AntiSamy 1.5 introduced a number of ThreadLocals. Unfortunately, using
ThreadLocals in a web app is problematic. The issue is that web app containers
use a shared thread pool that survives webapp redeploys. So suppose I deploy my
webapp, and use AntiSamy 1.5. One of the container's worker threads now
contains a reference to objects in the current class loader. If I undeploy my
webapp, that thread survives, and it still references the object, which in turn
holds onto the entire class loader. So each time the webapp is undeployed and
redeployed, we would experience a leak of an entire ClassLoader, which can be a
significant amount of memory.

I know that many applications don't care about this; if you have a single
webapp in your container, you are probably free to restart the entire
container, thereby avoiding the problem. But in some kinds of enterprise
deployments, it's important to be able to stop, start, undeploy, and redeploy
individual webapps while leaving the container running.

Based on the emails on Owasp-antisamy@lists.owasp.org, it sounds like Kristian
and Arshan have some ideas on how to address this.

Original issue reported on code.google.com by danr...@gmail.com on 7 Feb 2013 at 10:01
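The retention pattern described in this report, as an added example that is not part of the original issue and is not AntiSamy code: a single pooled thread stands in for a container worker, and a value left in a ThreadLocal stays strongly reachable after the request ends unless it is removed. The names `ThreadLocalLeakDemo`, `CACHE` and `WebappObject` are hypothetical, and a plain object stands in for one whose class was loaded by the webapp's class loader.

```java
import java.lang.ref.WeakReference;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added illustration; all names here are hypothetical, not AntiSamy's.
public class ThreadLocalLeakDemo {
    // Stands in for a per-thread cache kept by a library inside the webapp.
    static final ThreadLocal<Object> CACHE = new ThreadLocal<>();

    // Stands in for an object whose class belongs to the webapp's class loader.
    static final class WebappObject { final byte[] payload = new byte[1 << 20]; }

    // Runs one "request" on the pooled worker and returns a weak handle to
    // the cached value, so reachability can be checked afterwards.
    static WeakReference<Object> handleRequest(ExecutorService pool, boolean cleanUp)
            throws Exception {
        return pool.submit(() -> {
            Object value = new WebappObject();
            CACHE.set(value);
            try {
                return new WeakReference<Object>(value);
            } finally {
                // Mitigation: clear the slot before the thread goes back to the pool.
                if (cleanUp) CACHE.remove();
            }
        }).get();
    }

    // System.gc() is only a hint, so retry a few times before giving up.
    static boolean collected(WeakReference<Object> ref) throws InterruptedException {
        for (int i = 0; i < 20 && ref.get() != null; i++) { System.gc(); Thread.sleep(50); }
        return ref.get() == null;
    }

    public static void main(String[] args) throws Exception {
        // One worker thread that outlives every "request", like a container's pool.
        ExecutorService pool = Executors.newFixedThreadPool(1);
        try {
            WeakReference<Object> cleaned = handleRequest(pool, true);
            WeakReference<Object> leaked = handleRequest(pool, false);
            System.out.println("removed value collected:  " + collected(cleaned));
            System.out.println("retained value collected: " + collected(leaked));
        } finally {
            pool.shutdown();
        }
    }
}
```

In a container the retained value also pins its class, that class's loader, and every class the loader defined, which is why the cost per redeploy is the whole ClassLoader rather than one object.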