
SEC-356: Changes to Authentication leak into synchronous requests when using HttpSessionContextIntegrationFilter #617

spring-issuemaster opened this Issue Sep 20, 2006 · 2 comments



Paul Field (Migrated from SEC-356) said:

HttpSessionContextIntegrationFilter will read an existing SecurityContext object from the session and attach it to the Http request thread by calling: SecurityContextHolder#setContext. This means that simultaneous requests get the same SecurityContext object. If one of those threads changes the authentication attached to the context (for example, to enable some “Run As” functionality such as in org.acegisecurity.intercept.AbstractSecurityInterceptor) that authentication will be seen to change in all the request threads and may enable those threads to be able to gain access that they shouldn’t have.

Ben Alex said:

Added a new cloneFromHttpSession property to HttpSessionContextIntegrationFilter, which defaults to false. If true, a clone method is expected to be provided on the SecurityContext implementation, which will be used instead of by-reference semantics. This will fix the issue, although it’s notable that very few people would experience this problem in any event (i.e. the need to have per-session-per-thread security differentiation as opposed to simply per-session-all-threads security differentiation).
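The aliasing Paul describes and the clone-based fix Ben added, as an added example that is not the project's own code: the Authentication and SecurityContextImpl classes below are minimal stand-ins for the Acegi types, and a CountDownLatch forces request B to read its context only after request A has swapped in a "run as" authentication. With cloneFromHttpSession left false both requests hold the same session object, so B observes A's elevated authentication; with it true each request gets its own copy.

```java
import java.util.concurrent.CountDownLatch;

// Minimal stand-ins for the Acegi types; not the project's classes.
class Authentication {
    final String name;
    Authentication(String name) { this.name = name; }
}

class SecurityContextImpl implements Cloneable {
    private Authentication auth;
    SecurityContextImpl(Authentication auth) { this.auth = auth; }
    synchronized Authentication getAuthentication() { return auth; }
    synchronized void setAuthentication(Authentication a) { auth = a; }
    // What cloneFromHttpSession=true relies on: a copy with its own auth field.
    @Override public SecurityContextImpl clone() {
        return new SecurityContextImpl(auth);
    }
}

public class SessionContextLeakDemo {
    // Simulates two concurrent requests for one session. Request A swaps in a
    // "run as" authentication; request B reads its own context afterwards.
    // Returns the authentication name that request B observed.
    static String runTwoRequests(boolean cloneFromHttpSession) throws InterruptedException {
        SecurityContextImpl sessionCtx = new SecurityContextImpl(new Authentication("alice"));
        // What the filter would attach to each request thread via SecurityContextHolder
        SecurityContextImpl ctxA = cloneFromHttpSession ? sessionCtx.clone() : sessionCtx;
        SecurityContextImpl ctxB = cloneFromHttpSession ? sessionCtx.clone() : sessionCtx;
        CountDownLatch runAsApplied = new CountDownLatch(1);
        String[] seenByB = new String[1];
        Thread requestA = new Thread(() -> {
            ctxA.setAuthentication(new Authentication("RUN_AS_ADMIN"));
            runAsApplied.countDown();
            // ... A does its privileged work here, then would restore the original
        });
        Thread requestB = new Thread(() -> {
            try { runAsApplied.await(); } catch (InterruptedException e) { return; }
            seenByB[0] = ctxB.getAuthentication().name;
        });
        requestA.start(); requestB.start();
        requestA.join(); requestB.join();
        return seenByB[0];
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("by reference: B sees " + runTwoRequests(false));
        System.out.println("cloned:       B sees " + runTwoRequests(true));
    }
}
```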

@spring-issuemaster spring-issuemaster added this to the 1.0.3 milestone Feb 5, 2016
