Details

      Description

      Executing multiple request using the same http context as recommended mixes authenticated connections among different users.

      If we execute two request usign the same context, the first request adds the user token to the http context as well as to the connection properties. The second request fins already a user token in the http context but if a new connection will be created (no free connection in the pool) this new connection is never assigned to an user token and is used independent of any user context!

      see DefaultRequestDirector:

      // See if we have a user token bound to the execution context
      Object userToken = context.getAttribute(ClientContext.USER_TOKEN);
      ...
      if (managedConn != null && userToken == null) {
      userToken = userTokenHandler.getUserToken(context);
      context.setAttribute(ClientContext.USER_TOKEN, userToken);
      if (userToken != null)

      { managedConn.setState(userToken); }

      }

      and RouteSpecificPool:

      public BasicPoolEntry allocEntry(final Object state) {
      if (!freeEntries.isEmpty()) {
      ListIterator<BasicPoolEntry> it = freeEntries.listIterator(freeEntries.size());
      while (it.hasPrevious()) {
      BasicPoolEntry entry = it.previous();
      if (entry.getState() == null || LangUtils.equals(state, entry.getState()))

      { it.remove(); return entry; }

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              ralf.poehlmann Ralf Pöhlmann
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: