Spring Security
  1. Spring Security
  2. SEC-356

Changes to Authentication leak into synchronous requests when using HttpSessionContextIntegrationFilter

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Critical Critical
    • Resolution: Fixed
    • Affects Version/s: 1.0.1, 1.0.2
    • Fix Version/s: 1.0.3
    • Component/s: Core
    • Labels:
      None

      Description

      HttpSessionContextIntegrationFilter will read an existing SecurityContext object from the session and attach it to the Http request thread by calling: SecurityContextHolder#setContext. This means that simultaneous requests get the same SecurityContext object. If one of those threads changes the authentication attached to the context (for example, to enable some "Run As" functionality such as in org.acegisecurity.intercept.AbstractSecurityInterceptor) that authentication will be seen to change in all the request threads and may enable those threads to be able to gain access that they shouldn't have.

        Activity

        Hide
        Ben Alex added a comment -

        Added a new cloneFromHttpSession property to HttpSessionContextIntegrationFilter, which defaults to false. If true, a clone method is expected to be provided on the SecurityContext implementation, which will be used instead of by-reference semantics. This will fix the issue, although it's notable that very few people would experience this problem in any event (ie the need to have per-session-per-thread security differentation as opposed to simply per-session-all-threads security differentation).

        Show
        Ben Alex added a comment - Added a new cloneFromHttpSession property to HttpSessionContextIntegrationFilter, which defaults to false. If true, a clone method is expected to be provided on the SecurityContext implementation, which will be used instead of by-reference semantics. This will fix the issue, although it's notable that very few people would experience this problem in any event (ie the need to have per-session-per-thread security differentation as opposed to simply per-session-all-threads security differentation).
        Hide
        Christos Kokotsis added a comment -

        see SEC-423

        Show
        Christos Kokotsis added a comment - see SEC-423

          People

          • Assignee:
            Ben Alex
            Reporter:
            Paul Field
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: