SecurityReactorContextSubscriber#LoadingMap fails to retrieve Authentication #11973
Note that #11885 may supersede this issue. That said, this seems like a problem that is going to come up more often given that Spring Security components are moving towards deferring the lookup of @ttddyy is there something that I'm missing that is unique to this scenario where we'd want to make a special context propagation accommodation? If not, I'd prefer to close this issue in favor of the above explanation.
Yes, I think so, especially when a thread is switched. For normal runnable/callable/scheduler/executor would be ok with the Spring Security's context propagation classes. But, I don't think it supports the propagation in this case from imperative(servlet thread) to reactive(reactor thread). Also, I'm not sure
With #11885, I don't think it would resolve this case since The micrometer's context-propagation may be a suit here with I'm wondering why the auth context resolution is deferred in this case(
It's due to #9841. On shutdown, the subscriber is exercised. Before #9841, this meant a new
While upgrading Spring Boot from 2.6 to 2.7, one of our tests started failing.

The test verifies thread switching with `WebClient` for OAuth2 client in the servlet environment. This happens when `WebClient` uses `subscribeOn` (uses a different thread than the caller thread). The `SecurityReactorContextSubscriber`/`LoadingMap` resolves `null` for `Authentication`.

I have created a minimum repro here.

This is the test case:

Root cause

The issue is introduced by this commit which added the `LoadingMap` to lazily retrieve the servlet request/response/auth. Prior to this change, the request/response/auth were resolved on the caller's thread when the `SecurityReactorContextSubscriber` is created by the lifter. However, with `LoadingMap` the callback is deferred until the `WebClient` operations are executed. When the thread is not on the caller's thread (by `subscribeOn`), it cannot retrieve any threadlocal values and they become `null`.

I haven't tested, but the `ServletOAuth2AuthorizedClientExchangeFilterFunction`, which uses the `SecurityReactorContextSubscriber` mechanism, should fail to resolve `Authentication` in this scenario.
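To illustrate the root cause described in the report (a `ThreadLocal` read that is deferred until a different thread performs it), here is an added example that is not part of this issue or of Spring Security. It stands in for `SecurityContextHolder` with a plain `ThreadLocal`, for the `LoadingMap` with a `Supplier`, and for `subscribeOn` with a single-thread executor; the class and method names are hypothetical, and the sample principal value is constructed.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;

// Hypothetical demo class, not Spring Security code.
public class DeferredContextLookupDemo {

    // Stand-in for SecurityContextHolder: a thread-confined value.
    static final ThreadLocal<String> AUTH = new ThreadLocal<>();

    // LoadingMap-style lookup: the ThreadLocal is read wherever get() is
    // eventually called, which after a thread switch is the wrong thread.
    static Supplier<String> lazyLookup() {
        return AUTH::get;
    }

    // Pre-change behaviour: read the ThreadLocal on the caller's thread at
    // creation time and hand the already-captured value to the subscriber.
    static Supplier<String> eagerCapture() {
        String captured = AUTH.get();
        return () -> captured;
    }

    // Resolves the supplier on a different thread, mimicking what
    // subscribeOn does to the WebClient pipeline.
    static String resolveOnOtherThread(Supplier<String> lookup) throws Exception {
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            return worker.submit(lookup::get).get(5, TimeUnit.SECONDS);
        } finally {
            worker.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        AUTH.set("alice");  // constructed sample principal, set on the caller thread
        try {
            // Deferred lookup runs on the worker thread, where AUTH was never set.
            System.out.println("lazy lookup   -> " + resolveOnOtherThread(lazyLookup()));
            // Eager capture already holds the caller thread's value.
            System.out.println("eager capture -> " + resolveOnOtherThread(eagerCapture()));
        } finally {
            AUTH.remove();  // avoid leaking the value into a reused thread
        }
    }
}
```

Running the class shows the two strategies diverging only when the resolution happens off the caller's thread, which is exactly the `subscribeOn` case the test in the report exercises.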