Subscribe with Bloglines
Get Firefox!

Friday, June 24, 2005

 

ThreadLocal rocks and don't let 'em tell you different

IBM developer Billy Newport, whose picture reminds me of a serial killer mug-shot, warns us not to use ThreadLocal in a managed environment (read J2EE container, read IBM Websphere). Why? Here is what he says:
ThreadLocal and thread pools just don't mix. You may get away with using ThreadLocal on a thread but as soon as you return and give that thread back to the application server then you can't assume:
  1. You'll get called again on the same thread.
  2. Even if you do get the same thread, it may have different threadlocal values as it may have been used by other applications.

Besides, it's a huge security risk. Suppose an application stores sensitive information on an object held in ThreadLocal. Another customer might send a request which gets processed on a thread just used by a different customer and then one can see the information for the other customer.

He then continues to chide the open-source community for using it. Now technically, his statements are true. There are caveats you need to understand about threads and ThreadLocal. But I might as well say "don't use threads because you can't assume your code will be safe". We don't throw out an extremely useful tool because it requires knowledge to use it.

Instead, he should have offered the solution that anyone who writes J2EE apps and who has discovered the greatness of ThreadLocal knows...use a servlet filter.

Try this: 

public final class MyFilter implements Filter
{

public void doFilter(ServletRequest request,
                     ServletResponse response,
                     FilterChain chain)
            throws IOException, ServletException
{

    String myAttr = request.getSession().getAttribute("myAttr");
    MyThreadLocal.set(myAttr);
    chain.doFilter(request, response);
    MyThreadLocal.set(null);
}
}

Of course, you do need to null out the value at the end, as I've done above. Hey, now that I think of it, wouldn't it be nice if the container did this when the thread was returned to the pool? Maybe the security risk is on the side of Websphere! Now if only there was a Websphere developer around.

BTW- For a good article on ThreadLocal, see this one by Brian Goetz. If you want to know why you should use ThreadLocal, just think about all the methods in your application which take a parameter "User user" and how much more elegant your code would be if you got rid of them all.


# posted by Boruch @ 1:54 PM
Comments:
OK, here's a question for you on a subject that you might actually know something about. What do you think of BEA's recent announcement of their new ESB platform (AquaLogic), which will not be based on J2EE ? Do you think this marks the beginning of the end of J2EE being anything more than plumbing beneath the covers?
# posted by Anonymous Anonymous : 9:38 AM
 
Is J2EE anything more than plumbing beneath the covers today? Should a messaging layer be either? Does anyone now or have they ever cared what BEA did?

If AquaLogic helps use realize the goal of transparent, modularized, and business-focused applications, then it will be a good thing.

But IMHO, today's challenges to scalable, interoperable components are less in the containers and the buses than in what we put in and on them.
# posted by Blogger Boruch : 12:39 PM
 
Gut gezokt. I agree with you. Its not a technology problem. I'm sick of all this SOA / Web Services hype. Its barely going to help. The real challenge is in building generic/reusable services. Thats a very difficult design problem, and has not much to do with technology.
# posted by Anonymous Anonymous : 9:35 PM
 
Astonishing! Shalom al yisroel. There is hope for you yet, paduan.
# posted by Blogger Boruch : 1:22 AM
 
The author asked why appservers such as Websphere don't null out all the threadlocals before returning threads to the pool. They would if they could.

Unfortunately, appservers can't, since the appserver has no mechanism to discover all the threadlocals attached to a given thread. It can only null out the ones it knows about. Until the Java language provides something like Thread.removeThreadLocalVars(), users are responsible for nulling out their own threadlocals before returning control to the appserver.
# posted by Anonymous Anonymous : 11:44 PM
 
absolutely true. And it would be great is Sun gave us some some way to find all those things.

But is that a reason to avoid them completely? Might as well say, dont ever use C because you might forget to deallocate memory. That's just plain silly.
# posted by Blogger Boruch : 1:15 PM
 
Post a Comment

<< Home

This page is powered by Blogger. Isn't yours?