Peter Kharchenko wrote:
We're working on a large web application, which among other things, relies on thread pools shared across multiple servlet sessions. This appears to present a problem since the same thread may be used to serve different users.
At the start of each HTTP request, HttpSessionContextIntegrationFilter will retrieve the SecurityContext from the HttpSession, and then put in into the SecurityContextHolder. At the end of the HTTP request, HttpSessionContextIntegrationFilter will copy the changed SecurityContext from the SecurityContextHolder and put it back into the HttpSession ready for next request. It will also set the SecurityContextHolder to null, so it is safe and ready for next request.
Because the same thread is used for the duration of the HTTP request, and the thread has security information removed from it at the end of each request, there should not be any problem in a large web application. You may like to confirm this yourself by using a stress testing tool such as Grinder.
Best regards Ben ------------------------------------------------------- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf _______________________________________________ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
