You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@myfaces.apache.org by Juri Berlanda <ju...@tuwien.ac.at> on 2021/03/05 12:57:29 UTC
Huge amount of "SessionScope not active" since upgrade to 2.3.8
Hello,
we recently upgraded to MyFaces 2.3.8 due to the CSRF vulnerability
reported here late February. We were on 2.3.4 before. Since then we see
an insane amount (i.e. 100000+ per day) of "SessionScope does not exist
within current thread" in our logs, like:
15:46:41.421 ERROR
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/events]
- Session event listener threw exception
javax.enterprise.context.ContextNotActiveException: WebBeans context
with scope type annotation @SessionScoped does not exist within current
thread
at
org.apache.webbeans.container.BeanManagerImpl.getContext(BeanManagerImpl.java:329)
~[openwebbeans-impl.jar:2.0.12]
at
org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.getContextualInstance(NormalScopedBeanInterceptorHandler.java:89)
~[openwebbeans-impl.jar:2.0.12]
at
org.apache.webbeans.intercept.SessionScopedBeanInterceptorHandler.getContextualInstance(SessionScopedBeanInterceptorHandler.java:76)
~[openwebbeans-impl.jar:2.0.12]
at
org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.get(NormalScopedBeanInterceptorHandler.java:71)
~[openwebbeans-impl.jar:2.0.12]
at
org.apache.myfaces.cdi.view.ViewScopeBeanHolder$$OwbNormalScopeProxy2.destroyBeans(org/apache/myfaces/cdi/view/ViewScopeBeanHolder.java)
~[?:2.3.8]
at
org.apache.myfaces.cdi.impl.CDIManagedBeanHandlerImpl.onSessionDestroyed(CDIManagedBeanHandlerImpl.java:113)
~[myfaces-impl.jar:2.3.8]
at
org.apache.myfaces.webapp.ManagedBeanDestroyerListener.sessionDestroyed(ManagedBeanDestroyerListener.java:201)
~[myfaces-impl.jar:2.3.8]
at
org.apache.catalina.session.StandardSession.expire(StandardSession.java:801)
[catalina.jar:9.0.22]
at
org.apache.catalina.session.StandardSession.isValid(StandardSession.java:659)
[catalina.jar:9.0.22]
at
org.apache.catalina.session.ManagerBase.processExpires(ManagerBase.java:573)
[catalina.jar:9.0.22]
at
org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:558)
[catalina.jar:9.0.22]
at
org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5536)
[catalina.jar:9.0.22]
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353)
[catalina.jar:9.0.22]
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
[catalina.jar:9.0.22]
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
[catalina.jar:9.0.22]
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335)
[catalina.jar:9.0.22]
at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
[?:?]
at
java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) [?:?]
at
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
[?:?]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
[?:?]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
[?:?]
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
[tomcat-util.jar:9.0.22]
at java.lang.Thread.run(Thread.java:834) [?:?]
We also upgraded Tomcat to 9.0.46 and OpenWebBeans to 2.0.21 trying to
fix the problem - without success. We are not sure what causes the
issue. We assume it has something to do with expired cookies being sent
to the server, but we are not sure that would sum up to the amount we
see. Also, we can't seem to be able to reproduce it on anything but
production system.
JSF stack:
* Tomcat 9.0.46
* OpenWebBeans 2.0.21
* MyFaces 2.3.8
* DeltaSpike 1.9.3 (not sure if relevant)
Any hint, help, or suggestion on debugging and narrowing down the issue
is very much appreciated. If more information is needed, feel free to
ask. I'm not sure what's relevant, so I don't really know what to add here.
Cheers,
Juri
Re: Huge amount of "SessionScope not active" since upgrade to 2.3.8
Posted by Juri Berlanda <ju...@tuwien.ac.at>.
Hello again,
we released the patched 2.3.8 version yesterday and log flood is gone. I
wasn't able to find the relevant piece of code in master branch though,
so no PR for that for now.
I created an issue (https://issues.apache.org/jira/browse/MYFACES-4382)
and PRs for the individual branches (see the issue for links to them).
Cheers,
Juri
On 3/8/21 1:08 PM, Thomas Andraschko wrote:
> Yep exactly.
> If that works, please create a issue and some PRs (2.2, 2.3, 3.0 and
> 2.3-next)
>
> Am Mo., 8. März 2021 um 12:37 Uhr schrieb Juri Berlanda <
> juri.berlanda@tuwien.ac.at>:
>
>> Hello again,
>>
>> thanks for the quick answer.
>>
>> Unfortunately, I cannot downgrade to find out if 2.3.7 caused the issue
>> because - as mentioned - we only see the behavior in production, and I
>> can't risk having known unpatched vulnerabilities in production.
>>
>> For the "test on your side if it works" part, I need to check with
>> operations, but assuming it is a one-liner I can put on top a clean
>> 2.3.8 I should get the waiver to have it in production.
>>
>> Did you think something like:
>>
>> diff --git
>> a/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java
>>
>>
>> b/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java
>> index 66d7cf639..17ee05b4e 100644
>> ---
>>
>> a/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java
>> +++
>>
>> b/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java
>> @@ -106,7 +106,7 @@ public class CDIManagedBeanHandlerImpl extends
>> ViewScopeProvider
>> FacesContext facesContext = FacesContext.getCurrentInstance();
>> if (facesContext != null)
>> {
>> - if (facesContext.getExternalContext().getSession(false) !=
>> null)
>> + if (facesContext.getExternalContext().getSession(false) !=
>> null && CDIUtils.isSessionScopeActive(beanManager))
>> {
>> if (isViewScopeBeanHolderCreated(facesContext))
>>
>> Cheers,
>>
>> Juri
>>
>> On 3/5/21 2:54 PM, Thomas Andraschko wrote:
>>> this is also explained here:
>>>
>> https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/view/ViewScopeBeanHolder.java#L187
>>> in think the CDIManagedBeanHandlerImpl.java#
>>> <
>> https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java#L113
>>> onSessionDestroyed
>>> should check if SessionScoped exists before getting the bean holders.
>>> A PR would be great and a test on your side if it works.
>>>
>>> Am Fr., 5. März 2021 um 14:45 Uhr schrieb Thomas Andraschko <
>>> andraschko.thomas@gmail.com>:
>>>
>>>> the problem and described is actually here:
>>>>
>> https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java#L113
>>>> on the one hand, we rely on @PreDestroy on ViewScopeBeanHolder, on the
>>>> other hand we manually invoke the
>> getViewScopeBeanHolder().destroyBeans();
>>>> but the ViewScopeBeanHolder is SessionScoped, which doesnt exist in
>> MyFaces
>>>> HttpSessionListener#onSessionDestroyed.
>>>> i think thats just a bug.
>>>>
>>>> Am Fr., 5. März 2021 um 14:21 Uhr schrieb Thomas Andraschko <
>>>> andraschko.thomas@gmail.com>:
>>>>
>>>>> This could be the reason:
>>>>> https://issues.apache.org/jira/browse/MYFACES-4353
>>>>>
>>>>> Am Fr., 5. März 2021 um 14:19 Uhr schrieb Thomas Andraschko <
>>>>> andraschko.thomas@gmail.com>:
>>>>>
>>>>>> Can you try to find the version which introduced it?
>>>>>>
>>>>>> Am Fr., 5. März 2021 um 13:57 Uhr schrieb Juri Berlanda <
>>>>>> juri.berlanda@tuwien.ac.at>:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> we recently upgraded to MyFaces 2.3.8 due to the CSRF vulnerability
>>>>>>> reported here late February. We were on 2.3.4 before. Since then we
>> see
>>>>>>> an insane amount (i.e. 100000+ per day) of "SessionScope does not
>> exist
>>>>>>> within current thread" in our logs, like:
>>>>>>>
>>>>>>> 15:46:41.421 ERROR
>>>>>>>
>> org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/events]
>>>>>>> - Session event listener threw exception
>>>>>>> javax.enterprise.context.ContextNotActiveException: WebBeans context
>>>>>>> with scope type annotation @SessionScoped does not exist within
>> current
>>>>>>> thread
>>>>>>> at
>>>>>>>
>> org.apache.webbeans.container.BeanManagerImpl.getContext(BeanManagerImpl.java:329)
>>>>>>> ~[openwebbeans-impl.jar:2.0.12]
>>>>>>> at
>>>>>>>
>> org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.getContextualInstance(NormalScopedBeanInterceptorHandler.java:89)
>>>>>>> ~[openwebbeans-impl.jar:2.0.12]
>>>>>>> at
>>>>>>>
>> org.apache.webbeans.intercept.SessionScopedBeanInterceptorHandler.getContextualInstance(SessionScopedBeanInterceptorHandler.java:76)
>>>>>>> ~[openwebbeans-impl.jar:2.0.12]
>>>>>>> at
>>>>>>>
>> org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.get(NormalScopedBeanInterceptorHandler.java:71)
>>>>>>> ~[openwebbeans-impl.jar:2.0.12]
>>>>>>> at
>>>>>>>
>> org.apache.myfaces.cdi.view.ViewScopeBeanHolder$$OwbNormalScopeProxy2.destroyBeans(org/apache/myfaces/cdi/view/ViewScopeBeanHolder.java)
>>>>>>> ~[?:2.3.8]
>>>>>>> at
>>>>>>>
>> org.apache.myfaces.cdi.impl.CDIManagedBeanHandlerImpl.onSessionDestroyed(CDIManagedBeanHandlerImpl.java:113)
>>>>>>> ~[myfaces-impl.jar:2.3.8]
>>>>>>> at
>>>>>>>
>> org.apache.myfaces.webapp.ManagedBeanDestroyerListener.sessionDestroyed(ManagedBeanDestroyerListener.java:201)
>>>>>>> ~[myfaces-impl.jar:2.3.8]
>>>>>>> at
>>>>>>>
>> org.apache.catalina.session.StandardSession.expire(StandardSession.java:801)
>>>>>>> [catalina.jar:9.0.22]
>>>>>>> at
>>>>>>>
>> org.apache.catalina.session.StandardSession.isValid(StandardSession.java:659)
>>>>>>> [catalina.jar:9.0.22]
>>>>>>> at
>>>>>>>
>> org.apache.catalina.session.ManagerBase.processExpires(ManagerBase.java:573)
>>>>>>> [catalina.jar:9.0.22]
>>>>>>> at
>>>>>>>
>> org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:558)
>>>>>>> [catalina.jar:9.0.22]
>>>>>>> at
>>>>>>>
>> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5536)
>>>>>>> [catalina.jar:9.0.22]
>>>>>>> at
>>>>>>>
>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353)
>>>>>>> [catalina.jar:9.0.22]
>>>>>>> at
>>>>>>>
>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
>>>>>>> [catalina.jar:9.0.22]
>>>>>>> at
>>>>>>>
>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
>>>>>>> [catalina.jar:9.0.22]
>>>>>>> at
>>>>>>>
>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335)
>>>>>>> [catalina.jar:9.0.22]
>>>>>>> at
>>>>>>>
>> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
>>>>>>> [?:?]
>>>>>>> at
>>>>>>> java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
>> [?:?]
>>>>>>> at
>>>>>>>
>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
>>>>>>> [?:?]
>>>>>>> at
>>>>>>>
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>>>>>>> [?:?]
>>>>>>> at
>>>>>>>
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>>>>>>> [?:?]
>>>>>>> at
>>>>>>>
>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>>> [tomcat-util.jar:9.0.22]
>>>>>>> at java.lang.Thread.run(Thread.java:834) [?:?]
>>>>>>>
>>>>>>> We also upgraded Tomcat to 9.0.46 and OpenWebBeans to 2.0.21 trying
>> to
>>>>>>> fix the problem - without success. We are not sure what causes the
>>>>>>> issue. We assume it has something to do with expired cookies being
>> sent
>>>>>>> to the server, but we are not sure that would sum up to the amount we
>>>>>>> see. Also, we can't seem to be able to reproduce it on anything but
>>>>>>> production system.
>>>>>>>
>>>>>>> JSF stack:
>>>>>>>
>>>>>>> * Tomcat 9.0.46
>>>>>>> * OpenWebBeans 2.0.21
>>>>>>> * MyFaces 2.3.8
>>>>>>> * DeltaSpike 1.9.3 (not sure if relevant)
>>>>>>>
>>>>>>> Any hint, help, or suggestion on debugging and narrowing down the
>> issue
>>>>>>> is very much appreciated. If more information is needed, feel free to
>>>>>>> ask. I'm not sure what's relevant, so I don't really know what to add
>>>>>>> here.
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Juri
>>>>>>>
>>>>>>>
Re: Huge amount of "SessionScope not active" since upgrade to 2.3.8
Posted by Thomas Andraschko <an...@gmail.com>.
Yep exactly.
If that works, please create a issue and some PRs (2.2, 2.3, 3.0 and
2.3-next)
Am Mo., 8. März 2021 um 12:37 Uhr schrieb Juri Berlanda <
juri.berlanda@tuwien.ac.at>:
> Hello again,
>
> thanks for the quick answer.
>
> Unfortunately, I cannot downgrade to find out if 2.3.7 caused the issue
> because - as mentioned - we only see the behavior in production, and I
> can't risk having known unpatched vulnerabilities in production.
>
> For the "test on your side if it works" part, I need to check with
> operations, but assuming it is a one-liner I can put on top a clean
> 2.3.8 I should get the waiver to have it in production.
>
> Did you think something like:
>
> diff --git
> a/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java
>
>
> b/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java
> index 66d7cf639..17ee05b4e 100644
> ---
>
> a/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java
> +++
>
> b/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java
> @@ -106,7 +106,7 @@ public class CDIManagedBeanHandlerImpl extends
> ViewScopeProvider
> FacesContext facesContext = FacesContext.getCurrentInstance();
> if (facesContext != null)
> {
> - if (facesContext.getExternalContext().getSession(false) !=
> null)
> + if (facesContext.getExternalContext().getSession(false) !=
> null && CDIUtils.isSessionScopeActive(beanManager))
> {
> if (isViewScopeBeanHolderCreated(facesContext))
>
> Cheers,
>
> Juri
>
> On 3/5/21 2:54 PM, Thomas Andraschko wrote:
> > this is also explained here:
> >
> https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/view/ViewScopeBeanHolder.java#L187
> >
> > in think the CDIManagedBeanHandlerImpl.java#
> > <
> https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java#L113
> >onSessionDestroyed
> > should check if SessionScoped exists before getting the bean holders.
> > A PR would be great and a test on your side if it works.
> >
> > Am Fr., 5. März 2021 um 14:45 Uhr schrieb Thomas Andraschko <
> > andraschko.thomas@gmail.com>:
> >
> >> the problem and described is actually here:
> >>
> https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java#L113
> >>
> >> on the one hand, we rely on @PreDestroy on ViewScopeBeanHolder, on the
> >> other hand we manually invoke the
> getViewScopeBeanHolder().destroyBeans();
> >> but the ViewScopeBeanHolder is SessionScoped, which doesnt exist in
> MyFaces
> >> HttpSessionListener#onSessionDestroyed.
> >> i think thats just a bug.
> >>
> >> Am Fr., 5. März 2021 um 14:21 Uhr schrieb Thomas Andraschko <
> >> andraschko.thomas@gmail.com>:
> >>
> >>> This could be the reason:
> >>> https://issues.apache.org/jira/browse/MYFACES-4353
> >>>
> >>> Am Fr., 5. März 2021 um 14:19 Uhr schrieb Thomas Andraschko <
> >>> andraschko.thomas@gmail.com>:
> >>>
> >>>> Can you try to find the version which introduced it?
> >>>>
> >>>> Am Fr., 5. März 2021 um 13:57 Uhr schrieb Juri Berlanda <
> >>>> juri.berlanda@tuwien.ac.at>:
> >>>>
> >>>>> Hello,
> >>>>>
> >>>>> we recently upgraded to MyFaces 2.3.8 due to the CSRF vulnerability
> >>>>> reported here late February. We were on 2.3.4 before. Since then we
> see
> >>>>> an insane amount (i.e. 100000+ per day) of "SessionScope does not
> exist
> >>>>> within current thread" in our logs, like:
> >>>>>
> >>>>> 15:46:41.421 ERROR
> >>>>>
> org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/events]
> >>>>> - Session event listener threw exception
> >>>>> javax.enterprise.context.ContextNotActiveException: WebBeans context
> >>>>> with scope type annotation @SessionScoped does not exist within
> current
> >>>>> thread
> >>>>> at
> >>>>>
> org.apache.webbeans.container.BeanManagerImpl.getContext(BeanManagerImpl.java:329)
> >>>>>
> >>>>> ~[openwebbeans-impl.jar:2.0.12]
> >>>>> at
> >>>>>
> org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.getContextualInstance(NormalScopedBeanInterceptorHandler.java:89)
> >>>>>
> >>>>> ~[openwebbeans-impl.jar:2.0.12]
> >>>>> at
> >>>>>
> org.apache.webbeans.intercept.SessionScopedBeanInterceptorHandler.getContextualInstance(SessionScopedBeanInterceptorHandler.java:76)
> >>>>>
> >>>>> ~[openwebbeans-impl.jar:2.0.12]
> >>>>> at
> >>>>>
> org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.get(NormalScopedBeanInterceptorHandler.java:71)
> >>>>>
> >>>>> ~[openwebbeans-impl.jar:2.0.12]
> >>>>> at
> >>>>>
> org.apache.myfaces.cdi.view.ViewScopeBeanHolder$$OwbNormalScopeProxy2.destroyBeans(org/apache/myfaces/cdi/view/ViewScopeBeanHolder.java)
> >>>>>
> >>>>> ~[?:2.3.8]
> >>>>> at
> >>>>>
> org.apache.myfaces.cdi.impl.CDIManagedBeanHandlerImpl.onSessionDestroyed(CDIManagedBeanHandlerImpl.java:113)
> >>>>>
> >>>>> ~[myfaces-impl.jar:2.3.8]
> >>>>> at
> >>>>>
> org.apache.myfaces.webapp.ManagedBeanDestroyerListener.sessionDestroyed(ManagedBeanDestroyerListener.java:201)
> >>>>>
> >>>>> ~[myfaces-impl.jar:2.3.8]
> >>>>> at
> >>>>>
> org.apache.catalina.session.StandardSession.expire(StandardSession.java:801)
> >>>>>
> >>>>> [catalina.jar:9.0.22]
> >>>>> at
> >>>>>
> org.apache.catalina.session.StandardSession.isValid(StandardSession.java:659)
> >>>>>
> >>>>> [catalina.jar:9.0.22]
> >>>>> at
> >>>>>
> org.apache.catalina.session.ManagerBase.processExpires(ManagerBase.java:573)
> >>>>>
> >>>>> [catalina.jar:9.0.22]
> >>>>> at
> >>>>>
> org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:558)
> >>>>>
> >>>>> [catalina.jar:9.0.22]
> >>>>> at
> >>>>>
> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5536)
> >>>>>
> >>>>> [catalina.jar:9.0.22]
> >>>>> at
> >>>>>
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353)
> >>>>>
> >>>>> [catalina.jar:9.0.22]
> >>>>> at
> >>>>>
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
> >>>>>
> >>>>> [catalina.jar:9.0.22]
> >>>>> at
> >>>>>
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
> >>>>>
> >>>>> [catalina.jar:9.0.22]
> >>>>> at
> >>>>>
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335)
> >>>>>
> >>>>> [catalina.jar:9.0.22]
> >>>>> at
> >>>>>
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
> >>>>> [?:?]
> >>>>> at
> >>>>> java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
> [?:?]
> >>>>> at
> >>>>>
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
> >>>>>
> >>>>> [?:?]
> >>>>> at
> >>>>>
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
> >>>>>
> >>>>> [?:?]
> >>>>> at
> >>>>>
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
> >>>>>
> >>>>> [?:?]
> >>>>> at
> >>>>>
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> >>>>>
> >>>>> [tomcat-util.jar:9.0.22]
> >>>>> at java.lang.Thread.run(Thread.java:834) [?:?]
> >>>>>
> >>>>> We also upgraded Tomcat to 9.0.46 and OpenWebBeans to 2.0.21 trying
> to
> >>>>> fix the problem - without success. We are not sure what causes the
> >>>>> issue. We assume it has something to do with expired cookies being
> sent
> >>>>> to the server, but we are not sure that would sum up to the amount we
> >>>>> see. Also, we can't seem to be able to reproduce it on anything but
> >>>>> production system.
> >>>>>
> >>>>> JSF stack:
> >>>>>
> >>>>> * Tomcat 9.0.46
> >>>>> * OpenWebBeans 2.0.21
> >>>>> * MyFaces 2.3.8
> >>>>> * DeltaSpike 1.9.3 (not sure if relevant)
> >>>>>
> >>>>> Any hint, help, or suggestion on debugging and narrowing down the
> issue
> >>>>> is very much appreciated. If more information is needed, feel free to
> >>>>> ask. I'm not sure what's relevant, so I don't really know what to add
> >>>>> here.
> >>>>>
> >>>>> Cheers,
> >>>>>
> >>>>> Juri
> >>>>>
> >>>>>
>
Re: Huge amount of "SessionScope not active" since upgrade to 2.3.8
Posted by Juri Berlanda <ju...@tuwien.ac.at>.
Hello again,
thanks for the quick answer.
Unfortunately, I cannot downgrade to find out if 2.3.7 caused the issue
because - as mentioned - we only see the behavior in production, and I
can't risk having known unpatched vulnerabilities in production.
For the "test on your side if it works" part, I need to check with
operations, but assuming it is a one-liner I can put on top a clean
2.3.8 I should get the waiver to have it in production.
Did you think something like:
diff --git
a/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java
b/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java
index 66d7cf639..17ee05b4e 100644
---
a/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java
+++
b/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java
@@ -106,7 +106,7 @@ public class CDIManagedBeanHandlerImpl extends
ViewScopeProvider
FacesContext facesContext = FacesContext.getCurrentInstance();
if (facesContext != null)
{
- if (facesContext.getExternalContext().getSession(false) !=
null)
+ if (facesContext.getExternalContext().getSession(false) !=
null && CDIUtils.isSessionScopeActive(beanManager))
{
if (isViewScopeBeanHolderCreated(facesContext))
Cheers,
Juri
On 3/5/21 2:54 PM, Thomas Andraschko wrote:
> this is also explained here:
> https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/view/ViewScopeBeanHolder.java#L187
>
> in think the CDIManagedBeanHandlerImpl.java#
> <https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java#L113>onSessionDestroyed
> should check if SessionScoped exists before getting the bean holders.
> A PR would be great and a test on your side if it works.
>
> Am Fr., 5. März 2021 um 14:45 Uhr schrieb Thomas Andraschko <
> andraschko.thomas@gmail.com>:
>
>> the problem and described is actually here:
>> https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java#L113
>>
>> on the one hand, we rely on @PreDestroy on ViewScopeBeanHolder, on the
>> other hand we manually invoke the getViewScopeBeanHolder().destroyBeans();
>> but the ViewScopeBeanHolder is SessionScoped, which doesnt exist in MyFaces
>> HttpSessionListener#onSessionDestroyed.
>> i think thats just a bug.
>>
>> Am Fr., 5. März 2021 um 14:21 Uhr schrieb Thomas Andraschko <
>> andraschko.thomas@gmail.com>:
>>
>>> This could be the reason:
>>> https://issues.apache.org/jira/browse/MYFACES-4353
>>>
>>> Am Fr., 5. März 2021 um 14:19 Uhr schrieb Thomas Andraschko <
>>> andraschko.thomas@gmail.com>:
>>>
>>>> Can you try to find the version which introduced it?
>>>>
>>>> Am Fr., 5. März 2021 um 13:57 Uhr schrieb Juri Berlanda <
>>>> juri.berlanda@tuwien.ac.at>:
>>>>
>>>>> Hello,
>>>>>
>>>>> we recently upgraded to MyFaces 2.3.8 due to the CSRF vulnerability
>>>>> reported here late February. We were on 2.3.4 before. Since then we see
>>>>> an insane amount (i.e. 100000+ per day) of "SessionScope does not exist
>>>>> within current thread" in our logs, like:
>>>>>
>>>>> 15:46:41.421 ERROR
>>>>> org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/events]
>>>>> - Session event listener threw exception
>>>>> javax.enterprise.context.ContextNotActiveException: WebBeans context
>>>>> with scope type annotation @SessionScoped does not exist within current
>>>>> thread
>>>>> at
>>>>> org.apache.webbeans.container.BeanManagerImpl.getContext(BeanManagerImpl.java:329)
>>>>>
>>>>> ~[openwebbeans-impl.jar:2.0.12]
>>>>> at
>>>>> org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.getContextualInstance(NormalScopedBeanInterceptorHandler.java:89)
>>>>>
>>>>> ~[openwebbeans-impl.jar:2.0.12]
>>>>> at
>>>>> org.apache.webbeans.intercept.SessionScopedBeanInterceptorHandler.getContextualInstance(SessionScopedBeanInterceptorHandler.java:76)
>>>>>
>>>>> ~[openwebbeans-impl.jar:2.0.12]
>>>>> at
>>>>> org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.get(NormalScopedBeanInterceptorHandler.java:71)
>>>>>
>>>>> ~[openwebbeans-impl.jar:2.0.12]
>>>>> at
>>>>> org.apache.myfaces.cdi.view.ViewScopeBeanHolder$$OwbNormalScopeProxy2.destroyBeans(org/apache/myfaces/cdi/view/ViewScopeBeanHolder.java)
>>>>>
>>>>> ~[?:2.3.8]
>>>>> at
>>>>> org.apache.myfaces.cdi.impl.CDIManagedBeanHandlerImpl.onSessionDestroyed(CDIManagedBeanHandlerImpl.java:113)
>>>>>
>>>>> ~[myfaces-impl.jar:2.3.8]
>>>>> at
>>>>> org.apache.myfaces.webapp.ManagedBeanDestroyerListener.sessionDestroyed(ManagedBeanDestroyerListener.java:201)
>>>>>
>>>>> ~[myfaces-impl.jar:2.3.8]
>>>>> at
>>>>> org.apache.catalina.session.StandardSession.expire(StandardSession.java:801)
>>>>>
>>>>> [catalina.jar:9.0.22]
>>>>> at
>>>>> org.apache.catalina.session.StandardSession.isValid(StandardSession.java:659)
>>>>>
>>>>> [catalina.jar:9.0.22]
>>>>> at
>>>>> org.apache.catalina.session.ManagerBase.processExpires(ManagerBase.java:573)
>>>>>
>>>>> [catalina.jar:9.0.22]
>>>>> at
>>>>> org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:558)
>>>>>
>>>>> [catalina.jar:9.0.22]
>>>>> at
>>>>> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5536)
>>>>>
>>>>> [catalina.jar:9.0.22]
>>>>> at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353)
>>>>>
>>>>> [catalina.jar:9.0.22]
>>>>> at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
>>>>>
>>>>> [catalina.jar:9.0.22]
>>>>> at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
>>>>>
>>>>> [catalina.jar:9.0.22]
>>>>> at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335)
>>>>>
>>>>> [catalina.jar:9.0.22]
>>>>> at
>>>>> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
>>>>> [?:?]
>>>>> at
>>>>> java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) [?:?]
>>>>> at
>>>>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
>>>>>
>>>>> [?:?]
>>>>> at
>>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>>>>>
>>>>> [?:?]
>>>>> at
>>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>>>>>
>>>>> [?:?]
>>>>> at
>>>>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>
>>>>> [tomcat-util.jar:9.0.22]
>>>>> at java.lang.Thread.run(Thread.java:834) [?:?]
>>>>>
>>>>> We also upgraded Tomcat to 9.0.46 and OpenWebBeans to 2.0.21 trying to
>>>>> fix the problem - without success. We are not sure what causes the
>>>>> issue. We assume it has something to do with expired cookies being sent
>>>>> to the server, but we are not sure that would sum up to the amount we
>>>>> see. Also, we can't seem to be able to reproduce it on anything but
>>>>> production system.
>>>>>
>>>>> JSF stack:
>>>>>
>>>>> * Tomcat 9.0.46
>>>>> * OpenWebBeans 2.0.21
>>>>> * MyFaces 2.3.8
>>>>> * DeltaSpike 1.9.3 (not sure if relevant)
>>>>>
>>>>> Any hint, help, or suggestion on debugging and narrowing down the issue
>>>>> is very much appreciated. If more information is needed, feel free to
>>>>> ask. I'm not sure what's relevant, so I don't really know what to add
>>>>> here.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Juri
>>>>>
>>>>>
Re: Huge amount of "SessionScope not active" since upgrade to 2.3.8
Posted by Thomas Andraschko <an...@gmail.com>.
this is also explained here:
https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/view/ViewScopeBeanHolder.java#L187
in think the CDIManagedBeanHandlerImpl.java#
<https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java#L113>onSessionDestroyed
should check if SessionScoped exists before getting the bean holders.
A PR would be great and a test on your side if it works.
Am Fr., 5. März 2021 um 14:45 Uhr schrieb Thomas Andraschko <
andraschko.thomas@gmail.com>:
> the problem and described is actually here:
> https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java#L113
>
> on the one hand, we rely on @PreDestroy on ViewScopeBeanHolder, on the
> other hand we manually invoke the getViewScopeBeanHolder().destroyBeans();
> but the ViewScopeBeanHolder is SessionScoped, which doesnt exist in MyFaces
> HttpSessionListener#onSessionDestroyed.
> i think thats just a bug.
>
> Am Fr., 5. März 2021 um 14:21 Uhr schrieb Thomas Andraschko <
> andraschko.thomas@gmail.com>:
>
>> This could be the reason:
>> https://issues.apache.org/jira/browse/MYFACES-4353
>>
>> Am Fr., 5. März 2021 um 14:19 Uhr schrieb Thomas Andraschko <
>> andraschko.thomas@gmail.com>:
>>
>>> Can you try to find the version which introduced it?
>>>
>>> Am Fr., 5. März 2021 um 13:57 Uhr schrieb Juri Berlanda <
>>> juri.berlanda@tuwien.ac.at>:
>>>
>>>> Hello,
>>>>
>>>> we recently upgraded to MyFaces 2.3.8 due to the CSRF vulnerability
>>>> reported here late February. We were on 2.3.4 before. Since then we see
>>>> an insane amount (i.e. 100000+ per day) of "SessionScope does not exist
>>>> within current thread" in our logs, like:
>>>>
>>>> 15:46:41.421 ERROR
>>>> org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/events]
>>>> - Session event listener threw exception
>>>> javax.enterprise.context.ContextNotActiveException: WebBeans context
>>>> with scope type annotation @SessionScoped does not exist within current
>>>> thread
>>>> at
>>>> org.apache.webbeans.container.BeanManagerImpl.getContext(BeanManagerImpl.java:329)
>>>>
>>>> ~[openwebbeans-impl.jar:2.0.12]
>>>> at
>>>> org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.getContextualInstance(NormalScopedBeanInterceptorHandler.java:89)
>>>>
>>>> ~[openwebbeans-impl.jar:2.0.12]
>>>> at
>>>> org.apache.webbeans.intercept.SessionScopedBeanInterceptorHandler.getContextualInstance(SessionScopedBeanInterceptorHandler.java:76)
>>>>
>>>> ~[openwebbeans-impl.jar:2.0.12]
>>>> at
>>>> org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.get(NormalScopedBeanInterceptorHandler.java:71)
>>>>
>>>> ~[openwebbeans-impl.jar:2.0.12]
>>>> at
>>>> org.apache.myfaces.cdi.view.ViewScopeBeanHolder$$OwbNormalScopeProxy2.destroyBeans(org/apache/myfaces/cdi/view/ViewScopeBeanHolder.java)
>>>>
>>>> ~[?:2.3.8]
>>>> at
>>>> org.apache.myfaces.cdi.impl.CDIManagedBeanHandlerImpl.onSessionDestroyed(CDIManagedBeanHandlerImpl.java:113)
>>>>
>>>> ~[myfaces-impl.jar:2.3.8]
>>>> at
>>>> org.apache.myfaces.webapp.ManagedBeanDestroyerListener.sessionDestroyed(ManagedBeanDestroyerListener.java:201)
>>>>
>>>> ~[myfaces-impl.jar:2.3.8]
>>>> at
>>>> org.apache.catalina.session.StandardSession.expire(StandardSession.java:801)
>>>>
>>>> [catalina.jar:9.0.22]
>>>> at
>>>> org.apache.catalina.session.StandardSession.isValid(StandardSession.java:659)
>>>>
>>>> [catalina.jar:9.0.22]
>>>> at
>>>> org.apache.catalina.session.ManagerBase.processExpires(ManagerBase.java:573)
>>>>
>>>> [catalina.jar:9.0.22]
>>>> at
>>>> org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:558)
>>>>
>>>> [catalina.jar:9.0.22]
>>>> at
>>>> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5536)
>>>>
>>>> [catalina.jar:9.0.22]
>>>> at
>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353)
>>>>
>>>> [catalina.jar:9.0.22]
>>>> at
>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
>>>>
>>>> [catalina.jar:9.0.22]
>>>> at
>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
>>>>
>>>> [catalina.jar:9.0.22]
>>>> at
>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335)
>>>>
>>>> [catalina.jar:9.0.22]
>>>> at
>>>> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
>>>> [?:?]
>>>> at
>>>> java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) [?:?]
>>>> at
>>>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
>>>>
>>>> [?:?]
>>>> at
>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>>>>
>>>> [?:?]
>>>> at
>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>>>>
>>>> [?:?]
>>>> at
>>>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>
>>>> [tomcat-util.jar:9.0.22]
>>>> at java.lang.Thread.run(Thread.java:834) [?:?]
>>>>
>>>> We also upgraded Tomcat to 9.0.46 and OpenWebBeans to 2.0.21 trying to
>>>> fix the problem - without success. We are not sure what causes the
>>>> issue. We assume it has something to do with expired cookies being sent
>>>> to the server, but we are not sure that would sum up to the amount we
>>>> see. Also, we can't seem to be able to reproduce it on anything but
>>>> production system.
>>>>
>>>> JSF stack:
>>>>
>>>> * Tomcat 9.0.46
>>>> * OpenWebBeans 2.0.21
>>>> * MyFaces 2.3.8
>>>> * DeltaSpike 1.9.3 (not sure if relevant)
>>>>
>>>> Any hint, help, or suggestion on debugging and narrowing down the issue
>>>> is very much appreciated. If more information is needed, feel free to
>>>> ask. I'm not sure what's relevant, so I don't really know what to add
>>>> here.
>>>>
>>>> Cheers,
>>>>
>>>> Juri
>>>>
>>>>
Re: Huge amount of "SessionScope not active" since upgrade to 2.3.8
Posted by Thomas Andraschko <an...@gmail.com>.
the problem and described is actually here:
https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java#L113
on the one hand, we rely on @PreDestroy on ViewScopeBeanHolder, on the
other hand we manually invoke the getViewScopeBeanHolder().destroyBeans();
but the ViewScopeBeanHolder is SessionScoped, which doesnt exist in MyFaces
HttpSessionListener#onSessionDestroyed.
i think thats just a bug.
Am Fr., 5. März 2021 um 14:21 Uhr schrieb Thomas Andraschko <
andraschko.thomas@gmail.com>:
> This could be the reason:
> https://issues.apache.org/jira/browse/MYFACES-4353
>
> Am Fr., 5. März 2021 um 14:19 Uhr schrieb Thomas Andraschko <
> andraschko.thomas@gmail.com>:
>
>> Can you try to find the version which introduced it?
>>
>> Am Fr., 5. März 2021 um 13:57 Uhr schrieb Juri Berlanda <
>> juri.berlanda@tuwien.ac.at>:
>>
>>> Hello,
>>>
>>> we recently upgraded to MyFaces 2.3.8 due to the CSRF vulnerability
>>> reported here late February. We were on 2.3.4 before. Since then we see
>>> an insane amount (i.e. 100000+ per day) of "SessionScope does not exist
>>> within current thread" in our logs, like:
>>>
>>> 15:46:41.421 ERROR
>>> org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/events]
>>> - Session event listener threw exception
>>> javax.enterprise.context.ContextNotActiveException: WebBeans context
>>> with scope type annotation @SessionScoped does not exist within current
>>> thread
>>> at
>>> org.apache.webbeans.container.BeanManagerImpl.getContext(BeanManagerImpl.java:329)
>>>
>>> ~[openwebbeans-impl.jar:2.0.12]
>>> at
>>> org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.getContextualInstance(NormalScopedBeanInterceptorHandler.java:89)
>>>
>>> ~[openwebbeans-impl.jar:2.0.12]
>>> at
>>> org.apache.webbeans.intercept.SessionScopedBeanInterceptorHandler.getContextualInstance(SessionScopedBeanInterceptorHandler.java:76)
>>>
>>> ~[openwebbeans-impl.jar:2.0.12]
>>> at
>>> org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.get(NormalScopedBeanInterceptorHandler.java:71)
>>>
>>> ~[openwebbeans-impl.jar:2.0.12]
>>> at
>>> org.apache.myfaces.cdi.view.ViewScopeBeanHolder$$OwbNormalScopeProxy2.destroyBeans(org/apache/myfaces/cdi/view/ViewScopeBeanHolder.java)
>>>
>>> ~[?:2.3.8]
>>> at
>>> org.apache.myfaces.cdi.impl.CDIManagedBeanHandlerImpl.onSessionDestroyed(CDIManagedBeanHandlerImpl.java:113)
>>>
>>> ~[myfaces-impl.jar:2.3.8]
>>> at
>>> org.apache.myfaces.webapp.ManagedBeanDestroyerListener.sessionDestroyed(ManagedBeanDestroyerListener.java:201)
>>>
>>> ~[myfaces-impl.jar:2.3.8]
>>> at
>>> org.apache.catalina.session.StandardSession.expire(StandardSession.java:801)
>>>
>>> [catalina.jar:9.0.22]
>>> at
>>> org.apache.catalina.session.StandardSession.isValid(StandardSession.java:659)
>>>
>>> [catalina.jar:9.0.22]
>>> at
>>> org.apache.catalina.session.ManagerBase.processExpires(ManagerBase.java:573)
>>>
>>> [catalina.jar:9.0.22]
>>> at
>>> org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:558)
>>>
>>> [catalina.jar:9.0.22]
>>> at
>>> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5536)
>>>
>>> [catalina.jar:9.0.22]
>>> at
>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353)
>>>
>>> [catalina.jar:9.0.22]
>>> at
>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
>>>
>>> [catalina.jar:9.0.22]
>>> at
>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
>>>
>>> [catalina.jar:9.0.22]
>>> at
>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335)
>>>
>>> [catalina.jar:9.0.22]
>>> at
>>> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
>>> [?:?]
>>> at
>>> java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) [?:?]
>>> at
>>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
>>>
>>> [?:?]
>>> at
>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>>>
>>> [?:?]
>>> at
>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>>>
>>> [?:?]
>>> at
>>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>
>>> [tomcat-util.jar:9.0.22]
>>> at java.lang.Thread.run(Thread.java:834) [?:?]
>>>
>>> We also upgraded Tomcat to 9.0.46 and OpenWebBeans to 2.0.21 trying to
>>> fix the problem - without success. We are not sure what causes the
>>> issue. We assume it has something to do with expired cookies being sent
>>> to the server, but we are not sure that would sum up to the amount we
>>> see. Also, we can't seem to be able to reproduce it on anything but
>>> production system.
>>>
>>> JSF stack:
>>>
>>> * Tomcat 9.0.46
>>> * OpenWebBeans 2.0.21
>>> * MyFaces 2.3.8
>>> * DeltaSpike 1.9.3 (not sure if relevant)
>>>
>>> Any hint, help, or suggestion on debugging and narrowing down the issue
>>> is very much appreciated. If more information is needed, feel free to
>>> ask. I'm not sure what's relevant, so I don't really know what to add
>>> here.
>>>
>>> Cheers,
>>>
>>> Juri
>>>
>>>
Re: Huge amount of "SessionScope not active" since upgrade to 2.3.8
Posted by Thomas Andraschko <an...@gmail.com>.
This could be the reason: https://issues.apache.org/jira/browse/MYFACES-4353
Am Fr., 5. März 2021 um 14:19 Uhr schrieb Thomas Andraschko <
andraschko.thomas@gmail.com>:
> Can you try to find the version which introduced it?
>
> Am Fr., 5. März 2021 um 13:57 Uhr schrieb Juri Berlanda <
> juri.berlanda@tuwien.ac.at>:
>
>> Hello,
>>
>> we recently upgraded to MyFaces 2.3.8 due to the CSRF vulnerability
>> reported here late February. We were on 2.3.4 before. Since then we see
>> an insane amount (i.e. 100000+ per day) of "SessionScope does not exist
>> within current thread" in our logs, like:
>>
>> 15:46:41.421 ERROR
>> org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/events]
>> - Session event listener threw exception
>> javax.enterprise.context.ContextNotActiveException: WebBeans context
>> with scope type annotation @SessionScoped does not exist within current
>> thread
>> at
>> org.apache.webbeans.container.BeanManagerImpl.getContext(BeanManagerImpl.java:329)
>>
>> ~[openwebbeans-impl.jar:2.0.12]
>> at
>> org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.getContextualInstance(NormalScopedBeanInterceptorHandler.java:89)
>>
>> ~[openwebbeans-impl.jar:2.0.12]
>> at
>> org.apache.webbeans.intercept.SessionScopedBeanInterceptorHandler.getContextualInstance(SessionScopedBeanInterceptorHandler.java:76)
>>
>> ~[openwebbeans-impl.jar:2.0.12]
>> at
>> org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.get(NormalScopedBeanInterceptorHandler.java:71)
>>
>> ~[openwebbeans-impl.jar:2.0.12]
>> at
>> org.apache.myfaces.cdi.view.ViewScopeBeanHolder$$OwbNormalScopeProxy2.destroyBeans(org/apache/myfaces/cdi/view/ViewScopeBeanHolder.java)
>>
>> ~[?:2.3.8]
>> at
>> org.apache.myfaces.cdi.impl.CDIManagedBeanHandlerImpl.onSessionDestroyed(CDIManagedBeanHandlerImpl.java:113)
>>
>> ~[myfaces-impl.jar:2.3.8]
>> at
>> org.apache.myfaces.webapp.ManagedBeanDestroyerListener.sessionDestroyed(ManagedBeanDestroyerListener.java:201)
>>
>> ~[myfaces-impl.jar:2.3.8]
>> at
>> org.apache.catalina.session.StandardSession.expire(StandardSession.java:801)
>>
>> [catalina.jar:9.0.22]
>> at
>> org.apache.catalina.session.StandardSession.isValid(StandardSession.java:659)
>>
>> [catalina.jar:9.0.22]
>> at
>> org.apache.catalina.session.ManagerBase.processExpires(ManagerBase.java:573)
>>
>> [catalina.jar:9.0.22]
>> at
>> org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:558)
>>
>> [catalina.jar:9.0.22]
>> at
>> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5536)
>>
>> [catalina.jar:9.0.22]
>> at
>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353)
>>
>> [catalina.jar:9.0.22]
>> at
>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
>>
>> [catalina.jar:9.0.22]
>> at
>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
>>
>> [catalina.jar:9.0.22]
>> at
>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335)
>>
>> [catalina.jar:9.0.22]
>> at
>> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
>> [?:?]
>> at
>> java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) [?:?]
>> at
>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
>>
>> [?:?]
>> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>>
>> [?:?]
>> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>>
>> [?:?]
>> at
>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>
>> [tomcat-util.jar:9.0.22]
>> at java.lang.Thread.run(Thread.java:834) [?:?]
>>
>> We also upgraded Tomcat to 9.0.46 and OpenWebBeans to 2.0.21 trying to
>> fix the problem - without success. We are not sure what causes the
>> issue. We assume it has something to do with expired cookies being sent
>> to the server, but we are not sure that would sum up to the amount we
>> see. Also, we can't seem to be able to reproduce it on anything but
>> production system.
>>
>> JSF stack:
>>
>> * Tomcat 9.0.46
>> * OpenWebBeans 2.0.21
>> * MyFaces 2.3.8
>> * DeltaSpike 1.9.3 (not sure if relevant)
>>
>> Any hint, help, or suggestion on debugging and narrowing down the issue
>> is very much appreciated. If more information is needed, feel free to
>> ask. I'm not sure what's relevant, so I don't really know what to add
>> here.
>>
>> Cheers,
>>
>> Juri
>>
>>
Re: Huge amount of "SessionScope not active" since upgrade to 2.3.8
Posted by Thomas Andraschko <an...@gmail.com>.
Can you try to find the version which introduced it?
Am Fr., 5. März 2021 um 13:57 Uhr schrieb Juri Berlanda <
juri.berlanda@tuwien.ac.at>:
> Hello,
>
> we recently upgraded to MyFaces 2.3.8 due to the CSRF vulnerability
> reported here late February. We were on 2.3.4 before. Since then we see
> an insane amount (i.e. 100000+ per day) of "SessionScope does not exist
> within current thread" in our logs, like:
>
> 15:46:41.421 ERROR
> org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/events]
> - Session event listener threw exception
> javax.enterprise.context.ContextNotActiveException: WebBeans context
> with scope type annotation @SessionScoped does not exist within current
> thread
> at
> org.apache.webbeans.container.BeanManagerImpl.getContext(BeanManagerImpl.java:329)
>
> ~[openwebbeans-impl.jar:2.0.12]
> at
> org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.getContextualInstance(NormalScopedBeanInterceptorHandler.java:89)
>
> ~[openwebbeans-impl.jar:2.0.12]
> at
> org.apache.webbeans.intercept.SessionScopedBeanInterceptorHandler.getContextualInstance(SessionScopedBeanInterceptorHandler.java:76)
>
> ~[openwebbeans-impl.jar:2.0.12]
> at
> org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.get(NormalScopedBeanInterceptorHandler.java:71)
>
> ~[openwebbeans-impl.jar:2.0.12]
> at
> org.apache.myfaces.cdi.view.ViewScopeBeanHolder$$OwbNormalScopeProxy2.destroyBeans(org/apache/myfaces/cdi/view/ViewScopeBeanHolder.java)
>
> ~[?:2.3.8]
> at
> org.apache.myfaces.cdi.impl.CDIManagedBeanHandlerImpl.onSessionDestroyed(CDIManagedBeanHandlerImpl.java:113)
>
> ~[myfaces-impl.jar:2.3.8]
> at
> org.apache.myfaces.webapp.ManagedBeanDestroyerListener.sessionDestroyed(ManagedBeanDestroyerListener.java:201)
>
> ~[myfaces-impl.jar:2.3.8]
> at
> org.apache.catalina.session.StandardSession.expire(StandardSession.java:801)
>
> [catalina.jar:9.0.22]
> at
> org.apache.catalina.session.StandardSession.isValid(StandardSession.java:659)
>
> [catalina.jar:9.0.22]
> at
> org.apache.catalina.session.ManagerBase.processExpires(ManagerBase.java:573)
>
> [catalina.jar:9.0.22]
> at
> org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:558)
>
> [catalina.jar:9.0.22]
> at
> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5536)
>
> [catalina.jar:9.0.22]
> at
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353)
>
> [catalina.jar:9.0.22]
> at
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
>
> [catalina.jar:9.0.22]
> at
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
>
> [catalina.jar:9.0.22]
> at
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335)
>
> [catalina.jar:9.0.22]
> at
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
> [?:?]
> at
> java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) [?:?]
> at
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
>
> [?:?]
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>
> [?:?]
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>
> [?:?]
> at
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>
> [tomcat-util.jar:9.0.22]
> at java.lang.Thread.run(Thread.java:834) [?:?]
>
> We also upgraded Tomcat to 9.0.46 and OpenWebBeans to 2.0.21 trying to
> fix the problem - without success. We are not sure what causes the
> issue. We assume it has something to do with expired cookies being sent
> to the server, but we are not sure that would sum up to the amount we
> see. Also, we can't seem to be able to reproduce it on anything but
> production system.
>
> JSF stack:
>
> * Tomcat 9.0.46
> * OpenWebBeans 2.0.21
> * MyFaces 2.3.8
> * DeltaSpike 1.9.3 (not sure if relevant)
>
> Any hint, help, or suggestion on debugging and narrowing down the issue
> is very much appreciated. If more information is needed, feel free to
> ask. I'm not sure what's relevant, so I don't really know what to add here.
>
> Cheers,
>
> Juri
>
>