I'm seeing some customers complain about the fact that WebSphere doesn't have a consistent ThreadLocal story. Depending on the version of WebSphere, we may or may not clear thread local when a thread is returned to the pool.
This is causing problems as it appears open source software assume that they can use ThreadLocal and this is just not true in a managed environment. ThreadLocal and thread pools just don't mix. You may get away with using ThreadLocal on a thread but as soon as you return and give that thread back to the application server then you can't assume:
- You'll get called again on the same thread.
- Even if you do get the same thread, it may have different threadlocal values as it may have been used by other applications.
Besides, it's a huge security risk. Suppose an application stores sensitive information on an object held in ThreadLocal. Another customer might send a request which gets processed on a thread just used by a different customer and then one can see the information for the other customer.
So, in a nut shell, don't use ThreadLocal if your code can be used in a managed environment. It appears a lot of open source software in wide use does use it, examples would be Spring and Xerces apparently. If you know of open source software that does then lobby to get it fixed. I can't see application server vendors supporting this type of programming in a managed environment.
When customers use async beans in WebSphere for threading, we recommend keeping the Thread state in the Runnable object rather than ThreadLocal because that'll work always. But, regardless, care has to be taken to make sure that security problems etc are not caused by naive use of ThreadLocal type mechanisms whether in the JDK or using an application specific mechanism.
UPDATE
Juergen in a comment below makes the comment that Spring only uses ThreadLocal during a synchronous call, i.e. it's ok if this state is discarded once the application returns. This will work BUT when Java 2 security is enabled then these APIs are likely to be APIs which are forbidden. Now, developers will need to argue with administrators to exclude spring.jar from these security rules and the result, as always, will be optimizing around the beaureacy, i.e. use software without this hassle.
Hello Billy,
Here is a question about websphere thread pool arithmetic. I wonder wether it works as below:
I set the min.(MIN) and max.(MAX) number of thread pool of a server.
When a request comes, the server will check wether there is still alive thread in pool, if yes, it will return one, if not, it will create a new thread and return it.
When a response complete, the thread is return to the server, then the server will check the pool's size, if it already bigger than MAX, then it just destory the thread, otherwise, it will return it into the pool.
Another question is if I set the thread timeout for server, how the server deal with the thread which has reached its timeout?
Thank you.
Posted by: | December 06, 2005 at 03:23 PM
Hello Billy,
Here is a question about websphere thread pool arithmetic. I wonder wether it works as below:
I set the min.(MIN) and max.(MAX) number of thread pool of a server.
When a request comes, the server will check wether there is still alive thread in pool, if yes, it will return one, if not, it will create a new thread and return it.
When a response complete, the thread is return to the server, then the server will check the pool's size, if it already bigger than MAX, then it just destory the thread, otherwise, it will return it into the pool.
Another question is if I set the thread timeout for server, how the server deal with the thread which has reached its timeout?
Thank you.
Posted by: DAI Jun | December 06, 2005 at 03:25 PM
Hi Billy
Is Work Area Service of WAS 6.0 a safer way to implement what Threadlocal does?? Are we safe from Threads not being cleared after it is returned to the Thread pool. Are there any cautions we need to take care while using Work Area Service if my requirement is simply to maintain thread state just like Threadlocal minus the hassle.
Posted by: Ranjit Aneesh | January 09, 2007 at 07:11 AM
Tramadol is a Pain killer abused by many, Huraaa for being a pharmacy student.an effective pain reliever (analgesic). Its mode of action resembles that of narcotics, but it has significantly less potential for abuse and addiction than the narcotics.
http://tramadolcom.info
Tramadol is a Pain killer abused by many, Huraaa for being a pharmacy student.
Posted by: woretes | June 02, 2007 at 07:49 AM
[url=http://www.spbgu.ru/blog33831#8]female domination video[/url]
[url=http://www.spbgu.ru/blog33832#3]amp domination submission[/url]
[url=http://www.spbgu.ru/blog33833#6]male foot fetish[/url]
[url=http://www.spbgu.ru/blog33834#8]my friends hot mom mrs vette[/url]
Posted by: derndecc | June 03, 2007 at 05:45 PM
Tramadol will not fix your ThreadLocal problems.
Posted by: Jim Manico | August 07, 2008 at 03:18 PM
no one has given an example of where this could be a problem. here is one:
two web application deployed in the same EAR (or even seperate EAR depending upon your class loader configuration and deployment) - both set a thread local which is a map of properties. one, in a given case, processing a web request doesnt set a property in the map and calls a service which reads that unset property. that unset property could contain a value from the other application.
fix: ensure you clear up your thread locals before your are finished with the thread. initialise ALL thread locals before using them - dont assume the threads you get from a pool are like a new thread.
Posted by: maxant | September 25, 2008 at 11:07 AM
ive summarised the things i have found about this topic under:
http://blog.maxant.co.uk/pebble/2008/09/23/1222200780000.html
Posted by: maxant | September 25, 2008 at 12:22 PM
Hi All,
One of my Customer is having problem with websphere. It is goes down suddenly then restart it , again it works fine.
Could some one please give suggestions on this ...
Thanks for your help in advance!
Thanks & Regards,
Raghu.
Posted by: Raghu | November 05, 2008 at 06:49 PM
http://searchitusa.com/search.php?q=Ambien - [color=red - [size=16 - To Buy Ambien Online[/size - [/color - http://searchitusa.com/search.php?q=Ambien - http://top2top.info/img/pharmacy1.jpg http://searchitusa.com/search.php?q=Ambien - [color=red - [size=15 - ENTER HERE[/size - [/color - Ambien cod accepted Cheap ambien cash on delivery Buy ambien without prescription Affect ambien side Order generic ambien online
Posted by: brendenr | February 19, 2009 at 04:57 PM