tags:

views:

498

answers:

1
+2  Q: 

Is SecurityContextHolder thread safe?

I use SecurityContextHolder and a custom UserDetailsService to obtain UserDetails from SecurityContextHolder:

Object o = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
UserDetailsDTO user = (UserDetailsDTO) o;

I left out the null checks, etc., but that's the idea. I'm using this in an @Around pointcut of an @Aspect:

@Around("execution(* user.service.*.*(..))")
public Object audit(ProceedingJoinPoint call) throws Throwable {
     // get user id
     // add audit row in db
}

Looking at the SecurityContextHolder class, it uses a ThreadLocal by default, but the pointcut stuff also seems to have some sort of encapsulated threading logic.

Is it possible that there could be user collision (i.e. access UserA from one session for a UserB audit event in another concurrent session), or possibly a null user altogether.

Is there a better way to obtain the credentials/user profile?

+1  A: 

Yes, it's thread safe with the default strategy (MODE_THREADLOCAL) (as long as you don't try to change the strategy on the fly). However, if you want spawned threads to inherit SecurityContext of the parent thread, you should set MODE_INHERITABLETHREADLOCAL.

Also aspects don't have any "threading logic", they are executed at the same thread as the adviced method.

axtavt  2010-02-18 20:49:48
I saw that, but man does that seem like a huge miscue for the Spring guys. A static util class, and setStrategyName has this Javadoc blurb: `Do NOT call this method more than once for a given JVM, as it will reinitialize the strategy and adversely affect any existing threads using the old strategy.` I think I'll probably end up creating a singleton wrapper class.
Droo  2010-02-19 01:12:00
I guess there is also a system property: `public static final String SYSTEM_PROPERTY = "spring.security.strategy";`
Droo  2010-02-19 01:53:11

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java