Web 应用程序中的静态 ThreadLocal 变量 - 是否存在任何安全/性能问题?
我正在我的 Java Web 应用程序中研究和试验 ThreadLocal 变量。我使用 ThreadLocal 变量在请求之前存储用户名(从会话中收集),然后在请求之后将其删除。我通过调用 ServletFilter 中的静态实用程序方法来完成此操作。我不简单地从会话中检索用户名的原因是因为我继承了一个具有长时间运行进程的系统,这些进程有时运行时间比会话超时允许的时间更长。我的想法是在处理请求之前获取用户名并将其存储在 ThreadLocal 变量中,这样我就可以在整个请求期间访问用户名,即使需要的时间超过 15 分钟。
我的问题是:
这种设计是否存在任何安全/性能问题?如果有,更好的解决方案是什么?即使不存在任何安全和/或性能问题,也欢迎更好的想法。我的解决方案的片段如下所示:
这是我的实用程序类,它将在我的过滤器以及我需要用户名的任何地方调用。
public abstract class UserUtil {
private static final ThreadLocal<String> threadUser = new ThreadLocal<String>();
public static String getUserId(){
return threadUser.get();
}
public static void setUserId(String userId){
threadUser.set(userId);
}
public static void removeUserId(){
threadUser.remove();
}
}
这是我的 servlet 过滤器,用于在请求之前设置用户名(并在请求之后通过 finally 块清除它)。
public class UserFilter implements Filter {
public void init(FilterConfig filterConfig) throws ServletException {
}
public void destroy() {
}
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
try {
HttpServletRequest request = (HttpServletRequest) servletRequest;
UserBean userBean = (UserBean) ((HttpServletRequest) servletRequest).getSession().getAttribute("userBean");
UserUtil.setUserId(userBean.getUserId());
filterChain.doFilter(servletRequest, servletResponse);
} finally{
UserUtil.removeUserId();
}
}
}
这是我的 web.xml 配置:
<!--web.xml-->
<web-app>
...
...
...
<filter>
<filter-name>UserFilter</filter-name>
<filter-class>filter.UserFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>UserFilter</filter-name>
<url-pattern>*.jsf</url-pattern>
</filter-mapping>
非常感谢任何想法:)
I am researching and experimenting with a ThreadLocal variable in my Java Web Application. I am using the ThreadLocal variable to store a username (collected from the session) before a request, and then removing it after the request. I have done this by calling a static utility method in a ServletFilter. The reason I do not simply retrieve the username from the session is because I have inherited a system with long-running processes that sometimes take longer to run than the session timeout would allow. My idea is to grab the username before the request is processed and store it in a ThreadLocal variable, thus giving me access to the username throughout the duration of the request even if it takes longer than 15 minutes.
My question is:
Are there any security/performance concerns with this design, and if so, what would be a better solution? Even if there aren't any security and/or performance issues, better ideas are welcome. Snippets from my solution are shown below:
Here is my utility class that would be called in my filter and anywhere that I would need the username.
public abstract class UserUtil {
private static final ThreadLocal<String> threadUser = new ThreadLocal<String>();
public static String getUserId(){
return threadUser.get();
}
public static void setUserId(String userId){
threadUser.set(userId);
}
public static void removeUserId(){
threadUser.remove();
}
}
Here is my servlet filter used to set the username before the request (and clear it via the finally block after the request).
public class UserFilter implements Filter {
public void init(FilterConfig filterConfig) throws ServletException {
}
public void destroy() {
}
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
try {
HttpServletRequest request = (HttpServletRequest) servletRequest;
UserBean userBean = (UserBean) ((HttpServletRequest) servletRequest).getSession().getAttribute("userBean");
UserUtil.setUserId(userBean.getUserId());
filterChain.doFilter(servletRequest, servletResponse);
} finally{
UserUtil.removeUserId();
}
}
}
Here's my web.xml configuration:
<!--web.xml-->
<web-app>
...
...
...
<filter>
<filter-name>UserFilter</filter-name>
<filter-class>filter.UserFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>UserFilter</filter-name>
<url-pattern>*.jsf</url-pattern>
</filter-mapping>
Any ideas are much appreciated :)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
这实际上是将安全信息附加到执行线程(或任何其他执行相关信息)的相当常见的方法。
它在 Java EE 服务器内部以及第三方代码/实用程序(如 Spring)中使用。
它会工作得很好。
This is actually a fairly common approach for attaching security information to the thread of execution (or any other execution related information).
It is used in Java EE servers internally and by 3rd party code/utils like Spring as well.
It will work just fine.