
Fix for SEC-159. Added clearContext() method to SecurityContextHolder and refactored code to use it instead of putting an empty context into the holder.

Luke Taylor 19 년 전
부모
커밋
dc959b1847
20개의 변경된 파일46개의 추가작업 그리고 25개의 파일을 삭제
  1. 1 1
      core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java
  2. 12 0
      core/src/main/java/org/acegisecurity/context/SecurityContextHolder.java
  3. 1 1
      core/src/main/java/org/acegisecurity/context/rmi/ContextPropagatingRemoteInvocation.java
  4. 9 0
      core/src/test/java/org/acegisecurity/captcha/CaptchaChannelProcessorTemplateTests.java
  5. 1 1
      core/src/test/java/org/acegisecurity/context/rmi/ContextPropagatingRemoteInvocationTests.java
  6. 2 2
      core/src/test/java/org/acegisecurity/intercept/web/FilterSecurityInterceptorTests.java
  7. 2 2
      core/src/test/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilterTests.java
  8. 2 2
      core/src/test/java/org/acegisecurity/providers/jaas/SecurityContextLoginModuleTests.java
  9. 1 1
      core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagAttributeTests.java
  10. 1 1
      core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagCustomGrantedAuthorityTests.java
  11. 1 1
      core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagExpressionLanguageTests.java
  12. 1 1
      core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagTests.java
  13. 1 1
      core/src/test/java/org/acegisecurity/taglibs/velocity/AuthzImplAttributeTest.java
  14. 1 1
      core/src/test/java/org/acegisecurity/taglibs/velocity/AuthzImplAuthorizeTagTest.java
  15. 2 2
      core/src/test/java/org/acegisecurity/ui/AbstractProcessingFilterTests.java
  16. 1 1
      core/src/test/java/org/acegisecurity/ui/ExceptionTranslationFilterTests.java
  17. 2 2
      core/src/test/java/org/acegisecurity/ui/basicauth/BasicProcessingFilterTests.java
  18. 2 2
      core/src/test/java/org/acegisecurity/ui/digestauth/DigestProcessingFilterTests.java
  19. 2 2
      core/src/test/java/org/acegisecurity/ui/rememberme/RememberMeProcessingFilterTests.java
  20. 1 1
      samples/contacts/src/main/java/sample/contact/ClientApplication.java

+ 1 - 1
core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java

@@ -279,7 +279,7 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
                 }
 
                 // Remove SecurityContextHolder contents
-                SecurityContextHolder.setContext(generateNewContext());
+                SecurityContextHolder.clearContext();
 
                 if (logger.isDebugEnabled()) {
                     logger.debug(
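Review bot: The comment above the new call, `// Remove SecurityContextHolder contents`, no longer says why the slot is emptied rather than replaced, which is the security-relevant part of this change; I would make it `// Clear the thread-local so a reused container thread cannot observe this request's context`. The removed line used `generateNewContext()`, which presumably honoured the filter's configurable context class, whereas `clearContext()` leaves the slot null, so what the next `getContext()` on this thread returns now depends on SecurityContextHolder's null handling rather than on this filter. The enclosing doFilter body starts and ends outside the hunk, so I cannot see whether anything later in the same method reads the context again.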

+ 12 - 0
core/src/main/java/org/acegisecurity/context/SecurityContextHolder.java

@@ -75,4 +75,16 @@ public class SecurityContextHolder {
 
         return (SecurityContext) contextHolder.get();
     }
+
+    /**
+     * Explicitly clears the context value from thread local storage.
+     * Typically used on completion of a request to prevent potential
+     * misuse of the associated context information if the thread is
+     * reused. 
+     */
+    public static void clearContext() {
+        // Internally set the context value to null. This is never visible
+        // outside the class.
+        contextHolder.set(null);
+    }
 }
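Review bot: The inline comment `// Internally set the context value to null. This is never visible outside the class.` states an invariant that this method does not enforce; it only holds if `getContext()` replaces a null slot with a fresh context, and the code above the visible `return (SecurityContext) contextHolder.get();` is outside the hunk. I would either drop the second sentence or move the guarantee into the Javadoc where callers will read it, e.g. `A subsequent call to {@link #getContext()} on this thread returns a new, empty context; callers holding a reference obtained earlier keep that reference.` The Javadoc also has trailing whitespace after `reused. `.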

+ 1 - 1
core/src/main/java/org/acegisecurity/context/rmi/ContextPropagatingRemoteInvocation.java

@@ -123,7 +123,7 @@ public class ContextPropagatingRemoteInvocation extends RemoteInvocation {
 
         } finally {
 
-            SecurityContextHolder.setContext(new SecurityContextImpl());
+            SecurityContextHolder.clearContext();
 
             if (logger.isDebugEnabled()) {
                 logger.debug(

+ 9 - 0
core/src/test/java/org/acegisecurity/captcha/CaptchaChannelProcessorTemplateTests.java

@@ -39,6 +39,15 @@ import javax.servlet.ServletException;
 public class CaptchaChannelProcessorTemplateTests extends TestCase {
     //~ Methods ================================================================
 
+    public void setUp() {
+        SecurityContextHolder.clearContext();
+    }
+
+    public void tearDown() {
+        SecurityContextHolder.clearContext();
+    }
+
+
     public void testContextRedirect() throws Exception {
         CaptchaChannelProcessorTemplate processor = new TestHumanityCaptchaChannelProcessor();
         processor.setKeyword("X");
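Review bot: The new `setUp()`/`tearDown()` pair is declared `public` with no `throws Exception` and no `super.setUp()`/`super.tearDown()` call, unlike every other fixture touched by this commit (for example AnonymousProcessingFilterTests and AbstractProcessingFilterTests, which use `protected void setUp() throws Exception { super.setUp(); SecurityContextHolder.clearContext(); }`). Matching that shape keeps the override contract with TestCase consistent across the module, and the same for `tearDown()`. There is also a doubled blank line between `tearDown()` and `testContextRedirect()`.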

+ 1 - 1
core/src/test/java/org/acegisecurity/context/rmi/ContextPropagatingRemoteInvocationTests.java

@@ -66,7 +66,7 @@ public class ContextPropagatingRemoteInvocationTests extends TestCase {
         // Set to null, as ContextPropagatingRemoteInvocation already obtained
         // a copy and nulling is necessary to ensure the Context delivered by
         // ContextPropagatingRemoteInvocation is used on server-side
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
 
         // The result from invoking the TargetObject should contain the
         // Authentication class delivered via the SecurityContextHolder

+ 2 - 2
core/src/test/java/org/acegisecurity/intercept/web/FilterSecurityInterceptorTests.java

@@ -176,7 +176,7 @@ public class FilterSecurityInterceptorTests extends TestCase {
         interceptor.invoke(fi);
 
         // Destroy the Context
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
     }
 
     public void testNormalStartupAndGetter() throws Exception {
@@ -233,7 +233,7 @@ public class FilterSecurityInterceptorTests extends TestCase {
         interceptor.invoke(fi);
 
         // Destroy the Context
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
     }
 
     //~ Inner Classes ==========================================================
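Review bot: Clearing the holder as the last statement of the test body means that if `interceptor.invoke(fi)` throws, the populated context stays on the thread and can leak into whichever test runs next on it; the same applies to the second hunk at `@@ -233,7 +233,7 @@`. The other test classes in this commit put the cleanup in a `tearDown()` override, which JUnit runs regardless of outcome, so I would add `protected void tearDown() throws Exception { SecurityContextHolder.clearContext(); }` to this class and drop the two in-body calls. The enclosing test methods start outside their hunks.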

+ 2 - 2
core/src/test/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilterTests.java

@@ -164,12 +164,12 @@ public class AnonymousProcessingFilterTests extends TestCase {
 
     protected void setUp() throws Exception {
         super.setUp();
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
     }
 
     protected void tearDown() throws Exception {
         super.tearDown();
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
     }
 
     private void executeFilterInContainerSimulator(FilterConfig filterConfig,

+ 2 - 2
core/src/test/java/org/acegisecurity/providers/jaas/SecurityContextLoginModuleTests.java

@@ -111,11 +111,11 @@ public class SecurityContextLoginModuleTests extends TestCase {
     protected void setUp() throws Exception {
         module = new SecurityContextLoginModule();
         module.initialize(subject, null, null, null);
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
     }
 
     protected void tearDown() throws Exception {
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
         module = null;
     }
 }

+ 1 - 1
core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagAttributeTests.java

@@ -98,6 +98,6 @@ public class AuthorizeTagAttributeTests extends TestCase {
     }
 
     protected void tearDown() throws Exception {
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
     }
 }

+ 1 - 1
core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagCustomGrantedAuthorityTests.java

@@ -73,7 +73,7 @@ public class AuthorizeTagCustomGrantedAuthorityTests extends TestCase {
     }
 
     protected void tearDown() throws Exception {
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
     }
 
     //~ Inner Classes ==========================================================

+ 1 - 1
core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagExpressionLanguageTests.java

@@ -81,6 +81,6 @@ public class AuthorizeTagExpressionLanguageTests extends TestCase {
     }
 
     protected void tearDown() throws Exception {
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
     }
 }

+ 1 - 1
core/src/test/java/org/acegisecurity/taglibs/authz/AuthorizeTagTests.java

@@ -120,6 +120,6 @@ public class AuthorizeTagTests extends TestCase {
     }
 
     protected void tearDown() throws Exception {
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
     }
 }

+ 1 - 1
core/src/test/java/org/acegisecurity/taglibs/velocity/AuthzImplAttributeTest.java

@@ -51,7 +51,7 @@ public class AuthzImplAttributeTest extends TestCase {
     }
 
     protected void tearDown() throws Exception {
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
     }
 
     public void testAssertsIfAllGrantedSecond() {

+ 1 - 1
core/src/test/java/org/acegisecurity/taglibs/velocity/AuthzImplAuthorizeTagTest.java

@@ -49,7 +49,7 @@ public class AuthzImplAuthorizeTagTest extends TestCase {
     }
 
     protected void tearDown() throws Exception {
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
     }
 
     public void testAlwaysReturnsUnauthorizedIfNoUserFound() {

+ 2 - 2
core/src/test/java/org/acegisecurity/ui/AbstractProcessingFilterTests.java

@@ -419,12 +419,12 @@ public class AbstractProcessingFilterTests extends TestCase {
 
     protected void setUp() throws Exception {
         super.setUp();
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
     }
 
     protected void tearDown() throws Exception {
         super.tearDown();
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
     }
 
     private MockHttpServletRequest createMockRequest() {

+ 1 - 1
core/src/test/java/org/acegisecurity/ui/ExceptionTranslationFilterTests.java

@@ -67,7 +67,7 @@ public class ExceptionTranslationFilterTests extends TestCase {
 
     protected void tearDown() throws Exception {
         super.tearDown();
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
     }
 
     public void testAccessDeniedWhenAnonymous() throws Exception {

+ 2 - 2
core/src/test/java/org/acegisecurity/ui/basicauth/BasicProcessingFilterTests.java

@@ -74,7 +74,7 @@ public class BasicProcessingFilterTests extends MockObjectTestCase {
 
     protected void setUp() throws Exception {
         super.setUp();
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
 
         // Create User Details Service, provider and authentication manager
         InMemoryDaoImpl dao = new InMemoryDaoImpl();
@@ -97,7 +97,7 @@ public class BasicProcessingFilterTests extends MockObjectTestCase {
 
     protected void tearDown() throws Exception {
         super.tearDown();
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
     }
 
     public void testDoFilterWithNonHttpServletRequestDetected()

+ 2 - 2
core/src/test/java/org/acegisecurity/ui/digestauth/DigestProcessingFilterTests.java

@@ -86,7 +86,7 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
 
     protected void setUp() throws Exception {
         super.setUp();
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
         // Create User Details Service
         InMemoryDaoImpl dao = new InMemoryDaoImpl();
         UserMapEditor editor = new UserMapEditor();
@@ -107,7 +107,7 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
 
     protected void tearDown() throws Exception {
         super.tearDown();
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
     }
 
     public void testDoFilterWithNonHttpServletRequestDetected()

+ 2 - 2
core/src/test/java/org/acegisecurity/ui/rememberme/RememberMeProcessingFilterTests.java

@@ -76,12 +76,12 @@ public class RememberMeProcessingFilterTests extends TestCase {
 
     protected void setUp() throws Exception {
         super.setUp();
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
     }
 
     protected void tearDown() throws Exception {
         super.tearDown();
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
     }
 
     public void testDetectsAuthenticationManagerProperty()

+ 1 - 1
samples/contacts/src/main/java/sample/contact/ClientApplication.java

@@ -137,7 +137,7 @@ public class ClientApplication {
             System.out.println(stopWatch.prettyPrint());
         }
 
-        SecurityContextHolder.setContext(new SecurityContextImpl());
+        SecurityContextHolder.clearContext();
     }
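Review bot: `SecurityContextHolder.clearContext()` is the final statement of the method rather than sitting in a `finally`, so an exception from the timed work above it (not visible here; the method starts outside the hunk) leaves the authenticated context on the calling thread. For a sample that is probably acceptable, but since the commit is about reliably clearing the holder, wrapping the body in `try { ... } finally { SecurityContextHolder.clearContext(); }` would make the sample demonstrate the intended pattern.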
 
     public static void main(String[] args) {