-1 to just activate it per default as i said, each request from a bot to e.g. a secured page will lead to a new session. This is not what we want.
Mojarra behaves the same like MyFaces currently, i think we are ok. Maybe we just should improve our docs. Am Mi., 18. Jan. 2023 um 20:17 Uhr schrieb Volodymyr Siedlecki < [email protected]>: > Hello, > > In our automated build suite, we encountered a problem in creating a session > after the response was committed. > > Our application has a session-scoped bean, and after the response is > committed, the WeldELResolver tries to resolve this bean which forces a > session. Here's a snippet of the stack trace: > > ... > SessionHolder.getSession(HttpServletRequest, boolean) line: 61 > LazySessionBeanStore.getSession(boolean) line: 84 > LazySessionBeanStore(AbstractSessionBeanStore).getLockStore() line: 120 > LazySessionBeanStore(AttributeBeanStore).lock(BeanIdentifier) line: 256 > HttpSessionContextImpl(AbstractContext).get(Contextual<T>, > CreationalContext<T>) line: 90 > PassivatingContextWrapper$WeldAlterableContextWrapper(PassivatingContextWrapper$AbstractPassivatingContextWrapper<C>).get(Contextual<T>, > CreationalContext<T>) line: 84 > ContextualInstanceStrategy$CachingContextualInstanceStrategy<T>(ContextualInstanceStrategy$DefaultContextualInstanceStrategy<T>).get(Bean<T>, > BeanManagerImpl, CreationalContext<?>) line: 100 > ContextualInstanceStrategy$CachingContextualInstanceStrategy<T>.get(Bean<T>, > BeanManagerImpl, CreationalContext<?>) line: 177 > ContextualInstance.get(Bean<T>, BeanManagerImpl, CreationalContext<?>) line: > 50 > BeanManagerImpl.getReference(Bean<?>, Type, CreationalContext<?>, boolean) > line: 680 > WeldELResolver(AbstractWeldELResolver).lookup(BeanManagerImpl, ELContext, > String) line: 107 > WeldELResolver(AbstractWeldELResolver).getValue(ELContext, Object, Object) > line: 90 > CompositeELResolver.getValue(ELContext, Object, Object) line: 62 > AstIdentifier.getValue(EvaluationContext) line: 94 > AstValue.getTarget(EvaluationContext) line: 70 > AstValue.getType(EvaluationContext) line: 58 > ValueExpressionImpl.getType(ELContext) line: 173 > ContextAwareTagValueExpression.getType(ELContext) line: 83 > RendererUtils.findUIOutputConverter(FacesContext, UIOutput) line: 401 > HtmlRendererUtils.findUIOutputConverterFailSafe(FacesContext, UIComponent) > line: 570 > HtmlMenuRenderer(HtmlMenuRendererBase).getConverter(FacesContext, > UIComponent) line: 171 > HtmlMenuRenderer(HtmlMenuRendererBase).encodeEnd(FacesContext, UIComponent) > line: 75 > HtmlSelectOneMenu(UIComponentBase).encodeEnd(FacesContext) line: 634 > HtmlSelectOneMenu(UIComponentBase).encodeAll(FacesContext) line: 523 > HtmlGridRenderer(HtmlGridRendererBase).renderChildren(FacesContext, > ResponseWriter, UIComponent, int) line: 375 > HtmlGridRenderer(HtmlGridRendererBase).encodeEnd(FacesContext, UIComponent) > line: 190 > HtmlPanelGrid(UIComponentBase).encodeEnd(FacesContext) line: 634 > HtmlPanelGrid(UIComponentBase).encodeAll(FacesContext) line: 523 > HtmlForm(UIComponentBase).encodeAll(FacesContext) line: 519 > HtmlBody(UIComponentBase).encodeAll(FacesContext) line: 519 > UIViewRoot(UIComponentBase).encodeAll(FacesContext) line: 519 > FaceletViewDeclarationLanguage.renderView(FacesContext, UIViewRoot) line: > 1783 > ViewHandlerImpl.renderView(FacesContext, UIViewRoot) line: 316 > ... > > My investigation lead to JIRA: > https://issues.apache.org/jira/projects/MYFACES/issues/MYFACES-4309 > > For MYFACES-4309, a new parameter was created, ALWAYS_FORCE_SESSION_CREATION, > which would create a session at the start of the render response phase. > > Currently, 2.2, 2.3, and 3.0 have the default as true. However, 4.0 has it as > false. > > When discussing defaults in MYFACES-4309, Thomas said: > "About the default of the new config... I would like to see it as "false" as > currently each request of a possible/public/stateless view will create a > session. > But it also understands that its a possible error source, so for me, it's > also ok to make it true - and false only in 3.0" ( Note: it ended up being > true in 3.0 and false for 4.0) > > So, I would like to ask the community for some consensus on whether we should > keep it as false for 4.0, or change it to true as with all our other versions. > Otherwise, the only workaround available is to increase the buffer size via > *jakarta.faces.FACELETS_BUFFER_SIZE* so that a session is created before the > response commit call. > > Code: > https://github.com/apache/myfaces/blob/93a47f3c78716f0ff3c01227ee1cd5972aeb965b/impl/src/main/java/org/apache/myfaces/config/webparameters/MyfacesConfig.java#L770 > https://github.com/apache/myfaces/blob/93a47f3c78716f0ff3c01227ee1cd5972aeb965b/impl/src/main/java/org/apache/myfaces/lifecycle/RenderResponseExecutor.java#L167-L193 > > Thanks, > > Volodymyr > >
