...
The main suspect is your own web application keeping a reference to Request / Response objects outside of their life cycle. (*)
- Set the following system property in Tomcat configuration:
org.apache.catalina.connector.RECYCLE_FACADES=true
When flag is set, Tomcat recycles facades to its internal objects when request processing completes. This makes it easier to spot illegal access when it happens, instead of waiting until side effects of such access become visible.
This flag is also mentioned on the Security Considerations page. The flag is true
when Tomcat runs with enabled Java Security Manager.
2. Read about Java ImageIO issue.
(*) Note
...
Info |
---|
The lifetime of the Response object is documented in the Servlet specification. Quoting from section "5.8 Lifetime of the Response Object" of Servlet 4.0 specification: "Each response object is valid only within the scope of a servlet’s service method, or within the scope of a filter’s doFilter method, unless the associated request object has asynchronous processing enabled for the component. If asynchronous processing on the associated request is started, then the response object remains valid until complete method on AsyncContext is called." In case of asynchronous processing, when an error occurs Tomcat notifies all registered Also see sections "2.3.3.4 Thread Safety" and "3.13 Lifetime of the Request Object" of the same specification. |
To troubleshoot the issue:
- Set the following system property in Tomcat configuration:
org.apache.catalina.connector.RECYCLE_FACADES=true
When the above flag is set, Tomcat recycles facades to its internal objects when request processing completes. This makes it easier to spot illegal access when it happens, instead of waiting until side effects of such access become visible.
This flag is also mentioned on the Security Considerations page.
The flag is true
when Tomcat runs with enabled Java Security Manager.
2. Read about Java ImageIO issue.
...