Could a Striped lock not be used? If done, machinery would need to be introduced which would quickly go beyond s2's prerogative. For instance an interceptor could have this magic locking service injected and then say: For User X, is token Y in use? Or for any user is token Y in use? But then this brings up user management, which is outside of S2 and then security quickly follows...
So keeping is simple, S2 offers a reasonable solution but I think you could develop a more narrow locking scheme that locks on the value of the token stored in a Striped lock: http://docs.guava-libraries.googlecode.com/git/javadoc/com/google/common/util/concurrent/Striped.html On Mon, Jul 13, 2015 at 5:26 AM, Lukasz Lenart <lukaszlen...@apache.org> wrote: > 2015-07-10 20:37 GMT+02:00 rgm <str...@rgm.nu>: > > Using Struts 2.3.20.1. > > > > We have a long-running token-protected (for CSRF) action that can take up > > to about 30 seconds sometimes. When this action is running on behalf of > > "Alice", the "List Users" page for all other people on the system such as > > Bob and Charlie is hung, because the List Users page is trying to show > > whether or not "Alice" is logged in by accessing properties of her HTTP > > session. > > > > Is it necessary for TokenInterceptor to hold onto the session lock for > the > > entire action invocation? > > It is. It's the only way to be sure that we do not have duplicated > submits for the same token > > > Regards > -- > Ćukasz > + 48 606 323 122 http://www.lenart.org.pl/ > > --------------------------------------------------------------------- > To unsubscribe, e-mail: user-unsubscr...@struts.apache.org > For additional commands, e-mail: user-h...@struts.apache.org > >