Spring Social and threading model (using ThreadLocal)

  • Spring Social and threading model (using ThreadLocal)

    I'm walking through the spring-social-quickstart sample. I stumbled upon the SecurityContext class, which allows remembering the current user (at least as long as a single request-response phase) by wrapping a User object in a ThreadLocal object.

    This made me reason about the threading model in Spring Social/Spring Web MVC. Is Spring inherently single-threaded per single HTTP request? Can I expect that there is only a single thread handling a single HTTP request?

    From a security perspective, could a ThreadLocal object leak from a pooled thread into a new HTTP request thread - possibly providing a malicious user with the ThreadLocal objects of a past user?

  • #2
    Honestly, this question is a bit out of my area and is really more a question for the Spring Security guys, as SecurityContext is part of Spring Security, not Spring Social or Spring MVC. I'll move this thread to that forum.


    • #3
      Thanks for moving this post to a better forum. I'd say that my question generally relates to Spring MVC and how it internally works with threads. By the way, in the spring-social-quickstart sample, its "SecurityContext" doesn't extend or implement Spring Social's SecurityContext.
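
The leak scenario raised in the first post, as an added example that is not part of the thread or of the spring-social-quickstart code. A one-thread pool stands in for a servlet container's worker pool, and `CURRENT_USER`, `handleLeaky` and `handleSafe` are hypothetical names; the example shows a value left in a ThreadLocal being seen by the next task on the same pooled thread, and the `finally` cleanup that prevents it.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadLocalLeakDemo {
    // Hypothetical stand-in for a per-request "current user" holder.
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    // Leaky handler: stores the user only when the request is authenticated
    // and never clears the slot, so the value outlives the request.
    static String handleLeaky(String authenticatedUser) {
        if (authenticatedUser != null) {
            CURRENT_USER.set(authenticatedUser);
        }
        return CURRENT_USER.get();
    }

    // Hardened handler: same logic, but the slot is always cleared before
    // the worker thread goes back to the pool, even if the handler throws.
    static String handleSafe(String authenticatedUser) {
        try {
            return handleLeaky(authenticatedUser);
        } finally {
            CURRENT_USER.remove();
        }
    }

    public static void main(String[] args) throws Exception {
        // One worker thread guarantees both "requests" reuse the same thread.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Constructed sample input: "alice" logs in, then an anonymous request follows.
            String first = pool.submit(() -> handleLeaky("alice")).get();
            String second = pool.submit(() -> handleLeaky(null)).get();
            System.out.println("leaky: request 1 sees " + first
                    + ", anonymous request 2 sees " + second);

            first = pool.submit(() -> handleSafe("alice")).get();
            second = pool.submit(() -> handleSafe(null)).get();
            System.out.println("safe:  request 1 sees " + first
                    + ", anonymous request 2 sees " + second);
        } finally {
            pool.shutdown();
        }
    }
}
```

In a servlet application the equivalent of `handleSafe` is a filter or interceptor that calls `remove()` in a `finally` block (or an after-completion callback) around the whole request.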