SEC-1750: AbstractSecurityInterceptor should replace the SecurityContext when doing RunAs replacement, rather than just the Authentication within the context #1984

spring-issuemaster opened this Issue May 20, 2011 · 1 comment



Luke Taylor (Migrated from SEC-1750) said:

Since the SecurityContext may be shared between different threads, there is a limited possibility of escalating permissions when a RunAsManager is used to modify the context.

Luke Taylor said:

Default RunAsManager now creates an empty security context to hold the runas authentication token.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC3 milestone Feb 5, 2016
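The difference between the two behaviours discussed in this issue, as an added example that is not Spring Security's code or part of the original thread: `Ctx` and `HOLDER` are minimal stand-ins for a security context and its thread-local holder, and the role names are constructed. One thread performs a RunAs swap while a second thread holding the same context object reads its authentication.

```java
import java.util.concurrent.CountDownLatch;
// Stand-ins for illustration only; not Spring Security's classes.
public class RunAsContextDemo {
    static final class Ctx { volatile String auth; Ctx(String a) { auth = a; } }
    static final ThreadLocal<Ctx> HOLDER = new ThreadLocal<>();

    // Behaviour reported in the issue: swap the Authentication inside the (possibly shared) context.
    static Ctx runAsInPlace(String runAs) {
        Ctx original = HOLDER.get();
        original.auth = runAs;      // visible to every thread holding this Ctx
        return original;
    }

    // Behaviour after the fix: a fresh context holds the RunAs token for this thread only.
    static Ctx runAsFreshContext(String runAs) {
        Ctx original = HOLDER.get();
        HOLDER.set(new Ctx(runAs)); // the shared Ctx is left untouched
        return original;
    }

    // Returns what a second thread sharing the same Ctx sees during the RunAs window.
    static String observedByOtherThread(boolean replaceContext) throws InterruptedException {
        Ctx shared = new Ctx("ROLE_USER");
        CountDownLatch elevated = new CountDownLatch(1), done = new CountDownLatch(1);
        String[] seen = new String[1];
        Thread secured = new Thread(() -> {
            HOLDER.set(shared);
            String userAuth = shared.auth;
            Ctx original = replaceContext ? runAsFreshContext("ROLE_RUN_AS_ADMIN") : runAsInPlace("ROLE_RUN_AS_ADMIN");
            elevated.countDown();   // RunAs token is now in effect for the secured call
            try { done.await(); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
            if (replaceContext) HOLDER.set(original); else original.auth = userAuth; // restore
        });
        Thread other = new Thread(() -> {
            HOLDER.set(shared);
            try { elevated.await(); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
            seen[0] = HOLDER.get().auth; // read while the first thread is still elevated
            done.countDown();
        });
        secured.start(); other.start();
        secured.join(); other.join();
        return seen[0];
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("in-place swap, other thread sees: " + observedByOtherThread(false));
        System.out.println("fresh context, other thread sees: " + observedByOtherThread(true));
    }
}
```

With the in-place swap the second thread reads the RunAs token; with a fresh context it still reads the original authentication.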
