[
https://issues.apache.org/jira/browse/MYFACES-4297?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16890054#comment-16890054
]
Thomas Andraschko edited comment on MYFACES-4297 at 7/22/19 10:07 AM:
----------------------------------------------------------------------
No idea, but currently I have a bug because of this change.
If no session creation is forced - and you use a @ViewScoped bean which is
referenced via EL in the render phase - it throws that no SessionContext is
active.
I can fix it, so that our @ViewScoped context will force a session creation but
it leads to this error:
Caused by: java.lang.IllegalStateException: Response is committed
    at org.eclipse.jetty.server.Request.getSession (Request.java:1565)
    at org.apache.myfaces.context.servlet.ServletExternalContextImpl.getSession (ServletExternalContextImpl.java:160)
    at org.apache.myfaces.cdi.view.ViewScopeContextImpl.get (ViewScopeContextImpl.java:152)
The same works in Mojarra. Maybe they buffer the whole response, I will need to
check it.
This is also related: https://issues.apache.org/jira/browse/OWB-1295
was (Author: tandraschko):
No idea, but currently I have a bug because of this change.
If no session creation is forced - and you use a @ViewScoped bean which is
referenced via EL in the render phase - it throws that no SessionContext is
active.
I can fix it that our @ViewScoped context will force a session creation but it
leads to this error:
Caused by: java.lang.IllegalStateException: Response is committed
    at org.eclipse.jetty.server.Request.getSession (Request.java:1565)
    at org.apache.myfaces.context.servlet.ServletExternalContextImpl.getSession (ServletExternalContextImpl.java:160)
    at org.apache.myfaces.cdi.view.ViewScopeContextImpl.get (ViewScopeContextImpl.java:152)
The same works in Mojarra. Maybe they buffer the whole response, I will need to
check it.
This is also related: https://issues.apache.org/jira/browse/OWB-1295
> Client Side state / stateless views should not force session creation
> ---------------------------------------------------------------------
>
> Key: MYFACES-4297
> URL: https://issues.apache.org/jira/browse/MYFACES-4297
> Project: MyFaces Core
> Issue Type: Bug
> Components: General
> Affects Versions: 2.2.12, 2.3.4
> Environment: Debian 8.4, Debian 9.9
> Tomcat 7.0.42 + JDK 1.7.0_71 (myfaces 2.2.12)
> TomEE 7.1.1 + JDK 1.8.0_212 (myfaces 2.3.4)
> Reporter: NCister
> Assignee: Thomas Andraschko
> Priority: Major
> Fix For: 2.2.13, 3.0.0-SNAPSHOT, 2.3.5
>
>
> Hi.
> There seems to be +no way+ to have stateless behavior in myfaces.
> I'm using javax.faces.STATE_SAVING_METHOD = *client* in web.xml (as also
> described in this post:
> https://stackoverflow.com/questions/36650846/when-does-jsf-creates-a-session-what-does-it-puts-in-a-session-map)
> but myfaces always creates a session to transfer the FacesContext encoding
> (why?)
> I've noticed that it happens in the *FaceletViewDeclarationLanguage*
> getResponseEncoding method.
> I've already tested my code in mojarra (2.2 and 2.3) and it works fine (it
> doesn't create any session if not +explicitly+ requested through a
> SessionScope or ViewScope Bean).
> This is a big problem because any simple JSF (myfaces) page is virtually
> exposed to DoS or flooding attacks (generating zombie sessions).
> Does a way exist in myfaces (that I don't know of) to manage stateless pages?
> Thanks.
> NC
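
A diagnostic for the problem reported in this issue, added here as an example and not taken from MyFaces or from the thread: a servlet `HttpSessionListener` that logs the call site of every session creation and keeps a live-session count, so pages meant to be stateless can be checked for unexpected sessions. The class name is hypothetical, and it assumes the container invokes `sessionCreated` on the request thread that called `getSession`.

```java
import java.util.concurrent.atomic.AtomicLong;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Hypothetical audit listener (not part of MyFaces): reports where sessions
 * are created so that unintended creation on stateless / client-state views
 * shows up in the log together with the responsible call path.
 */
@WebListener
public class SessionCreationAuditListener implements HttpSessionListener {

    private static final Logger LOG =
            Logger.getLogger(SessionCreationAuditListener.class.getName());

    // Sessions currently alive in this web application.
    private static final AtomicLong LIVE_SESSIONS = new AtomicLong();

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        long live = LIVE_SESSIONS.incrementAndGet();
        // Assumption: the container calls this synchronously from within
        // getSession(true), so the Throwable's stack trace names the
        // caller (for example a view declaration language or a CDI context).
        // The session id itself is deliberately not logged.
        LOG.log(Level.WARNING,
                "HTTP session created; live sessions = " + live,
                new Throwable("session creation call site"));
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        LIVE_SESSIONS.decrementAndGet();
    }

    /** Current number of live sessions, e.g. for a health or metrics endpoint. */
    public static long liveSessions() {
        return LIVE_SESSIONS.get();
    }
}
```

A live-session count that grows with anonymous requests to pages using client-side state saving indicates the behavior described in the report.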