SEC-1622: Classloading in SecurityContextHolder#initialize() fails if spring-security JAR is located in ${catalina.home}/shared/lib and class to be loaded is located in webapps/<app>/WEB-INF/classes #1863

Closed
spring-issuemaster opened this Issue Nov 10, 2010 · 2 comments

1 participant

@spring-issuemaster

Tobias (Migrated from SEC-1622) said:

Note: I'm reporting this issue against the latest GIT "master" branch.

When using the current thread's context classloader (see change below) the class loading works. Maybe the code should be changed to check the context classloader if Class.forName() fails (and yes, I'm aware that this change might have security implications).


// SecurityContextHolder.initialize() with the proposed change: the custom-strategy branch
// now resolves the class through the thread context classloader instead of Class.forName(),
// which uses the loader that defined SecurityContextHolder itself (the shared loader when
// the JAR lives in ${catalina.home}/shared/lib, so WEB-INF/classes is not visible to it).
private static void initialize() {
    if ((strategyName == null) || "".equals(strategyName)) {
        // Set default
        strategyName = MODE_THREADLOCAL;
    }

    if (strategyName.equals(MODE_THREADLOCAL)) {
        strategy = new ThreadLocalSecurityContextHolderStrategy();
    } else if (strategyName.equals(MODE_INHERITABLETHREADLOCAL)) {
        strategy = new InheritableThreadLocalSecurityContextHolderStrategy();
    } else if (strategyName.equals(MODE_GLOBAL)) {
        strategy = new GlobalSecurityContextHolderStrategy();
    } else {
        // Try to load a custom strategy
        try {
            // Original lookup, resolved against SecurityContextHolder's own defining loader:
            // Class clazz = Class.forName(strategyName);
            // Proposed lookup, resolved against the web application's (context) loader:
            Class<?> clazz = Thread.currentThread().getContextClassLoader().loadClass(strategyName);
            Constructor<?> customStrategy = clazz.getConstructor(new Class[] {});
            strategy = (SecurityContextHolderStrategy) customStrategy.newInstance(new Object[] {});
        } catch (Exception ex) {
            ReflectionUtils.handleReflectionException(ex);
        }
    }

    initializeCount++;
}
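The visibility problem described in the report, reproduced outside Tomcat as an added example (this is not code from the issue or from Spring Security). A class loaded by the JVM application loader plays the part of the JAR in shared/lib; a child URLClassLoader over a temp directory plays the part of WEB-INF/classes, with parent-first delegation as in Tomcat's WebappClassLoader. The strategy class MyStrategy is compiled at run time with the JDK compiler so the demo needs no extra JAR; loadStrategy is a hypothetical stand-in for the lookup in initialize() that keeps Class.forName() and falls back to the context classloader only on failure. Assumes a JDK 11 or newer (Files.writeString, javax.tools present).

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.tools.JavaCompiler;
import javax.tools.ToolProvider;

public class ClassLoaderVisibilityDemo {

    // Hypothetical stand-in for the custom-strategy branch of SecurityContextHolder.initialize().
    // This class is loaded by the application loader, which here plays the "shared/lib" role.
    static Class<?> loadStrategy(String name) throws ClassNotFoundException {
        try {
            // Original behaviour: Class.forName resolves against the loader that defined this class.
            return Class.forName(name);
        } catch (ClassNotFoundException notVisibleToSharedLoader) {
            // Fallback proposed in the issue: the thread context loader, which inside a servlet
            // container is the web application's loader and can see WEB-INF/classes.
            ClassLoader tccl = Thread.currentThread().getContextClassLoader();
            if (tccl == null) {
                throw notVisibleToSharedLoader;
            }
            return Class.forName(name, true, tccl);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed "WEB-INF/classes": a temp directory holding one compiled strategy class.
        Path webInfClasses = Files.createTempDirectory("webinf-classes");
        Path src = webInfClasses.resolve("MyStrategy.java");
        Files.writeString(src,
                "public class MyStrategy {\n"
              + "    public String toString() { return \"MyStrategy (webapp loader)\"; }\n"
              + "}\n");
        JavaCompiler javac = ToolProvider.getSystemJavaCompiler();
        int rc = javac.run(null, null, null, "-d", webInfClasses.toString(), src.toString());
        if (rc != 0) {
            throw new IllegalStateException("javac failed with exit code " + rc);
        }

        // Child loader with the "shared" loader as parent: parent-first delegation means the
        // child can see everything the parent can, but the parent cannot see the child's classes.
        ClassLoader sharedLoader = ClassLoaderVisibilityDemo.class.getClassLoader();
        URLClassLoader webappLoader =
                new URLClassLoader(new URL[] { webInfClasses.toUri().toURL() }, sharedLoader);

        // 1. Class.forName() from the shared-loader class fails, as in the report.
        try {
            Class.forName("MyStrategy");
            System.out.println("unexpected: MyStrategy visible to the shared loader");
        } catch (ClassNotFoundException e) {
            System.out.println("Class.forName from shared loader: " + e);
        }

        // 2. With the webapp loader installed as context loader, the fallback succeeds.
        Thread.currentThread().setContextClassLoader(webappLoader);
        Class<?> clazz = loadStrategy("MyStrategy");
        Object strategy = clazz.getConstructor().newInstance();
        System.out.println("loaded via context loader: " + strategy
                + " defined by " + clazz.getClassLoader());

        // A static field in the shared-loader class holding 'strategy' would keep webappLoader
        // reachable after the webapp is undeployed, which is the leak Luke Taylor points out.
        webappLoader.close();
    }
}
```

Running it prints a ClassNotFoundException for the first lookup and a successful load for the second; the instance's class reports the child URLClassLoader as its defining loader, which is exactly the cross-loader reference that makes a per-webapp strategy held by a shared JAR problematic.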
@spring-issuemaster

Luke Taylor said:

Does it work if you move the strategy class into the Tomcat shared/lib directory? If so, is there a pressing reason why the class shouldn't also be in this directory? If you have the security class in the container classloader then it doesn't really make sense for the context strategy to be pointing to an instance of a class from an individual web application. For one thing, this will probably prevent the application classloader from being garbage collected if the app is redeployed. It may also cause problems if you have more than one application using Spring Security.

@spring-issuemaster

Luke Taylor said:

No response, so closing.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M2 milestone Feb 5, 2016