struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Donat Iszak (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (WW-3957) Multiple concurrent AJAX requests can collide
Date Mon, 07 Jan 2013 12:12:14 GMT

     [ https://issues.apache.org/jira/browse/WW-3957?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Donat Iszak updated WW-3957:
----------------------------

    Description: 
If there are multiple AJAX request in the same time (and same HTTP Session) they can somehow
overwrite the concurrent thread's data (for example the result location).

Update:
There is no conflict when we use resource URL, but when we use the action URL the struts2
portlet plugin executes the interceptor stack twice:
- First in Action phase: This runs normally the action, and saves the full stack and response
location to the http session. The PortletStateInterceptor saves the stack, the PortletResult
saves the location.
- Second in Render phase: This phase restores the value stack and runs a dummy action (DirectRenderFromEventAction)
which does noting but returns the previously saved response location from the session.

The problem is that key for the http session objects is a constant (Location: RENDER_DIRECT_LOCATION,
Valuestack: STACK_FROM_EVENT_PHASE).

Let's see an example, when there are two concurrent thread A,B:
1. A action phase  (saves locationA to session(RENDER_DIRECT_LOCATION), saves stackA to session(STACK_FROM_EVENT_PHASE))
2. B action phase (saves locationB to session(RENDER_DIRECT_LOCATION), saves stackB to session(STACK_FROM_EVENT_PHASE),
so it overwrites locationA, stackA!)
3. A render phase (loads stackB, locationB from session. Returns/forwards to locationB) So
it returns the response of the B thread too!
4. B render phase (loads stackB, locationB from session. Returns/forwards to locationB)


Possible solution is to add the threadId to the session key (RENDER_DIRECT_LOCATION + ThreadId).
This could cause a massive load to the session so some clever clean up needed.


  was:
If there are multiple AJAX request in the same time (and same HTTP Session) they can somehow
overwrite the concurrent thread's data (for example the result location).

There is no conflict when we use resource URL, but when we use the action URL the struts2
portlet plugin executes the interceptor stack twice:
- First in Action phase: This runs normally the action, and saves the full stack and response
location to the http session. The PortletStateInterceptor saves the stack, the PortletResult
saves the location.
- Second in Render phase: This phase restores the value stack and runs a dummy action (DirectRenderFromEventAction)
which does noting but returns the previously saved response location from the session.

The problem is that key for the http session objects is a constant (Location: RENDER_DIRECT_LOCATION,
Valuestack: STACK_FROM_EVENT_PHASE).

Let's see an example, when there are two concurrent thread A,B:
1. A action phase  (saves locationA to session(RENDER_DIRECT_LOCATION), saves stackA to session(STACK_FROM_EVENT_PHASE))
2. B action phase (saves locationB to session(RENDER_DIRECT_LOCATION), saves stackB to session(STACK_FROM_EVENT_PHASE),
so it overwrites locationA, stackA!)
3. A render phase (loads stackB, locationB from session. Returns/forwards to locationB) So
it returns the response of the B thread too!
4. B render phase (loads stackB, locationB from session. Returns/forwards to locationB)


Possible solution is to add the threadId to the session key (RENDER_DIRECT_LOCATION + ThreadId).
This could cause a massive load to the session so some clever clean up needed.


    
> Multiple concurrent AJAX requests can collide
> ---------------------------------------------
>
>                 Key: WW-3957
>                 URL: https://issues.apache.org/jira/browse/WW-3957
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Portlet
>    Affects Versions: 2.3.8
>         Environment: Liferay/Tomcat
>            Reporter: Donat Iszak
>             Fix For: 2.3.x
>
>
> If there are multiple AJAX request in the same time (and same HTTP Session) they can
somehow overwrite the concurrent thread's data (for example the result location).
> Update:
> There is no conflict when we use resource URL, but when we use the action URL the struts2
portlet plugin executes the interceptor stack twice:
> - First in Action phase: This runs normally the action, and saves the full stack and
response location to the http session. The PortletStateInterceptor saves the stack, the PortletResult
saves the location.
> - Second in Render phase: This phase restores the value stack and runs a dummy action
(DirectRenderFromEventAction) which does noting but returns the previously saved response
location from the session.
> The problem is that key for the http session objects is a constant (Location: RENDER_DIRECT_LOCATION,
Valuestack: STACK_FROM_EVENT_PHASE).
> Let's see an example, when there are two concurrent thread A,B:
> 1. A action phase  (saves locationA to session(RENDER_DIRECT_LOCATION), saves stackA
to session(STACK_FROM_EVENT_PHASE))
> 2. B action phase (saves locationB to session(RENDER_DIRECT_LOCATION), saves stackB to
session(STACK_FROM_EVENT_PHASE), so it overwrites locationA, stackA!)
> 3. A render phase (loads stackB, locationB from session. Returns/forwards to locationB)
So it returns the response of the B thread too!
> 4. B render phase (loads stackB, locationB from session. Returns/forwards to locationB)
> Possible solution is to add the threadId to the session key (RENDER_DIRECT_LOCATION +
ThreadId). This could cause a massive load to the session so some clever clean up needed.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message