struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ken McWilliams <ken.mcwilli...@gmail.com>
Subject Re: TokenInterceptor locking HTTP session for entire action invocation?
Date Mon, 13 Jul 2015 23:52:01 GMT
Could a Striped lock not be used? If done, machinery would need to be
introduced which would quickly go beyond s2's prerogative. For instance an
interceptor could have this magic locking service injected and then say:
For User X, is token Y in use? Or for any user is token Y in use? But then
this brings up user management, which is outside of S2 and then security
quickly follows...

So keeping is simple, S2 offers a reasonable solution but I think you could
develop a more narrow locking scheme that locks on the value of the token
stored in a Striped lock:
http://docs.guava-libraries.googlecode.com/git/javadoc/com/google/common/util/concurrent/Striped.html




On Mon, Jul 13, 2015 at 5:26 AM, Lukasz Lenart <lukaszlenart@apache.org>
wrote:

> 2015-07-10 20:37 GMT+02:00 rgm <struts@rgm.nu>:
> > Using Struts 2.3.20.1.
> >
> > We have a long-running token-protected (for CSRF) action that can take up
> > to about 30 seconds sometimes.  When this action is running on behalf of
> > "Alice", the "List Users" page for all other people on the system such as
> > Bob and Charlie is hung, because the List Users page is trying to show
> > whether or not "Alice" is logged in by accessing properties of her HTTP
> > session.
> >
> > Is it necessary for TokenInterceptor to hold onto the session lock for
> the
> > entire action invocation?
>
> It is. It's the only way to be sure that we do not have duplicated
> submits for the same token
>
>
> Regards
> --
> Ɓukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message