Can you try to find the version which introduced it?

Am Fr., 5. März 2021 um 13:57 Uhr schrieb Juri Berlanda <
juri.berla...@tuwien.ac.at>:

> Hello,
>
> we recently upgraded to MyFaces 2.3.8 due to the CSRF vulnerability
> reported here late February. We were on 2.3.4 before. Since then we see
> an insane amount (i.e. 100000+ per day) of "SessionScope does not exist
> within current thread" in our logs, like:
>
> 15:46:41.421 ERROR
> org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/events]
> - Session event listener threw exception
> javax.enterprise.context.ContextNotActiveException: WebBeans context
> with scope type annotation @SessionScoped does not exist within current
> thread
>          at
> org.apache.webbeans.container.BeanManagerImpl.getContext(BeanManagerImpl.java:329)
>
> ~[openwebbeans-impl.jar:2.0.12]
>          at
> org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.getContextualInstance(NormalScopedBeanInterceptorHandler.java:89)
>
> ~[openwebbeans-impl.jar:2.0.12]
>          at
> org.apache.webbeans.intercept.SessionScopedBeanInterceptorHandler.getContextualInstance(SessionScopedBeanInterceptorHandler.java:76)
>
> ~[openwebbeans-impl.jar:2.0.12]
>          at
> org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.get(NormalScopedBeanInterceptorHandler.java:71)
>
> ~[openwebbeans-impl.jar:2.0.12]
>          at
> org.apache.myfaces.cdi.view.ViewScopeBeanHolder$$OwbNormalScopeProxy2.destroyBeans(org/apache/myfaces/cdi/view/ViewScopeBeanHolder.java)
>
> ~[?:2.3.8]
>          at
> org.apache.myfaces.cdi.impl.CDIManagedBeanHandlerImpl.onSessionDestroyed(CDIManagedBeanHandlerImpl.java:113)
>
> ~[myfaces-impl.jar:2.3.8]
>          at
> org.apache.myfaces.webapp.ManagedBeanDestroyerListener.sessionDestroyed(ManagedBeanDestroyerListener.java:201)
>
> ~[myfaces-impl.jar:2.3.8]
>          at
> org.apache.catalina.session.StandardSession.expire(StandardSession.java:801)
>
> [catalina.jar:9.0.22]
>          at
> org.apache.catalina.session.StandardSession.isValid(StandardSession.java:659)
>
> [catalina.jar:9.0.22]
>          at
> org.apache.catalina.session.ManagerBase.processExpires(ManagerBase.java:573)
>
> [catalina.jar:9.0.22]
>          at
> org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:558)
>
> [catalina.jar:9.0.22]
>          at
> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5536)
>
> [catalina.jar:9.0.22]
>          at
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353)
>
> [catalina.jar:9.0.22]
>          at
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
>
> [catalina.jar:9.0.22]
>          at
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
>
> [catalina.jar:9.0.22]
>          at
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335)
>
> [catalina.jar:9.0.22]
>          at
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
> [?:?]
>          at
> java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) [?:?]
>          at
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
>
> [?:?]
>          at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>
> [?:?]
>          at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>
> [?:?]
>          at
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>
> [tomcat-util.jar:9.0.22]
>          at java.lang.Thread.run(Thread.java:834) [?:?]
>
> We also upgraded Tomcat to 9.0.46 and OpenWebBeans to 2.0.21 trying to
> fix the problem - without success. We are not  sure what causes the
> issue. We assume it has something to do with expired cookies being sent
> to the server, but we are not sure that would sum up to the amount we
> see. Also, we can't seem to be able to reproduce it on anything but
> production system.
>
> JSF stack:
>
>   * Tomcat 9.0.46
>   * OpenWebBeans 2.0.21
>   * MyFaces 2.3.8
>   * DeltaSpike 1.9.3 (not sure if relevant)
>
> Any hint, help, or suggestion on debugging and narrowing down the issue
> is very much appreciated. If more information is needed, feel free to
> ask. I'm not sure what's relevant, so I don't really know what to add here.
>
> Cheers,
>
> Juri
>
>

Reply via email to