this is also explained here: https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/view/ViewScopeBeanHolder.java#L187
in think the CDIManagedBeanHandlerImpl.java# <https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java#L113>onSessionDestroyed should check if SessionScoped exists before getting the bean holders. A PR would be great and a test on your side if it works. Am Fr., 5. März 2021 um 14:45 Uhr schrieb Thomas Andraschko < andraschko.tho...@gmail.com>: > the problem and described is actually here: > https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java#L113 > > on the one hand, we rely on @PreDestroy on ViewScopeBeanHolder, on the > other hand we manually invoke the getViewScopeBeanHolder().destroyBeans(); > but the ViewScopeBeanHolder is SessionScoped, which doesnt exist in MyFaces > HttpSessionListener#onSessionDestroyed. > i think thats just a bug. > > Am Fr., 5. März 2021 um 14:21 Uhr schrieb Thomas Andraschko < > andraschko.tho...@gmail.com>: > >> This could be the reason: >> https://issues.apache.org/jira/browse/MYFACES-4353 >> >> Am Fr., 5. März 2021 um 14:19 Uhr schrieb Thomas Andraschko < >> andraschko.tho...@gmail.com>: >> >>> Can you try to find the version which introduced it? >>> >>> Am Fr., 5. März 2021 um 13:57 Uhr schrieb Juri Berlanda < >>> juri.berla...@tuwien.ac.at>: >>> >>>> Hello, >>>> >>>> we recently upgraded to MyFaces 2.3.8 due to the CSRF vulnerability >>>> reported here late February. We were on 2.3.4 before. Since then we see >>>> an insane amount (i.e. 100000+ per day) of "SessionScope does not exist >>>> within current thread" in our logs, like: >>>> >>>> 15:46:41.421 ERROR >>>> org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/events] >>>> - Session event listener threw exception >>>> javax.enterprise.context.ContextNotActiveException: WebBeans context >>>> with scope type annotation @SessionScoped does not exist within current >>>> thread >>>> at >>>> org.apache.webbeans.container.BeanManagerImpl.getContext(BeanManagerImpl.java:329) >>>> >>>> ~[openwebbeans-impl.jar:2.0.12] >>>> at >>>> org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.getContextualInstance(NormalScopedBeanInterceptorHandler.java:89) >>>> >>>> ~[openwebbeans-impl.jar:2.0.12] >>>> at >>>> org.apache.webbeans.intercept.SessionScopedBeanInterceptorHandler.getContextualInstance(SessionScopedBeanInterceptorHandler.java:76) >>>> >>>> ~[openwebbeans-impl.jar:2.0.12] >>>> at >>>> org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.get(NormalScopedBeanInterceptorHandler.java:71) >>>> >>>> ~[openwebbeans-impl.jar:2.0.12] >>>> at >>>> org.apache.myfaces.cdi.view.ViewScopeBeanHolder$$OwbNormalScopeProxy2.destroyBeans(org/apache/myfaces/cdi/view/ViewScopeBeanHolder.java) >>>> >>>> ~[?:2.3.8] >>>> at >>>> org.apache.myfaces.cdi.impl.CDIManagedBeanHandlerImpl.onSessionDestroyed(CDIManagedBeanHandlerImpl.java:113) >>>> >>>> ~[myfaces-impl.jar:2.3.8] >>>> at >>>> org.apache.myfaces.webapp.ManagedBeanDestroyerListener.sessionDestroyed(ManagedBeanDestroyerListener.java:201) >>>> >>>> ~[myfaces-impl.jar:2.3.8] >>>> at >>>> org.apache.catalina.session.StandardSession.expire(StandardSession.java:801) >>>> >>>> [catalina.jar:9.0.22] >>>> at >>>> org.apache.catalina.session.StandardSession.isValid(StandardSession.java:659) >>>> >>>> [catalina.jar:9.0.22] >>>> at >>>> org.apache.catalina.session.ManagerBase.processExpires(ManagerBase.java:573) >>>> >>>> [catalina.jar:9.0.22] >>>> at >>>> org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:558) >>>> >>>> [catalina.jar:9.0.22] >>>> at >>>> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5536) >>>> >>>> [catalina.jar:9.0.22] >>>> at >>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353) >>>> >>>> [catalina.jar:9.0.22] >>>> at >>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357) >>>> >>>> [catalina.jar:9.0.22] >>>> at >>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357) >>>> >>>> [catalina.jar:9.0.22] >>>> at >>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335) >>>> >>>> [catalina.jar:9.0.22] >>>> at >>>> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) >>>> [?:?] >>>> at >>>> java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) [?:?] >>>> at >>>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305) >>>> >>>> [?:?] >>>> at >>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) >>>> >>>> [?:?] >>>> at >>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) >>>> >>>> [?:?] >>>> at >>>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) >>>> >>>> [tomcat-util.jar:9.0.22] >>>> at java.lang.Thread.run(Thread.java:834) [?:?] >>>> >>>> We also upgraded Tomcat to 9.0.46 and OpenWebBeans to 2.0.21 trying to >>>> fix the problem - without success. We are not sure what causes the >>>> issue. We assume it has something to do with expired cookies being sent >>>> to the server, but we are not sure that would sum up to the amount we >>>> see. Also, we can't seem to be able to reproduce it on anything but >>>> production system. >>>> >>>> JSF stack: >>>> >>>> * Tomcat 9.0.46 >>>> * OpenWebBeans 2.0.21 >>>> * MyFaces 2.3.8 >>>> * DeltaSpike 1.9.3 (not sure if relevant) >>>> >>>> Any hint, help, or suggestion on debugging and narrowing down the issue >>>> is very much appreciated. If more information is needed, feel free to >>>> ask. I'm not sure what's relevant, so I don't really know what to add >>>> here. >>>> >>>> Cheers, >>>> >>>> Juri >>>> >>>>
