SecurityContextHolderThreadLocalAccessor should not share SecurityContext instance across threads by ttddyy · Pull Request #18210 · spring-projects/spring-security

ttddyy · 2025-11-23T06:06:16Z

We encountered an issue where authentication was being mixed across threads.
During our analysis, we discovered that SecurityContextHolderThreadLocalAccessor propagates the same SecurityContext to other threads when using Micrometer Context Propagation.

Below is a simplified example that demonstrates the problem:

Authentication authA = ...
Authentication authB = ...

// Set authA in the main thread
SecurityContext securityContext = SecurityContextHolder.getContext();
securityContext.setAuthentication(authA);

Runnable runnable = () -> {
    // This retrieves the *same* SecurityContext instance as the main thread
    SecurityContext context = SecurityContextHolder.getContext();
    context.setAuthentication(authB);
};

// Executor integrated with Micrometer Context Propagation
ThreadPoolTaskExecutor executor = new ThreadPoolTaskExecutor();
executor.setTaskDecorator(new ContextPropagatingTaskDecorator());
executor.afterPropertiesSet();

executor.execute(runnable);

// Wait until runnable finishes
...

// Authentication has now changed unexpectedly
SecurityContext current = SecurityContextHolder.getContext();
current.getAuthentication();  // returns authB instead of authA

When Micrometer context propagation is in use, the current implementation effectively shares the SecurityContext instance between threads. This is generally not recommended and can cause subtle and hard-to-diagnose behavior, such as authentication leakage across threads.

We understand that swapping the Authentication directly is rarely a good practice. However, if a new SecurityContext had been used for the different thread, it would have been isolated and harmless. The underlying issue happens only because the same SecurityContext instance is shared across threads.

Proposed Change

This PR updates SecurityContextHolderThreadLocalAccessor to create a new SecurityContext whenever a thread switch happens, and propagte only the Authentication.

I have targetted the PR to 6.5.x branch as I consider it is a bug and should be fixed in there and up.

`SecurityContextHolderThreadLocalAccessor` currently propagates the same `SecurityContext` to other threads when Micrometer Context Propagation is used. This leads to unintended sharing of mutable state and can cause authentication to leak between threads. This change updates the accessor to create a new `SecurityContext` for the target thread while reusing only the `Authentication` value. Each thread now receives its own `SecurityContext` instance, preventing cross-thread interference and aligning with recommended `SecurityContext` usage. Signed-off-by: Tadaya Tsuyukubo <tadaya@ttddyy.net>

ronodhirSoumik · 2025-11-26T17:56:00Z

 	public void setValue(SecurityContext securityContext) {
 		Assert.notNull(securityContext, "securityContext cannot be null");
-		SecurityContextHolder.setContext(securityContext);
+		SecurityContext newContext = SecurityContextHolder.createEmptyContext();


question : Can we apply singleton concept here?

The whole point of this PR is not to share the SecurityContext, so making it a singleton defeats the purpose.

ronodhirSoumik · 2025-11-26T17:58:17Z

 		Assert.notNull(securityContext, "securityContext cannot be null");
-		SecurityContextHolder.setContext(securityContext);
+		SecurityContext newContext = SecurityContextHolder.createEmptyContext();
+		newContext.setAuthentication(securityContext.getAuthentication());


newContext.setAuthentication(Objects.requireNonNull(securityContext.getAuthentication()))

Spring projects use Assert, which throws IllegalArgumentException instead of NullPointerException.

spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Nov 23, 2025

jzheaux self-assigned this Nov 24, 2025

jzheaux added in: core An issue in spring-security-core type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Nov 24, 2025

jzheaux added this to the 6.5.8 milestone Nov 24, 2025

jzheaux changed the title ~~SecurityContextHolderThreadLocalAccessor shares SecurityContext instance across threads~~ SecurityContextHolderThreadLocalAccessor should not share SecurityContext instance across threads Nov 24, 2025

ronodhirSoumik reviewed Nov 26, 2025

View reviewed changes

jgrandja modified the milestones: 6.5.8, 6.5.9 Feb 13, 2026

jzheaux modified the milestones: 6.5.9, 6.5.x Mar 16, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

SecurityContextHolderThreadLocalAccessor should not share SecurityContext instance across threads#18210

SecurityContextHolderThreadLocalAccessor should not share SecurityContext instance across threads#18210
ttddyy wants to merge 1 commit into
spring-projects:6.5.xfrom
ttddyy:6.5.5/prevent-securitycontext-sharing

ttddyy commented Nov 23, 2025

Uh oh!

ronodhirSoumik Nov 26, 2025

Uh oh!

ttddyy Nov 29, 2025

Uh oh!

ronodhirSoumik Nov 26, 2025 •

edited

Loading

Uh oh!

ttddyy Nov 29, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Uh oh!

Conversation

ttddyy commented Nov 23, 2025

Proposed Change

Uh oh!

ronodhirSoumik Nov 26, 2025

Choose a reason for hiding this comment

Uh oh!

ttddyy Nov 29, 2025

Choose a reason for hiding this comment

Uh oh!

ronodhirSoumik Nov 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

ttddyy Nov 29, 2025

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

ronodhirSoumik Nov 26, 2025 •

edited

Loading