[
https://issues.apache.org/jira/browse/WW-3895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13559640#comment-13559640
]
Lukasz Lenart commented on WW-3895:
-----------------------------------
Some links to follow:
http://static.springsource.org/spring/docs/current/javadoc-api//org/springframework/web/servlet/mvc/AbstractController.html#setSynchronizeOnSession%28boolean%29
http://static.springsource.org/spring/docs/2.0.x/api/org/springframework/web/util/HttpSessionMutexListener.html
and using
{code:java}
final Object lock = request.getSession().getId().intern();
synchronized(lock) {
...
}
{code}
is not a good idea as thus can lead to memory leak.
> Synchronization on HttpSession object
> -------------------------------------
>
> Key: WW-3895
> URL: https://issues.apache.org/jira/browse/WW-3895
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.3.4.1
> Reporter: Patrick Cavanaugh
> Fix For: 2.3.9
>
>
> I noticed that in the fix for WW-3865 (and in current 2.3.4.1 code),
> synchronization is made based on the HttpSession object.
> According to
> http://yet-another-dev.blogspot.com/2009/08/synchronizing-httpsession.html
> and http://stackoverflow.com/a/616723/631628 , HttpSession isn't guaranteed
> by the specification to be the same object each time getSession() is called
> and so the synchronization might not work correctly. That post suggests
> synchronizing on the interned session ID instead. There are might be other
> places in the codebase this would have to be changed too, and not just in the
> TokenSessionInterceptor discussed in WW-3865.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
