In AbstractAuthorizationCodeCallbackServlet (from the google-oauth-java-client repo) I see the following code:

    private final Lock lock = new ReentrantLock();
    private AuthorizationCodeFlow flow;

    @Override
    protected final void doGet(HttpServletRequest req, HttpServletResponse resp)
        throws ServletException, IOException {
      StringBuffer buf = req.getRequestURL();
      if (req.getQueryString() != null) {
        buf.append('?').append(req.getQueryString());
      }
      AuthorizationCodeResponseUrl responseUrl = new AuthorizationCodeResponseUrl(buf.toString());
      String code = responseUrl.getCode();
      if (responseUrl.getError() != null) {
        onError(req, resp, responseUrl);
      } else if (code == null) {
        resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        resp.getWriter().print("Missing authorization code");
      } else {
        lock.lock();
        try {
          if (flow == null) {
            flow = initializeFlow();
          }
          String redirectUri = getRedirectUri(req);
          TokenResponse response = flow.newTokenRequest(code).setRedirectUri(redirectUri).execute();
          String userId = getUserId(req);
          Credential credential = flow.createAndStoreCredential(response, userId);
          onSuccess(req, resp, credential);
        } finally {
          lock.unlock();
        }
      }
    }

I'm wondering why this code uses a lock. AuthorizationCodeFlow is supposed to be thread-safe, according to the Javadoc.