Re: Huge amount of "SessionScope not active" since upgrade to 2.3.8

2021-03-10 Thread Juri Berlanda
Hello again, we released the patched 2.3.8 version yesterday and log flood is gone. I wasn't able to find the relevant piece of code in master branch though, so no PR for that for now. I created an issue (https://issues.apache.org/jira/browse/MYFACES-4382) and PRs for the individual branches

Re: Huge amount of "SessionScope not active" since upgrade to 2.3.8

2021-03-08 Thread Thomas Andraschko
Yep exactly. If that works, please create an issue and some PRs (2.2, 2.3, 3.0 and 2.3-next)

On Mon, 8 March 2021 at 12:37, Juri Berlanda <juri.berla...@tuwien.ac.at> wrote:
> Hello again,
>
> thanks for the quick answer.
>
> Unfortunately, I cannot downgrade to find out if 2.3.7 caused the

Re: Huge amount of "SessionScope not active" since upgrade to 2.3.8

2021-03-08 Thread Juri Berlanda
Hello again, thanks for the quick answer. Unfortunately, I cannot downgrade to find out if 2.3.7 caused the issue because - as mentioned - we only see the behavior in production, and I can't risk having known unpatched vulnerabilities in production. For the "test on your side if it works" pa

Re: Huge amount of "SessionScope not active" since upgrade to 2.3.8

2021-03-05 Thread Thomas Andraschko
this is also explained here: https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/view/ViewScopeBeanHolder.java#L187 I think the CDIManagedBeanHandlerImpl.java#

Re: Huge amount of "SessionScope not active" since upgrade to 2.3.8

2021-03-05 Thread Thomas Andraschko
the problem and described is actually here: https://github.com/apache/myfaces/blob/2.3.x/impl/src/main/java/org/apache/myfaces/cdi/impl/CDIManagedBeanHandlerImpl.java#L113 on the one hand, we rely on @PreDestroy on ViewScopeBeanHolder, on the other hand we manually invoke the getViewScopeBeanHolde

Re: Huge amount of "SessionScope not active" since upgrade to 2.3.8

2021-03-05 Thread Thomas Andraschko
This could be the reason: https://issues.apache.org/jira/browse/MYFACES-4353

On Fri, 5 March 2021 at 14:19, Thomas Andraschko <andraschko.tho...@gmail.com> wrote:
> Can you try to find the version which introduced it?
>
> On Fri, 5 March 2021 at 13:57, Juri Berlanda <
> juri.berl

Re: Huge amount of "SessionScope not active" since upgrade to 2.3.8

2021-03-05 Thread Thomas Andraschko
Can you try to find the version which introduced it?

On Fri, 5 March 2021 at 13:57, Juri Berlanda <juri.berla...@tuwien.ac.at> wrote:
> Hello,
>
> we recently upgraded to MyFaces 2.3.8 due to the CSRF vulnerability
> reported here late February. We were on 2.3.4 before. Since then we see
>

Huge amount of "SessionScope not active" since upgrade to 2.3.8

2021-03-05 Thread Juri Berlanda
Hello, we recently upgraded to MyFaces 2.3.8 due to the CSRF vulnerability reported here late February. We were on 2.3.4 before. Since then we see an insane amount (i.e. 10+ per day) of "SessionScope does not exist within current thread" in our logs, like: 15:46:41.421 ERROR org.apache.