Closed exabrial closed 1 month ago
Thanks for the kind words! BootsFaces is a leisure time project, so a little "thumbs up!" means a lot to us!
These days I'm mostly occupied with another open source project of mine, but I must admit your bug looks interesting. I'm not sure I can reproduce it quickly. Would you mind to send us a reproducer? I.e. a small, minimal program showing the bug without requiring any configuration? In particular, no database?
Thanks in advance, Stephan
You're welcome :)
I forgot to mention the scenario why this is important: If you want to use bootsfaces on a page that's unauthenticated (like a login page), an attacker can run your server out of resources easy[ier] by creating millions of sessions. It's best to not let a public facing page modify the state of the server.
I'll get a reproducer to you tomorrow or wed, it's pretty easy to reproduce. Cheers, -Jonathan
Digging a little further Reading the Javadoc, I do think TomEE/MyFaces/OpenWebBeans is behaving correctly.
https://docs.oracle.com/javaee/7/api/javax/faces/component/UIViewRoot.html#getViewMap--
For reasons made clear in ViewScoped, this map must ultimately be stored in the session. For this reason, a true value for the create argument will force the session to be created with a call to ExternalContext.getSession(boolean)
So essentially, NavBar is forcing a session object to be created with this call:
https://github.com/exabrial/bootsfaces-session-bug Here's a demo that shows session is always created on the stateless view
As far as I can tell without running the program, you've delivered an awesome analysis, complete with a solution, and even a reproducer. We don't see that often. In return, I've put your issue + PR on the top of my "to do" list. Actually, I wanted to do it this evening, but I didn't manage to find enough spare time.
Regarding the reproducer: which application server to I need? Currently, I've installed a Liberty server and a Wildfly 17. Can I run the reproducer on one of them?
It's a one stop shop. Simply clone it, then run mvn clean package tomee:run
. After it starts visit: http://localhost:8080/bootsfaces-session-bug/index.jsf
If you want to run it on another application server, you can mvn clean package
then install the war in OpenLiberty or Wildfly or Glassfish.
Hello, I have used your example project @exabrial and take also a look for a solution. I think to store data in a static property of a Listener is not the best way for an enterprise application.
if I use root. attributes I can also switch off the session use but if I switch on the session in a bean, the Listener does not recognize this
@stephanrauh do we need to store the data into root.viewMap or can we use root.attributes as allternative
or with other words 'how can you determine whether you can start a session or not'?
https://github.com/geopossachs/BootsFaces-OSP/tree/issues/1117
i have make a test - if store the data in root.attributes i has the old bug form the https://github.com/TheCoder4eu/BootsFaces-OSP/issues/1066
if i store the data into root.viewMap(true) the old bug is fixed
@geopossachs Keep in mind, in my solution data is removed at the end of the request lifecycle when the listener is actually invoked, so after the whole request is done, we should be back to our original state: https://github.com/TheCoder4eu/BootsFaces-OSP/pull/1118/files#diff-7b5232f2606e479ecdc3e610b3991d99R147
I assume by "enterprise application" you mean an environment where the session state is distributed (as in our environment). I'm not sure why this data would need to be distributed... one server can't handle half of the request lifecycle.
I thought more in the direction of the MVC pattern on which JSF is based.
with a partial AJAX update to a request scoped page, you still need a session because you want to remember which resources have already been loaded by the browser
Yikes that kinda defeats the purpose of a request scoped page
@exabrial to use JSF without a session is not so easy - you have in your example an <f:view ... transient="true"> but when I add a
Added one comment to your PR, I don't think using a form implies a session creation. Couldn't find it in the spec, and I found a few counterexamples
I'm very grateful for what you guys do and the time you spend on this project. If I can assist, please feel free to assign tasks out to me to help move this or other bugs along towards a release.
Hi,
I was just about to create a similar issue. I also get a lot of warnings about @ViewScoped beans are not supported on stateless views
, which boils down to the same problem I guess.
I debugged it so far that, this line
AddResourcesListener.addResourceToHeadButAfterJQuery(C.BSF_LIBRARY, "js/tooltip.js");
in the addResouceFiles method of Tooltip (https://github.com/TheCoder4eu/BootsFaces-OSP/blob/master/src/main/java/net/bootsfaces/render/Tooltip.java#L134) causes an (empty!) viewMap to be created, which in turn causes those warnings.
Would this be also resolved by #1123?
I'm afraid development of BootsFaces has slowed down considerably. We'll never manage to address this issue. Let's close it.
Open source work often goes unthanked, so thank you for being great stewards of BootFaces. We love the framework.
I'm not completely convinced this is a bug in BootsFaces, but I figured I'd log a bug anyway. We noticed that adding a Navbar (and likely any bootsfaces components) will cause a session to get created, even on a page with a stateless view. We're running Apache TomEE 7.0.6 which uses OpenWebBeans 1.7.6 and MyFaces 2.2.12. I grabbed a stack trace so you can see how it gets created.
It could be that
CDIManagedBeanHandlerImpl
needs to be a little smarter and not dip down into the session when on a stateless view.