SEC-3109: Concurrent/ThreadPoolTaskScheduler don't work with DelegatingSecurityContextExecutor

[spring-projects-issues]

Matthias Nöbl (Migrated from SEC-3109) said:

We have a setup with Spring Boot with scheduling. To use method security with background jobs we want to use the DelegatingSecurityContextScheduledExecutorService like described here: http://www.petrikainulainen.net/programming/spring-framework/spring-from-the-trenches-invoking-a-secured-method-from-a-scheduled-job/ (see "Spring Security 3.2: It Is Almost Like Magic!").

I suspect this stopped working with SEC-3031, because now DelegatingSecurityContextRunnable/Callable doesn't set/clear the security context if run on the same thread as they were created.
As Concurrent/TheadPoolTaskScheduler uses a ReschedulingRunnable for the trigger mechanic (we use cron triggers), so the rescheduling is done on the pool thread. So random subsequent calls executed on the same pool thread might fail, because the SecurityContext is not set.
Getting DelegatingSecurityContextExecutor to set the enableOnOriginalThread property on DelegatingSecurityContextRunnable to true would fix that issue.

[spring-projects-issues]

Rob Winch said:

Thanks this is now fixed by keeping track of the original SecurityContext and then restoring it. Can you please give the latest 3.2.9.CI-SNAPSHOT or 4.0.3.CI-SNAPSHOT a try to verify it resolves your issue?

Instructions for getting 4.0.3.CI-SNAPSHOT can be found at http://docs.spring.io/spring-security/site/docs/4.0.x-SNAPSHOT/reference/htmlsingle/#get-spring-security

Instructions for getting 3.2.9.CI-SNAPSHOT can be found at http://docs.spring.io/spring-security/site/docs/3.2.x-SNAPSHOT/reference/htmlsingle/#get-spring-security

[spring-projects-issues]

Matthias Nöbl said:

I tested it with 4.0.3.CI-SNAPSHOT and it works now as expected. (y) Thank you.

[spring-projects-issues]

Rob Winch said:

Thanks for the quick follow up!