Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SEC-1750: AbstractSecurityInterceptor should replace the SecurityContext when doing RunAs replacement, rather than just the Authentication within the context #1984

Closed
spring-projects-issues opened this issue May 20, 2011 · 1 comment

Comments

@spring-projects-issues
Copy link

@spring-projects-issues spring-projects-issues commented May 20, 2011

Luke Taylor (Migrated from SEC-1750) said:

Since the SecurityContext may be shared between different threads, there is a limited possibility of escalating permissions when a RunAsManager is used to modify the context.

@spring-projects-issues
Copy link
Author

@spring-projects-issues spring-projects-issues commented Aug 19, 2011

Luke Taylor said:

Default RunAsManager now creates an empty security context to hold the runas authentication token.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant