Kuali Rice Development
  1. Kuali Rice Development
  2. KULRICE-5002

clear GlobalVariables after request is processed


    • Type: Bug Fix Bug Fix
    • Status: Open Open
    • Priority: Major Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: Backlog
    • Component/s: Development
    • Security Level: Public (Public: Anyone can view)
    • Labels:
    • Similar issues:
      KULRICE-9996Clear form call after closing lightbox throws an exception
      KULRICE-3833Add a parm to clear FYIs after a certain number of days
      KULRICE-1823KualiHttpSessionListener sessionDestroyed method does not have valid UserSession in GlobalVariables
      KULRICE-7009Profile the view process (complete request/response) for bottlenecks
      KULRICE-14210KualiHttpSessionListener releases wrong locks
      KULRICE-3658Extension attributes on new objects are deleted by workflow processing
      KULRICE-13813Review and revise release doc process
      KULRICE-6444Create values on lookup should not clear readonly field values that were passed on the request
      KULRICE-3908Approve fails to clear out saved ad hoc route requests...
      KULRICE-13706Review and revise license check process
    • Rice Module:
    • KAI Review Status:
      Not Required
    • KTI Review Status:
      Not Required


      The KualiRequestProcessor calls GlobalVariables.setUserSession(..) and clears the rest of the variables. The point where these appear to be unset is in KualiHttpSessionListener.sessionDestroyed(..). This can cause a leak of data between users if GlobalVariables is used anywhere other than below the KualiRequestProcessor (for example, accessing /portal.jsp, a DWR service, etc.)

      Example: User A is logged in, and access a Struts action on request processing thread 1. User B comes along, logs in, and has GlobalVariables established on request processing thread 2. User B's page calls a DWR service; servlet engine uses request processing thread 1 to handle call. DWR service calls GlobalVariables.getUserSession() which returns user A.

      I would recommend the following change of code, or alternatively deciding that GlobalVariables should only be used in Struts actions and updating the Javadoc respectively.

      public void process(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
          try {
      ... existing code in process(..)
          } finally {


        Jessica Coltrin (Inactive) made changes -
        Field Original Value New Value
        Fix Version/s 1.0.4? [ 16014 ]
        Scott Gibson (Inactive) made changes -
        Security User [ 10014 ] Public [ 10015 ]
        Jessica Coltrin (Inactive) made changes -
        Fix Version/s 2.x-backlog [ 15811 ]
        Fix Version/s 1.x-backlog [ 16014 ]
        Jessica Coltrin (Inactive) made changes -
        Start Date
        Fix Date [ set to sprint end date ]
        Shem Patterson (Inactive) made changes -
        Workflow custom [ 90793 ] Copy of custom for rice [ 207022 ]
        Shem Patterson (Inactive) made changes -
        Workflow Copy of custom for rice [ 207022 ] custom [ 216770 ]
        Shem Patterson (Inactive) made changes -
        Workflow custom [ 216770 ] Rice Workflow [ 226518 ]
        Kristina Taylor (Inactive) made changes -
        Fix Version/s Middleware Backlog [ 17860 ]
        Fix Version/s Backlog [ 15811 ]
        Kristina Taylor (Inactive) made changes -
        Fix Version/s Backlog [ 15811 ]
        Fix Version/s Middleware Backlog [ 17860 ]
        Kristina Taylor (Inactive) made changes -
        Rank Ranked higher
        Kristina Taylor (Inactive) made changes -
        Rank Ranked higher
        Eric Westfall made changes -
        Labels Old


          • Assignee:
            Ken Geis
          • Votes:
            0 Vote for this issue
            0 Start watching this issue


            • Created:

              Structure Helper Panel