to a specific file).

So far, the only way I've been able to use the ESAPI logger is by uploading a duplicate copy of the ESAPI JAR file, along with a new log4j-over-slf4j JAR file, as resources within an environment scope. I've also included the ESAPI.properties file with my policy jar file. With all of this configured, I can get the ESAPI logger to actually print to the message processor's system.log file (which occurs due to the configuration for Logback, which is the logger that Apigee is using by default). This works, but seems overly complicated and requires duplication of the ESAPI jar file. Is there a better way?

1 REPLY


Hi @cjw,

Logging-related libraries like log4j, etc. are used by Edge components, and these may be upgraded or replaced as required by the Apigee engineering team. Hence, proxy code shouldn't depend on these libraries. For any custom functionality like this, one has to add the required libraries, even if those are being used internally by Edge.

Best Regards, Rajesh Doda
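
An added example, not part of the original thread and not Apigee or ESAPI code: a dependency-free way to neutralise untrusted values before logging from a Java callout, so the callout does not rely on libraries bundled with the platform. It uses `java.util.logging` as a stand-in for whichever logging backend the callout ships with; the class name `SafeLog`, the logger name and the length cap are assumptions.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

/** Added example: log neutralisation with no third-party dependencies. */
public final class SafeLog {
    private static final Logger LOG = Logger.getLogger("callout"); // hypothetical logger name
    private static final int MAX_LEN = 512; // assumed cap on a single logged value

    private SafeLog() {}

    /** Neutralise an untrusted value so it cannot start a new log line or hide text. */
    public static String neutralise(String value) {
        if (value == null) return "(null)";
        StringBuilder out = new StringBuilder(Math.min(value.length(), MAX_LEN) + 16);
        int i = 0;
        while (i < value.length() && out.length() < MAX_LEN) {
            int cp = value.codePointAt(i);
            i += Character.charCount(cp);
            if (cp == '\r' || cp == '\n' || cp == 0x85 || cp == 0x2028 || cp == 0x2029) {
                out.append('_'); // line breaks become a visible placeholder
            } else if (Character.isISOControl(cp) || Character.getType(cp) == Character.FORMAT) {
                out.append(String.format("\\u%04X", cp)); // other control/format chars are shown escaped
            } else {
                out.appendCodePoint(cp);
            }
        }
        if (i < value.length()) out.append("...(truncated)");
        return out.toString();
    }

    /** Log a fixed template; only the parameters carry untrusted data, and each is neutralised. */
    public static void info(String template, Object... untrusted) {
        Object[] clean = new Object[untrusted.length];
        for (int k = 0; k < untrusted.length; k++) {
            clean[k] = neutralise(String.valueOf(untrusted[k]));
        }
        LOG.log(Level.INFO, template, clean);
    }

    public static void main(String[] args) {
        // Constructed sample: a header value carrying a forged second log entry.
        String header = "alice\r\n2024-01-01 INFO login ok user=admin";
        info("auth failed for user={0}", header);
    }
}
```

Keeping the template constant and passing request data only as parameters means the forged entry in the sample stays on the same line as the real one, with the line break shown as `__`.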