Thread-safe issues with servlet and JSP

Js|servlet| Safety | issues

When writing servlet and JSP, thread-safety issues can easily be overlooked, and if you ignore the problem, there are potential pitfalls in your program.

Life cycle of 1.Servlet

The lifecycle of the servlet is the responsibility of the Web container, and when the client requests the servlet for the first time, the container is responsible for initializing the servlet, that is, instantiating the Servlet class. Later this instance is responsible for the client's request and will not normally instantiate other servlet classes. That is, multiple threads are using this instance. The servlet is more efficient than CGI because the servlet is multi-threaded. If the servlet is declared as a single-threaded model, the container maintains an instance pool, and there will be multiple instances.

2.Servlet Thread-Safe

The servlet specification has declared that the servlet is not thread-safe, so take this into account when developing the servlet. Here is a realistic model to illustrate the problem, first defining a servlet class, Define a Smulatemultithread class and Webcontainer class.

Import Javax.servlet.http.HttpServlet;

Import javax.servlet.ServletException;

Import Javax.servlet.http.HttpServletRequest;

Import Javax.servlet.http.HttpServletResponse;

Import java.io.IOException;

This class simulates the situation of a multithreaded servlet

public class Smulatemultithread implements runnable{

Public Smulatemultithread () {

}

public static void Main (string[] args) {

Processing 100 Requests

for (int i=0;i<100;i++)

{

New Thread (New Smulatemultithread ()). Start ();

}

}

public void Run () {

HttpServletRequest Request=null;

HttpServletResponse Response=null;

try {

Webcontainer.getservlet (). Doget (request, response);

}

catch (IOException ex) {

}

catch (Servletexception ex) {

}

}

}

This is a servlet class

Class Unsafeservlet extends httpservlet{

Private String unsafe;

public void Init () throws Servletexception {

}

Process the HTTP GET request

public void doget (HttpServletRequest request, httpservletresponse response) throws Servletexception, IOException {

Unsafe=thread.currentthread (). GetName ();

SYSTEM.OUT.PRINTLN (unsafe);

}

}

This is a container class.

Class webcontainer{

private static Unsafeservlet us=new Unsafeservlet ();

public static Unsafeservlet Getservlet () {

return us;

}

}

100 different thread names are exported, and if 100 requests are processed by the servlet, then the unsafe may have 100 values, and the client will get the wrong value. For example, the client 1 requests a thread named Thread-1, But the return to him may be thread-20. In reality, I landed the username is user1, after landing into a user2.

So how to be a servlet security, where multiple threads can be shared do not use (instance variables + class variables), it is so simple. You can also use the synchronized synchronization method, but this is inefficient and can also use a single-threaded model, which is less efficient. 100 requests will be instantiated at the same time to instantiate 100 instances.

Temporary variables in a method do not affect thread safety because they allocate space on the stack, and each thread has its own private stack space.

3.JSP Middle-range safety

JSP is the essence of the servlet, all as long as you understand the security of the servlet, JSP security issues should be easy to understand. Using <%! The variables declared by%> are instance variables of the servlet, not thread-safe, and others are thread-safe.

<%! String Unsafevar; %>//is not thread-safe

<% String Safevar; %>//Thread-Safe

Summary: Thread safety issues are mainly caused by instance variables, whether in the servlet or JSP, or in struts action, do not use instance variables, any method does not appear in the instance variable, your program is thread-safe.