9 Replies Latest reply on Aug 22, 2014 11:06 AM by negora

    Why the exceptions occurred in JSPs are not logged?

    negora

      Hello:

       

      In Wildfly 8.1.0 I've detected that the exceptions thrown during the execution of a JSP file are not logged in production mode. However, if I enable the development mode in the file $WILDFLY/standalone/configuration/standalone.xml, they are:

       

           <jsp-config development="true"/>

       

      When this parameter is set to TRUE, the exceptions are logged in the file $WILDFLY/standalone/log/server.log. Is it the expected behaviour or is it a bug? If it's the former, what's the reason not to log such a critical thing as an exception, even though it happens in a JSP file?

       

      Thank you.

        • 1. Re: Why the exceptions occurred in JSPs are not logged?
          jaikiran

          Are you sure the stacktrace isn't even logged in the server log file? I can understand if it's not written out to the browser page, in production mode, but I would expect it to be at least logged in the server log. What exact page do you see when a JSP error occurs?

          • 2. Re: Why the exceptions occurred in JSPs are not logged?
            ctomc

            This is by design and configurable, as showing a stack trace in production environments can pose security risks.

            In the undertow subsystem, under the servlet-container config, you have the option stack-trace-on-error, which defaults to "local-only", which means it will show the stack trace only when accessed from localhost.

            <servlet-container name="default" default-buffer-cache="default" stack-trace-on-error="local-only" >

            You can change this value to "none", "all" or "local-only".

            What you are probably looking for is the "all" configuration.

            • 3. Re: Why the exceptions occurred in JSPs are not logged?
              ctomc

              Ah, I misread your question.

              It is the log file you are talking about, not the response on the web page.

              That looks fishy. Can you create a JIRA for this, so we can track it and fix it?

              1 of 1 people found this helpful
              • 4. Re: Why the exceptions occurred in JSPs are not logged?
                negora

                I'm sorry for the delay, but I've been on holidays. The page that is returned is a very simple HTML response. It only says "Internal Server Error". The title of the page is "Error". It outputs that content only. Nothing else.


                Checking the error today, I've discovered that it only happens when I throw a specific type of exception. It's the java.io.IOException. If I throw this one or another class that inherits from it, such as java.net.SocketException, the exception seems to be "swallowed" by the server, in production mode.


                To test it, you only need to write the following JSP file:

                 

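                   <%
                      // "if (true)" keeps the compiler from rejecting the rest of the generated servlet as unreachable code
                      if (true) {
                         throw new java.io.IOException("");
                      }
                   %>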

                 

                I'm going to wait for your answer before opening a JIRA, just in case that it's the right behaviour of Wildfly.

                 

                Thank you for your help!

                • 5. Re: Why the exceptions occurred in JSPs are not logged?
                  jaikiran

                  Can you post your web.xml contents? Just want to make sure you haven't configured any error-pages which might be interfering in this.

                  • 6. Re: Why the exceptions occurred in JSPs are not logged?
                    negora

                    Hello Jaikiran:

                     

                    In the simplest test that I've done, I've not used a "web.xml" file at all. I've created a simple WAR (as a directory), without deployment descriptor, and with a single JSP inside. But it hasn't logged the exception either. Even in a clean install of Wildfly. You can try to reproduce it yourself following these steps:

                     

                      unzip wildfly-8.1.0.Final.zip
                      cd wildfly-8.1.0.Final/standalone/deployments/
                      mkdir -p test.war/WEB-INF/
                      vim test.war/index.jsp    # write a JSP that throws an IOException
                      ../../bin/standalone.sh

                     

                    Then, in the browser, enter "http://localhost:8080/test". The page output shows the stack trace, but it is written neither to the console nor to the log file :/ . However, if you enable the JSP development mode, it is.


                    PS: By the way, I forgot to clarify one thing. The page that simply returned the message "Internal Server Error" was accessed from a non-local IP. That's why it didn't show the stack trace. I've accessed it from the IP 127.0.0.1 just now, and it effectively prints the stack trace. So it has no relation with the error that I've been commenting.

                    • 7. Re: Why the exceptions occurred in JSPs are not logged?
                      jaikiran

                      It looks like a bug. IOException and some other exceptions seem to be handled in a different manner, as can be seen in this code (jastow/JspServletWrapper.java at master, undertow-io/jastow on GitHub), and it looks like nowhere in the calling chain does the exception get logged to the log file/appender for these specific exceptions. You might want to open a JIRA for this in the WildFly JBoss Issue Tracker (or maybe in the Undertow JIRA).

                      1 of 1 people found this helpful
                      • 8. Re: Why the exceptions occurred in JSPs are not logged?
                        negora

                        Hello:

                         

                        Thank you for clarifying this issue. I've opened a ticket here, in the Undertow JIRA: https://issues.jboss.org/browse/UNDERTOW-296. I hope to have done it correctly.

                        • 9. Re: Why the exceptions occurred in JSPs are not logged?
                          negora

                          Stuart Douglas has responded to my JIRA ticket. He has said that it's intentional, to prevent DoS attacks. It seems that it's easy for an attacker to cause IOExceptions, so these are silenced in production mode. However, one can enable their logging by setting the log category "io.undertow.request.io" to level DEBUG.

                           

                          Thank you for the help!
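
A defender-side check for the three settings discussed in this thread (`jsp-config development`, `stack-trace-on-error` and the `io.undertow.request.io` log category), as an added example that is not part of the original posts or of WildFly itself. The sample XML is constructed, the function name `audit` and the INFO fallback are assumptions, and handler-level thresholds are not evaluated.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed standalone.xml fragment, not a full profile.
SAMPLE = """<server><profile>
  <subsystem xmlns="urn:jboss:domain:logging:2.0">
    <logger category="io.undertow.request.io"><level name="DEBUG"/></logger>
  </subsystem>
  <subsystem xmlns="urn:jboss:domain:undertow:1.1">
    <servlet-container name="default" stack-trace-on-error="all">
      <jsp-config development="false"/>
    </servlet-container>
  </subsystem>
</profile></server>"""

# Level names at or below DEBUG, i.e. levels that let DEBUG records through.
VERBOSE = {"ALL", "FINEST", "FINER", "TRACE", "FINE", "DEBUG"}

def local(tag):
    """Drop the '{namespace}' prefix so any subsystem schema version matches."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Report the three settings from the thread plus plain-language findings."""
    report = {"jsp_development": False,              # production mode unless set
              "stack_trace_on_error": "local-only",  # default quoted in the thread
              "io_exceptions_logged": False, "findings": []}
    levels = {}                                      # category -> level ("" = root)
    for el in ET.fromstring(xml_text).iter():
        name = local(el.tag)
        if name == "jsp-config":
            report["jsp_development"] = el.get("development", "false").lower() == "true"
        elif name == "servlet-container":
            report["stack_trace_on_error"] = el.get("stack-trace-on-error", "local-only")
        elif name in ("logger", "root-logger"):
            lvl = next((c.get("name") for c in el if local(c.tag) == "level"), None)
            if lvl:
                levels[el.get("category", "")] = lvl.upper()
    # The nearest configured ancestor category decides the effective level;
    # INFO is assumed when nothing at all is configured.
    cat = "io.undertow.request.io"
    while cat and cat not in levels:
        cat = cat.rpartition(".")[0]
    report["io_exceptions_logged"] = levels.get(cat, "INFO") in VERBOSE
    if report["stack_trace_on_error"] == "all":
        report["findings"].append("stack traces are sent to remote clients")
    if not (report["jsp_development"] or report["io_exceptions_logged"]):
        report["findings"].append("IOExceptions thrown by JSPs are not logged")
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Enabling the DEBUG category brings back the log volume that the production default was chosen to avoid, so the first finding and the second pull in opposite directions and should be decided per environment.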