Hello,
we recently upgraded to MyFaces 2.3.8 due to the CSRF vulnerability
reported here late February. We were on 2.3.4 before. Since then we see
an insane amount (i.e. 100000+ per day) of "SessionScope does not exist
within current thread" in our logs, like:

15:46:41.421 ERROR org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/events] - Session event listener threw exception
javax.enterprise.context.ContextNotActiveException: WebBeans context with scope type annotation @SessionScoped does not exist within current thread
    at org.apache.webbeans.container.BeanManagerImpl.getContext(BeanManagerImpl.java:329) ~[openwebbeans-impl.jar:2.0.12]
    at org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.getContextualInstance(NormalScopedBeanInterceptorHandler.java:89) ~[openwebbeans-impl.jar:2.0.12]
    at org.apache.webbeans.intercept.SessionScopedBeanInterceptorHandler.getContextualInstance(SessionScopedBeanInterceptorHandler.java:76) ~[openwebbeans-impl.jar:2.0.12]
    at org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.get(NormalScopedBeanInterceptorHandler.java:71) ~[openwebbeans-impl.jar:2.0.12]
    at org.apache.myfaces.cdi.view.ViewScopeBeanHolder$$OwbNormalScopeProxy2.destroyBeans(org/apache/myfaces/cdi/view/ViewScopeBeanHolder.java) ~[?:2.3.8]
    at org.apache.myfaces.cdi.impl.CDIManagedBeanHandlerImpl.onSessionDestroyed(CDIManagedBeanHandlerImpl.java:113) ~[myfaces-impl.jar:2.3.8]
    at org.apache.myfaces.webapp.ManagedBeanDestroyerListener.sessionDestroyed(ManagedBeanDestroyerListener.java:201) ~[myfaces-impl.jar:2.3.8]
    at org.apache.catalina.session.StandardSession.expire(StandardSession.java:801) [catalina.jar:9.0.22]
    at org.apache.catalina.session.StandardSession.isValid(StandardSession.java:659) [catalina.jar:9.0.22]
    at org.apache.catalina.session.ManagerBase.processExpires(ManagerBase.java:573) [catalina.jar:9.0.22]
    at org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:558) [catalina.jar:9.0.22]
    at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5536) [catalina.jar:9.0.22]
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353) [catalina.jar:9.0.22]
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357) [catalina.jar:9.0.22]
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357) [catalina.jar:9.0.22]
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335) [catalina.jar:9.0.22]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) [?:?]
    at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) [?:?]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305) [?:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:9.0.22]
    at java.lang.Thread.run(Thread.java:834) [?:?]

We also upgraded Tomcat to 9.0.46 and OpenWebBeans to 2.0.21 trying to
fix the problem - without success. We are not sure what causes the
issue. We assume it has something to do with expired cookies being sent
to the server, but we are not sure that would sum up to the amount we
see. Also, we can't seem to be able to reproduce it on anything but
the production system.
JSF stack:
* Tomcat 9.0.46
* OpenWebBeans 2.0.21
* MyFaces 2.3.8
* DeltaSpike 1.9.3 (not sure if relevant)
Any hint, help, or suggestion on debugging and narrowing down the issue
is very much appreciated. If more information is needed, feel free to
ask. I'm not sure what's relevant, so I don't really know what to add here.
Cheers,
Juri