Servlet security questions (forwarding)

Source: Internet
Author: User

1. How does the servlet container process multiple requests at the same time?

A servlet uses multiple threads to handle requests that arrive simultaneously. The servlet container maintains a thread pool to serve requests.
The thread pool is a set of threads waiting for code to execute. The servlet container uses a scheduling thread (the dispatcher thread) to manage the worker threads.

When the container receives a request for a servlet, the dispatcher thread selects a worker thread from the thread pool and passes the request to it, and that thread executes the servlet's service method.
If the container receives another request while this thread is still executing, the dispatcher thread selects another worker thread from the pool to serve the new request. The container does not care whether the request is for the same servlet or a different one.
When the container receives multiple requests for the same servlet at the same time, the service method of that servlet is executed concurrently in multiple threads.


2. By default, servlet containers process requests in a single-instance, multi-threaded manner. This reduces the cost of creating servlet instances and improves the response time to requests. For Tomcat, you can use the <Connector> element in server.xml to set the number of threads in the thread pool.

As for the implementation:
The dispatcher thread class does what its name says: its responsibility is scheduling threads. It needs only its own attributes to fulfill that responsibility, so the responsibility is concentrated in one unique object.
Other objects depend on the responsibility of this specific object, so they need to obtain that specific object. The class is therefore an implementation of the singleton pattern.

3. How to develop a thread-safe servlet
1. Thread safety of variables: the variables here are fields and shared data (such as form parameter values).

A. Keep parameter variables local. Threads do not share local variables, so use local variables in a servlet wherever possible.
Example: String user = "";
user = request.getParameter("user");

B. Use a synchronized block to protect code that may be called concurrently. This means that threads have to queue to execute it.
When using synchronized blocks, keep the scope of the synchronized code as narrow as possible. Do not apply synchronization directly to the service method or the response methods, because that seriously affects performance.

 

2. Thread safety of attributes: attributes in the ServletContext, HttpSession, and ServletRequest objects
ServletContext: (not thread-safe)
Attributes of the ServletContext can be read and written by multiple threads at the same time, so it is not thread-safe. You need to synchronize read/write operations on its attributes or work on a deep copy (clone()).
Therefore, store as little modifiable (written) data as possible in the servlet context. You can share data among multiple servlets in other ways, for example by using the singleton pattern to handle shared data.
HttpSession: (not thread-safe)
An HttpSession object exists for the duration of a user session and can only be accessed in the threads that process requests from that session. Attribute access on session objects is therefore theoretically thread-safe.
However, when a user opens multiple browser windows that belong to the same process, access from these windows belongs to the same session. Multiple requests are sent and multiple worker threads are needed to process them, which can lead to several threads reading and writing attributes at the same time.
In this case, reads and writes of the attribute must be synchronized: use a synchronized block and read/write tools.

ServletRequest: (thread-safe)
Each request is executed by one worker thread, and a new ServletRequest object is created for it. The ServletRequest object can therefore only be accessed in one thread, and ServletRequest is thread-safe.
Note: the ServletRequest object is valid only within the scope of the service method. Do not keep a reference to the request object after the service method ends.

3. Use the synchronized collection classes:
Use Vector instead of ArrayList, and use Hashtable instead of HashMap.

4. Do not create your own threads in a servlet to complete a task.
The servlet itself is multi-threaded. Creating further threads in the servlet complicates execution and causes multi-threading safety issues.

5. External objects (such as files) that are accessed from multiple servlets must be locked for mutually exclusive access.
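
The difference between an instance field and a local variable described in item 1 (A and B) above, as an added example that is not part of the original article: a plain-JDK simulation of one servlet instance served by a pool of worker threads, with no servlet API involved. Handler, UnsafeHandler, SafeHandler and run() are hypothetical names, and the requests are constructed sample values.

```java
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

// Added example (hypothetical names): one handler instance shared by all worker threads.
public class ServletFieldRace {
    interface Handler { String service(String userParam) throws InterruptedException; }

    // Anti-pattern: request data kept in an instance field that every thread shares.
    static class UnsafeHandler implements Handler {
        private String user = "";
        public String service(String userParam) throws InterruptedException {
            user = userParam;          // another thread may overwrite this field...
            Thread.sleep(1);           // ...while this request is still being processed
            return user;               // may now hold a different request's value
        }
    }

    // Item A: local variable for request data. Item B: narrow synchronized block.
    static class SafeHandler implements Handler {
        private int hits = 0;          // shared on purpose, so every access is guarded
        public String service(String userParam) throws InterruptedException {
            String user = userParam;   // lives on this thread's stack only
            Thread.sleep(1);           // slow work stays outside the lock
            synchronized (this) { hits++; }
            return user;
        }
        synchronized int hits() { return hits; }
    }

    // Sends constructed requests through one handler on 8 worker threads and counts
    // the responses that carry another request's user value.
    static int run(Handler h, int requests) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(8);
        AtomicInteger mixedUp = new AtomicInteger();
        for (int i = 0; i < requests; i++) {
            String expected = "user-" + i;
            pool.submit(() -> {
                if (!expected.equals(h.service(expected))) mixedUp.incrementAndGet();
                return null;
            });
        }
        pool.shutdown();
        pool.awaitTermination(30, TimeUnit.SECONDS);
        return mixedUp.get();
    }

    public static void main(String[] args) throws Exception {
        SafeHandler safe = new SafeHandler();
        System.out.println("field, mixed-up responses: " + run(new UnsafeHandler(), 400));
        System.out.println("local, mixed-up responses: " + run(safe, 400) + ", hits: " + safe.hits());
    }
}
```

Every mixed-up response counted for the field version is one request answered with another request's user value, which in a real servlet means one user's data being returned to a different user.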

4. The SingleThreadModel interface
The javax.servlet.SingleThreadModel interface is a marker interface. If a servlet implements this interface, the servlet container ensures that only one thread at a time executes the service method of a given servlet instance. All other requests are queued.
Instead of queuing requests for a single instance, the server can use multiple instances to process requests. The server creates an instance pool made up of multiple instances of the servlet class. For each request, the server allocates a servlet instance to handle the response and then returns it to the instance pool to wait for the next request. This again results in concurrent access.
In this case, local variables (fields) are safe, but global variables and shared data are not and need to be synchronized. For such data, the SingleThreadModel interface cannot solve the concurrent access problem.

The SingleThreadModel interface has been deprecated in the servlet specification.

From: http://blog.csdn.net/qfs_v/article/details/2652097
