OneSpan Java SDK thread safety
Thursday, April 15, 2021 at 10:29am
Customer wanted to confirm if the class com.silanis.esl.sdk.EslClient is supposed to be thread safe?
So far, going by the examples they were assuming that it is indeed thread safe and thus creating a single instance of EslClient throughout the application. If it is to be used in such a way, then we found that it is not thread safe.
Their findings below:
Below is the snippet of the code from AccountApiClient within the esign sdk:
    public Sender getSender(String senderId) {
        String path = template.urlFor(UrlTemplate.ACCOUNT_MEMBER_ID_PATH)
                .replace("{senderUid}", senderId)
                .build();
        try {
            String stringResponse = restClient.get(path);
            return Serialization.fromJson(stringResponse, Sender.class);
        } catch (RequestException e) {
            throw new EslServerException("Unable to get member from account.", e);
        } catch (Exception e) {
            throw new EslException("Unable to get member from account.", e);
        }
    }
Here, if you notice, template is a class-level variable.
Below is the snippet of code for UrlTemplate:
    public UrlTemplate urlFor(String path) {
        this.path = path;
        return this;
    }

    public UrlTemplate replace(String pathParams, String value) {
        path = path.replace(pathParams, value);
        return this;
    }
Since the template is a class-level variable, it is possible that one thread calls replace while the other thread calls the urlFor method, and what it ends up with is, the path may or may not be correct.
Can you please let us know the correct usage of com.silanis.esl.sdk.EslClient and / or fix the SDK to make it thread safe?
Reply to: OneSpan Java SDK thread safety
Thursday, April 15, 2021 at 02:24pm
Hi there,
It's internally confirmed that the SDK is not designed or tested for, and therefore not supported in, a multithreaded environment. One of the known limitations is exactly as the customer has mentioned - XxxApiClient (let's say AccountApiClient) is a singleton within an EslClient object, which hosts a class member UrlTemplate and refers to the singleton URL path (for example "/packages/{packageId}"). When two calls using the same API client invoke methods at almost the same time, it's possible to cause a data race in which the later call reads the wrong URL overridden by the first call.
Due to this reason, they need to create a new EslClient object for each thread. And of course, we could raise an ER asking for the support of SDK multithreading.
Duo
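
The race discussed in this thread, reproduced as an added example that is not part of the original posts or the SDK: the nested UrlTemplate is a minimal stand-in modeled on the snippet quoted above, and MEMBER_PATH, the class name and the sender ids are constructed for illustration. When two threads interleave on a shared instance, the second replace finds no "{senderUid}" left and the caller gets a path carrying the other thread's id; one instance per thread, as the reply recommends for EslClient, removes the shared state.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Supplier;

public class UrlTemplateRaceDemo {
    // Minimal stand-in modeled on the UrlTemplate snippet in the thread (not the SDK class).
    static class UrlTemplate {
        private String path;
        UrlTemplate urlFor(String path) { this.path = path; return this; }
        UrlTemplate replace(String param, String value) { path = path.replace(param, value); return this; }
        String build() { return path; }
    }

    static final String MEMBER_PATH = "/account/senders/{senderUid}"; // constructed sample path

    // Runs `calls` lookups on 8 threads and counts built paths that do not match the caller's own id.
    static int countWrongPaths(Supplier<UrlTemplate> templates, int calls) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(8);
        AtomicInteger wrong = new AtomicInteger();
        CountDownLatch done = new CountDownLatch(calls);
        for (int i = 0; i < calls; i++) {
            String senderId = "sender-" + i;
            pool.execute(() -> {
                try {
                    String path = templates.get().urlFor(MEMBER_PATH)
                            .replace("{senderUid}", senderId)
                            .build();
                    if (!path.equals("/account/senders/" + senderId)) wrong.incrementAndGet();
                } finally {
                    done.countDown();
                }
            });
        }
        done.await();
        pool.shutdown();
        return wrong.get();
    }

    public static void main(String[] args) throws InterruptedException {
        UrlTemplate shared = new UrlTemplate(); // one instance used by every thread
        ThreadLocal<UrlTemplate> perThread = ThreadLocal.withInitial(UrlTemplate::new);
        System.out.println("shared instance, wrong paths:     " + countWrongPaths(() -> shared, 200_000));
        System.out.println("per-thread instance, wrong paths: " + countWrongPaths(perThread::get, 200_000));
    }
}
```

The shared-instance count varies from run to run because it depends on thread scheduling; the per-thread count is always 0.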