You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@shiro.apache.org by "Brian Demers (Jira)" <ji...@apache.org> on 2020/11/13 16:33:00 UTC
[jira] [Commented] (SHIRO-799) When ThreadContext works with
ThreadPool bring security issues
[ https://issues.apache.org/jira/browse/SHIRO-799?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17231610#comment-17231610 ]
Brian Demers commented on SHIRO-799:
------------------------------------
Hi [~Leven] If you think there is a security concern in a project, it's best to report it directly to the project's security team: [https://www.apache.org/security/] (this is good advice for non-apache projects too)
> When ThreadContext works with ThreadPool bring security issues
> --------------------------------------------------------------
>
> Key: SHIRO-799
> URL: https://issues.apache.org/jira/browse/SHIRO-799
> Project: Shiro
> Issue Type: Bug
> Components: Authorization (access control)
> Affects Versions: 1.4.0, 1.7.0
> Reporter: leven.chen
> Priority: Major
>
> Beacause ThreadContext use InheritableThreadLocalMap , but when it work with ThreadPool , it bring security problem. Although, we can use SubjectAwareExecutor or SubjectAwareExecutorService to fix this problem. but not elegant . Maybe use ThreadLocal or *[Transmittable-thread-local|https://github.com/alibaba/transmittable-thread-local]* better then InheritableThreadLocal
--
This message was sent by Atlassian Jira
(v8.3.4#803005)