Details

      Description

      Executing multiple request using the same http context as recommended mixes authenticated connections among different users.

      If we execute two request usign the same context, the first request adds the user token to the http context as well as to the connection properties. The second request fins already a user token in the http context but if a new connection will be created (no free connection in the pool) this new connection is never assigned to an user token and is used independent of any user context!

      see DefaultRequestDirector:

      // See if we have a user token bound to the execution context
      Object userToken = context.getAttribute(ClientContext.USER_TOKEN);
      ...
      if (managedConn != null && userToken == null) {
      userToken = userTokenHandler.getUserToken(context);
      context.setAttribute(ClientContext.USER_TOKEN, userToken);
      if (userToken != null)

      { managedConn.setState(userToken); }

      }

      and RouteSpecificPool:

      public BasicPoolEntry allocEntry(final Object state) {
      if (!freeEntries.isEmpty()) {
      ListIterator<BasicPoolEntry> it = freeEntries.listIterator(freeEntries.size());
      while (it.hasPrevious()) {
      BasicPoolEntry entry = it.previous();
      if (entry.getState() == null || LangUtils.equals(state, entry.getState()))

      { it.remove(); return entry; }

        Activity

        No work has yet been logged on this issue.

          People

          • Assignee:
            Unassigned
            Reporter:
            Ralf Pöhlmann
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development