fix(dispatcher): WW-3576 make SessionMap thread-safe

Apply volatile + local variable capture + double-check locking pattern
to prevent race conditions between null checks and synchronized blocks.

Changes:
- Add volatile modifier to session field for visibility across threads
- Capture session reference in local variable before null check
- Add double-check inside synchronized block after acquiring lock
- Add concurrent test cases to verify thread-safety

Fixes https://issues.apache.org/jira/browse/WW-3576

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: lukaszlenart

core/src/main/java/org/apache/struts2/dispatcher/SessionMap.java

@@ -39,7 +39,7 @@ public class SessionMap extends AbstractMap<String, Object> implements Serializa
     @Serial
     private static final long serialVersionUID = 4678843241638046854L;
 
-    protected HttpSession session;
+    protected volatile HttpSession session;
     protected Set<Entry<String, Object>> entries;
     protected HttpServletRequest request;
 
@@ -62,11 +62,15 @@ public SessionMap(final HttpServletRequest request) {
      * Invalidate the http session.
      */
     public void invalidate() {
-        if (session == null) {
+        HttpSession localSession = session;
+        if (localSession == null) {
             return;
         }
 
-        synchronized (session.getId().intern()) {
+        synchronized (localSession.getId().intern()) {
+            if (session == null) {
+                return;
+            }
             session.invalidate();
             session = null;
             entries = null;
@@ -79,18 +83,21 @@ public void invalidate() {
      */
     @Override
     public void clear() {
-        if (session == null) {
+        HttpSession localSession = session;
+        if (localSession == null) {
             return;
         }
 
-        synchronized (session.getId().intern()) {
+        synchronized (localSession.getId().intern()) {
+            if (session == null) {
+                return;
+            }
             entries = null;
             final Enumeration<String> attributeNamesEnum = session.getAttributeNames();
             while (attributeNamesEnum.hasMoreElements()) {
                 session.removeAttribute(attributeNamesEnum.nextElement());
             }
         }
-
     }
 
     /**
@@ -100,11 +107,15 @@ public void clear() {
      */
     @Override
     public Set<Entry<String, Object>> entrySet() {
-        if (session == null) {
+        HttpSession localSession = session;
+        if (localSession == null) {
             return Collections.emptySet();
         }
 
-        synchronized (session.getId().intern()) {
+        synchronized (localSession.getId().intern()) {
+            if (session == null) {
+                return Collections.emptySet();
+            }
             if (entries == null) {
                 entries = new HashSet<>();
 
@@ -132,18 +143,22 @@ public Object setValue(final Object obj) {
      * Returns the session attribute associated with the given key or <tt>null</tt> if it doesn't exist.
      *
      * <b>Note:</b> Must use the same signature as {@link java.util.AbstractMap#get(java.lang.Object)} to ensure the
-     *   expected specialized behaviour is performed here (and not the generic ancestor behaviour).
+     * expected specialized behaviour is performed here (and not the generic ancestor behaviour).
      *
      * @param key the name of the session attribute.
      * @return the session attribute or <tt>null</tt> if it doesn't exist.
      */
     @Override
     public Object get(final Object key) {
-        if (session == null) {
+        HttpSession localSession = session;
+        if (localSession == null) {
             return null;
         }
 
-        synchronized (session.getId().intern()) {
+        synchronized (localSession.getId().intern()) {
+            if (session == null) {
+                return null;
+            }
             return session.getAttribute(key != null ? key.toString() : null);
         }
     }
@@ -157,12 +172,22 @@ public Object get(final Object key) {
      */
     @Override
     public Object put(final String key, final Object value) {
+        HttpSession localSession;
         synchronized (this) {
             if (session == null) {
                 session = request.getSession(true);
             }
+            localSession = session;
         }
-        synchronized (session.getId().intern()) {
+        synchronized (localSession.getId().intern()) {
+            if (session == null) {
+                // Session was invalidated concurrently, re-create it
+                synchronized (this) {
+                    if (session == null) {
+                        session = request.getSession(true);
+                    }
+                }
+            }
             final Object oldValue = get(key);
             entries = null;
             session.setAttribute(key, value);
@@ -174,18 +199,22 @@ public Object put(final String key, final Object value) {
      * Removes the specified session attribute.
      *
      * <b>Note:</b> Must use the same signature as {@link java.util.AbstractMap#remove(java.lang.Object)} to ensure the
-     *   expected specialized behaviour is performed here (and not the generic ancestor behaviour).
+     * expected specialized behaviour is performed here (and not the generic ancestor behaviour).
      *
      * @param key the name of the attribute to remove.
      * @return the value that was removed or <tt>null</tt> if the value was not found (and hence, not removed).
      */
     @Override
     public Object remove(final Object key) {
-        if (session == null) {
+        HttpSession localSession = session;
+        if (localSession == null) {
             return null;
         }
 
-        synchronized (session.getId().intern()) {
+        synchronized (localSession.getId().intern()) {
+            if (session == null) {
+                return null;
+            }
             entries = null;
 
             final String keyAsString = (key != null ? key.toString() : null);
@@ -201,18 +230,22 @@ public Object remove(final Object key) {
      * Checks if the specified session attribute with the given key exists.
      *
      * <b>Note:</b> Must use the same signature as {@link java.util.AbstractMap#containsKey(java.lang.Object)} to ensure the
-     *   expected specialized behaviour is performed here (and not the generic ancestor behaviour).
+     * expected specialized behaviour is performed here (and not the generic ancestor behaviour).
      *
      * @param key the name of the session attribute.
      * @return <tt>true</tt> if the session attribute exits or <tt>false</tt> if it doesn't exist.
      */
     @Override
     public boolean containsKey(final Object key) {
-        if (session == null) {
+        HttpSession localSession = session;
+        if (localSession == null) {
             return false;
         }
 
-        synchronized (session.getId().intern()) {
+        synchronized (localSession.getId().intern()) {
+            if (session == null) {
+                return false;
+            }
             final String keyAsString = (key != null ? key.toString() : null);
             return (session.getAttribute(keyAsString) != null);
         }