How do I make sure my Java servlets web application is thread safe? What do I need to do in regards to session variables, static variables of a class, or anything else that could be a thread-safety problem?
Using Atomic Variable: Using an atomic variable is another way to achieve thread-safety in Java. When variables are shared by multiple threads, the atomic variable ensures that threads don't crash into each other.
To test if the combination of two methods, a and b, is thread-safe, call them from two different threads. Put the complete test in a while loop iterating over all thread interleavings with the help of the class AllInterleavings from vmlens. Test if the result is either a after b or b after a.
To make a servlet or a block within a servlet thread-safe, do one of the following: Synchronize write access to all instance variables, as in public synchronized void method() (whole method) or synchronized(this) {...} (block only).
Fact: there's only 1 instance of a servlet in the webapp's lifetime. It gets created on the webapp's startup and it gets destroyed on the webapp's shutdown. Also see this answer for a rough interpretation.
Thus, it's being shared among all requests (threads). If you assign request or session scoped data as an instance (or even worse, as a static) variable, then it is definitely not threadsafe, because it's then being shared among all requests (threads) from all users (sessions) applicationwide. You just need to assign them as method local variables to keep them threadsafe. So:
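// javax.servlet API assumed here (jakarta.servlet on newer containers).
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MyServlet extends HttpServlet {
    private Object thisIsNOTThreadSafe; // instance field: one copy for all request threads

    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        Object thisIsThreadSafe; // method local: one copy per request thread
        thisIsNOTThreadSafe = request.getParameter("foo"); // BAD!! Shared among all requests!
        thisIsThreadSafe = request.getParameter("foo"); // OK, this is thread safe.
    }
}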
That's basically all you need to take into account when developing servlets with threadsafety in mind.
Then there are session (HttpSession) attributes which can be shared among multiple requests from the same user, but in the real world you actually don't need to worry about synchronizing session access. You normally put only user-specific data there, such as the logged-in user, user-specific preferences, the shopping basket, etcetera. You just need to ensure that you don't put pure request scoped data in the session scope. It would get reflected in multiple browser windows/tabs inside the same session.
Then there are application (ServletContext) attributes which are shared among all users applicationwide, but you normally put only constants and other static data there, like the webapp configuration, DAO factory, dropdownlist contents, etcetera. This all can by the way be done with a ServletContextListener, also see this answer for a basic example. You just need to ensure that you don't put pure request- or session scoped data in the application scope.
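The shared-instance problem described in the answer above, as an added example that is not part of the original answer: a plain class (the hypothetical `Handler`) stands in for the single servlet instance, and a barrier forces both simulated requests to write before either reads. The class names and the sample values "alice" and "bob" are constructed for illustration; no servlet container is needed to run it.

```java
import java.util.concurrent.*;

// Added demo (not from the answer). Handler is a hypothetical stand-in for the
// single servlet instance that the container shares among all request threads.
public class SharedFieldLeakDemo {
    static class Handler {
        private String user; // instance field: one copy for every request thread

        // Unsafe: request data parked in the field, read back later in the request.
        String unsafe(String param, CyclicBarrier gate) throws Exception {
            user = param;
            gate.await(); // both simulated requests have written before either reads
            return "Hello " + user; // last writer wins for both callers
        }

        // Safe: request data kept in a method-local variable on this thread's stack.
        String safe(String param, CyclicBarrier gate) throws Exception {
            String local = param;
            gate.await();
            return "Hello " + local;
        }
    }

    interface Call {
        String apply(Handler h, String param, CyclicBarrier gate) throws Exception;
    }

    // Runs two concurrent "requests" against ONE Handler; returns {alice's, bob's} response.
    static String[] run(Call call) throws Exception {
        Handler servlet = new Handler();
        CyclicBarrier gate = new CyclicBarrier(2);
        ExecutorService pool = Executors.newFixedThreadPool(2);
        try {
            // "alice" and "bob" are constructed sample parameters.
            Future<String> a = pool.submit(() -> call.apply(servlet, "alice", gate));
            Future<String> b = pool.submit(() -> call.apply(servlet, "bob", gate));
            return new String[] { a.get(), b.get() };
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        String[] u = run(Handler::unsafe);
        String[] s = run(Handler::safe);
        System.out.println("field: alice got [" + u[0] + "], bob got [" + u[1] + "]");
        System.out.println("local: alice got [" + s[0] + "], bob got [" + s[1] + "]");
    }
}
```

With the field, both responses carry the same name, so one user receives the other user's data; with the local variable, each response carries its own request's value.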