From 809ff883b03e44ac4053b51360fcd9ee270476fe Mon Sep 17 00:00:00 2001 From: Hiroshi Shirosaki Date: Wed, 16 Jun 2021 16:53:13 +0900 Subject: [PATCH] Address SecurityContextHolder memory leak To get current context without creating a new context. Creating a new context may cause ThreadLocal leak. Closes gh-9841 --- .../SecurityReactorContextConfiguration.java | 14 ++++++++++++-- .../GlobalSecurityContextHolderStrategy.java | 5 +++++ ...leThreadLocalSecurityContextHolderStrategy.java | 5 +++++ .../core/context/SecurityContextHolder.java | 8 ++++++++ .../context/SecurityContextHolderStrategy.java | 6 ++++++ .../ThreadLocalSecurityContextHolderStrategy.java | 5 +++++ 6 files changed, 41 insertions(+), 2 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/SecurityReactorContextConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/SecurityReactorContextConfiguration.java index a9ee42415c..f98cc05a7e 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/SecurityReactorContextConfiguration.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/SecurityReactorContextConfiguration.java @@ -36,6 +36,7 @@ import org.springframework.beans.factory.InitializingBean; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.core.Authentication; +import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.web.context.request.RequestAttributes; import org.springframework.web.context.request.RequestContextHolder; @@ -94,7 +95,12 @@ class SecurityReactorContextConfiguration { } private static boolean contextAttributesAvailable() { - return SecurityContextHolder.getContext().getAuthentication() != null + SecurityContext context = SecurityContextHolder.peekContext(); + Authentication authentication = null; + if (context != null) { + authentication = context.getAuthentication(); + } + return authentication != null || RequestContextHolder.getRequestAttributes() instanceof ServletRequestAttributes; } @@ -107,7 +113,11 @@ class SecurityReactorContextConfiguration { servletRequest = servletRequestAttributes.getRequest(); servletResponse = servletRequestAttributes.getResponse(); // possible null } - Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); + SecurityContext context = SecurityContextHolder.peekContext(); + Authentication authentication = null; + if (context != null) { + authentication = context.getAuthentication(); + } if (authentication == null && servletRequest == null) { return Collections.emptyMap(); } diff --git a/core/src/main/java/org/springframework/security/core/context/GlobalSecurityContextHolderStrategy.java b/core/src/main/java/org/springframework/security/core/context/GlobalSecurityContextHolderStrategy.java index d8367c4ebd..330afdb743 100644 --- a/core/src/main/java/org/springframework/security/core/context/GlobalSecurityContextHolderStrategy.java +++ b/core/src/main/java/org/springframework/security/core/context/GlobalSecurityContextHolderStrategy.java @@ -44,6 +44,11 @@ final class GlobalSecurityContextHolderStrategy implements SecurityContextHolder return contextHolder; } + @Override + public SecurityContext peekContext() { + return contextHolder; + } + @Override public void setContext(SecurityContext context) { Assert.notNull(context, "Only non-null SecurityContext instances are permitted"); diff --git a/core/src/main/java/org/springframework/security/core/context/InheritableThreadLocalSecurityContextHolderStrategy.java b/core/src/main/java/org/springframework/security/core/context/InheritableThreadLocalSecurityContextHolderStrategy.java index cb415500ca..d08b221c28 100644 --- a/core/src/main/java/org/springframework/security/core/context/InheritableThreadLocalSecurityContextHolderStrategy.java +++ b/core/src/main/java/org/springframework/security/core/context/InheritableThreadLocalSecurityContextHolderStrategy.java @@ -44,6 +44,11 @@ final class InheritableThreadLocalSecurityContextHolderStrategy implements Secur return ctx; } + @Override + public SecurityContext peekContext() { + return contextHolder.get(); + } + @Override public void setContext(SecurityContext context) { Assert.notNull(context, "Only non-null SecurityContext instances are permitted"); diff --git a/core/src/main/java/org/springframework/security/core/context/SecurityContextHolder.java b/core/src/main/java/org/springframework/security/core/context/SecurityContextHolder.java index 337fde3a57..6671e6dd9d 100644 --- a/core/src/main/java/org/springframework/security/core/context/SecurityContextHolder.java +++ b/core/src/main/java/org/springframework/security/core/context/SecurityContextHolder.java @@ -123,6 +123,14 @@ public class SecurityContextHolder { return strategy.getContext(); } + /** + * Peeks the current SecurityContext. + * @return the security context (may be null) + */ + public static SecurityContext peekContext() { + return strategy.peekContext(); + } + /** * Primarily for troubleshooting purposes, this method shows how many times the class * has re-initialized its SecurityContextHolderStrategy. diff --git a/core/src/main/java/org/springframework/security/core/context/SecurityContextHolderStrategy.java b/core/src/main/java/org/springframework/security/core/context/SecurityContextHolderStrategy.java index 4954db70aa..2a29566fae 100644 --- a/core/src/main/java/org/springframework/security/core/context/SecurityContextHolderStrategy.java +++ b/core/src/main/java/org/springframework/security/core/context/SecurityContextHolderStrategy.java @@ -38,6 +38,12 @@ public interface SecurityContextHolderStrategy { */ SecurityContext getContext(); + /** + * Peeks the current context without creating an empty context. + * @return a context (may be null) + */ + SecurityContext peekContext(); + /** * Sets the current context. * @param context to the new argument (should never be null, although diff --git a/core/src/main/java/org/springframework/security/core/context/ThreadLocalSecurityContextHolderStrategy.java b/core/src/main/java/org/springframework/security/core/context/ThreadLocalSecurityContextHolderStrategy.java index 801f5c8207..84f23bbe22 100644 --- a/core/src/main/java/org/springframework/security/core/context/ThreadLocalSecurityContextHolderStrategy.java +++ b/core/src/main/java/org/springframework/security/core/context/ThreadLocalSecurityContextHolderStrategy.java @@ -45,6 +45,11 @@ final class ThreadLocalSecurityContextHolderStrategy implements SecurityContextH return ctx; } + @Override + public SecurityContext peekContext() { + return contextHolder.get(); + } + @Override public void setContext(SecurityContext context) { Assert.notNull(context, "Only non-null SecurityContext instances are permitted");