You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Now that applications can use a SecurityContextHolderStrategy bean, there's value in assisting applications with what may be a sizeable transition away from using SecurityContextHolder.
There are some cases where an application may not want to copy the SecurityContextHolderStrategy bean into SecurityContextHolder's static field:
The application may not want to risk potential memory leaks from setting a bean to a static field
The application uses more than one application context, each with a SecurityContextHolderStrategy. Given that arrangement, it is undefined which bean will be set to the static field.
The application may want to discourage the use of static lookups.
The application may otherwise need more control over deciding what goes into the static field.
Given the foundational nature of SecurityContextHolder in Spring Security, it's likely that applications for a time will want to assume the above risks. As such, this should be property-driven.
One way to do this is to introduce useSecurityContextHolder into @EnableWebSecurity. It would default to true.
If useSecurityContextHolder is true, then Spring Security will look for a SecurityContextHolderStrategy bean and call SecurityContextHolder.setSecurityContextHolderStrategy. If it's false, then no action will be taken.
The text was updated successfully, but these errors were encountered:
jzheaux
changed the title
SecurityContextHolderStrategy bean should be copied to SecurityContextHolder by default
SecurityContextHolderStrategy bean should be copied to SecurityContextHolder by default
Sep 20, 2022
Hello, any chance to have this implemented any time soon? It's open for over a year now and in my project we were also suffering from this. Finally we applied a workaround suggested in another issue, but it would be great to have it sorted out-of-the-box. BTW: we also have a shared security library, which sets reasonable security defaults, but then SecurityContextHolderStrategy is not shared between the components (filters in our case).
Now that applications can use a
SecurityContextHolderStrategy
bean, there's value in assisting applications with what may be a sizeable transition away from usingSecurityContextHolder
.There are some cases where an application may not want to copy the
SecurityContextHolderStrategy
bean intoSecurityContextHolder
's static field:SecurityContextHolderStrategy
. Given that arrangement, it is undefined which bean will be set to the static field.Given the foundational nature of
SecurityContextHolder
in Spring Security, it's likely that applications for a time will want to assume the above risks. As such, this should be property-driven.One way to do this is to introduce
useSecurityContextHolder
into@EnableWebSecurity
. It would default totrue
.If
useSecurityContextHolder
is true, then Spring Security will look for aSecurityContextHolderStrategy
bean and callSecurityContextHolder.setSecurityContextHolderStrategy
. If it's false, then no action will be taken.The text was updated successfully, but these errors were encountered: