Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SEC-1750: AbstractSecurityInterceptor should replace the SecurityContext when doing RunAs replacement, rather than just the Authentication within the context #1984

spring-projects-issues opened this issue May 20, 2011 · 1 comment


Copy link

@spring-projects-issues spring-projects-issues commented May 20, 2011

Luke Taylor (Migrated from SEC-1750) said:

Since the SecurityContext may be shared between different threads, there is a limited possibility of escalating permissions when a RunAsManager is used to modify the context.

Copy link

@spring-projects-issues spring-projects-issues commented Aug 19, 2011

Luke Taylor said:

Default RunAsManager now creates an empty security context to hold the runas authentication token.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant