Re: Huge amount of "SessionScope not active" since upgrade to 2.3.8

[Juri Berlanda]

Hello again,

we released the patched 2.3.8 version yesterday and log flood is gone. I 
wasn't able to find the relevant piece of code in master branch though, 
so no PR for that for now.

I created an issue (https://issues.apache.org/jira/browse/MYFACES-4382) 
and PRs for the individual branches (see the issue for links to them).

Cheers,

Juri

On 3/8/21 1:08 PM, Thomas Andraschko wrote:
Yep exactly.
If that works, please create a issue and some PRs (2.2, 2.3, 3.0 and
2.3-next)

Am Mo., 8. März 2021 um 12:37 Uhr schrieb Juri Berlanda <
juri.berla...@tuwien.ac.at>:

Hello again,

thanks for the quick answer.

Unfortunately, I cannot downgrade to find out if 2.3.7 caused the issue
because - as mentioned - we only see the behavior in production, and I
can't risk having known unpatched vulnerabilities in production.

For the "test on your side if it works" part, I need to check with
operations, but assuming it is a one-liner I can put on top a clean
2.3.8 I should get the waiver to have it in production.

Did you think something like:

diff --git
a/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java


b/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java
index 66d7cf639..17ee05b4e 100644
---

a/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java
+++

b/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java
@@ -106,7 +106,7 @@ public class CDIManagedBeanHandlerImpl extends
ViewScopeProvider
           FacesContext facesContext = FacesContext.getCurrentInstance();
           if (facesContext != null)
           {
-            if (facesContext.getExternalContext().getSession(false) !=
null)
+            if (facesContext.getExternalContext().getSession(false) !=
null && CDIUtils.isSessionScopeActive(beanManager))
               {
                   if (isViewScopeBeanHolderCreated(facesContext))

Cheers,

Juri

On 3/5/21 2:54 PM, Thomas Andraschko wrote:
this is also explained here:

https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/view/ViewScopeBeanHolder.java#L187
in think the CDIManagedBeanHandlerImpl.java#
<
https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java#L113
onSessionDestroyed
should check if SessionScoped exists before getting the bean holders.
A PR would be great and a test on your side if it works.

Am Fr., 5. März 2021 um 14:45 Uhr schrieb Thomas Andraschko <
andraschko.tho...@gmail.com>:

the problem and described is actually here:

https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java#L113
on the one hand, we rely on @PreDestroy on ViewScopeBeanHolder, on the
other hand we manually invoke the
getViewScopeBeanHolder().destroyBeans();
but the ViewScopeBeanHolder is SessionScoped, which doesnt exist in
MyFaces
HttpSessionListener#onSessionDestroyed.
i think thats just a bug.

Am Fr., 5. März 2021 um 14:21 Uhr schrieb Thomas Andraschko <
andraschko.tho...@gmail.com>:

This could be the reason:
https://issues.apache.org/jira/browse/MYFACES-4353

Am Fr., 5. März 2021 um 14:19 Uhr schrieb Thomas Andraschko <
andraschko.tho...@gmail.com>:

Can you try to find the version which introduced it?

Am Fr., 5. März 2021 um 13:57 Uhr schrieb Juri Berlanda <
juri.berla...@tuwien.ac.at>:

Hello,

we recently upgraded to MyFaces 2.3.8 due to the CSRF vulnerability
reported here late February. We were on 2.3.4 before. Since then we
see
an insane amount (i.e. 100000+ per day) of "SessionScope does not
exist
within current thread" in our logs, like:

15:46:41.421 ERROR

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/events]
- Session event listener threw exception
javax.enterprise.context.ContextNotActiveException: WebBeans context
with scope type annotation @SessionScoped does not exist within
current
thread
           at

org.apache.webbeans.container.BeanManagerImpl.getContext(BeanManagerImpl.java:329)
~[openwebbeans-impl.jar:2.0.12]
           at

org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.getContextualInstance(NormalScopedBeanInterceptorHandler.java:89)
~[openwebbeans-impl.jar:2.0.12]
           at

org.apache.webbeans.intercept.SessionScopedBeanInterceptorHandler.getContextualInstance(SessionScopedBeanInterceptorHandler.java:76)
~[openwebbeans-impl.jar:2.0.12]
           at

org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.get(NormalScopedBeanInterceptorHandler.java:71)
~[openwebbeans-impl.jar:2.0.12]
           at

org.apache.myfaces.cdi.view.ViewScopeBeanHolder$$OwbNormalScopeProxy2.destroyBeans(org/apache/myfaces/cdi/view/ViewScopeBeanHolder.java)
~[?:2.3.8]
           at

org.apache.myfaces.cdi.impl.CDIManagedBeanHandlerImpl.onSessionDestroyed(CDIManagedBeanHandlerImpl.java:113)
~[myfaces-impl.jar:2.3.8]
           at

org.apache.myfaces.webapp.ManagedBeanDestroyerListener.sessionDestroyed(ManagedBeanDestroyerListener.java:201)
~[myfaces-impl.jar:2.3.8]
           at

org.apache.catalina.session.StandardSession.expire(StandardSession.java:801)
[catalina.jar:9.0.22]
           at

org.apache.catalina.session.StandardSession.isValid(StandardSession.java:659)
[catalina.jar:9.0.22]
           at

org.apache.catalina.session.ManagerBase.processExpires(ManagerBase.java:573)
[catalina.jar:9.0.22]
           at

org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:558)
[catalina.jar:9.0.22]
           at

org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5536)
[catalina.jar:9.0.22]
           at

org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353)
[catalina.jar:9.0.22]
           at

org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
[catalina.jar:9.0.22]
           at

org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
[catalina.jar:9.0.22]
           at

org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335)
[catalina.jar:9.0.22]
           at

java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
[?:?]
           at
java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
[?:?]
           at

java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
[?:?]
           at

java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
[?:?]
           at

java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
[?:?]
           at

org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
[tomcat-util.jar:9.0.22]
           at java.lang.Thread.run(Thread.java:834) [?:?]

We also upgraded Tomcat to 9.0.46 and OpenWebBeans to 2.0.21 trying
to
fix the problem - without success. We are not  sure what causes the
issue. We assume it has something to do with expired cookies being
sent
to the server, but we are not sure that would sum up to the amount we
see. Also, we can't seem to be able to reproduce it on anything but
production system.

JSF stack:

    * Tomcat 9.0.46
    * OpenWebBeans 2.0.21
    * MyFaces 2.3.8
    * DeltaSpike 1.9.3 (not sure if relevant)

Any hint, help, or suggestion on debugging and narrowing down the
issue
is very much appreciated. If more information is needed, feel free to
ask. I'm not sure what's relevant, so I don't really know what to add
here.

Cheers,

Juri