grails-spring-security-core

Configuring SecurityContextHolder Strategy is broken

Open lynchie14 opened this issue 4 months ago • 0 comments

Expected Behavior

Configuring grails.plugin.springsecurity.sch.strategyName='MODE_INHERITABLETHREADLOCAL' should allow spawned threads to inherit authentication

Actual Behaviour

Spawned threads do not inherit authentication

Steps To Reproduce

In Spring Security 5.8 (https://github.com/spring-projects/spring-security/commit/31e25b115e412b5c741b1cc80f1a2f33539610be), direct calls to SecurityContextHolder.getContext().getAuthentication() were replaced with an instance-level private SecurityContextHolderStrategy securityContextHolderStrategy instead. This means that once filters such as the FilterSecurityInterceptor are initialised, they will fetch the current SecurityContextHolder strategy once.

As a result of this change, in a case where you want to change the default strategy to MODE_INHERITABLETHREADLOCAL, it will not work, as the current location where this is set in the plugin occurs after all the beans have been initialised, and any changes to the strategy will not be updated in any of the security filters.

Fix is to move the configuration to before the beans are configured.

Attached sample repo has a secure controller that demonstrates the issue.

Environment Information

No response

Example Application

https://github.com/lynchie14/g7schissue

Version

7.0.0-M4

lynchie14, Jun 25 '25 15:06
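
The initialisation-order behaviour reported above, as an added example (not code from the plugin, from Spring Security, or from the linked sample repo). It assumes spring-security-core 5.8 or later on the classpath; `CachingFilter`, `seenBySpawnedThread` and the user `alice` are hypothetical names constructed for the illustration.

```java
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;

public class StrategyOrderDemo {

    // Hypothetical stand-in for a 5.8+ filter: it reads the strategy once, at construction.
    static class CachingFilter {
        private final SecurityContextHolderStrategy strategy =
                SecurityContextHolder.getContextHolderStrategy();

        void authenticate(String user) {
            SecurityContext ctx = strategy.createEmptyContext();
            ctx.setAuthentication(new TestingAuthenticationToken(user, "n/a", "ROLE_USER"));
            strategy.setContext(ctx); // written to the strategy captured above
        }
    }

    // Returns what a thread spawned after authentication sees through the static holder.
    static Authentication seenBySpawnedThread(boolean configureBeforeBeans)
            throws InterruptedException {
        SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_THREADLOCAL); // default
        CachingFilter filter;
        if (configureBeforeBeans) {
            // Order proposed in the issue: strategy first, then the beans.
            SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL);
            filter = new CachingFilter();
        } else {
            // Order reported as broken: the bean captures the thread-local strategy first.
            filter = new CachingFilter();
            SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL);
        }
        filter.authenticate("alice"); // constructed sample user

        Authentication[] seen = new Authentication[1];
        Thread child = new Thread(
                () -> seen[0] = SecurityContextHolder.getContext().getAuthentication());
        child.start();
        child.join();
        return seen[0];
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("strategy set after filter creation:  " + seenBySpawnedThread(false));
        System.out.println("strategy set before filter creation: " + seenBySpawnedThread(true));
    }
}
```

A null result from the spawned thread in an application configured for MODE_INHERITABLETHREADLOCAL is the symptom to check for when verifying the ordering.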