Skip to content

Fix SecurityContext leakage in AuthenticationProcessInterceptor #247

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 16, 2025
Merged

Fix SecurityContext leakage in AuthenticationProcessInterceptor #247

merged 1 commit into from
Aug 16, 2025

Conversation

@HyunSangHan
Copy link
Contributor

@HyunSangHan HyunSangHan commented Aug 15, 2025

AuthenticationProcessInterceptor was setting authentication in the SecurityContext but not clearing it after a request completed, allowing authentication state to leak between requests on the same thread.

This could let anonymous requests inherit the authentication from previous authenticated requests, potentially bypassing security checks.

The fix wraps the call listener so that the SecurityContext is always cleared when a request completes, is cancelled, or fails with an error.

Fixes #245

@HyunSangHan HyunSangHan mentioned this pull request Aug 15, 2025
Closed
@HyunSangHan
Fix SecurityContext leakage in AuthenticationProcessInterceptor
1e356a2 
Signed-off-by: Hyunsang Han <gustkd3@gmail.com>
@HyunSangHan HyunSangHan force-pushed the security-context-cleanup branch from b7d61f3 to 1e356a2 Compare August 15, 2025 16:55
@dsyer dsyer merged commit 5e0eec8 into spring-projects:main Aug 16, 2025
5 checks passed
@HyunSangHan
Copy link
Contributor Author

HyunSangHan commented Aug 16, 2025
edited
Loading

@dsyer
Thank you for your feedback and the fast merge!
I missed adding my name to @author section.

  * @author Dave Syer
+ * @author Hyunsang Han

Can I submit this with PR? 😅

HyunSangHan added a commit to HyunSangHan/spring-grpc that referenced this pull request Aug 16, 2025
@HyunSangHan
Add missing author of spring-projects#247 PR
e5cf4bf 
Signed-off-by: Hyunsang Han <gustkd3@gmail.com>
@HyunSangHan HyunSangHan mentioned this pull request Aug 16, 2025
Merged
dsyer pushed a commit that referenced this pull request Aug 16, 2025
@HyunSangHan @dsyer
Add missing author of #247 PR
c26e637 
Signed-off-by: Hyunsang Han <gustkd3@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Anonymous can access gRPC method protected by PreAuthorize annotation

2 participants

@HyunSangHan @dsyer