Spring Security - SEC-356

Changes to Authentication leak into synchronous requests when using HttpSessionContextIntegrationFilter

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.0.1, 1.0.2
    • Fix Version/s: 1.0.3
    • Component/s: Core
    • Labels:
      None

      Description

      HttpSessionContextIntegrationFilter will read an existing SecurityContext object from the session and attach it to the Http request thread by calling: SecurityContextHolder#setContext. This means that simultaneous requests get the same SecurityContext object. If one of those threads changes the authentication attached to the context (for example, to enable some "Run As" functionality such as in org.acegisecurity.intercept.AbstractSecurityInterceptor) that authentication will be seen to change in all the request threads and may enable those threads to be able to gain access that they shouldn't have.

        Activity

        Ben Alex (balex) added a comment -

        Added a new cloneFromHttpSession property to HttpSessionContextIntegrationFilter, which defaults to false. If true, a clone method is expected to be provided on the SecurityContext implementation, which will be used instead of by-reference semantics. This will fix the issue, although it's notable that very few people would experience this problem in any event (ie the need to have per-session-per-thread security differentiation as opposed to simply per-session-all-threads security differentiation).

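The sharing described in the issue and the clone-based fix from the comment above, as an added illustration that is not Acegi or Spring Security code: the `Authentication`, `SecurityContext`, `SecurityContextHolder` and `ContextIntegrationFilter` classes below are minimal stand-ins for the types named on this page, the session is a plain `Map`, and the `SESSION_KEY` value is constructed for the example. Two threads simulate concurrent requests in one session; the first swaps in a "run as" `Authentication`, the second reports which `Authentication` it then observes on its own thread.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.CountDownLatch;

// Hypothetical stand-in for org.acegisecurity.Authentication (not the library's class).
final class Authentication {
    private final String name;
    Authentication(String name) { this.name = name; }
    @Override public String toString() { return name; }
}

// Hypothetical stand-in for the SecurityContext implementation; provides the clone
// method the cloneFromHttpSession fix expects.
final class SecurityContext {
    private Authentication authentication;
    SecurityContext(Authentication authentication) { this.authentication = authentication; }
    synchronized Authentication getAuthentication() { return authentication; }
    synchronized void setAuthentication(Authentication a) { this.authentication = a; }
    // A fresh context object: later setAuthentication calls on it do not touch the
    // instance stored in the session or the instances handed to other threads.
    @Override public SecurityContext clone() { return new SecurityContext(authentication); }
}

// Hypothetical stand-in for SecurityContextHolder: one context per request thread.
final class SecurityContextHolder {
    private static final ThreadLocal<SecurityContext> HOLDER = new ThreadLocal<>();
    static void setContext(SecurityContext c) { HOLDER.set(c); }
    static SecurityContext getContext() { return HOLDER.get(); }
    static void clearContext() { HOLDER.remove(); }
}

// Hypothetical stand-in for HttpSessionContextIntegrationFilter: attaches the session's
// context to the current thread either by reference (the reported bug) or as a clone (the fix).
final class ContextIntegrationFilter {
    static final String SESSION_KEY = "SECURITY_CONTEXT"; // constructed attribute name
    private final boolean cloneFromHttpSession;
    ContextIntegrationFilter(boolean cloneFromHttpSession) { this.cloneFromHttpSession = cloneFromHttpSession; }

    void beforeRequest(Map<String, Object> session) {
        SecurityContext stored = (SecurityContext) session.get(SESSION_KEY);
        SecurityContextHolder.setContext(cloneFromHttpSession ? stored.clone() : stored);
    }
}

public class SharedContextDemo {
    // Runs two simulated requests in the same session concurrently. The first request
    // switches its Authentication (as a "Run As" interceptor would); the returned value
    // is the Authentication the second request sees on its own thread afterwards.
    static String observedByOtherRequest(boolean cloneFromHttpSession) throws InterruptedException {
        Map<String, Object> session = new HashMap<>();
        session.put(ContextIntegrationFilter.SESSION_KEY, new SecurityContext(new Authentication("alice")));
        ContextIntegrationFilter filter = new ContextIntegrationFilter(cloneFromHttpSession);

        CountDownLatch bothAttached = new CountDownLatch(2); // both filters have run
        CountDownLatch runAsDone = new CountDownLatch(1);    // first request has switched identity
        String[] seen = new String[1];

        Thread runAsRequest = new Thread(() -> {
            filter.beforeRequest(session);
            bothAttached.countDown();
            await(bothAttached);
            SecurityContextHolder.getContext().setAuthentication(new Authentication("ROLE_RUN_AS_SERVER"));
            runAsDone.countDown();
            SecurityContextHolder.clearContext();
        });
        Thread ordinaryRequest = new Thread(() -> {
            filter.beforeRequest(session);
            bothAttached.countDown();
            await(bothAttached);
            await(runAsDone);
            seen[0] = SecurityContextHolder.getContext().getAuthentication().toString();
            SecurityContextHolder.clearContext();
        });
        runAsRequest.start();
        ordinaryRequest.start();
        runAsRequest.join();
        ordinaryRequest.join();
        return seen[0];
    }

    private static void await(CountDownLatch latch) {
        try { latch.await(); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("by reference (cloneFromHttpSession=false): " + observedByOtherRequest(false));
        System.out.println("cloned       (cloneFromHttpSession=true):  " + observedByOtherRequest(true));
    }
}
```

With `cloneFromHttpSession=false` both threads hold the very same `SecurityContext` instance, so the ordinary request observes the run-as `Authentication` that the other request installed, which is the leak the issue describes. With `cloneFromHttpSession=true` each thread gets its own clone and the ordinary request still sees `alice`; the change made on the run-as thread is confined to that thread's context, which is the per-session-per-thread differentiation the fix provides.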
        Christos Kokotsis (ckokotsis) added a comment -

        see SEC-423


          People

          • Assignee: Ben Alex (balex)
          • Reporter: Paul Field (paul.field)
          • Votes: 0
          • Watchers: 1

            Dates

            • Created:
              Updated:
              Resolved: