0

I am using Struts 2 v 2.3.16.3 with tomcat 6.

A user will click on an action which finds an object by id and the page displays it. I have encountered a sporadic bug where the user will all of a sudden get the id of another lookup from another user on another machine. So effectively they are both calling the same action but passing different id to the request, but both end up viewing the same id.

This is obviously disastrous, and the data is totally corrupted as both users think they are editing a different record. Any ideas how make sure session/request activity is kept secure to each session?

I am also using spring and am using the @Transactional annotation in my Service layer, which returns the objects from the DAO. Is there something I need to do with this annotation to make it secure for each session ?

I am using org.springframework.orm.hibernate3.HibernateTransactionManager

Roman C
  • 49,761
  • 33
  • 66
  • 176
Spunog
  • 309
  • 3
  • 11
  • No, this annotation won't help you, passing different id won't make em secure but you should test parameters passing before you proceed to secure them. – Roman C Oct 13 '14 at 16:20

1 Answers1

1

Classic Thread-UnSafe problem.

Since you nominated Spring, my first guess is that you have not specified the right scope for your action beans in Spring xml configuration.

Be sure you are using scope="prototype" because otherwise the default scope of Spring is Singleton, and you don't want a single(ton) instance of an Action, that would not be ThreadLocal (and hence ThreadSafe) anymore.

If it is not that, it could be something on an Interceptor (that, differently from an action, is not Thread Safe), or you are using something static (in your Business / DAO layer, or in the Action itself) that should be not.

Community
  • 1
  • 1
Andrea Ligios
  • 49,480
  • 26
  • 114
  • 243
  • Thanks, I figured it was something along these lines but you homed in on the target directly. – Spunog Oct 14 '14 at 08:34