Spring Security issue SEC-1950

Defensively invoke SecurityContextHolder.clearContext() in FilterChainProxy

Details

• Type: Improvement
• Status: Closed
• Priority: Minor
• Resolution: Complete
• Affects Version/s: None
• Fix Version/s: 3.1.1
• Component/s: Web
• Labels: None

Description

In situations where applications try to obtain the SecurityContext globally, it may cause a memory leak if the application uses security=none and the SecurityContextHolder is even read from. A similar situation can occur if users manually create the filter chain and do not properly add the SecurityContextPersistenceFilter to the FilterChainProxy. In order to be defensive about memory leaks, it would be good to call SecurityContextHolder.clearContext() in the FilterChainProxy itself.
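The following stand-alone program is an added illustration of the failure mode the description refers to; it is not Spring Security's own code and does not use the real SecurityContextHolder, FilterChainProxy or SecurityContextPersistenceFilter classes. The names Holder, ClearContextDemo, chainWithoutPersistenceFilter and proxyThatClears are invented for the example, and a single-thread executor stands in for a servlet container that reuses one pooled worker thread across requests. A bare read of the holder is enough to attach a context object to the thread; a chain that never clears it leaves that object, and whatever it references, alive for the lifetime of the pooled thread, while a proxy that clears in finally removes it no matter which inner filters were configured.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added illustration for SEC-1950; not Spring Security's own code. "Holder"
// stands in for SecurityContextHolder's default ThreadLocal strategy: a plain
// read via getContext() lazily creates an empty context and pins it to the
// calling thread until something calls clearContext() on that same thread.
final class Holder {
    private static final ThreadLocal<StringBuilder> CONTEXT = new ThreadLocal<>();

    static StringBuilder getContext() {
        StringBuilder ctx = CONTEXT.get();
        if (ctx == null) {
            ctx = new StringBuilder();   // allocated on a mere read
            CONTEXT.set(ctx);
        }
        return ctx;
    }

    static void clearContext() {
        CONTEXT.remove();                // must run on the thread that owns the entry
    }
}

public class ClearContextDemo {
    // A hand-built chain with no SecurityContextPersistenceFilter: it reads the
    // holder and never clears it, so whatever it stores survives the request.
    // Returns whatever the previous request left on this thread.
    static String chainWithoutPersistenceFilter(String user) {
        StringBuilder ctx = Holder.getContext();
        String leftover = ctx.toString();
        ctx.setLength(0);
        ctx.append(user);
        return leftover;
    }

    // The defensive shape SEC-1950 asks for: the proxy wraps the whole chain and
    // clears the holder in finally, regardless of which inner filters were added.
    static String proxyThatClears(String user) {
        try {
            return chainWithoutPersistenceFilter(user);
        } finally {
            Holder.clearContext();
        }
    }

    public static void main(String[] args) throws Exception {
        // A single-thread executor models a container reusing one pooled worker
        // thread across requests (constructed sample: two requests per variant).
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            String a = worker.submit(() -> proxyThatClears("alice")).get();
            String b = worker.submit(() -> proxyThatClears("bob")).get();
            System.out.println("with clearContext in the proxy: '" + a + "', '" + b + "'");

            String c = worker.submit(() -> chainWithoutPersistenceFilter("carol")).get();
            String d = worker.submit(() -> chainWithoutPersistenceFilter("dave")).get();
            System.out.println("without it: '" + c + "', '" + d + "'");
            // The second bare-chain request finds the first request's context still
            // attached to the pooled thread: that object is retained for the life of
            // the thread, which is the leak the issue describes.
        } finally {
            worker.shutdown();
        }
    }
}
```

Compile and run with `javac ClearContextDemo.java && java ClearContextDemo`. Note what the try/finally does and does not cover: it only clears the thread the proxy itself runs on, so a context read on a thread that never passes through the proxy (for example, an application thread that calls the holder outside any request, or a deployment where the proxy is not mapped at all) is still left behind.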

Activity

Rob Winch added a comment -

Note that there is not a memory leak even prior to this issue assuming Spring Security is being used correctly. This is just a measure that allows it to get cleaned up properly even when used improperly. There are still edge cases where if used improperly, there would be a memory leak. For example if the user invokes SecurityContext.getContext() and does not add the FilterChainProxy (i.e. springSecurityFilterChain) to the web.xml there will still be a leak. However, there is little we can do about these other situations.

People

• Assignee: Rob Winch
• Reporter: Rob Winch
• Votes: 0
• Watchers: 1
