struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lukasz Lenart (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-3895) Synchronization on HttpSession object
Date Wed, 13 Aug 2014 18:54:14 GMT

    [ https://issues.apache.org/jira/browse/WW-3895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14095926#comment-14095926
] 

Lukasz Lenart commented on WW-3895:
-----------------------------------

Looks like {{final Object lock = request.getSession().getId().intern(); }} is safe

http://www.codeinstructions.com/2009/01/busting-javalangstringintern-myths.html

> Synchronization on HttpSession object
> -------------------------------------
>
>                 Key: WW-3895
>                 URL: https://issues.apache.org/jira/browse/WW-3895
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.4.1
>            Reporter: Patrick Cavanaugh
>             Fix For: 2.3.18
>
>
> I noticed that in the fix for WW-3865 (and in current 2.3.4.1 code), synchronization
is made based on the HttpSession object.
> According to http://yet-another-dev.blogspot.com/2009/08/synchronizing-httpsession.html
and http://stackoverflow.com/a/616723/631628 , HttpSession isn't guaranteed by the specification
to be the same object each time getSession() is called and so the synchronization might not
work correctly. That post suggests synchronizing on the interned session ID instead. There
are might be other places in the codebase this would have to be changed too, and not just
in the TokenSessionInterceptor discussed in WW-3865.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message