Bug 1022390

Summary: Third party webdav-servlet library contains resource hungry log4j.xml configuration file
Product: [JBoss] JBoss Enterprise BRMS Platform 5 Reporter: Abhijit humbe <abhumbe>
Component: 3rd PartyAssignee: manstis
Status: VERIFIED --- QA Contact: Marek Winkler <mwinkler>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: BRMS 5.3.1CC: alazarot, manstis, mwinkler, nwallace, tkobayas
Target Milestone: GA   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1022758    

Description Abhijit humbe 2013-10-23 08:05:11 UTC
Description of problem:

The thirdparty webdav-servlet-2.0.jar library which is dependency of modeshape-web-jcr-webdav contains log4j.xml
which logs with TRACE level to a file with fixed path.

If log4j reads this file then application logging on such level agressively consumes CPU, IO, disk space.
This is very critical problem for production environments. This file shouldn't be bundled with libraries.

The problem was fixed by library authors
http://webdav-servlet.svn.sourceforge.net/viewvc/webdav-servlet?revision=82&view=revision
but there are no further releases containing above change.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 JBoss JIRA Server 2013-10-24 09:22:40 UTC
Randall Hauch <rhauch> updated the status of jira MODE-885 to Closed

Comment 2 Alessandro Lazarotti 2013-11-12 13:23:55 UTC
Actually it is not added to BRMS as a dependency of modeshape-web-jcr-webdav - BRMS uses WebDAV in Guvnor to allow access to JCR repository by WebDAV even when used Jackrabbit.

An upgrade to webdav-servlet-2.0.1.jar (instead of webdav-servlet-2.0.jar) fixes this issue.

Comment 5 Marek Winkler 2014-02-05 09:41:23 UTC
The jboss-brms.war/WEB-INF/lib still contains webdav-servlet-2.0.jar. 

All distributions (deployable, deployable-ee6, standalone) are affected. The manual patch (BZ-1022758.zip) does not contain the webdav-servlet-2.0.1.jar as well.

Comment 6 Marek Winkler 2014-02-05 09:43:35 UTC
The commit upgrading the webdav-servlet version in pom has been cherry-picked into the patch, probably just a rebuild is needed and patch instructions updated.

Comment 7 Marek Winkler 2014-02-07 07:12:31 UTC
Changing to MODIFIED as it reflects the current state more accurately (the problem is in the build, not in the fix).

Comment 8 Marek Winkler 2014-02-13 12:12:19 UTC
Verified that the correct version is bundled with 5.3.1.BRMS-P05.