Best IT Recipes

Is the HttpSession descendant safe, is the operation / installation of attribute stream attributes set / received?

Also, should a streaming object be installed to ensure that we know what is known about the state of the object stored in the session.

In addition, I read on the Internet that some suggest using:

synchronized(session) { session.setAttribute("abc", "abc"); }

Is this an offer?

+48
java thread-safety synchronized session
Mar 05 '09 at 21:03
source share
6 answers

No, they are not thread safe, according to IBM - Java theory and practice: are all stateful web applications broken? . You need to sync.

As HttpSession is not thread safe, Java Ranch can also be useful.

+35
Mar 05 '09 at 21:07
source

Servlet 2.5 spec:

Multiple servlets that query threads can have active access to the same session object at the same time. The container must ensure that the manipulation of internal data structures representing session attributes is performed in a thread-safe manner. The developer is responsible for thread safety access to the attribute objects themselves. This will protect the collection of attributes inside the HttpSession object from concurrent access, eliminating the possibility for the application to cause it to become corrupted.

It's safe:

 // guaranteed by the spec to be safe request.getSession().setAttribute("foo", 1);

It is safe not to :

 HttpSession session = request.getSession(); Integer n = (Integer) session.getAttribute("foo"); // not thread safe // another thread might be have got stale value between get and set session.setAttribute("foo", (n == null) ? 1 : n + 1);

This is not guaranteed:

 // no guarantee that same instance will be returned, // nor that session will lock on "this" HttpSession session = request.getSession(); synchronized (session) { Integer n = (Integer) session.getAttribute("foo"); session.setAttribute("foo", (n == null) ? 1 : n + 1); }

I saw how this last approach is protected (including in J2EE books), but it is not guaranteed to work according to the Servlet specification. You can use a session id to create a mutex , but there should be a better approach.

+62
Mar 05 '09 at 21:34
source

No. And since you do not want the same client (with the session) to execute parallel requests, you must serialize these requests, for example AbstractController in Spring MVC

+4
Mar 05 '09 at 21:22
source

In some ways, it depends on the design of your client.

Do you have the opportunity in your web design for one client to have several outstanding concurrent requests using the same HTTP session? This is difficult to do if you are not associating a single HTTP session with multiple sockets. (aka, AJAX). In short, this HTTP client access will be single-threaded in relation to the server, which means that one session is effectively protected by the stream.

Synchronizing your session objects will make the application more secure with future changes that will force your web application to have multiple simultaneous requests, so this is not a bad idea. In modern Java implementations, synchronization does not have the large costs that were previously associated with it, especially when synchronization is usually not used. If your application uses AJAX, which implies that you expect multiple simultaneous requests on your web server during the flight, synchronization is mandatory.

+2
Mar 05 '09 at 21:27
source

This is not the case, but in most cases your customers will access them using only one thread.

Different clients will have different threads, and each of them will have its own session.

As Eddie notes, in one situation where you may encounter two threads accessing the same session, two ajax calls try to change the same session attribute. Otherwise, you will not have a problem.

+1
Mar 05 '09 at 21:36
source

The session is not thread safe, and none of the get not the set methods are thread guaranteed. Typically, in a servlet container, you should assume that it is in a multi-threaded environment, and no snap-in provided is safe.

This also applies to objects that you store in a session. The session itself will not manipulate the stored object, but you can get the object in another thread and try to manipulate it. It is up to you to check your own code to see if race conditions are possible.

The code sample you have provided is valid, but the problem may exist outside the limited scope of your example. It ensures that when setting up a session there are no conditions, but there is nothing that prevents another thread from overriding the set. If the code in the request depends on a constant value, you may still be in difficulty.

0
Mar 05 '09 at 21:27
source


More articles:


All Articles