Servlet and JSP thread security issues

When compiling Servlet and JSP, the thread security issue is easily ignored. If you ignore this issue, your program may have potential risks.

1. servlet Lifecycle
The servlet lifecycle is the responsibility of the Web Container. When the client requests the servlet for the first time, the container initializes the servlet, that is, instantiates the servlet class. in the future, this instance will be responsible for client requests. Generally, other Servlet classes will not be instantiated, that is, multiple threads are using this instance. servlet is more efficient than CGI because servlet is multi-threaded. if the servlet is declared as a single-threaded model, the container will maintain an instance pool and there will be multiple instances.

2. servlet thread security
The servlet specification has declared that servlet is NOT thread-safe, so you should note this issue when developing servlet. A realistic model is used to describe the problem. First, a servlet class is defined, and then a smulatemultithread class and webcontainer class are defined.
Import javax. servlet. http. httpservlet;
Import javax. servlet. servletexception;
Import javax. servlet. http. httpservletrequest;
Import javax. servlet. http. httpservletresponse;
Import java. Io. ioexception;

// This class simulates the multi-thread servlet situation
Public class smulatemultithread implements runnable {
Public smulatemultithread (){
}
Public static void main (string [] ARGs ){
// Process 100 requests
For (INT I = 0; I <100; I ++)
{
New thread (New smulatemultithread (). Start ();
}
}
Public void run (){
Httpservletrequest request = NULL;
Httpservletresponse response = NULL;
Try {
Webcontainer. getservlet (). doget (request, response );
}
Catch (ioexception ex ){
}
Catch (servletexception ex ){
}
}
}
// This is a servlet class
Class unsafeservlet extends httpservlet {
Private string unsafe;
Public void Init () throws servletexception {
}
// Process the http get request
Public void doget (httpservletrequest request, httpservletresponse response) throws servletexception, ioexception {
Unsafe = thread. currentthread (). getname ();
System. Out. println (unsafe );
}
}
// This is the container class
Class webcontainer {
Private Static unsafeservlet US = new unsafeservlet ();
Public static unsafeservlet getservlet (){
Return us;
}
}
Output 100 different thread names. If 100 requests are processed by this servlet at the same time, unsafe may have 100 types of de-value, and the client will get an error value. for example, the thread name requested by client 1 is thread-1, but the returned value may be thread-20. in reality, the user name I log on to is user1, Which is changed to user2.
So how can we ensure servlet security? If multiple threads can be shared, don't use it (instance variables + class variables). It's that simple. you can also use the synchronized synchronization method, but the efficiency is not high. You can also use a single-threaded model, which is less efficient. When 100 requests come at the same time, you need to instantiate 100 instances.
The temporary variables in the method do not affect thread security because they allocate space on the stack and each thread has its own private stack space.

3. thread security in JSP
The essence of JSP is servlet. All JSP security problems can be easily understood as long as they understand servlet security issues. <%! %> The declared variables are servlet instance variables, not thread-safe. Others are thread-safe.
<%! String unsafevar; %> // NOT thread-safe
<% String safevar; %> // thread-safe

Conclusion: thread security issues are mainly caused by instance variables. Do not use instance variables in servlet, JSP, or struts actions. Do not use instance variables in any method, your program is thread-safe.