From 7212e02a9b4eb02759f7b2195187a6e6db6bfb33 Mon Sep 17 00:00:00 2001
From: Johannes Dahlström
Date: Mon, 5 Aug 2013 15:47:16 +0300
Subject: Fix race in VaadinService.lockSession() (#12282)
The session might be invalidated before lockSession() acquires the lock. Check if the session is still valid after locking and ensure SessionExpiredException is thrown if not.
Change-Id: Iad716332a65b7c198427fce5198f6808140c140c
---
 server/src/com/vaadin/server/VaadinService.java | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/server/src/com/vaadin/server/VaadinService.java b/server/src/com/vaadin/server/VaadinService.java
index 17bce7ad15..c9a5f0974a 100644
--- a/server/src/com/vaadin/server/VaadinService.java
+++ b/server/src/com/vaadin/server/VaadinService.java
@@ -564,6 +564,9 @@ public abstract class VaadinService implements Serializable {
 *
 * @param wrappedSession
 * The session to lock
+ *
+ * @throws IllegalStateException
+ * if the session is invalidated before it can be locked
 */
 protected void lockSession(WrappedSession wrappedSession) {
 Lock lock = getSessionLock(wrappedSession);
@@ -584,6 +587,17 @@ public abstract class VaadinService implements Serializable {
 }
 }
 lock.lock();
+
+ try {
+ // Someone might have invalidated the session between fetching the
+ // lock and acquiring it. Guard for this by calling a method that's
+ // specified to throw IllegalStateException if invalidated
+ // (#12282)
+ wrappedSession.getAttribute(getLockAttributeName());
+ } catch (IllegalStateException e) {
+ lock.unlock();
+ throw e;
+ }
 }
 /**
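Review bot: In the block added after `lock.lock()` in lockSession(), the lock is released only when `getAttribute` throws IllegalStateException, so any other runtime exception from that call would leave the session lock held by this thread and could stall later requests for the same session. Widening the handler to `} catch (RuntimeException e) {` keeps the rethrow and the IllegalStateException path unchanged while always unlocking. The guard also relies on every WrappedSession implementation throwing IllegalStateException from `getAttribute` once invalidated, which the added comment asserts but the visible lines cannot confirm; stating that contract in the Javadoc would help. The body of lockSession() begins above this hunk.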
@@ -607,7 +621,12 @@ public abstract class VaadinService implements Serializable { WrappedSession wrappedSession = getWrappedSession(request, requestCanCreateSession); - lockSession(wrappedSession); + try { + lockSession(wrappedSession); + } catch (IllegalStateException e) { + throw new SessionExpiredException(); + } + try { return doFindOrCreateVaadinSession(request, requestCanCreateSession); } finally { -- cgit v1.2.3
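Review bot: The new `catch (IllegalStateException e)` around `lockSession(wrappedSession)` discards the caught exception, so the SessionExpiredException raised here carries no trace of where the invalidation was detected, and an IllegalStateException thrown by lockSession() for any other reason would also be reported as an expired session. Keeping the cause is cheap, assuming the no-arg constructor does not already set one: `SessionExpiredException expired = new SessionExpiredException(); expired.initCause(e); throw expired;`. lockSession() is protected, so other callers not visible in this diff presumably need the same handling now that it can throw. The enclosing method starts and ends outside the hunk.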