-
Defect
-
Resolution: Won't Do
-
Critical
-
1.0.0-M2
-
None
-
None
AcegiUnauthorizedResource is saved in thread local storage, but it doesn't appear to be ever removed from thread local storage.
All thread local storage variables need to be removed from the thread at the end of the request processing. Tomcat uses thread pools to reuse threads between requests. Thus values left here will be around for subsequent requests and that may lead to spurious and hard to debug crashes.
In this case a user may hit an AccessDeniedException and after login be redirected back to a resource from another users request, not where they came from.
All thread local storage variables need to be removed from the thread at the end of the request processing. Tomcat uses thread pools to reuse threads between requests. Thus values left here will be around for subsequent requests and that may lead to spurious and hard to debug crashes.
In this case a user may hit an AccessDeniedException and after login be redirected back to a resource from another users request, not where they came from.
- is related to
-
GTWY-931 Review all uses of thread local storage for proper cleanup.
-
- Done
-