Address SecurityContextHolder memory leak

To get current context without creating a new context.
Creating a new context may cause ThreadLocal leak.

Closes gh-9841
This commit is contained in:
Hiroshi Shirosaki 2021-06-16 16:53:13 +09:00 committed by Josh Cummings
parent 898ba67098
commit 809ff883b0
6 changed files with 41 additions and 2 deletions

View File

@ -36,6 +36,7 @@ import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.context.request.RequestAttributes; import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder; import org.springframework.web.context.request.RequestContextHolder;
@ -94,7 +95,12 @@ class SecurityReactorContextConfiguration {
} }
private static boolean contextAttributesAvailable() { private static boolean contextAttributesAvailable() {
return SecurityContextHolder.getContext().getAuthentication() != null SecurityContext context = SecurityContextHolder.peekContext();
Authentication authentication = null;
if (context != null) {
authentication = context.getAuthentication();
}
return authentication != null
|| RequestContextHolder.getRequestAttributes() instanceof ServletRequestAttributes; || RequestContextHolder.getRequestAttributes() instanceof ServletRequestAttributes;
} }
@ -107,7 +113,11 @@ class SecurityReactorContextConfiguration {
servletRequest = servletRequestAttributes.getRequest(); servletRequest = servletRequestAttributes.getRequest();
servletResponse = servletRequestAttributes.getResponse(); // possible null servletResponse = servletRequestAttributes.getResponse(); // possible null
} }
Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); SecurityContext context = SecurityContextHolder.peekContext();
Authentication authentication = null;
if (context != null) {
authentication = context.getAuthentication();
}
if (authentication == null && servletRequest == null) { if (authentication == null && servletRequest == null) {
return Collections.emptyMap(); return Collections.emptyMap();
} }

View File

@ -44,6 +44,11 @@ final class GlobalSecurityContextHolderStrategy implements SecurityContextHolder
return contextHolder; return contextHolder;
} }
@Override
public SecurityContext peekContext() {
return contextHolder;
}
@Override @Override
public void setContext(SecurityContext context) { public void setContext(SecurityContext context) {
Assert.notNull(context, "Only non-null SecurityContext instances are permitted"); Assert.notNull(context, "Only non-null SecurityContext instances are permitted");

View File

@ -44,6 +44,11 @@ final class InheritableThreadLocalSecurityContextHolderStrategy implements Secur
return ctx; return ctx;
} }
@Override
public SecurityContext peekContext() {
return contextHolder.get();
}
@Override @Override
public void setContext(SecurityContext context) { public void setContext(SecurityContext context) {
Assert.notNull(context, "Only non-null SecurityContext instances are permitted"); Assert.notNull(context, "Only non-null SecurityContext instances are permitted");

View File

@ -123,6 +123,14 @@ public class SecurityContextHolder {
return strategy.getContext(); return strategy.getContext();
} }
/**
* Peeks the current <code>SecurityContext</code>.
* @return the security context (may be <code>null</code>)
*/
public static SecurityContext peekContext() {
return strategy.peekContext();
}
/** /**
* Primarily for troubleshooting purposes, this method shows how many times the class * Primarily for troubleshooting purposes, this method shows how many times the class
* has re-initialized its <code>SecurityContextHolderStrategy</code>. * has re-initialized its <code>SecurityContextHolderStrategy</code>.

View File

@ -38,6 +38,12 @@ public interface SecurityContextHolderStrategy {
*/ */
SecurityContext getContext(); SecurityContext getContext();
/**
* Peeks the current context without creating an empty context.
* @return a context (may be <code>null</code>)
*/
SecurityContext peekContext();
/** /**
* Sets the current context. * Sets the current context.
* @param context to the new argument (should never be <code>null</code>, although * @param context to the new argument (should never be <code>null</code>, although

View File

@ -45,6 +45,11 @@ final class ThreadLocalSecurityContextHolderStrategy implements SecurityContextH
return ctx; return ctx;
} }
@Override
public SecurityContext peekContext() {
return contextHolder.get();
}
@Override @Override
public void setContext(SecurityContext context) { public void setContext(SecurityContext context) {
Assert.notNull(context, "Only non-null SecurityContext instances are permitted"); Assert.notNull(context, "Only non-null SecurityContext instances are permitted");