Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SEC-3109: Concurrent/ThreadPoolTaskScheduler don't work with DelegatingSecurityContextExecutor #3311

Closed
spring-projects-issues opened this issue Sep 18, 2015 · 3 comments
Assignees
Labels
type: bug type: jira
Milestone

Comments

@spring-projects-issues
Copy link

@spring-projects-issues spring-projects-issues commented Sep 18, 2015

Matthias Nöbl (Migrated from SEC-3109) said:

We have a setup with Spring Boot with scheduling. To use method security with background jobs we want to use the DelegatingSecurityContextScheduledExecutorService like described here: http://www.petrikainulainen.net/programming/spring-framework/spring-from-the-trenches-invoking-a-secured-method-from-a-scheduled-job/ (see "Spring Security 3.2: It Is Almost Like Magic!").

I suspect this stopped working with SEC-3031, because now DelegatingSecurityContextRunnable/Callable doesn't set/clear the security context if run on the same thread as they were created.
As Concurrent/TheadPoolTaskScheduler uses a ReschedulingRunnable for the trigger mechanic (we use cron triggers), so the rescheduling is done on the pool thread. So random subsequent calls executed on the same pool thread might fail, because the SecurityContext is not set.
Getting DelegatingSecurityContextExecutor to set the enableOnOriginalThread property on DelegatingSecurityContextRunnable to true would fix that issue.

@spring-projects-issues
Copy link
Author

@spring-projects-issues spring-projects-issues commented Oct 26, 2015

Rob Winch said:

Thanks this is now fixed by keeping track of the original SecurityContext and then restoring it. Can you please give the latest 3.2.9.CI-SNAPSHOT or 4.0.3.CI-SNAPSHOT a try to verify it resolves your issue?

Instructions for getting 4.0.3.CI-SNAPSHOT can be found at http://docs.spring.io/spring-security/site/docs/4.0.x-SNAPSHOT/reference/htmlsingle/#get-spring-security

Instructions for getting 3.2.9.CI-SNAPSHOT can be found at http://docs.spring.io/spring-security/site/docs/3.2.x-SNAPSHOT/reference/htmlsingle/#get-spring-security

@spring-projects-issues
Copy link
Author

@spring-projects-issues spring-projects-issues commented Oct 27, 2015

Matthias Nöbl said:

I tested it with 4.0.3.CI-SNAPSHOT and it works now as expected. (y) Thank you.

@spring-projects-issues
Copy link
Author

@spring-projects-issues spring-projects-issues commented Oct 27, 2015

Rob Winch said:

Thanks for the quick follow up!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
type: bug type: jira
Projects
None yet
Development

No branches or pull requests

2 participants