Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clear null authentication to fix ThreadLocal leak #9877

Closed
wants to merge 2 commits into from
Closed

Clear null authentication to fix ThreadLocal leak #9877

wants to merge 2 commits into from

Conversation

shirosaki
Copy link
Contributor

Fix #9841

@pivotal-cla
Copy link

@shirosaki Please sign the Contributor License Agreement!

Click here to manually synchronize the status of this Pull Request.

See the FAQ for frequently asked questions.

@pivotal-cla
Copy link

@shirosaki Thank you for signing the Contributor License Agreement!

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jun 8, 2021
@eleftherias eleftherias added in: web An issue in web modules (web, webmvc) status: duplicate A duplicate of another issue and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 8, 2021
@jzheaux
Copy link
Contributor

jzheaux commented Jun 8, 2021

Hi, @shirosaki, thanks for the PR!

I don't think that we can safely clear the context here. This code doesn't know if it's the one to have populated the context. This may work in the special case of destroying a context. But, under normal operations, this may inadvertently log out a user.

Perhaps instead #1890 should be reopened and we consider adding a method to SecurityContextHolder that retrieves the context without creating one. Then, this PR can be updated to call that method instead.

@jzheaux jzheaux added the type: enhancement A general enhancement label Jun 8, 2021
@shirosaki
Copy link
Contributor Author

@jzheaux thanks for comments.
I also think getExistingContext() method which is not create null authentication object would be preferable.
Even if null authentication object is created, clearContext() is not called in SecurityReactorContextConfiguration.java.

@jzheaux jzheaux mentioned this pull request Jun 14, 2021
Closed
shirosaki added 2 commits June 16, 2021 17:03
@shirosaki
Add SecurityContextHolder.peekContext()
c6670b8 
To get current context without creating a new context.
Creating a new context may cause ThreadLocal leak.
@shirosaki
Fix ThreadLocal leak with SecurityContextHolder
aeb6f5f 
Use SecurityContextHolder.peekContext() so that it doesn't create
an empty object in ThreadLocal.
@shirosaki shirosaki force-pushed the fix_null_authentication branch from f5cfe73 to aeb6f5f Compare June 16, 2021 08:34
jzheaux
jzheaux requested changes Jun 28, 2021
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @shirosaki! I've left some feedback inline.

Also, in each of your two commit messages will you please include the phrase "Closes gh-xxxx" where xxxx is the related ticket?

core/src/main/java/org/springframework/security/core/context/SecurityContextHolderStrategy.java
* Peeks the current context without creating an empty context.
* @return a context (may be <code>null</code>)
*/
SecurityContext peekContext();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For backward compatibility, this will need to have a default implementation. Please see #1890 (comment) for more details on the recommended implementation.

...java/org/springframework/security/core/context/ThreadLocalSecurityContextHolderStrategy.java
@@ -45,6 +45,11 @@ public SecurityContext getContext() {
return ctx;
}

@Override
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will you please update the copyright message for each edited file to include the year 2021?

core/src/main/java/org/springframework/security/core/context/SecurityContextHolder.java
@@ -110,6 +110,14 @@ public static SecurityContext getContext() {
return strategy.getContext();
}

/**
* Peeks the current <code>SecurityContext</code>.
* @return the security context (may be <code>null</code>)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For each new public method that you introduce, will you please add @since 5.6 to the JavaDoc?

@jzheaux
Copy link
Contributor

jzheaux commented Nov 30, 2021

Thanks, @shirosaki! I've merged your contribution via 809ff88 and added some of the changes I specified in 78857c6.

Note also that upon some deeper investigation, ThreadLocal also initializes the value when get is called, which means that peekContext is not sufficient. As such, I altered the approach to delay the reading of the SecurityContextHolder until it's time to send the bearer token. In this way, reactive stacks that aren't actually using the SecurityContextHolder don't affect it.

@jzheaux jzheaux closed this Nov 30, 2021
@jzheaux jzheaux added this to the 6.0.0-M1 milestone Nov 30, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jzheaux jzheaux jzheaux requested changes

Assignees

@jzheaux jzheaux

Labels
in: web An issue in web modules (web, webmvc) status: duplicate A duplicate of another issue type: enhancement A general enhancement
Projects
None yet
Milestone
6.0.0-M1
Development

Successfully merging this pull request may close these issues.

Undeploy shows SecurityContextImpl [Null authentication] memory leak on tomcat
5 participants
@shirosaki @pivotal-cla @jzheaux @eleftherias @spring-projects-issues