Problems with caching when SecurityContextHolder.MODE_INHERITABLETHREADLOCAL enabled

[xelahalo]

Hi there! I've been using spring-addons and it makes my life way easier, so I thank every contributor for that!

I have a question related to token caching. I don't know if this place is the one I should ask this at, but here I go.

Context:

• Spring boot 3.2.4
• Kotlin 1.9.23
• Spring addons 7.6.12
• Just a simple resource server

I am spawning new coroutines when authorizing rpc methods. I have enabled SecurityContextHolder.MODE_INHERITABLETHREADLOCAL as the default security context holder strategy so that I can inherit the security context in new coroutines. It works, but somehow even when I refresh the token (to get the new authorities) I still have the old token in spawned threads even though the thread with which the controller enters has the new token (with the new authorities). I don't know what to make of this.

Can I somehow clear the context, set up a custom strategy that handles all contexts correctly or something to fix this?

Or would the best practice be something like to pass down the authentication object from the controller, instead of trying to inherit context and get it from SecurityContextHolder?

Snips of what I am doing (maybe that helps):

@Configuration
@EnableMethodSecurity
class SecurityConfig
{
    @Bean
    fun methodSecurityExpressionHandler(
        recruitmentService: RecruitmentService
    ): MethodSecurityExpressionHandler =
        SpringAddonsMethodSecurityExpressionHandler {
            ProxiesMethodSecurityExpressionRoot( recruitmentService )
        }

    @PostConstruct
    fun setDefaultSecurityContextStrategy() =
        SecurityContextHolder.setStrategyName( SecurityContextHolder.MODE_INHERITABLETHREADLOCAL )
}

com:
  c4-soft:
    springaddons:
      oidc:
        resourceserver:
          permit-all:
          - /actuator/**
          - /swagger-ui/**
          - /v3/api-docs/**
          cors:
          - path: /**
            allowed-origins: "*"
        ops:
          - iss: ${keycloak.auth-server-url}/realms/${keycloak.realm}
            username-claim: preferred_username
            authorities:
            - path: $.realm_access.roles
              prefix: ROLE_
              caze: upper
            - <some-other-authorities>

Sample endpoints:

@PostMapping("/endpoint")
suspend fun invoke(@RequestBody request: RpcRequest<*>): List<Resource>
{
    return service.invoke( request )
}

Sometimes I use custom securityExpressions

@PostMapping("/endpoint2")
@PreAuthorize("canDoSomething(#param)")
suspend fun doSomething(
    @PathVariable("param") param: UUID
) 
{
    service.doSomething()
}

[ch4mpy]

pass down the authentication object from the controller, instead of trying to inherit context and get it from SecurityContextHolder

This is something I almost always do, reason why I never faced the kind of issue you are reporting. That said, it doesn't seem legit to get an outdated Authentication instance from the SecurityContext.

I don't think that spring-addons can do much about the issue you report (not sure it can be fixed with just configuration). Maybe would it be worth to ask a question on stackoverflow (and later an issue on Spring Security repo if you don't get any useful answer from SO)?