[ https://issues.apache.org/struts/browse/WW-2902?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=45107#action_45107 ]
Musachy Barroso commented on WW-2902:
-------------------------------------
It doesn't matter because the remove/add/get will try to sync on the real
session, which is wrapped in the SessionMap, and that reference will be locked
already. We should change it to use
ServletActionContext.getRequest().getSession() just for consistency.
> Session token usage error: java.lang.IllegalStateException: Context has not
> been prepared for next connection
> -------------------------------------------------------------------------------------------------------------
>
> Key: WW-2902
> URL: https://issues.apache.org/struts/browse/WW-2902
> Project: Struts 2
> Issue Type: Bug
> Components: Core Interceptors
> Affects Versions: 2.1.2
> Reporter: Sitaram Reddy
> Fix For: 2.1.3
>
>
> I have looked into the source code and found the reason. In
> TokenInterceptor.doIntercept(...), there is this code:
>     Map session = ActionContext.getContext().getSession();
>     synchronized (session) {
>         if (!TokenHelper.validToken()) {
>             return handleInvalidToken(invocation);
>         }
>         return handleValidToken(invocation);
>     }
> This block is essentially not synchronized! I found that the session Map is
> not a unique object across requests within a user session - in contrast with
> the HttpSession object provided by the Servlet API. Perhaps that should be
> considered the real bug?
> A previous bug WW-1786 also points out that the above block is not
> synchronized - that fix would be redundant once this issue is resolved.
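
Added example, not part of the original message and not Struts code: a stand-alone Java sketch of the locking problem the report describes. Two concurrent requests carrying the same token are both accepted when each locks its own per-request wrapper, and only one is accepted when both lock the shared session object. The class TokenLockDemo, the realSession map and the token value are hypothetical stand-ins.

```java
import java.util.Map;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

public class TokenLockDemo {
    // Hypothetical stand-in for the container's per-user session store.
    static final Map<String, Object> realSession = new ConcurrentHashMap<>();
    static final String TOKEN = "constructed-token-value"; // constructed sample value

    // Returns how many of two concurrent requests with the same token were accepted.
    static int run(boolean lockSharedSession) throws Exception {
        realSession.put("token", TOKEN);
        CountDownLatch bothChecked = new CountDownLatch(2);
        AtomicInteger accepted = new AtomicInteger();
        Runnable request = () -> {
            // Each request gets a fresh wrapper, as the report says of the session Map.
            Object perRequestWrapper = new Object();
            Object lock = lockSharedSession ? realSession : perRequestWrapper;
            synchronized (lock) {
                if (!TOKEN.equals(realSession.get("token"))) {
                    return; // invalid-token path: request rejected
                }
                // Widen the check-then-remove window so the outcome is repeatable.
                bothChecked.countDown();
                try {
                    bothChecked.await(300, TimeUnit.MILLISECONDS);
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                }
                realSession.remove("token"); // consume the token
                accepted.incrementAndGet();
            }
        };
        ExecutorService pool = Executors.newFixedThreadPool(2);
        pool.submit(request);
        pool.submit(request);
        pool.shutdown();
        pool.awaitTermination(5, TimeUnit.SECONDS);
        return accepted.get();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("lock on per-request wrapper: accepted=" + run(false));
        System.out.println("lock on shared session:      accepted=" + run(true));
    }
}
```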