[ https://issues.apache.org/struts/browse/WW-2902?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sitaram Reddy updated WW-2902:
------------------------------
Description:
I have looked into the source code and found the reason. In
TokenInterceptor.doIntercept(...), there is this code:

    Map session = ActionContext.getContext().getSession();
    synchronized (session) {
        if (!TokenHelper.validToken()) {
            return handleInvalidToken(invocation);
        }
        return handleValidToken(invocation);
    }

This block is essentially not synchronized! I found that the session Map is not
a unique object across requests within a user session - in contrast with the
HttpSession object provided by the Servlet API. Perhaps that should be
considered the real bug?

A previous bug WW-1786 also points out that the above block is not synchronized
- that fix would be redundant once this issue is resolved.
was:
I have looked into the source code and found the reason. In
TokenInterceptor.doIntercept(...), there is this code:

    Map session = ActionContext.getContext().getSession();
    synchronized (session) {
        if (!TokenHelper.validToken()) {
            return handleInvalidToken(invocation);
        }
        return handleValidToken(invocation);
    }

I found that the session Map is thread dependent and so the above block is
essentially not synchronized! A previous bug WW-1786 also points out that the
block is not synchronized - that fix would be redundant once this issue is
resolved.
> Session token usage error: java.lang.IllegalStateException: Context has not
> been prepared for next connection
> -------------------------------------------------------------------------------------------------------------
>
> Key: WW-2902
> URL: https://issues.apache.org/struts/browse/WW-2902
> Project: Struts 2
> Issue Type: Bug
> Components: Core Interceptors
> Affects Versions: 2.1.2
> Reporter: Sitaram Reddy
>
> I have looked into the source code and found the reason. In
> TokenInterceptor.doIntercept(...), there is this code:
>
>     Map session = ActionContext.getContext().getSession();
>     synchronized (session) {
>         if (!TokenHelper.validToken()) {
>             return handleInvalidToken(invocation);
>         }
>         return handleValidToken(invocation);
>     }
>
> This block is essentially not synchronized! I found that the session Map is
> not a unique object across requests within a user session - in contrast with
> the HttpSession object provided by the Servlet API. Perhaps that should be
> considered the real bug?
>
> A previous bug WW-1786 also points out that the above block is not
> synchronized - that fix would be redundant once this issue is resolved.
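
The locking problem described in this report, as an added example that is not Struts code and not part of the original message: two requests in the same user session each receive their own Map object over the same session data, so synchronized (session) gives no mutual exclusion around the token check. SessionLockDemo, sessionViewForRequest, BACKING and SESSION_LOCK are hypothetical names; locking on an object that is unique per user session is assumed here as the corrected form.

```java
import java.util.AbstractMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.*;

public class SessionLockDemo {
    // Constructed stand-in for the one per-user session store shared by all requests.
    static final Map<String, Object> BACKING = new ConcurrentHashMap<>();
    // Constructed stand-in for an object that is unique per user session.
    static final Object SESSION_LOCK = new Object();

    // Hypothetical per-request view: a new Map object on each call, same underlying data.
    static Map<String, Object> sessionViewForRequest() {
        return new AbstractMap<String, Object>() {
            @Override public Set<Map.Entry<String, Object>> entrySet() { return BACKING.entrySet(); }
            @Override public Object remove(Object key) { return BACKING.remove(key); }
        };
    }

    // Two requests submit the same token; returns how many of them were accepted.
    static int accepted(boolean lockOnSharedObject) throws Exception {
        BACKING.put("token", "abc"); // constructed sample token
        CyclicBarrier insideBlock = new CyclicBarrier(2);
        Callable<Boolean> request = () -> {
            Map<String, Object> session = sessionViewForRequest();
            synchronized (lockOnSharedObject ? SESSION_LOCK : session) {
                if (!"abc".equals(session.get("token"))) return false; // check
                // The barrier trips only if both threads are inside the block at once;
                // with a real shared lock the first thread times out here instead.
                try { insideBlock.await(300, TimeUnit.MILLISECONDS); } catch (Exception timedOut) { }
                session.remove("token");                                // act
                return true;
            }
        };
        ExecutorService pool = Executors.newFixedThreadPool(2);
        try {
            Future<Boolean> a = pool.submit(request), b = pool.submit(request);
            return (a.get() ? 1 : 0) + (b.get() ? 1 : 0);
        } finally { pool.shutdown(); }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("lock on per-request Map: accepted " + accepted(false));
        System.out.println("lock on shared object:   accepted " + accepted(true));
    }
}
```

With the per-request Map as the monitor, both threads pass the check before either one consumes the token, so a token meant for a single use is accepted for both requests; with the shared monitor the second request sees the token already removed.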