Yep exactly. If that works, please create an issue and some PRs (2.2, 2.3, 3.0 and 2.3-next)
On Mon, 8 Mar 2021 at 12:37, Juri Berlanda <juri.berla...@tuwien.ac.at> wrote:

> Hello again,
>
> thanks for the quick answer.
>
> Unfortunately, I cannot downgrade to find out if 2.3.7 caused the issue
> because - as mentioned - we only see the behavior in production, and I
> can't risk having known unpatched vulnerabilities in production.
>
> For the "test on your side if it works" part, I need to check with
> operations, but assuming it is a one-liner I can put on top of a clean
> 2.3.8 I should get the waiver to have it in production.
>
> Did you think of something like:
>
> diff --git a/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java b/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java
> index 66d7cf639..17ee05b4e 100644
> --- a/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java
> +++ b/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java
> @@ -106,7 +106,7 @@ public class CDIManagedBeanHandlerImpl extends ViewScopeProvider
> FacesContext facesContext = FacesContext.getCurrentInstance();
> if (facesContext != null)
> {
> - if (facesContext.getExternalContext().getSession(false) != null)
> + if (facesContext.getExternalContext().getSession(false) != null && CDIUtils.isSessionScopeActive(beanManager))
> {
> if (isViewScopeBeanHolderCreated(facesContext))
>
> Cheers,
>
> Juri
>
> On 3/5/21 2:54 PM, Thomas Andraschko wrote:
> > this is also explained here:
> > https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/view/ViewScopeBeanHolder.java#L187
> >
> > I think the CDIManagedBeanHandlerImpl.java#onSessionDestroyed
> > <https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java#L113>
> > should check if SessionScoped exists before getting the bean holders.
> > A PR would be great, and a test on your side if it works.
> >
> > On Fri, 5 Mar 2021 at 14:45, Thomas Andraschko <andraschko.tho...@gmail.com> wrote:
> >
> >> the problem as described is actually here:
> >> https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java#L113
> >>
> >> on the one hand, we rely on @PreDestroy on ViewScopeBeanHolder, on the
> >> other hand we manually invoke the getViewScopeBeanHolder().destroyBeans();
> >> but the ViewScopeBeanHolder is SessionScoped, which doesn't exist in MyFaces
> >> HttpSessionListener#onSessionDestroyed.
> >> I think that's just a bug.
> >>
> >> On Fri, 5 Mar 2021 at 14:21, Thomas Andraschko <andraschko.tho...@gmail.com> wrote:
> >>
> >>> This could be the reason:
> >>> https://issues.apache.org/jira/browse/MYFACES-4353
> >>>
> >>> On Fri, 5 Mar 2021 at 14:19, Thomas Andraschko <andraschko.tho...@gmail.com> wrote:
> >>>
> >>>> Can you try to find the version which introduced it?
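Review bot: the new condition in the `@@ -106,7 +106,7 @@` hunk calls `CDIUtils.isSessionScopeActive(beanManager)`, but neither that helper nor a `beanManager` field is visible in the hunk's context, so confirm both exist on every branch the PR targets (2.2, 2.3, 3.0 and 2.3-next) or add them in the same change, otherwise the one-liner will not compile there. Worth a short comment on the guard as well: when the session scope is not active, the `destroyBeans()` path is skipped entirely, which is only safe because ViewScopeBeanHolder's `@PreDestroy` (linked earlier in the thread) takes over the cleanup when the container tears down the session context. A regression test that expires a session from the container's background thread (the `ManagerBase.processExpires` path in the reported stack trace) rather than from a request thread would cover exactly the case this guard is meant to fix.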
> >>>>
> >>>> On Fri, 5 Mar 2021 at 13:57, Juri Berlanda <juri.berla...@tuwien.ac.at> wrote:
> >>>>
> >>>>> Hello,
> >>>>>
> >>>>> we recently upgraded to MyFaces 2.3.8 due to the CSRF vulnerability
> >>>>> reported here late February. We were on 2.3.4 before. Since then we see
> >>>>> an insane amount (i.e. 100000+ per day) of "SessionScope does not exist
> >>>>> within current thread" in our logs, like:
> >>>>>
> >>>>> 15:46:41.421 ERROR org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/events] - Session event listener threw exception
> >>>>> javax.enterprise.context.ContextNotActiveException: WebBeans context with scope type annotation @SessionScoped does not exist within current thread
> >>>>>     at org.apache.webbeans.container.BeanManagerImpl.getContext(BeanManagerImpl.java:329) ~[openwebbeans-impl.jar:2.0.12]
> >>>>>     at org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.getContextualInstance(NormalScopedBeanInterceptorHandler.java:89) ~[openwebbeans-impl.jar:2.0.12]
> >>>>>     at org.apache.webbeans.intercept.SessionScopedBeanInterceptorHandler.getContextualInstance(SessionScopedBeanInterceptorHandler.java:76) ~[openwebbeans-impl.jar:2.0.12]
> >>>>>     at org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.get(NormalScopedBeanInterceptorHandler.java:71) ~[openwebbeans-impl.jar:2.0.12]
> >>>>>     at org.apache.myfaces.cdi.view.ViewScopeBeanHolder$$OwbNormalScopeProxy2.destroyBeans(org/apache/myfaces/cdi/view/ViewScopeBeanHolder.java) ~[?:2.3.8]
> >>>>>     at org.apache.myfaces.cdi.impl.CDIManagedBeanHandlerImpl.onSessionDestroyed(CDIManagedBeanHandlerImpl.java:113) ~[myfaces-impl.jar:2.3.8]
> >>>>>     at org.apache.myfaces.webapp.ManagedBeanDestroyerListener.sessionDestroyed(ManagedBeanDestroyerListener.java:201) ~[myfaces-impl.jar:2.3.8]
> >>>>>     at org.apache.catalina.session.StandardSession.expire(StandardSession.java:801) [catalina.jar:9.0.22]
> >>>>>     at org.apache.catalina.session.StandardSession.isValid(StandardSession.java:659) [catalina.jar:9.0.22]
> >>>>>     at org.apache.catalina.session.ManagerBase.processExpires(ManagerBase.java:573) [catalina.jar:9.0.22]
> >>>>>     at org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:558) [catalina.jar:9.0.22]
> >>>>>     at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5536) [catalina.jar:9.0.22]
> >>>>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353) [catalina.jar:9.0.22]
> >>>>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357) [catalina.jar:9.0.22]
> >>>>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357) [catalina.jar:9.0.22]
> >>>>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335) [catalina.jar:9.0.22]
> >>>>>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) [?:?]
> >>>>>     at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) [?:?]
> >>>>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305) [?:?]
> >>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
> >>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
> >>>>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:9.0.22]
> >>>>>     at java.lang.Thread.run(Thread.java:834) [?:?]
> >>>>>
> >>>>> We also upgraded Tomcat to 9.0.46 and OpenWebBeans to 2.0.21 trying to
> >>>>> fix the problem - without success. We are not sure what causes the
> >>>>> issue. We assume it has something to do with expired cookies being sent
> >>>>> to the server, but we are not sure that would sum up to the amount we
> >>>>> see. Also, we can't seem to be able to reproduce it on anything but the
> >>>>> production system.
> >>>>>
> >>>>> JSF stack:
> >>>>>
> >>>>> * Tomcat 9.0.46
> >>>>> * OpenWebBeans 2.0.21
> >>>>> * MyFaces 2.3.8
> >>>>> * DeltaSpike 1.9.3 (not sure if relevant)
> >>>>>
> >>>>> Any hint, help, or suggestion on debugging and narrowing down the issue
> >>>>> is very much appreciated. If more information is needed, feel free to
> >>>>> ask. I'm not sure what's relevant, so I don't really know what to add
> >>>>> here.
> >>>>>
> >>>>> Cheers,
> >>>>>
> >>>>> Juri
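As an added illustration of the guard this thread converges on (example code, not MyFaces' own CDIUtils or CDIManagedBeanHandlerImpl; the SessionScopeGuard class, the BeanHolder interface and the listener are hypothetical): a session listener asks the BeanManager whether a CDI session context is active before dereferencing a @SessionScoped proxy, so expiry driven by Tomcat's background thread no longer ends in ContextNotActiveException.

```java
import javax.enterprise.context.ContextNotActiveException;
import javax.enterprise.context.SessionScoped;
import javax.enterprise.inject.spi.BeanManager;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical stand-in for a @SessionScoped holder such as ViewScopeBeanHolder. */
interface BeanHolder {
    void destroyBeans();
}

/** Illustration only; not MyFaces code. */
public final class SessionScopeGuard {
    private SessionScopeGuard() {}

    /**
     * True only if a CDI session context is active on the calling thread.
     * Per the CDI spec, BeanManager.getContext() throws ContextNotActiveException
     * when no context for the scope is active, which is what the reported stack
     * trace shows for Tomcat's background expiry thread.
     */
    public static boolean isSessionScopeActive(BeanManager beanManager) {
        try {
            return beanManager.getContext(SessionScoped.class).isActive();
        } catch (ContextNotActiveException e) {
            return false;
        }
    }

    /** Destroys view-scoped beans only when the holder can legally be resolved. */
    public static final class GuardedDestroyListener implements HttpSessionListener {
        private final BeanManager beanManager;
        private final BeanHolder holder; // a normal-scoped client proxy when injected by CDI

        public GuardedDestroyListener(BeanManager beanManager, BeanHolder holder) {
            this.beanManager = beanManager;
            this.holder = holder;
        }

        @Override public void sessionCreated(HttpSessionEvent event) { /* nothing to do */ }

        @Override
        public void sessionDestroyed(HttpSessionEvent event) {
            // Unguarded, holder.destroyBeans() dereferences the proxy and throws
            // ContextNotActiveException when expiry runs outside a request thread.
            if (isSessionScopeActive(beanManager)) {
                holder.destroyBeans();
            }
            // Otherwise rely on the holder's own @PreDestroy, which the container
            // invokes when it destroys the session context.
        }
    }
}
```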