[KULRICE-5002] clear GlobalVariables after request is processed
Created: 24/Feb/11
Updated: 16/Jan/15

Status: Open
Project: Kuali Rice Development
Component/s: Development
Affects Version/s: None
Fix Version/s: Backlog
Security Level: Public (Public: Anyone can view)

Type: Bug Fix
Priority: Major
Reporter: Ken Geis
Assignee: Unassigned
Resolution: Unresolved
Votes: 0
Labels: Old
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Rice Module: KNS
KAI Review Status: Not Required
KTI Review Status: Not Required

Description

The KualiRequestProcessor calls GlobalVariables.setUserSession(..) and clears the rest of the variables. The point where these appear to be unset is in KualiHttpSessionListener.sessionDestroyed(..). This can cause a leak of data between users if GlobalVariables is used anywhere other than below the KualiRequestProcessor (for example, accessing /portal.jsp, a DWR service, etc.)

Example: User A is logged in, and accesses a Struts action on request processing thread 1. User B comes along, logs in, and has GlobalVariables established on request processing thread 2. User B's page calls a DWR service; the servlet engine uses request processing thread 1 to handle the call. The DWR service calls GlobalVariables.getUserSession(), which returns user A.

I would recommend the following change of code, or alternatively deciding that GlobalVariables should only be used in Struts actions and updating the Javadoc accordingly.

public void process(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
    try {
        // ... existing code in process(..)
    } finally {
        // Always drop per-thread state before the thread returns to the pool.
        GlobalVariables.setUserSession(null);
        GlobalVariables.clear();
    }
}
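
The scenario described above, reproduced as an added example that is not Kuali Rice code. It assumes GlobalVariables keeps its state per thread; USER_SESSION, processLeaky, processWithCleanup and dwrCall are hypothetical stand-ins. Without the cleanup the second call on the reused thread sees "userA"; with it, the call sees null.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadLocalLeakDemo {
    // Hypothetical stand-in for GlobalVariables: state held per thread (assumption).
    static final ThreadLocal<String> USER_SESSION = new ThreadLocal<>();

    // Models a Struts request: the processor sets the session and never clears it.
    static void processLeaky(String user) {
        USER_SESSION.set(user);
        // ... action executes; the thread goes back to the pool still holding 'user'
    }

    // Same request with the try/finally cleanup proposed in the ticket.
    static void processWithCleanup(String user) {
        try {
            USER_SESSION.set(user);
            // ... action executes
        } finally {
            // remove() stands in for setUserSession(null) followed by clear()
            USER_SESSION.remove();
        }
    }

    // Models a call that never passes through the request processor (e.g. a DWR service).
    static String dwrCall() {
        return USER_SESSION.get();
    }

    // Runs user A's request, then user B's DWR call, on the same pooled thread.
    static String run(boolean cleanup) throws Exception {
        // A single worker models "request processing thread 1" being reused.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            Runnable userARequest = cleanup
                    ? () -> processWithCleanup("userA")
                    : () -> processLeaky("userA");
            pool.submit(userARequest).get();
            Callable<String> userBCall = ThreadLocalLeakDemo::dwrCall;
            return pool.submit(userBCall).get();
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("without cleanup, DWR call sees: " + run(false));
        System.out.println("with cleanup, DWR call sees:    " + run(true));
    }
}
```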
