Spring Security / SEC-1622

Classloading in SecurityContextHolder#initialize() fails if spring-security JAR is located in ${catalina.home}/shared/lib and class to be loaded is located in webapps/<app>/WEB-INF/classes

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Invalid
    • Affects Version/s: None
    • Fix Version/s: 3.1.0.M2
    • Component/s: Core
    • Labels: None
    • Environment: Ubuntu 32-Bit, JDK 1.6.20, Tomcat 5.5.25

      Description

      Note: I'm reporting this issue against the latest GIT "master" branch.

      When using the current thread's context classloader (see change below), the class loading works. Maybe the code should be changed to check the context classloader if Class.forName() fails (and yes, I'm aware that this change might have security implications).

      ---------------------
      private static void initialize() {
          if ((strategyName == null) || "".equals(strategyName)) {
              // Set default
              strategyName = MODE_THREADLOCAL;
          }

          if (strategyName.equals(MODE_THREADLOCAL)) {
              strategy = new ThreadLocalSecurityContextHolderStrategy();
          } else if (strategyName.equals(MODE_INHERITABLETHREADLOCAL)) {
              strategy = new InheritableThreadLocalSecurityContextHolderStrategy();
          } else if (strategyName.equals(MODE_GLOBAL)) {
              strategy = new GlobalSecurityContextHolderStrategy();
          } else {
              // Try to load a custom strategy
              try {
                  // Class clazz = Class.forName(strategyName);
                  Class clazz = Thread.currentThread().getContextClassLoader().loadClass(strategyName);
                  Constructor customStrategy = clazz.getConstructor(new Class[] {});
                  strategy = (SecurityContextHolderStrategy) customStrategy.newInstance(new Object[] {});
              } catch (Exception ex) {
                  ReflectionUtils.handleReflectionException(ex);
              }
          }

          initializeCount++;
      }
      ---------------------
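The fallback the report proposes, as an added example that is neither the reporter's patch nor Spring Security's own code: try the defining classloader first, fall back to the thread context classloader, and add the two checks a practitioner would want before instantiating a class named by a system property (a type check against SecurityContextHolderStrategy, and a warning when the class comes from a different classloader than the holder, the leak and multi-webapp case raised in the comments). The class name StrategyLoader and its method are assumptions; it assumes Java 7+ for ReflectiveOperationException.

```java
import java.lang.reflect.Constructor;
import org.springframework.security.core.context.SecurityContextHolderStrategy;

// Hypothetical helper, not part of Spring Security.
final class StrategyLoader {

    private StrategyLoader() {
    }

    static SecurityContextHolderStrategy loadCustomStrategy(String strategyName)
            throws ReflectiveOperationException {
        Class<?> clazz;
        try {
            // Class.forName() resolves through StrategyLoader's own defining loader
            // (Tomcat shared/lib in the report), which cannot see WEB-INF/classes.
            clazz = Class.forName(strategyName);
        } catch (ClassNotFoundException notVisible) {
            ClassLoader tccl = Thread.currentThread().getContextClassLoader();
            if (tccl == null) {
                throw notVisible;
            }
            // Fallback: during request processing the context classloader is the
            // web application's loader, so it can see webapps/<app>/WEB-INF/classes.
            clazz = Class.forName(strategyName, true, tccl);
        }

        // The name comes from a system property: only instantiate a real strategy.
        if (!SecurityContextHolderStrategy.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException(
                    strategyName + " does not implement SecurityContextHolderStrategy");
        }

        // The strategy is held in a static field of a shared-lib class. A webapp class
        // here pins that application's classloader across redeploys and is shared by
        // every webapp in the container, which is why the fallback deserves a warning.
        if (clazz.getClassLoader() != StrategyLoader.class.getClassLoader()) {
            System.err.println("WARNING: strategy " + strategyName
                    + " was loaded from a different classloader than the holder");
        }

        Constructor<?> ctor = clazz.getDeclaredConstructor();
        return (SecurityContextHolderStrategy) ctor.newInstance();
    }
}
```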

        Activity

        Luke Taylor added a comment -

        Does it work if you move the strategy class into the Tomcat shared/lib directory? If so, is there a pressing reason why the class shouldn't also be in this directory? If you have the security class in the container classloader then it doesn't really make sense for the context strategy to be pointing to an instance of a class from an individual web application. For one thing, this will probably prevent the application classloader from being garbage collected if the app is redeployed. It may also cause problems if you have more than one application using Spring Security.

        Luke Taylor added a comment -

        No response, so closing.


          People

          • Assignee: Luke Taylor
          • Reporter: Tobias
          • Votes: 0
          • Watchers: 0
