Paul Field (Migrated from SEC-356) said:
HttpSessionContextIntegrationFilter will read an existing SecurityContext object from the session and attach it to the Http request thread by calling: SecurityContextHolder#setContext. This means that simultaneous requests get the same SecurityContext object. If one of those threads changes the authentication attached to the context (for example, to enable some “Run As” functionality such as in org.acegisecurity.intercept.AbstractSecurityInterceptor) that authentication will be seen to change in all the request threads and may enable those threads to be able to gain access that they shouldn’t have.
Ben Alex said:
Added a new cloneFromHttpSession property to HttpSessionContextIntegrationFilter, which defaults to false. If true, a clone method is expected to be provided on the SecurityContext implementation, which will be used instead of by-reference semantics. This will fix the issue, although it’s notable that very few people would experience this problem in any event (i.e. the need to have per-session-per-thread security differentiation as opposed to simply per-session-all-threads security differentiation).
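The race described in this thread, reduced to a runnable sketch (added here as an illustration; the SecurityContext, SecurityContextHolder and attachFromSession stand-ins are constructed for the example and are not Acegi's own classes). Two request threads in one session attach the session's context; request A swaps its authentication, as a RunAs interceptor would, and request B reads what it now sees. With by-reference semantics B observes A's swapped authentication; with clone semantics it does not.

```java
import java.util.concurrent.CountDownLatch;

// Minimal stand-ins for Acegi's SecurityContext / SecurityContextHolder (constructed for this example).
class SecurityContext implements Cloneable {
    volatile String authentication;                       // stands in for the Authentication object
    SecurityContext(String auth) { this.authentication = auth; }
    @Override public SecurityContext clone() { return new SecurityContext(authentication); }
}
class SecurityContextHolder {
    private static final ThreadLocal<SecurityContext> ctx = new ThreadLocal<>();
    static void setContext(SecurityContext c) { ctx.set(c); }
    static SecurityContext getContext() { return ctx.get(); }
}

public class SharedContextDemo {
    // Stand-in for HttpSessionContextIntegrationFilter reading the session's context,
    // with or without the cloneFromHttpSession behaviour.
    static void attachFromSession(SecurityContext sessionCtx, boolean cloneFromHttpSession) {
        SecurityContextHolder.setContext(cloneFromHttpSession ? sessionCtx.clone() : sessionCtx);
    }

    // Two concurrent requests in the same session. Request A performs a RunAs swap while B is still
    // in flight; the return value is the authentication request B observes after A's swap.
    static String observedByOtherRequest(boolean cloneFromHttpSession) throws InterruptedException {
        SecurityContext sessionCtx = new SecurityContext("alice/ROLE_USER"); // constructed sample session state
        CountDownLatch swapped = new CountDownLatch(1);
        String[] seenByB = new String[1];
        Thread a = new Thread(() -> {
            attachFromSession(sessionCtx, cloneFromHttpSession);
            // RunAs-style replacement of the authentication on this thread's context
            SecurityContextHolder.getContext().authentication = "alice/ROLE_RUN_AS_ADMIN";
            swapped.countDown();
        });
        Thread b = new Thread(() -> {
            attachFromSession(sessionCtx, cloneFromHttpSession);
            try { swapped.await(); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
            seenByB[0] = SecurityContextHolder.getContext().authentication;
        });
        a.start(); b.start(); a.join(); b.join();
        return seenByB[0];
    }

    public static void main(String[] args) throws InterruptedException {
        // By reference, both threads hold the same object, so A's swap is visible to B.
        System.out.println("by reference: " + observedByOtherRequest(false));
        // With a clone per request, A's swap is confined to A's own copy.
        System.out.println("cloned:       " + observedByOtherRequest(true));
    }
}
```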
Christos Kokotsis said: