I have implemented a rest controller using Spring Boot 2.2.6.RELEASE
At the start of day, many applications on the network make requests to a single running instance of my controller.
I believe I am seeing parameters from multiple applications being combined in a single call to the controller
For example, the business logic in my controller throws an exception when it receives the following URL which I log as soon as the controller is called:
2021-02-19 06:31:05.551 [http-nio-9000-exec-6] [ERROR] [RefDataServerController]: http://tbaquaappc-u2:9000/refdata/exec/text/getParticipantBitCross?instance=LINEDATA&cert=0dk7lc0vyeVEPptGwVyUXc%3DNbc0FW3IujbPTF7e&cert=Hzj%2Fqu9tIw865CMmsEP076N9mgLI3J6oFwovyt1
In this URL there are 2 '&cert' parameters which no application sends.
Two distinct applications send the following independent requests (at about the same time)
http://tbaquaappc-u2:9000/refdata/exec/text/getParticipantBitCross?instance=LINEDATA&cert=Hzj%2Fqu9tIw865CMmsEP076N9mgLI3J6oFwovyt1
http://tbaquaappc-u2:9000/refdata/exec/text/getParticipantBitCross?instance=JOHN2&cert=0dk7lc0vyeVEPptGwVyUXc%3DNbc0FW3IujbPTF7e
It looks like the &cert from the second call is getting mingled with the first call.
Thanks to "Roddy of the Frozen Peas", the problem seems to have indeed been a web proxy which sits in between the Spring Boot app and caller. The proxy listens for custom protocol requests from a caller on a raw server socket (an unfortunate legacy) and channels them into JAX-RS requests to the app. The proxy listener is standard Java ServerSocket code which block/waits for a request and then calls an input processor on a new thread which forwards the request to the app. Inside the input processor, I had a class member instance of org.apache.cxf.jaxrs.client.WebClient which simply did a reset() before each call inside the run() method. I removed the shared instance and replaced it by having each thread create a new instance of WebClient inside the run() method before using it to forward http requests to the app. That seems to have fixed the issue. Probably WebClient is not thread safe.