We're using Spring 3.0.2 / Spring MVC for a web application on Tomcat 6.0.26 (on Linux) which stores search results in the user's HttpSession. The central configuration (dispatcher-servlet.xml) looks like this:
<context:component-scan base-package="com.example.web" />
<bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter" p:synchronizeOnSession="true" />
We do not have an HttpSessionMutexListener defined, so the AnnotationMethodHandlerAdapter will fall back on the HttpSession itself for synchronization.
However, the API docs for AnnotationMethodHandlerAdapter and HttpSessionMutexListener state that "In many cases, the HttpSession reference itself is a safe mutex as well, since it will always be the same object reference for the same active logical session. However, this is not guaranteed across different servlet containers; the only 100% safe way is a session mutex." (cited from the latter link).
Since we are experiencing some non-deterministic issues which seem to be related to session mismatch / mixups, especially during high-load scenarios, e.g. when running a load test, I am currently trying to see if this might be the root cause for these problems.
In detail, we had a (virtual) user A perform a search on the web app using search term 'a' and a concurrent user B using the term 'b' for his query. The user A got the results for the query with term 'b' - which is obviously the wrong result and a potential security issue, too.
Do you have any experience using MVC's annotation config with AnnotationMethodHandlerAdapter and the synchronizeOnSession flag? What might be the cause and are there other options than trying to introduce a HttpSessionMutexListener in web.xml and see if the problem disappears?
Thanks for any help and ideas.
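
The API-doc caveat quoted in the question, as an added stand-alone example (not code from the original post or from Spring): it models a hypothetical container that hands each request its own wrapper object for the same logical session, and compares locking on that wrapper with locking on one mutex object stored as a session attribute. SessionFacade, the attribute key "SESSION_MUTEX" and the per-request wrapper behaviour are assumptions made for the demonstration, not a statement about what Tomcat does.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
public class SessionMutexDemo {
    // Hypothetical stand-in for a container's per-request HttpSession wrapper:
    // two facades share the same attribute map but are different objects.
    static final class SessionFacade {
        private final Map<String, Object> attributes;
        SessionFacade(Map<String, Object> attributes) { this.attributes = attributes; }
        Object getAttribute(String name) { return attributes.get(name); }
    }

    // Returns true if a second thread could enter its synchronized block
    // while the first thread was still inside its own.
    static boolean overlaps(Object lockA, Object lockB) throws InterruptedException {
        CountDownLatch firstInside = new CountDownLatch(1);
        CountDownLatch release = new CountDownLatch(1);
        CountDownLatch secondInside = new CountDownLatch(1);
        Thread first = new Thread(() -> {
            synchronized (lockA) {
                firstInside.countDown();
                try { release.await(); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
            }
        });
        Thread second = new Thread(() -> {
            synchronized (lockB) { secondInside.countDown(); }
        });
        first.start();
        firstInside.await();              // first thread now holds lockA
        second.start();
        boolean entered = secondInside.await(500, TimeUnit.MILLISECONDS);
        release.countDown();              // let the first thread leave its block
        first.join();
        second.join();
        return entered;
    }

    public static void main(String[] args) throws InterruptedException {
        Map<String, Object> logicalSession = new ConcurrentHashMap<>();
        // What a session-creation listener would do once per session (constructed key name).
        logicalSession.put("SESSION_MUTEX", new Object());
        SessionFacade request1 = new SessionFacade(logicalSession);
        SessionFacade request2 = new SessionFacade(logicalSession);
        System.out.println("sync on session reference overlaps: " + overlaps(request1, request2));
        System.out.println("sync on session mutex overlaps:     "
                + overlaps(request1.getAttribute("SESSION_MUTEX"), request2.getAttribute("SESSION_MUTEX")));
    }
}
```

Either form of locking only serializes handler invocations within one session; it does not separate state between two different users' sessions.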