struts-user mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: TokenInterceptor locking HTTP session for entire action invocation?
Date Tue, 14 Jul 2015 05:33:45 GMT
Hmm.... looks interesting :) There is an issue opened for 2.3.x, so could
you post your comment there as well? I will try to investigate how to
use Striped (maybe not directly) with the Token interceptor

https://issues.apache.org/jira/browse/WW-4409


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2015-07-14 1:52 GMT+02:00 Ken McWilliams <ken.mcwilliams@gmail.com>:
> Could a Striped lock not be used? If done, machinery would need to be
> introduced which would quickly go beyond s2's prerogative. For instance an
> interceptor could have this magic locking service injected and then say:
> For User X, is token Y in use? Or for any user is token Y in use? But then
> this brings up user management, which is outside of S2 and then security
> quickly follows...
>
> So keeping it simple, S2 offers a reasonable solution but I think you could
> develop a more narrow locking scheme that locks on the value of the token
> stored in a Striped lock:
> http://docs.guava-libraries.googlecode.com/git/javadoc/com/google/common/util/concurrent/Striped.html
>
>
>
>
> On Mon, Jul 13, 2015 at 5:26 AM, Lukasz Lenart <lukaszlenart@apache.org>
> wrote:
>
>> 2015-07-10 20:37 GMT+02:00 rgm <struts@rgm.nu>:
>> > Using Struts 2.3.20.1.
>> >
>> > We have a long-running token-protected (for CSRF) action that can take up
>> > to about 30 seconds sometimes.  When this action is running on behalf of
>> > "Alice", the "List Users" page for all other people on the system such as
>> > Bob and Charlie is hung, because the List Users page is trying to show
>> > whether or not "Alice" is logged in by accessing properties of her HTTP
>> > session.
>> >
>> > Is it necessary for TokenInterceptor to hold onto the session lock for
>> the
>> > entire action invocation?
>>
>> It is. It's the only way to be sure that we do not have duplicated
>> submits for the same token
>>
>>
>> Regards
>> --
>> Łukasz
>> + 48 606 323 122 http://www.lenart.org.pl/
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
>> For additional commands, e-mail: user-help@struts.apache.org
>>
>>

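The alternative Ken sketches above (lock on the token value with Guava's Striped rather than on the whole session) is illustrated below. This is an added example, not code from the thread, from Struts' TokenInterceptor or from the WW-4409 issue; the class, method and session-key names are hypothetical, and it assumes Guava on the classpath. The demo races eight duplicate submits of one token: exactly one is accepted, a replay after the action completes is rejected, and a concurrent reader of the same session (the "List Users" page in the original report) returns immediately instead of waiting out the action. Whether a lock released before the action runs gives the "no duplicated submits for the same token" guarantee Łukasz describes is exactly the question the JIRA issue is about.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.locks.Lock;

import com.google.common.util.concurrent.Striped;

/**
 * Added illustration for the thread: serialise duplicate submits on the token
 * VALUE with Guava's Striped instead of holding the HTTP session monitor for
 * the whole action invocation. Hypothetical names; not Struts' TokenInterceptor.
 */
public final class StripedTokenGuard {

    /** Session attribute holding the one-shot form token (hypothetical key). */
    static final String TOKEN_KEY = "struts.token";

    private static final SecureRandom RNG = new SecureRandom();

    /** 64 stripes: requests carrying different tokens almost never contend. */
    private final Striped<Lock> stripes = Striped.lock(64);

    /** Issue a fresh 128-bit token into the session and return it for the form. */
    public String issue(ConcurrentMap<String, Object> session) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuilder sb = new StringBuilder(32);
        for (byte b : raw) sb.append(String.format("%02x", b));
        String token = sb.toString();
        session.put(TOKEN_KEY, token);
        return token;
    }

    /**
     * Compare-and-consume. Returns true exactly once per token value; a missing,
     * mismatched or already-consumed token fails closed. The stripe lock covers
     * only this check, never the action itself. Assumes a thread-safe session map.
     */
    public boolean consume(ConcurrentMap<String, Object> session, String submitted) {
        if (submitted == null || submitted.isEmpty()) return false;
        Lock lock = stripes.get(submitted);          // same token value -> same stripe
        lock.lock();
        try {
            Object stored = session.get(TOKEN_KEY);
            if (!(stored instanceof String)) return false;
            // constant-time comparison so the token cannot be guessed byte by byte
            if (!MessageDigest.isEqual(((String) stored).getBytes(), submitted.getBytes())) return false;
            return session.remove(TOKEN_KEY, stored);   // atomic single-use removal
        } finally {
            lock.unlock();
        }
    }

    /** Demo: 8 duplicate submits race; one wins, and a reader of the same session
     *  (the "List Users" page in the thread) is not blocked by the long action. */
    public static void main(String[] args) throws Exception {
        StripedTokenGuard guard = new StripedTokenGuard();
        ConcurrentMap<String, Object> aliceSession = new ConcurrentHashMap<>();   // constructed sample
        aliceSession.put("loggedIn", Boolean.TRUE);
        String token = guard.issue(aliceSession);

        AtomicInteger accepted = new AtomicInteger();
        CountDownLatch actionStarted = new CountDownLatch(1);
        ExecutorService pool = Executors.newFixedThreadPool(8);
        for (int i = 0; i < 8; i++) {
            pool.execute(() -> {
                if (guard.consume(aliceSession, token)) {
                    accepted.incrementAndGet();
                    actionStarted.countDown();
                    sleep(2000);               // the long-running action, run with no lock held
                }
            });
        }
        actionStarted.await(5, TimeUnit.SECONDS);
        long t0 = System.nanoTime();
        Object loggedIn = aliceSession.get("loggedIn");   // "List Users" reading Alice's session
        long readMs = (System.nanoTime() - t0) / 1_000_000;
        pool.shutdown();
        pool.awaitTermination(10, TimeUnit.SECONDS);

        System.out.println("accepted=" + accepted.get() + " (expected 1)");
        System.out.println("reader saw loggedIn=" + loggedIn + " after " + readMs + " ms (not ~2000)");
        System.out.println("replay after completion: " + guard.consume(aliceSession, token) + " (expected false)");
    }

    private static void sleep(long ms) {
        try { Thread.sleep(ms); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
    }
}
```

The stripe is keyed by the submitted token value, so every duplicate submit of one token lands on the same lock while requests for unrelated tokens, and plain readers of the session, never contend with it. Two caveats a practitioner should weigh: the session map must itself be safe for concurrent get/put/remove (a servlet container's HttpSession attribute store is not guaranteed to be by the spec, which is one reason Struts synchronises on the session object), and the stripe is released before the action starts, so this protects against duplicate submits only by having consumed the token, not by serialising the actions.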