SEC-356: Changes to Authentication leak into synchronous requests when using HttpSessionContextIntegrationFilter #617

Closed
spring-issuemaster opened this Issue Sep 20, 2006 · 2 comments


@spring-issuemaster

Paul Field (Migrated from SEC-356) said:

HttpSessionContextIntegrationFilter will read an existing SecurityContext object from the session and attach it to the Http request thread by calling: SecurityContextHolder#setContext. This means that simultaneous requests get the same SecurityContext object. If one of those threads changes the authentication attached to the context (for example, to enable some “Run As” functionality such as in org.acegisecurity.intercept.AbstractSecurityInterceptor) that authentication will be seen to change in all the request threads and may enable those threads to be able to gain access that they shouldn’t have.

@spring-issuemaster

Ben Alex said:

Added a new cloneFromHttpSession property to HttpSessionContextIntegrationFilter, which defaults to false. If true, a clone method is expected to be provided on the SecurityContext implementation, which will be used instead of by-reference semantics. This will fix the issue, although it’s notable that very few people would experience this problem in any event (i.e. the need to have per-session-per-thread security differentiation as opposed to simply per-session-all-threads security differentiation).
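The race described in this thread, as an added illustration that is not part of the original issue or of the Acegi code base: the classes below are hypothetical stand-ins for SecurityContext, SecurityContextHolder and the filter, with two request threads of the same session, one of which performs a run-as swap while the other reads its authentication afterwards. The only difference between the two runs is whether the filter attaches the session's context by reference or as a clone, mirroring the cloneFromHttpSession property.

```java
import java.util.concurrent.CountDownLatch;

public class SharedContextDemo {
    // Hypothetical stand-in for a SecurityContext implementation that supports clone().
    static final class SecurityContext implements Cloneable {
        volatile String authentication;
        SecurityContext(String auth) { authentication = auth; }
        @Override public SecurityContext clone() { return new SecurityContext(authentication); }
    }

    // Thread-bound holder, standing in for SecurityContextHolder's thread-local strategy.
    static final ThreadLocal<SecurityContext> HOLDER = new ThreadLocal<>();

    // Stand-in for the filter: attach the session's context by reference or as a clone.
    static void attachFromSession(SecurityContext sessionContext, boolean cloneFromHttpSession) {
        HOLDER.set(cloneFromHttpSession ? sessionContext.clone() : sessionContext);
    }

    // Returns the authentication the second thread observes after the first thread's run-as swap.
    static String observedByOtherThread(boolean cloneFromHttpSession) throws InterruptedException {
        SecurityContext session = new SecurityContext("user:alice");   // constructed sample session
        CountDownLatch bothAttached = new CountDownLatch(2);
        CountDownLatch swapDone = new CountDownLatch(1);
        String[] seen = new String[1];

        Thread runAs = new Thread(() -> {
            attachFromSession(session, cloneFromHttpSession);
            bothAttached.countDown();
            await(bothAttached);
            // Run-as swap intended to affect this request thread only.
            HOLDER.get().authentication = "runas:ROLE_ADMIN";
            swapDone.countDown();
        });
        Thread other = new Thread(() -> {
            attachFromSession(session, cloneFromHttpSession);
            bothAttached.countDown();
            await(swapDone);
            // With by-reference semantics the other thread's swap is visible here.
            seen[0] = HOLDER.get().authentication;
        });
        runAs.start(); other.start(); runAs.join(); other.join();
        return seen[0];
    }

    private static void await(CountDownLatch latch) {
        try { latch.await(); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("by reference: " + observedByOtherThread(false));
        System.out.println("cloned:       " + observedByOtherThread(true));
    }
}
```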

@spring-issuemaster spring-issuemaster added this to the 1.0.3 milestone Feb 5, 2016