[concurrency-interest] reusing threads and thread local state
gergg at cox.net
Mon May 2 11:26:53 EDT 2005
Larry Riedel wrote:
> It seems to me plainly reasonable to ask to be able
> to iterate through all the ThreadLocals associated
> with a particular Thread, as well as to be able to
> clear each one found via iteration, regardless of
> whether there is a provided method which promises
> to clear all the ThreadLocals, or whether clearing
> them would (not) put the Thread in a pristine state.

This creates a security hole in applications that host multiple remotely
downloaded codebases which utilize ThreadLocal data for security
information such as password/key caching etc. Open it up for general
inspection and any thread from another codebase has access to stuff
inside of another codebase's security context.

I don't use ThreadLocals myself because it is just as easy to use a
Hashtable<Thread,Hashtable<String,?>> via a static factory which I can
control access to and manage clearing etc. on my own.
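
The static-factory approach described in the reply above, sketched as an added example that is not part of the original post or the poster's own code. `ThreadState`, `AdminToken` and the sample values are hypothetical, and a weak-keyed map is swapped in for the `Hashtable` so finished threads are not retained.

```java
import java.util.Collections;
import java.util.Map;
import java.util.WeakHashMap;
import java.util.concurrent.ConcurrentHashMap;

/** Per-thread state behind a static factory (hypothetical class, not from the post). */
public final class ThreadState {
    // Weak keys so a finished Thread does not pin its entries in memory.
    private static final Map<Thread, Map<String, Object>> STATE =
            Collections.synchronizedMap(new WeakHashMap<>());
    // Capability held only by the hosting container; hosted code never sees it.
    public static final class AdminToken { private AdminToken() {} }
    private static volatile AdminToken issued;

    private ThreadState() {}

    /** Handed out once, to whoever bootstraps the host. */
    public static synchronized AdminToken claimAdminToken() {
        if (issued != null) throw new IllegalStateException("admin token already claimed");
        return issued = new AdminToken();
    }

    /** A caller can only ever reach the map of the thread it is running on. */
    private static Map<String, Object> own() {
        return STATE.computeIfAbsent(Thread.currentThread(), t -> new ConcurrentHashMap<>());
    }

    public static void put(String key, Object value) { own().put(key, value); }
    public static Object get(String key) { return own().get(key); }
    public static void clearOwn() { STATE.remove(Thread.currentThread()); }

    /** Pool hygiene: wipe a worker's state before reuse, without exposing its contents. */
    public static void clearFor(Thread worker, AdminToken token) {
        if (token == null || token != issued) throw new SecurityException("not the host");
        STATE.remove(worker);
    }

    public static void main(String[] args) throws InterruptedException {
        AdminToken host = claimAdminToken();
        put("cachedKey", "main-secret");              // constructed sample value
        Thread other = new Thread(() ->               // stands in for another codebase's thread
                System.out.println("other codebase sees: " + get("cachedKey")));
        other.start(); other.join();
        Thread worker = new Thread(() -> put("cachedKey", "worker-secret"));
        worker.start(); worker.join();
        clearFor(worker, host);                       // host resets the reused thread
        System.out.println("owner still sees: " + get("cachedKey"));
    }
}
```

There is no method that enumerates or returns another thread's entries; the only cross-thread operation is a blind clear, and it requires the host's token.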