SEC-1950: Defensively invoke SecurityContextHolder.clearContext() in FilterChainProxy #2177

spring-issuemaster opened this Issue Apr 11, 2012 · 2 comments

Rob Winch (Migrated from SEC-1950) said:

In situations where applications try to obtain the SecurityContext globally it may cause a memory leak if the application uses security=none and the SecurityContextHolder is even read from. A similar situation can occur if users manually create the filter chain and do not properly add the SecurityContextPersistenceFilter to the FilterChainProxy. In order to be defensive about memory leaks, it would be good to call SecurityContextHolder.clearContext() in the FilterChainProxy itself.


Rob Winch said:

Note that there is not a memory leak even prior to this issue assuming Spring Security is being used correctly. This is just a measure that allows it to get cleaned up properly even when used improperly. There are still edge cases where if used improperly, there would be a memory leak. For example if the user invokes SecurityContext.getContext() and does not add the FilterChainProxy (i.e. springSecurityFilterChain) to the web.xml there will still be a leak. However, there is little we can do about these other situations.
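Added illustration of the two comments above (plain Java written for this page, not Spring Security source): `Holder` is a hypothetical stand-in for SecurityContextHolder with its default ThreadLocal strategy, including the detail that getContext() lazily creates and stores an empty context, which is why a holder that is merely read from can still leave state on the thread; `Chain`, `leakyProxy`, `defensiveProxy` and `APP` are hypothetical stand-ins for a FilterChain, a hand-built chain without SecurityContextPersistenceFilter, a FilterChainProxy that clears in a finally block as proposed, and application code that reads the holder. It runs on one reused worker thread to show the three cases discussed: a misconfigured chain, the defensive proxy, and the holder being read outside any filter chain at all.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ClearContextDemo {

    // Hypothetical stand-in for SecurityContextHolder (ThreadLocal strategy).
    // Like the real holder, getContext() lazily creates an empty context and
    // stores it in the ThreadLocal, so simply reading it populates the thread.
    static final class Holder {
        private static final ThreadLocal<Object> CONTEXT = new ThreadLocal<>();

        static Object getContext() {
            Object ctx = CONTEXT.get();
            if (ctx == null) {
                ctx = new Object();   // stands in for an empty SecurityContextImpl
                CONTEXT.set(ctx);
            }
            return ctx;
        }

        static void clearContext() {
            CONTEXT.remove();
        }

        // Demo-only inspection: is a context still bound to the current thread?
        static boolean isBound() {
            return CONTEXT.get() != null;
        }
    }

    // Minimal stand-in for a servlet FilterChain.
    interface Chain { void doFilter(); }

    // Hand-built chain that omitted SecurityContextPersistenceFilter:
    // nothing clears the holder when the request finishes.
    static void leakyProxy(Chain chain) {
        chain.doFilter();
    }

    // What SEC-1950 proposes for FilterChainProxy: clear in finally so the
    // worker thread is clean even if the chain was misconfigured or threw.
    static void defensiveProxy(Chain chain) {
        try {
            chain.doFilter();
        } finally {
            Holder.clearContext();
        }
    }

    // Application code that reads the holder "globally", e.g. from a service.
    static final Chain APP = () -> Holder.getContext();

    // Runs one request on a reused worker thread and reports whether a context
    // is still bound to that thread afterwards (that is the leak).
    static boolean leavesContextOnWorker(ExecutorService worker, Runnable request) throws Exception {
        worker.submit(request).get();
        return worker.submit(Holder::isBound).get();
    }

    public static void main(String[] args) throws Exception {
        // A single pooled thread, reused across requests like a container worker.
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            System.out.println("manual chain without persistence filter, context left on thread: "
                    + leavesContextOnWorker(worker, () -> leakyProxy(APP)));
            worker.submit(Holder::clearContext).get();   // reset between scenarios

            System.out.println("FilterChainProxy clearing in finally, context left on thread: "
                    + leavesContextOnWorker(worker, () -> defensiveProxy(APP)));
            worker.submit(Holder::clearContext).get();

            // The edge case from the second comment: holder read but no
            // FilterChainProxy in front of it, so nothing can clean up.
            System.out.println("holder read outside any filter chain, context left on thread: "
                    + leavesContextOnWorker(worker, APP::doFilter));
        } finally {
            worker.shutdown();
        }
    }
}
```

Run it with `java ClearContextDemo.java` (Java 11 or later). The first and third scenarios report a context still bound to the reused thread; only the defensive proxy leaves it clean, which is the behaviour the issue asks FilterChainProxy to guarantee, and the third scenario is the case the second comment says the proxy cannot help with.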

@spring-issuemaster spring-issuemaster added this to the 3.1.1 milestone Feb 5, 2016

This issue relates to #2252
