HttpComponents HttpClient / HTTPCLIENT-1186

NTLM authenticated connections are mixed


Details

    Description

      Executing multiple requests using the same HTTP context, as recommended, mixes authenticated connections among different users.

      If we execute two requests using the same context, the first request adds the user token to the HTTP context as well as to the connection properties. The second request finds a user token already in the HTTP context, but if a new connection is created (no free connection in the pool), this new connection is never assigned to a user token and is used independently of any user context!

      see DefaultRequestDirector:

      // See if we have a user token bound to the execution context
      Object userToken = context.getAttribute(ClientContext.USER_TOKEN);
      ...
      // The connection state is only set when the context had no token yet
      if (managedConn != null && userToken == null) {
          userToken = userTokenHandler.getUserToken(context);
          context.setAttribute(ClientContext.USER_TOKEN, userToken);
          if (userToken != null) {
              managedConn.setState(userToken);
          }
      }

      and RouteSpecificPool:

      public BasicPoolEntry allocEntry(final Object state) {
          if (!freeEntries.isEmpty()) {
              ListIterator<BasicPoolEntry> it = freeEntries.listIterator(freeEntries.size());
              while (it.hasPrevious()) {
                  BasicPoolEntry entry = it.previous();
                  // An entry whose state is null matches any requested state
                  if (entry.getState() == null || LangUtils.equals(state, entry.getState())) {
                      it.remove();
                      return entry;
                  }
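
      An added example, not part of the original report and not HttpClient code: a self-contained model of the two excerpts showing how a connection left without state is later handed to a different user. `Conn`, `alloc`, `execute`, `run`, the `bindAlways` switch and the users alice and bob are hypothetical names, and the "always bind" branch is an assumed hardening, not the project's fix.

```java
import java.util.*;

// Simplified model of the two excerpts; not HttpClient source code.
public class StateBindingDemo {
    static class Conn {
        Object state;            // user token bound to the pool entry
        String authenticatedAs;  // identity established by the NTLM handshake
    }
    static final Deque<Conn> free = new ArrayDeque<>();

    // Same matching rule as the allocEntry excerpt: a null state matches any caller.
    static Conn alloc(Object state) {
        for (Iterator<Conn> it = free.iterator(); it.hasNext();) {
            Conn c = it.next();
            if (c.state == null || Objects.equals(state, c.state)) { it.remove(); return c; }
        }
        return new Conn();       // nothing suitable in the pool: open a new connection
    }

    // One request. bindAlways=false mirrors the DefaultRequestDirector excerpt.
    static Conn execute(Map<String, Object> ctx, String user, boolean bindAlways) {
        Object token = ctx.get("USER_TOKEN");
        Conn c = alloc(token);
        if (c.authenticatedAs == null) c.authenticatedAs = user; // handshake on a new connection
        if (token == null) {
            token = user;        // stands in for userTokenHandler.getUserToken(context)
            ctx.put("USER_TOKEN", token);
            c.state = token;
        } else if (bindAlways && c.state == null) {
            c.state = token;     // assumed hardening: bind every connection the context uses
        }
        return c;
    }

    // Returns the identity already authenticated on the connection bob receives.
    static String run(boolean bindAlways) {
        free.clear();
        Map<String, Object> shared = new HashMap<>(), bobCtx = new HashMap<>();
        Conn c1 = execute(shared, "alice", bindAlways); // token stored, c1 bound to alice
        Conn c2 = execute(shared, "alice", bindAlways); // c1 still leased, so c2 is new
        free.add(c1); free.add(c2);                      // both released to the pool
        return execute(bobCtx, "bob", bindAlways).authenticatedAs;
    }

    public static void main(String[] args) {
        System.out.println("as in excerpts: bob gets a connection authenticated as " + run(false));
        System.out.println("always bind:    bob gets a connection authenticated as " + run(true));
    }
}
```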

          People

            Unassigned
            Ralf Pöhlmann (ralf.poehlmann)