  1. Kuali Rice Development
  2. KULRICE-5002

clear GlobalVariables after request is processed

    Details

    • Type: Bug Fix
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: Backlog
    • Component/s: Development
    • Security Level: Public (Public: Anyone can view)
    • Labels:
    • Rice Module:
      KNS
    • KAI Review Status:
      Not Required
    • KTI Review Status:
      Not Required

      Description

      The KualiRequestProcessor calls GlobalVariables.setUserSession(..) and clears the rest of the variables. The point where these appear to be unset is in KualiHttpSessionListener.sessionDestroyed(..). This can cause a leak of data between users if GlobalVariables is used anywhere other than below the KualiRequestProcessor (for example, accessing /portal.jsp, a DWR service, etc.).

      Example: User A is logged in, and accesses a Struts action on request processing thread 1. User B comes along, logs in, and has GlobalVariables established on request processing thread 2. User B's page calls a DWR service; the servlet engine uses request processing thread 1 to handle the call. The DWR service calls GlobalVariables.getUserSession(), which returns user A.

      I would recommend the following change of code, or alternatively deciding that GlobalVariables should only be used in Struts actions and updating the Javadoc respectively.

      public void process(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
          try {
              // ... existing code in process(..)
          } finally {
              // Always unset the per-request state so the next request served by this thread cannot see it.
              GlobalVariables.setUserSession(null);
              GlobalVariables.clear();
          }
      }
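
The thread-reuse scenario from the report, reproduced as an added stand-alone example (not part of the original issue and not Rice code). It assumes GlobalVariables keeps its state per thread; `ThreadLocalLeakDemo`, `USER_SESSION` and the method names are hypothetical stand-ins. Without the `finally`, the second task on the reused thread reads user A's value; with it, the read returns null.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added illustration: every name here is a hypothetical stand-in, not a Rice class.
public class ThreadLocalLeakDemo {
    // Stand-in for GlobalVariables, assumed to hold the user session per thread.
    static final ThreadLocal<String> USER_SESSION = new ThreadLocal<>();

    // Stand-in for process(..) as the report describes it: sets the session, never unsets it.
    static void leakyProcess(String user) {
        USER_SESSION.set(user);
        // ... Struts action work would run here ...
    }

    // Same processor with the try/finally the report recommends.
    static void fixedProcess(String user) {
        try {
            USER_SESSION.set(user);
            // ... Struts action work would run here ...
        } finally {
            // remove() plays the role of setUserSession(null) plus clear() in this stand-in.
            USER_SESSION.remove();
        }
    }

    // Stand-in for a DWR service or /portal.jsp: reads the session without passing through the processor.
    static String unprocessedRead() {
        return USER_SESSION.get();
    }

    // Runs user A's Struts request, then user B's DWR call, on the same pooled thread.
    static String seenByDwrCall(boolean clearAfterRequest) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor(); // one worker forces thread reuse
        try {
            Runnable userARequest = () -> {
                if (clearAfterRequest) fixedProcess("userA"); else leakyProcess("userA");
            };
            Callable<String> userBDwrCall = ThreadLocalLeakDemo::unprocessedRead;
            pool.submit(userARequest).get();        // wait until A's request has finished
            return pool.submit(userBDwrCall).get(); // B's call lands on the thread A just used
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("session seen without finally: " + seenByDwrCall(false));
        System.out.println("session seen with finally:    " + seenByDwrCall(true));
    }
}
```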
      


            People

            • Assignee:
              Unassigned
              Reporter:
              kgeis Ken Geis
