4

I've some questions about Spring Security 3.0.5 and the SecurityContext. First of all, I'll try to conclude what I know:

  • SecurityContextHolder stores SecurityContext
  • Between Request, SecurityContext is stored in HttpSession
  • Begin of Request: SecurityContextHolder gets SecurityContext from HttpSession
  • End of Request: SecurityContextHolder puts SecurityContext in HttpSession

  • During the Request, on the server, SecurityContextHolder uses a ThreadLocal. Everywhere in the application (same request), the SecurityContext can be accessed

Now my question....

--> Two Requests: the SecurityContext-instance will be shared

How does this work? I mean, SecurityContextHolder uses a ThreadLocal for each request. 2 Requests = 2 ThreadLocals

Each request does: getSessionAttribute (SecurityContext) from HttpSession. What happens if they work on the SecurityContext? Is the SecurityContext changed in all ThreadLocals?

As far as I know: yes (??)

How does this work? How can they work on the same instance? I mean, I really can't imagine how two different threads with two different ThreadLocals can work on the same instance?

API (ThreadLocal): This class provides thread-local variables. These variables differ from their normal counterparts in that each thread that accesses one (via its get or set method) has its own, independently initialized copy of the variable.

I mean, that's it: copy! Maybe I'm wrong and it's not possible for two threads to work on the same SecurityContext? But the Spring Security documentation says so!

Would be great if someone could explain that to me :-) Thank you!

Nick Bastin
nano7

1 Answer

2

Each thread has its own value of ThreadLocal, but nothing prevents these values from being equal. So, in this case multiple threads would have references to the same instance of SecurityContext.

Usually it's not a problem, but if you want to modify security context, you can enable defensive copying, see SEC-356.

axtavt
  • But why does the ThreadLocal API then say that those variables are just copies? I mean, if they are copies, they can't be the "same", right? – nano7 Jun 16 '11 at 18:05
  • @nano7: Objects in Java are identified by references. So, references can be copied, but they still point to the same object. – axtavt Jun 16 '11 at 18:37
  • Ah. So I misunderstood it, because.... I'm not an expert.... but I still think the ThreadLocal API could be more precise then. Thank you! – nano7 Jun 17 '11 at 10:25
  • 1
    I am getting an `AuthenticationCredentialsNotFoundException` exception ([see link](http://stackoverflow.com/questions/34273755/sometimes-getting-authenticationcredentialsnotfoundexception-between-multiple-re)) and it seems the problem is that the `Authentication` object of the logged in user is not available for all threads in the pool. Maybe you can help me on this .. – Stefan Falk Jun 09 '16 at 18:51
  • Same problem @Stefan Falk, did you solve it? – Matías W. Mar 21 '22 at 18:30
  • @MatíasW. did you check the link I added to my comment? If these answers don't help then I won't be able to help you. That's 6 years ago and Spring changed a lot in the meantime – Stefan Falk Mar 21 '22 at 20:05
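
The behaviour discussed in the answer, as an added example that is not part of the original thread and is not Spring Security code: two request threads each fill their own `ThreadLocal` slot from the same session attribute, first with the stored reference and then with a per-request defensive copy. `Context`, `SESSION`, `HOLDER` and the method names are hypothetical stand-ins for `SecurityContext`, the `HttpSession` attributes and `SecurityContextHolder`.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;

public class SharedContextDemo {
    // Hypothetical stand-in for SecurityContext: a mutable object.
    static final class Context {
        volatile String principal;
        Context(String principal) { this.principal = principal; }
    }
    // Stand-in for the HttpSession attributes shared by all requests of one session.
    static final Map<String, Context> SESSION = new ConcurrentHashMap<>();
    // Stand-in for SecurityContextHolder: one slot per thread.
    static final ThreadLocal<Context> HOLDER = new ThreadLocal<>();

    // "Begin of request": put the session's context into this thread's slot.
    static void load(boolean defensiveCopy, CountDownLatch loaded) {
        Context stored = SESSION.get("CTX");
        HOLDER.set(defensiveCopy ? new Context(stored.principal) : stored);
        loaded.countDown();
    }
    static void awaitQuietly(CountDownLatch latch) {
        try { latch.await(); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
    }
    // Returns the principal request B reads after request A changed its own context.
    static String principalSeenByB(boolean defensiveCopy) throws InterruptedException {
        SESSION.put("CTX", new Context("alice"));
        CountDownLatch bothLoaded = new CountDownLatch(2);
        CountDownLatch changed = new CountDownLatch(1);
        String[] seen = new String[1];
        Thread a = new Thread(() -> {
            load(defensiveCopy, bothLoaded);
            awaitQuietly(bothLoaded);             // wait until B holds its reference too
            HOLDER.get().principal = "changed-by-A";
            changed.countDown();
        });
        Thread b = new Thread(() -> {
            load(defensiveCopy, bothLoaded);
            awaitQuietly(changed);
            seen[0] = HOLDER.get().principal;     // read through B's own ThreadLocal slot
        });
        a.start(); b.start(); a.join(); b.join();
        return seen[0];
    }
    public static void main(String[] args) throws InterruptedException {
        System.out.println("same reference in both slots: B sees " + principalSeenByB(false));
        System.out.println("defensive copy per request:   B sees " + principalSeenByB(true));
    }
}
```

The two slots are distinct, but in the first run both hold a reference to one object, so a change made through thread A's slot is visible through thread B's; with a copy per request, B's view is isolated from A's change.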