[cas-dev] SingleSignOutFilter is not thread-safe
Manfred Duchrow
manfred.duchrow at md-cs.de
Wed Jul 9 02:27:29 EDT 2008
SingleSignOutFilter uses a HashMapBackedSessionMappingStorage which internally
handles two HashMaps. Nothing is synchronized, but many concurrent threads can
cause get(), put() and remove() calls on these HashMaps.
For example this can cause a NullPointerException if a HashMap grows in one thread
and another thread tries to get a particular entry of that HashMap.
An easy way to solve this would be creating a subclass of SingleSignOutFilter
and set another (i.e. thread-safe) SessionMappingStorage implementation
via setSessionMappingStorage() call in the init() method.
But due to the strict 'final' policy of CAS it is not possible to extend
SingleSignOutFilter.
So you end up writing your own SingleSignOutFilter.
Or might it be OK for the CAS developers to remove this 'final'?
Another option would be to make HashMapBackedSessionMappingStorage thread-safe.
This refers to CAS Client 3.1.3
Cheers,
Manfred
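
Added example (not part of the original message and not CAS project code): a session mapping store that guards both maps with one lock, so a lookup can never observe a HashMap mid-resize and the two maps cannot drift apart, which would otherwise leave a session alive after single sign-out. The method names are modelled on the CAS client's SessionMappingStorage interface and the Session interface is a stand-in for HttpSession; both are assumptions made to keep the demo self-contained.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.*;

public class SynchronizedSessionMappingDemo {
    // Stand-in for javax.servlet.http.HttpSession (assumption for this demo).
    interface Session { String getId(); }
    // Every method takes the same monitor, so the pair of maps changes atomically.
    static final class SynchronizedSessionMapping {
        private final Map<String, Session> sessionsByMappingId = new HashMap<>();
        private final Map<String, String> mappingIdBySessionId = new HashMap<>();

        synchronized void addSessionById(String mappingId, Session session) {
            mappingIdBySessionId.put(session.getId(), mappingId);
            sessionsByMappingId.put(mappingId, session);
        }
        // Called when the container destroys a session (timeout or local logout).
        synchronized void removeBySessionById(String sessionId) {
            String mappingId = mappingIdBySessionId.remove(sessionId);
            if (mappingId != null) sessionsByMappingId.remove(mappingId);
        }
        // Called for a sign-out request: returns the session to invalidate, or null.
        synchronized Session removeSessionByMappingId(String mappingId) {
            Session session = sessionsByMappingId.remove(mappingId);
            if (session != null) mappingIdBySessionId.remove(session.getId());
            return session;
        }
        synchronized int size() { return sessionsByMappingId.size() + mappingIdBySessionId.size(); }
    }

    public static void main(String[] args) throws Exception {
        SynchronizedSessionMapping storage = new SynchronizedSessionMapping();
        ExecutorService pool = Executors.newFixedThreadPool(8);
        for (int t = 0; t < 8; t++) {
            final int worker = t;
            pool.submit(() -> {
                for (int i = 0; i < 10_000; i++) {
                    String sessionId = "session-" + worker + "-" + i; // constructed sample IDs
                    String ticket = "ST-" + worker + "-" + i;
                    storage.addSessionById(ticket, () -> sessionId);
                    if (i % 2 == 0) storage.removeSessionByMappingId(ticket);
                    else storage.removeBySessionById(sessionId);
                }
            });
        }
        pool.shutdown();
        if (!pool.awaitTermination(30, TimeUnit.SECONDS)) throw new IllegalStateException("timeout");
        if (storage.size() != 0) throw new IllegalStateException("maps out of sync: " + storage.size());
        System.out.println("all mappings removed, both maps empty");
    }
}
```

Swapping each HashMap for a ConcurrentHashMap would stop the resize-related failures but would not make the two-map update atomic, which is why this sketch uses a single lock instead.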