Lucee 6.2.0.321 Error (org.owasp.esapi.errors.ConfigurationException)

Description

When I click on a logfile in Monitoring/Logs, e.g.
http://pc-hkl/lucee/admin/web.cfm?action=debugging.logs&action2=detail&id=9653B5416C9E5999A6C99A412749C076
I get this error:

Lucee 6.2.0.321 Error (org.owasp.esapi.errors.ConfigurationException)

Message

java.lang.reflect.InvocationTargetException SecurityConfiguration class (org.owasp.esapi.reference.DefaultSecurityConfiguration) CTOR threw exception.

Stacktrace

The Error Occurred in
/admin/debugging.logs.detail.cfm: line 72
called from /admin/debugging.logs.cfm: line 169
called from /admin/web.cfm: line 521
called from /admin/web.cfm: line 515

Java Stacktrace

lucee.runtime.exp.NativeException: java.lang.reflect.InvocationTargetException SecurityConfiguration class (org.owasp.esapi.reference.DefaultSecurityConfiguration) CTOR threw exception.
 at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129)
 at org.owasp.esapi.ESAPI.securityConfiguration(ESAPI.java:185)
 at org.owasp.esapi.ESAPI.encoder(ESAPI.java:101)
 at org.lucee.extension.esapi.functions.ESAPIEncode.encode(ESAPIEncode.java:64)
 at org.lucee.extension.esapi.functions.ESAPIEncode.encode(ESAPIEncode.java:57)
 at org.lucee.extension.esapi.functions.EncodeForHTMLAttribute.call(EncodeForHTMLAttribute.java:29)
 at org.lucee.extension.esapi.functions.EncodeForHTMLAttribute.call(EncodeForHTMLAttribute.java:33)
 at org.lucee.extension.esapi.functions.EncodeForHTMLAttribute.invoke(EncodeForHTMLAttribute.java:37)
 at lucee.runtime.functions.FunctionHandlerPool.invoke(FunctionHandlerPool.java:40)
 at debugging_logs_detail_cfm1150$cf.call(/admin/debugging.logs.detail.cfm:72)
 at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:1063)
 at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:987)
 at lucee.runtime.PageContextImpl.doInclude(PageContextImpl.java:968)
 at debugging_logs_cfm460$cf.call(/admin/debugging.logs.cfm:169)
 at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:1063)
 at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:987)
 at lucee.runtime.PageContextImpl.doInclude(PageContextImpl.java:968)
 at web_cfm$cf.call_000007(/admin/web.cfm:521)
 at web_cfm$cf.call(/admin/web.cfm:515)
 at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:1063)
 at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:987)
 at lucee.runtime.listener.ModernAppListener._onRequest(ModernAppListener.java:213)
 at lucee.runtime.listener.ModernAppListener.onRequest(ModernAppListener.java:100)
 at lucee.runtime.PageContextImpl.execute(PageContextImpl.java:2785)
 at lucee.runtime.PageContextImpl._execute(PageContextImpl.java:2772)
 at lucee.runtime.PageContextImpl.executeCFML(PageContextImpl.java:2743)
 at lucee.runtime.engine.Request.exe(Request.java:45)
 at lucee.runtime.engine.CFMLEngineImpl._service(CFMLEngineImpl.java:1099)
 at lucee.runtime.engine.CFMLEngineImpl.serviceCFML(CFMLEngineImpl.java:1056)
 at lucee.loader.engine.CFMLEngineWrapper.serviceCFML(CFMLEngineWrapper.java:97)
 at lucee.loader.servlet.CFMLServlet.service(CFMLServlet.java:51)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
 at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
 at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
 at java.base/java.lang.reflect.Method.invoke(Method.java:580)
 at com.intergral.fusionreactor.j2ee.filterchain.WrappedFilterChain.doFilter(WrappedFilterChain.java:134)
 at com.intergral.fusionreactor.j2ee.filter.FusionReactorRequestHandler.doNext(FusionReactorRequestHandler.java:698)
 at com.intergral.fusionreactor.j2ee.filter.FusionReactorRequestHandler.doHttpServletRequest(FusionReactorRequestHandler.java:256)
 at com.intergral.fusionreactor.j2ee.filter.FusionReactorRequestHandler.doFusionRequest(FusionReactorRequestHandler.java:119)
 at com.intergral.fusionreactor.j2ee.filter.FusionReactorRequestHandler.handle(FusionReactorRequestHandler.java:736)
 at com.intergral.fusionreactor.j2ee.filter.FusionReactorCoreFilter.doFilter(FusionReactorCoreFilter.java:36)
 at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
 at java.base/java.lang.reflect.Method.invoke(Method.java:580)
 at com.intergral.fusionreactor.j2ee.filterchain.WrappedFilterChain.doFilter(WrappedFilterChain.java:71)
 at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
 at java.base/java.lang.reflect.Method.invoke(Method.java:580)
 at com.intergral.fusionreactor.agent.filter.FusionReactorStaticFilter.doFilter(FusionReactorStaticFilter.java:54)
 at com.intergral.fusionreactor.agent.pointcuts.NewFilterChainPointCut$1.invoke(NewFilterChainPointCut.java:50)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java)
 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
 at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:526)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
 at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
 at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
 at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
 at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1587)
 at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
 at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
 at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
 at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
 at java.base/java.lang.Thread.run(Thread.java:1583)
Caused by: org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException SecurityConfiguration class (org.owasp.esapi.reference.DefaultSecurityConfiguration) CTOR threw exception.
 ... 69 more
Caused by: java.lang.reflect.InvocationTargetException
 at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:118)
 at java.base/java.lang.reflect.Method.invoke(Method.java:580)
 at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86)
 ... 68 more
Caused by: org.owasp.esapi.errors.ConfigurationException: ESAPI.properties could not be loaded by any means. Fail.
 at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:610)
 at org.owasp.esapi.reference.DefaultSecurityConfiguration.<init>(DefaultSecurityConfiguration.java:387)
 at org.owasp.esapi.reference.DefaultSecurityConfiguration.<init>(DefaultSecurityConfiguration.java:420)
 at org.owasp.esapi.reference.DefaultSecurityConfiguration.getInstance(DefaultSecurityConfiguration.java:88)
 at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
 ... 70 more
Caused by: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource.
 at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfigurationFromClasspath(DefaultSecurityConfiguration.java:866)
 at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:607)
 ... 74 more

Environment

Lucee 6.2.0.321

Loader Version

5.3.3.62

Servlet Container

Apache Tomcat/9.0.24

Java

21.0.3 (Oracle Corporation) 64bit

OS

Windows 11 (10.0) 64bit

Architecture

64bit

ESAPI Extension

Installed version

2.6.0.0-SNAPSHOT

Attachments

1
  • 01 Apr 2025, 04:28 pm

Activity

Zac Spitzer 4 days ago

Harry Klein 4 days ago

Thanks, the Tomcat 11 update is working now!

Regarding the ESAPI error, I found and deleted some old versions in the bundles folder.
So far the error hasn’t appeared yet - so I hope this was the solution.
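
The comment above reports deleting old versions from the bundles folder. As an added example (not part of the ticket and not Lucee project code), this sketch lists OSGi bundles that are present in more than one version by reading `Bundle-SymbolicName` and `Bundle-Version` from each jar's manifest; the directory to scan is supplied by the operator and no Lucee path is assumed.

```python
import sys
import zipfile
from collections import defaultdict
from pathlib import Path


def read_bundle_id(jar_path):
    """Return (symbolic_name, version) from a jar's OSGi manifest, or None."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            raw = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return None  # not a readable jar, or no manifest inside
    # Manifest values wrap at 72 bytes; continuation lines start with a space.
    unfolded = raw.replace("\r\n", "\n").replace("\n ", "")
    headers = {}
    for line in unfolded.split("\n"):
        key, sep, value = line.partition(":")
        if sep:
            # setdefault keeps the main section's value if a key repeats later
            headers.setdefault(key.strip(), value.strip())
    name = headers.get("Bundle-SymbolicName")
    if not name:
        return None  # plain jar without OSGi headers
    # Drop directives such as ";singleton:=true".
    return name.split(";")[0].strip(), headers.get("Bundle-Version", "0.0.0")


def find_duplicate_bundles(bundle_dir):
    """Map symbolic name -> sorted [(version, filename)] where >1 version exists."""
    seen = defaultdict(set)
    for jar_path in Path(bundle_dir).glob("*.jar"):
        ident = read_bundle_id(jar_path)
        if ident:
            seen[ident[0]].add((ident[1], jar_path.name))
    return {name: sorted(copies) for name, copies in seen.items()
            if len({version for version, _ in copies}) > 1}


if __name__ == "__main__":
    # Usage: python find_duplicate_bundles.py <path-to-bundles-folder>
    for name, copies in find_duplicate_bundles(sys.argv[1]).items():
        print(name)
        for version, filename in copies:
            print(f"  {version:<20} {filename}")
```

Versions are sorted as plain strings for display only; which copy the engine actually resolves is not determined by this listing.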

Zac Spitzer 5 days ago

nah, no ticket plz, once you are logged on the front page, there’s a plus button in the bottom right corner

FYI going to delete these posts once you’ve posted

Harry Klein 5 days ago

tbh I don’t know how to post a new topic to https://dev.lucee.org/
Should I create a Jira ticket?

Zac Spitzer 5 days ago

can you repost this on the mailing list plz? it’s good to keep tickets narrowly focussed

Unresolved

Created last month
Updated 4 days ago
