SecurityContext is not propagated by asynchronous endpoints [INT-3036]

[spring-operator]

Jürgen Failenschmid opened INT-3036 and commented

<si-sec:secured-channels> adds AOP proxies checking a Spring Security SecurityContext for authentication and authorization information.

However, the SecurityContext is a ThreadLocal and currently Spring Integration does not have a purpose-built mechanism to ensure that the SecurityContext is propagated to all channels/endpoints, even asynchronous ones.

The propagation of the SecurityContext could be done with a channel interceptor - see the forum thread for an example.

It would be great to improve how Spring Integration interoperates with Spring Security - for example, by creating the context-propagating channel interceptors using another namespace element.

---

Affects: 2.2.3

Reference URL: http://forum.springsource.org/showthread.php?137889-Disappearing-SecurityContext-ThreadLocal

Issue Links:

• 6152 Adding support for SecurityContext Propagation

  ("duplicates")

[spring-operator]

Artem Bilan commented

Hi, Jurgen! Unfortunately, it duplicates an existing one #6152. Although I raised it long time ago, now I don't see a reason to add it to the framework. There are many concerns, where it would be confused and undesirable. Our applications live in the distributed environment and each module or system may have its own security infrastructure, so always propagate SecurityContext would be 'cruel'. IMO it's up to specific application how to play with SecurityContext: channel-interceptor, custom MessageHeader, some external ContextHolder (Gemfire cache?) etc.. Thanks

[spring-operator]

Gary Russell commented

I added Jürgen as a watcher to 2166; we can continue the conversation over there.