ThreadLocal sharing data?
By all means I know the following is not possible, but it is occurring in one of our production environments:
SETUP
- ESAPI 2.01
Main servlet filter setting and removing a current request thread local object:
try { ESAPI.httpUtilities().setCurrentHTTP(request, response); // filter logic ... } catch (Exception e) { LOG.error(Logger.SECURITY_FAILURE, "Error in ESAPI " + "security filter: " + e.getMessage(), e); request.setAttribute("message", e.getMessage()); } finally { ESAPI.clearCurrent(); }
all requests pass through this filter, and ESAPI.currentRequest() is used throughout the system.
- Path A (
http://server/path_a/)- goes through until it reaches
method_a, this method is not accessible frompath_b
- goes through until it reaches
- Path B (
http://server/path_b)- goes through until it reaches
method_b, not accessible frompath_a
- goes through until it reaches
Both of these paths go through the servlet filter (mapping "/*")
One of our error mails that I received suggests that path_a is throwing an error, which in turn initiates the error mail, in the mail code, the current request (via ESAPI.currentRequest()) is enumerated for request info.
PROBLEM
In the error mail, request info from path_a correlates with stacktrace info from method_b, to me this seems impossible as both run in separate threads.
QUESTION
How is this possible? I cannot re-create this locally, are their certain precautions I have to take other than setting and clearing the ThreadLocal? Can this be a problem with tomcat setup? I'm lost.
PS: code from the question has been simplified as the code base is to large for an example
Reading ESAPI code https://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java there are some questionable practices regarding thread local.
The biggest problem I'd say is it uses InheritableThreadLocal. If thread A spawns a thread B, B will inherit A's thread local value; however, when A then clears the thread local, it doesn't affect B, so B's inherited value will stay. ESAPI probably shouldn't use InheritableThreadLocal.
I can't say how this may produce the problem you see, without knowing more about threads in your app.
- How do I find where JDK is installed on my windows machine?
- CORS in Spring Security (Spring Boot 3)
- Illegal base64url character: ' ' when getting claims/decode from token Java JWT Spring Boot
- Java example of using ExecutorService and PipedReader/PipedWriter (or PipedInputStream/PipedOutputStream) for consumer-producer
- Why Joda DateTime gives different result than Java Date?
- Why am I getting "time limit exceeded" error in binary tree level order traversal problem in leetcode?
- do while loop to for each or for loop
- Switch Between 3 Tabs Using Selenium WebDriver with Java
- Lombok added but getters and setters not recognized in Intellij IDEA
- How do I avoid checking for nulls in Java?
- How to get all week dates for given date java
- IntelliJ IDEA stucks at "collecting data" while debug
- Disconnected from the target VM, address: '127.0.0.1:51928', transport: 'socket'
- UnsupportedOperationException when upgrading from Java 17 to Java 21
- Is there a way to get user's UID on Linux machine using java?
- Environment variable to control java.io.tmpdir?
- Why does my file have race conditions, even though I used StandardOpenOption.SYNC?
- JRuby-1.7.19 UDPSocket "initialize: name or service not known" while scanning IP range
- how to debug spring application with gradle
- Could not resolve all files for configuration ':app:androidJdkImage
- I do not understand why the value of smallCountLoopCount changes from 0 to 1 in the code provided. I expect it to remain at 0
- How can I emulate non-blocking i/o in Java using threads
- H2 in Tomcat SqlException locked by another process when embedded mode
- checking java date with postgresql timestamp without timezone
- Read in different data types from file
- Java, sorting analysis. Heapsort, Quicksort1, Quicksort2, Mergesort, given a blackbox
- How to get the YEAR for week of year for a date?
- What's the difference between Instant and LocalDateTime?
- Problems when a non-generic method overrides a generic method
- Binary search for first occurrence of k