1. Servlet Lifecycle
The Servlet lifecycle is the responsibility of the Web Container. When a client requests the Servlet for the first time, the container initializes the Servlet, that is, it instantiates the Servlet class. From then on, this instance is responsible for client requests. Generally, no further instances of the Servlet class are created, which means multiple threads use this one instance. Servlet is more efficient than CGI because Servlet is multi-threaded. If the Servlet is declared as using the single-threaded model, the container maintains an instance pool and multiple instances exist.
2. Servlet and JSP thread safety
The Servlet specification states that a Servlet is NOT thread-safe, so you should keep this in mind when developing Servlets. Here we use a realistic model to illustrate the problem. First we define a Servlet class, and then a SmulateMultiThread class and a WebContainer class.
```java
import javax.servlet.http.HttpServlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

// This class simulates the multi-threaded Servlet situation
public class SmulateMultiThread implements Runnable {
    public SmulateMultiThread() {
    }

    public static void main(String[] args) {
        // Process 100 requests, each on its own thread
        for (int i = 0; i < 100; i++) {
            new Thread(new SmulateMultiThread()).start();
        }
    }

    public void run() {
        // The simulation does not need real request/response objects
        HttpServletRequest request = null;
        HttpServletResponse response = null;
        try {
            // Every thread calls doGet on the same shared Servlet instance
            WebContainer.getServlet().doGet(request, response);
        } catch (IOException ex) {
            // ignored in this simulation
        } catch (ServletException ex) {
            // ignored in this simulation
        }
    }
}

// This is a Servlet class
class UnsafeServlet extends HttpServlet {
    // Instance variable: shared by every thread that uses this Servlet
    private String unsafe;

    public void init() throws ServletException {
    }

    // Process the HTTP GET request
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Another thread can overwrite the field between these two statements
        unsafe = Thread.currentThread().getName();
        System.out.println(unsafe);
    }
}

// This is the container class
class WebContainer {
    // The container keeps a single Servlet instance for all requests
    private static UnsafeServlet us = new UnsafeServlet();

    public static UnsafeServlet getServlet() {
        return us;
    }
}
```
The program outputs 100 different thread names. If 100 requests are processed by this Servlet at the same time, unsafe may take 100 different values, and a client can get a wrong value. For example, the thread name for client 1's request is thread-1, but the returned value may be thread-20. In a real application, the user name I log on with is user1, and it gets changed to user2. So how can a Servlet be made thread-safe? For anything that multiple threads can share, do not use instance variables or class variables. You can also use synchronized methods, but the efficiency is not high. You can also use the single-threaded model, which is less efficient: when 100 requests come at the same time, 100 instances need to be instantiated.
Local variables in a method do not affect thread safety, because they are allocated on the stack and each thread has its own private stack space.
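The following is an added example, not the article's code: it reproduces the problem from section 2 without a servlet container and counts how many responses carry another request's user, first with an instance field and then with a local variable. The class and handler names are hypothetical, the user names are constructed, and a CyclicBarrier forces the pause between write and read that a loaded container only produces by chance.

```java
import java.util.concurrent.CyclicBarrier;
import java.util.concurrent.atomic.AtomicInteger;

// Added example; SharedFieldRace, UnsafeHandler and SafeHandler are hypothetical names.
public class SharedFieldRace {
    static final int REQUESTS = 100;
    // Makes every simulated request pause between its write and its read.
    static final CyclicBarrier midRequest = new CyclicBarrier(REQUESTS);

    interface Handler { String handle(String user) throws Exception; }

    // Mirrors UnsafeServlet: per-request data kept in an instance field.
    static class UnsafeHandler implements Handler {
        private String user;
        public String handle(String user) throws Exception {
            this.user = user;
            midRequest.await();
            return this.user;          // may now hold another request's user
        }
    }

    // Fix: per-request data lives in a local variable on the thread's own stack.
    static class SafeHandler implements Handler {
        public String handle(String user) throws Exception {
            String current = user;
            midRequest.await();
            return current;
        }
    }

    // Runs REQUESTS concurrent calls on ONE shared handler; counts wrong-user responses.
    static int crossedResponses(Handler shared) throws InterruptedException {
        AtomicInteger crossed = new AtomicInteger();
        Thread[] threads = new Thread[REQUESTS];
        for (int i = 0; i < REQUESTS; i++) {
            String user = "user" + i;  // constructed sample identity
            threads[i] = new Thread(() -> {
                try {
                    if (!user.equals(shared.handle(user))) crossed.incrementAndGet();
                } catch (Exception e) { throw new IllegalStateException(e); }
            });
            threads[i].start();
        }
        for (Thread t : threads) t.join();
        return crossed.get();
    }
    public static void main(String[] args) throws InterruptedException {
        System.out.println("instance field: " + crossedResponses(new UnsafeHandler()) + " crossed");
        System.out.println("local variable: " + crossedResponses(new SafeHandler()) + " crossed");
    }
}
```

Because every thread writes before any thread reads, the shared field ends up holding a single user name, so all requests but one get someone else's identity back; the local-variable version returns none crossed.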
3. Thread safety in JSP
The essence of JSP is Servlet. As long as you understand the thread-safety issues of Servlet, those of JSP should be easy to understand. Variables declared with <%! %> are Servlet instance variables and are not thread-safe. The others are thread-safe.

```jsp
<%! String unsafeVar; %>  // NOT thread-safe
<% String safeVar; %>     // Thread-safe
```

Summary: thread-safety issues are mainly caused by instance variables. Do not use instance variables in Servlets and JSP, or in Struts actions. If no method uses instance variables, your program is thread-safe.