SEC-1750: AbstractSecurityInterceptor should replace the SecurityContext when doing RunAs replacement, rather than just the Authentication within the context #1984

Closed
spring-issuemaster opened this Issue May 20, 2011 · 1 comment

@spring-issuemaster

Luke Taylor (Migrated from SEC-1750) said:

Since the SecurityContext may be shared between different threads, there is a limited possibility of escalating permissions when a RunAsManager is used to modify the context.

@spring-issuemaster

Luke Taylor said:

Default RunAsManager now creates an empty security context to hold the runas authentication token.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC3 milestone Feb 5, 2016
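
The difference between replacing the Authentication inside a shared context and replacing the context itself, as an added example that is not part of the original issue or Spring Security's code. `Context`, `HOLDER` and the method names are simplified, hypothetical stand-ins, and the authentication is reduced to a string. In the in-place variant the second thread observes the RunAs token; in the fresh-context variant it still sees the original one.

```java
import java.util.concurrent.atomic.AtomicReference;
// Simplified stand-ins for illustration; not Spring Security's own classes.
public class RunAsContextDemo {
    // Mutable holder for the current authentication (here just a name).
    static final class Context {
        private volatile String authentication;
        Context(String authentication) { this.authentication = authentication; }
        String getAuthentication() { return authentication; }
        void setAuthentication(String a) { authentication = a; }
    }

    // Per-thread reference to a context; the context object may be shared.
    static final ThreadLocal<Context> HOLDER = new ThreadLocal<>();

    // Before: swap the Authentication inside the shared context object.
    static String runAsInPlace(Context shared, String runAs) throws Exception {
        HOLDER.set(shared);
        String original = shared.getAuthentication();
        shared.setAuthentication(runAs);
        try {
            return seenByOtherThread(shared);
        } finally {
            shared.setAuthentication(original);
        }
    }

    // After: hold the RunAs token in a new context and swap the reference.
    static String runAsFreshContext(Context shared, String runAs) throws Exception {
        HOLDER.set(new Context(runAs));
        try {
            return seenByOtherThread(shared);
        } finally {
            HOLDER.set(shared);
        }
    }

    // A second thread that holds a reference to the same context object.
    static String seenByOtherThread(Context shared) throws Exception {
        AtomicReference<String> seen = new AtomicReference<>();
        Thread t = new Thread(() -> seen.set(shared.getAuthentication()));
        t.start();
        t.join();
        return seen.get();
    }
    public static void main(String[] args) throws Exception {
        System.out.println("in place: " + runAsInPlace(new Context("user"), "RUN_AS_ADMIN"));
        System.out.println("fresh context: " + runAsFreshContext(new Context("user"), "RUN_AS_ADMIN"));
    }
}
```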