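I went through a number of online posts, the spec, and other material; this summarizes the points made across those posts:
The API docs for HttpSession and ServletContext do not explicitly say whether the get/setAttribute methods are thread-safe.
The Servlet 2.5 spec states (see servlet-2_5-mrel2-spec.pdf):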
Multiple servlets executing request threads may have active access to the same session object at the same time. The container must ensure that manipulation of internal data structures representing the session attributes is performed in a threadsafe manner. The Developer has the responsibility for threadsafe access to the attribute objects themselves. This will protect the attribute collection inside the HttpSession object from concurrent access, eliminating the opportunity for an application to cause that collection to become corrupted.
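So the post at http://www.javamex.com/tutorials/servlets/session_synchronization.shtml is correct:
1. A single call to session.set/getAttribute() or application.set/getAttribute() is thread-safe. The container vendor must ensure that the internal data structures used by its implementation are thread-safe within one get/set operation. The Tomcat 5.5.35 source code confirms this:
org.apache.catalina.session.StandardSession uses a Hashtable;
org.apache.catalina.core.ApplicationContext uses a HashMap, but every put and get on it first synchronizes on that HashMap object.
(However, some older container implementations did have bugs in this area.)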
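2. If you want to combine multiple sets/gets into an atomic operation, then you need explicit synchronization. The options are:
(1) Synchronize on the session:
    HttpSession sess = req.getSession(true);
    synchronized (sess) {
        sess.setAttribute("USERID", id);
        sess.setAttribute("USERNAME", username);
        ...
    }
(2) On Java 5 and above, wrap the data in an immutable object and then call setAttribute once with that immutable object;
(3) Lock on a static variable:
    // lock is the static variable shared by every piece of code that touches these attributes
    synchronized (lock) {
        sess.setAttribute("USERID", id);
        sess.setAttribute("USERNAME", username);
        ...
    }
Any other code that uses these attributes must also enter synchronized (lock) first; code that uses other, unrelated attributes does not need the lock. The drawback is that different sessions operating on these attributes will now contend with each other for the same lock.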
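Option (2) as an added example (not code from the original post or from any container): a ConcurrentHashMap stands in for the session attribute store, and the UserInfo class and the "USER" key are hypothetical names. It counts how often a concurrent reader sees a USERID and USERNAME that do not belong together when they are set in two calls, compared with one immutable holder set in a single call.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example: the map below is a stand-in for HttpSession attributes (assumption).
public class SessionAtomicityDemo {
    // Immutable holder: both fields are published by a single put/setAttribute call.
    static final class UserInfo {
        final int id; final String name;
        UserInfo(int id, String name) { this.id = id; this.name = name; }
    }
    static final Map<String, Object> attrs = new ConcurrentHashMap<>();
    static volatile boolean running;

    // One request thread updating the login identity.
    static void write(boolean useHolder, int i) {
        if (useHolder) {
            attrs.put("USER", new UserInfo(i, "user" + i));
        } else {
            attrs.put("USERID", i);            // a reader can run between
            attrs.put("USERNAME", "user" + i); // these two calls
        }
    }

    // Runs a writer against a concurrent reader; returns the number of inconsistent reads.
    static int tornReads(boolean useHolder) throws InterruptedException {
        attrs.clear();
        write(useHolder, 0);
        running = true;
        Thread writer = new Thread(() -> { for (int i = 0; running; i++) write(useHolder, i); });
        writer.start();
        int torn = 0;
        for (int n = 0; n < 2_000_000; n++) {
            if (useHolder) {
                UserInfo u = (UserInfo) attrs.get("USER");
                if (!u.name.equals("user" + u.id)) torn++;
            } else {
                int id = (Integer) attrs.get("USERID");
                String name = (String) attrs.get("USERNAME");
                if (!name.equals("user" + id)) torn++;
            }
        }
        running = false;
        writer.join();
        return torn;
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("two attributes, torn reads: " + tornReads(false));
        System.out.println("one immutable holder, torn reads: " + tornReads(true));
    }
}
```

The first count varies from run to run with thread timing; the second is always 0 because the reader obtains both fields from one get.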
Other related links:
http://stackoverflow.com/questions/616601/is-httpsession-thread-safe-are-set-get-attribute-thread-safe-operations
http://stackoverflow.com/questions/5232846/request-get-setattribute-vs-this-getservletcontext-get-setattribute
https://issues.apache.org/bugzilla/show_bug.cgi?id=36541