SEC-1950: Defensively invoke SecurityContextHolder.clearContext() in FilterChainProxy #2177
Labels:
  in: web (an issue in web modules: web, webmvc)
  type: enhancement (a general enhancement)
  type: jira (an issue that was migrated from JIRA)
Rob Winch (Migrated from SEC-1950) said:
In situations where applications try to obtain the SecurityContext globally it may cause a memory leak if the application uses security=none and the SecurityContextHolder is even read from. A similar situation can occur if users manually create the filter chain and do not properly add the SecurityContextPersistenceFilter to the FilterChainProxy. In order to be defensive about memory leaks, it would be good to call SecurityContextHolder.clearContext() in the FilterChainProxy itself.
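The leak described in the issue is easy to reproduce once you remember that a servlet container reuses request threads and that SecurityContextHolder.getContext() creates and stores an empty context on first read. The following is an added, self-contained illustration (not Spring Security's code and not the project's fix): a constructed stand-in for the holder with the same create-on-read ThreadLocal semantics, a "filter chain" that does nothing (security=none, no SecurityContextPersistenceFilter), and the defensive variant that clears the holder in a finally block the way the issue proposes for FilterChainProxy. Two "requests" are run on a single pooled thread to show what the second one observes.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

// Constructed demo: a minimal stand-in for SecurityContextHolder. It is not
// Spring Security's class; only the create-on-read ThreadLocal behaviour is mirrored.
public class ClearContextDemo {

    static final class Context {
        String principal; // null means nothing has been authenticated on this context
    }

    static final class Holder {
        private static final ThreadLocal<Context> HOLDER = new ThreadLocal<>();

        // A plain read is enough to allocate a Context and pin it to the current thread.
        static Context getContext() {
            Context ctx = HOLDER.get();
            if (ctx == null) {
                ctx = new Context();
                HOLDER.set(ctx);
            }
            return ctx;
        }

        static void clearContext() {
            HOLDER.remove();
        }
    }

    // Stand-in for the FilterChainProxy boundary around the rest of the chain.
    interface Proxy { void doFilter(Runnable chain); }

    // security=none: nothing in the chain ever clears the holder after the request.
    static final Proxy LEAKY = chain -> chain.run();

    // Defensive variant: clear in finally no matter what the chain did or threw.
    static final Proxy DEFENSIVE = chain -> {
        try {
            chain.run();
        } finally {
            Holder.clearContext();
        }
    };

    // Runs two "requests" on one pooled thread (container thread reuse) and
    // returns the principal the second request finds before it authenticates anyone.
    static String runTwoRequests(Proxy proxy) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(1);
        try {
            // Request 1: application code reads the holder globally and stores something in it.
            pool.submit(() -> proxy.doFilter(() -> Holder.getContext().principal = "alice")).get();

            // Request 2: same thread, new request. What does a global lookup see?
            Future<String> seen = pool.submit(() -> {
                String[] out = new String[1];
                proxy.doFilter(() -> out[0] = String.valueOf(Holder.getContext().principal));
                return out[0];
            });
            return seen.get();
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("security=none, no clear  : request 2 sees " + runTwoRequests(LEAKY));
        System.out.println("clearContext() in finally: request 2 sees " + runTwoRequests(DEFENSIVE));
    }
}
```

With the leaky proxy the second request sees "alice": the Context object created by request 1 is still referenced from the pooled thread's ThreadLocal map, which is both the memory leak (one context per thread, held for the thread's lifetime, even when the application only read from the holder) and a cross-request state bleed. With the defensive proxy it sees "null". Putting the clear in a finally block at the outermost boundary means it happens even when the chain throws, and regardless of whether a SecurityContextPersistenceFilter was configured for that request.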