Could a Striped lock not be used? If done, machinery would need to be
introduced which would quickly go beyond s2's prerogative. For instance an
interceptor could have this magic locking service injected and then say:
For User X, is token Y in use? Or for any user is token Y in use? But then
this brings up user management, which is outside of S2 and then security
quickly follows...

So keeping is simple, S2 offers a reasonable solution but I think you could
develop a more narrow locking scheme that locks on the value of the token
stored in a Striped lock:

On Mon, Jul 13, 2015 at 5:26 AM, Lukasz Lenart <>

> 2015-07-10 20:37 GMT+02:00 rgm <>:
> > Using Struts
> >
> > We have a long-running token-protected (for CSRF) action that can take up
> > to about 30 seconds sometimes.  When this action is running on behalf of
> > "Alice", the "List Users" page for all other people on the system such as
> > Bob and Charlie is hung, because the List Users page is trying to show
> > whether or not "Alice" is logged in by accessing properties of her HTTP
> > session.
> >
> > Is it necessary for TokenInterceptor to hold onto the session lock for
> the
> > entire action invocation?
> It is. It's the only way to be sure that we do not have duplicated
> submits for the same token
> Regards
> --
> Ɓukasz
> + 48 606 323 122
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

Reply via email to