[concurrency-interest] reusing threads and thread local state

Gregg Wonderly gergg at cox.net
Mon May 2 11:26:53 EDT 2005


Larry Riedel wrote:
> It seems to me plainly reasonable to ask to be able
> to iterate through all the ThreadLocals associated
> with a particular Thread, as well as to be able to
> clear each one found via iteration, regardless of
> whether there is a provided method which promises
> to clear all the ThreadLocals, or whether clearing
> them would (not) put the Thread in a pristine state.

This creates a security hole in applications that host multiple remotely 
downloaded codebases which utilize threadlocal data for security 
information such as password/key caching etc.  Open it up for general 
inspection and any thread from another codebase has access to stuff 
inside of another codebase's security context.

I don't use threadlocals myself because it is just as easy to use a
Hashtable<Thread,Hashtable<String,?>> via a static factory which I can 
control access to and manage clearing etc. on my own.

Gregg Wonderly
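
A sketch of the static-factory approach described in the message above, as an added example that is not Gregg Wonderly's or the list's own code. The class name ThreadState, the Owner capability token and every method name are assumptions; the design offers no way to enumerate entries or to name another thread, and gives a thread pool one call to wipe a thread before reuse.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.WeakHashMap;

public final class ThreadState {
    /** Opaque capability token; a codebase keeps its own instance private. */
    public static final class Owner {
        private Owner() {}
    }

    // Weak keys let an exited Thread's entry be collected. Inner maps are only
    // ever touched by the thread they belong to, so plain HashMap is enough.
    private static final Map<Thread, Map<Owner, Map<String, Object>>> STATE =
            Collections.synchronizedMap(new WeakHashMap<>());

    private ThreadState() {}

    public static Owner newOwner() {
        return new Owner();
    }

    // No method takes a Thread argument and nothing is iterable from outside:
    // callers reach only the current thread's values for a token they hold.
    private static Map<String, Object> slot(Owner owner, boolean create) {
        Thread t = Thread.currentThread();
        Map<Owner, Map<String, Object>> perThread = create
                ? STATE.computeIfAbsent(t, k -> new HashMap<>())
                : STATE.get(t);
        if (perThread == null) return null;
        return create
                ? perThread.computeIfAbsent(owner, k -> new HashMap<>())
                : perThread.get(owner);
    }

    public static void put(Owner owner, String key, Object value) {
        slot(owner, true).put(key, value);
    }

    public static Object get(Owner owner, String key) {
        Map<String, Object> values = slot(owner, false);
        return values == null ? null : values.get(key);
    }

    /** Pool hook: drop every owner's values on this thread before reuse. */
    public static void clearCurrentThread() {
        STATE.remove(Thread.currentThread());
    }
}
```

A value that strongly references its own Thread keeps the weak key alive, so pooled threads should still call clearCurrentThread() between tasks rather than rely on collection.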

