Fix race in VaadinService.lockSession() (#12282)7.1.2

The session might be invalidated before lockSession() acquires the lock. Check if the session is still valid after locking and ensure SessionExpiredException is thrown if not. Change-Id: Iad716332a65b7c198427fce5198f6808140c140c
author: Johannes Dahlström <johannesd@vaadin.com> 2013-08-05 15:47:16 +0300
committer: Vaadin Code Review <review@vaadin.com> 2013-08-06 13:14:39 +0000
commit: 7212e02a9b4eb02759f7b2195187a6e6db6bfb33 (patch)
tree: c7ba48f9e97f063240a2d59212116e58f97b7294
parent: 16d17f9824dfac7e55e3ca98444f9da3205c0336 (diff)
download: vaadin-framework-7212e02a9b4eb02759f7b2195187a6e6db6bfb33.tar.gz
vaadin-framework-7212e02a9b4eb02759f7b2195187a6e6db6bfb33.zip
1 files changed, 20 insertions, 1 deletions
diff --git a/server/src/com/vaadin/server/VaadinService.java b/server/src/com/vaadin/server/VaadinService.java
index 17bce7ad15..c9a5f0974a 100644
--- a/server/src/com/vaadin/server/VaadinService.java
+++ b/server/src/com/vaadin/server/VaadinService.java
@@ -564,6 +564,9 @@ public abstract class VaadinService implements Serializable {
      * 
      * @param wrappedSession
      *            The session to lock
+     * 
+     * @throws IllegalStateException
+     *             if the session is invalidated before it can be locked
      */
     protected void lockSession(WrappedSession wrappedSession) {
         Lock lock = getSessionLock(wrappedSession);
@@ -584,6 +587,17 @@ public abstract class VaadinService implements Serializable {
             }
         }
         lock.lock();
+
+        try {
+            // Someone might have invalidated the session between fetching the
+            // lock and acquiring it. Guard for this by calling a method that's
+            // specified to throw IllegalStateException if invalidated
+            // (#12282)
+            wrappedSession.getAttribute(getLockAttributeName());
+        } catch (IllegalStateException e) {
+            lock.unlock();
+            throw e;
+        }
     }
 
     /**
@@ -607,7 +621,12 @@ public abstract class VaadinService implements Serializable {
         WrappedSession wrappedSession = getWrappedSession(request,
                 requestCanCreateSession);
 
-        lockSession(wrappedSession);
+        try {
+            lockSession(wrappedSession);
+        } catch (IllegalStateException e) {
+            throw new SessionExpiredException();
+        }
+
         try {
             return doFindOrCreateVaadinSession(request, requestCanCreateSession);
         } finally {
author	Johannes Dahlström <johannesd@vaadin.com>	2013-08-05 15:47:16 +0300
committer	Vaadin Code Review <review@vaadin.com>	2013-08-06 13:14:39 +0000
commit	7212e02a9b4eb02759f7b2195187a6e6db6bfb33 (patch)
tree	c7ba48f9e97f063240a2d59212116e58f97b7294
parent	16d17f9824dfac7e55e3ca98444f9da3205c0336 (diff)
download	vaadin-framework-7212e02a9b4eb02759f7b2195187a6e6db6bfb33.tar.gz vaadin-framework-7212e02a9b4eb02759f7b2195187a6e6db6bfb33.zip