We are facing a weird issue in production. Ours is a web application deployed in Tomcat 7. We are using Antisamy-1.5.3.jar for XSS prevention. Each user request is intercepted by a filter which scans the request for any malicious content. This setup was all fine in Tomcat 6 for more than a year. We migrated to Tomcat 7. Users get NoClassDefFoundError on and off when they open the app (not consistent), but when Tomcat is restarted it works fine.

Below is the flow where the exception is thrown:

The user request is intercepted by AntiSamyFilter and the scan method on the owasp.validator.html.AntiSamy class (an AntiSamy internal class) is called.

Below is the code for the scan method:
```java
public CleanResults scan(String taintedHTML, Policy policy) throws ScanException, PolicyException {
    return new AntiSamyDOMScanner(policy).scan(taintedHTML);
}
```
When the AntiSamyDOMScanner class is referenced in the code above, the static init block of the superclass of AntiSamyDOMScanner, AbstractAntiSamyScanner, is called, which is as below:
```java
private static ResourceBundle getResourceBundle() {
    try {
        return ResourceBundle.getBundle("AntiSamy", Locale.getDefault());
    } catch (MissingResourceException mre) {
        // bundle for the default locale is missing; fall through to the en_US fallback
    }
    // if this fallback is missing as well, MissingResourceException escapes the static initializer
    return ResourceBundle.getBundle("AntiSamy", new Locale("en", "US"));
}
```
This is where the exception is thrown because, for some reason, Tomcat can't load the resource bundle, the AntiSamy_en_US.properties file present inside the jar file at the root level. Since this is an error in a static block, ExceptionInInitializerError is thrown, ultimately leading to NoClassDefFoundError.

Below are the two exceptions. When looked at together, we can see that the NoClassDefFoundError is caused by the exception in the static init block of AbstractAntiSamyScanner:
```
SEVERE: Servlet.service() for servlet [jsp] in context with path [/app] threw exception [javax.servlet.ServletException: java.lang.NoClassDefFoundError: Could not initialize class org.owasp.validator.html.scan.AntiSamyDOMScanner] with root cause
java.lang.NoClassDefFoundError: Could not initialize class org.owasp.validator.html.scan.AntiSamyDOMScanner
    at org.owasp.validator.html.AntiSamy.scan(AntiSamy.java:93)
    at org.apache.jsp.index_jsp._jspService(index_jsp.java:124)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
```

```
java.lang.NoClassDefFoundError: Could not initialize class org.owasp.validator.html.scan.AntiSamyDOMScanner StackTrace: javax.servlet.ServletException: java.lang.NoClassDefFoundError: Could not initialize class org.owasp.validator.html.scan.AntiSamyDOMScanner at
```
We have tried copying the Antisamy.properties under Tomcat lib and also WEB-INF/classes, but it didn't work. Any thoughts on what could cause AbstractAntiSamyScanner to not find the resource bundle within the jar?
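The mechanism described in the question (a MissingResourceException escaping a static initializer, after which every later reference to the class fails with NoClassDefFoundError "Could not initialize class ...") can be reproduced stand-alone. The following is an added example, not code from the question or from the AntiSamy project: `BundleBackedScanner` is a hypothetical stand-in for `AbstractAntiSamyScanner`, `DemoMissingBundle` is a constructed bundle base name that deliberately does not exist on the classpath, and `reportBundleVisibility` is a diagnostic helper (also added here) that checks which of the candidate `.properties` files a given class loader can actually see.

```java
import java.util.Locale;
import java.util.MissingResourceException;
import java.util.ResourceBundle;

public class StaticInitFailureDemo {

    // Hypothetical stand-in for AbstractAntiSamyScanner: the bundle is loaded in a
    // static initializer, so a missing bundle makes class initialization itself fail.
    static class BundleBackedScanner {
        // Constructed base name; no such bundle exists, which forces the failure path.
        static final String BASE_NAME = "DemoMissingBundle";
        static final ResourceBundle MESSAGES = getResourceBundle();

        private static ResourceBundle getResourceBundle() {
            try {
                return ResourceBundle.getBundle(BASE_NAME, Locale.getDefault());
            } catch (MissingResourceException mre) {
                // swallowed, mirroring the snippet in the question
            }
            // If the fallback is missing too, MissingResourceException escapes the static
            // initializer and the JVM reports it as ExceptionInInitializerError.
            return ResourceBundle.getBundle(BASE_NAME, new Locale("en", "US"));
        }

        static String scan(String html) {
            return "scanned:" + html;
        }
    }

    // Touches the class and returns a description of whatever Throwable escaped.
    static String tryUse() {
        try {
            return BundleBackedScanner.scan("<b>x</b>");
        } catch (Throwable t) {
            String desc = t.getClass().getSimpleName() + ": " + t.getMessage();
            if (t.getCause() != null) {
                desc += " (cause: " + t.getCause().getClass().getSimpleName() + ")";
            }
            return desc;
        }
    }

    // Diagnostic: lists the properties files ResourceBundle.getBundle would look for
    // (base, language, language_country) and whether the given loader can resolve them.
    static void reportBundleVisibility(ClassLoader loader, String baseName, Locale locale) {
        String[] candidates = {
            baseName + ".properties",
            baseName + "_" + locale.getLanguage() + ".properties",
            baseName + "_" + locale.getLanguage() + "_" + locale.getCountry() + ".properties"
        };
        for (String candidate : candidates) {
            Object found = loader.getResource(candidate);
            System.out.println(candidate + " -> " + (found == null ? "NOT FOUND" : found));
        }
    }

    public static void main(String[] args) {
        // First reference: ExceptionInInitializerError wrapping MissingResourceException.
        System.out.println("1st use: " + tryUse());
        // Every later reference in the same JVM: NoClassDefFoundError "Could not initialize class ..."
        System.out.println("2nd use: " + tryUse());
        reportBundleVisibility(StaticInitFailureDemo.class.getClassLoader(),
                BundleBackedScanner.BASE_NAME, Locale.getDefault());
    }
}
```

The first call fails with ExceptionInInitializerError; the second, and every call after it until the JVM restarts, fails with NoClassDefFoundError, which matches the "works again after a Tomcat restart" symptom. When running the diagnostic against a real deployment, pass the class loader of the class whose static initializer fails (for example `AntiSamyDOMScanner.class.getClassLoader()`), because the two-argument `ResourceBundle.getBundle(String, Locale)` resolves the bundle through the caller's class loader, not the thread context loader.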