[
https://issues.apache.org/struts/browse/WW-2902?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=45106#action_45106
]
Dave Newton commented on WW-2902:
---------------------------------
Does it matter that TokenHelper uses the getcontext().getSession() call?
> Session token usage error: java.lang.IllegalStateException: Context has not
> been prepared for next connection
> -------------------------------------------------------------------------------------------------------------
>
> Key: WW-2902
> URL: https://issues.apache.org/struts/browse/WW-2902
> Project: Struts 2
> Issue Type: Bug
> Components: Core Interceptors
> Affects Versions: 2.1.2
> Reporter: Sitaram Reddy
> Fix For: 2.1.3
>
>
> I have looked into the source code and found the reason. In
> TokenInterceptor.doIntercept(...), there is this code:
> Map session = ActionContext.getContext().getSession();
> synchronized (session) {
> if (!TokenHelper.validToken()) {
> return handleInvalidToken(invocation);
> }
> return handleValidToken(invocation);
> }
> This block is essentially not synchronized! I found that the session Map is
> not a unique object across requests within an user session - in contrast with
> the HttpSession object provided by the Servlet API. Perhaps that should be
> considered the real bug?
> A previous bug WW-1786 also points out that the above block is not
> synchronized - that fix would be redundant once this issue is resolved.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
