QiuYucheng2003 opened a new issue, #2560: URL: https://github.com/apache/shiro/issues/2560
### Search before asking

- [x] I had searched in the [issues, **including closed issues**](https://github.com/apache/shiro/issues?q=is%3Aissue) and found no similar issues.

### Environment

Context: Non-Web environments (e.g., @Scheduled tasks, RMI, ThreadPoolExecutor) where ShiroFilter is not active.
Java Version: All
Concurrency: Thread Pooling enabled.

### Shiro version

All versions

### What was the actual outcome?

The ThreadContext relies on a static `ThreadLocal<Map<Object, Object>> RESOURCES` to hold the current Subject. If a developer calls `ThreadContext.bind(subject)` but fails to call `unbind()` (e.g., due to an exception or coding oversight), the Subject remains attached to the thread. When this thread is returned to the pool and reused for a subsequent (anonymous) task:

1. `SecurityUtils.getSubject()` returns the stale Subject from the previous task.
2. The new task runs with the identity and privileges of the previous user.
3. This leads to Privilege Escalation and incorrect Audit Logs.

### What was the expected outcome?

The framework should robustly handle cleanup or warn against using `ThreadContext.bind()` directly in thread pools without try-finally. Ideally, ThreadContext should act more like a scope that auto-closes, rather than a static global state container.

### How to reproduce

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

// Assumes a SecurityManager has already been installed via SecurityUtils.setSecurityManager(...)

// 1. Setup a single thread pool
ExecutorService executor = Executors.newFixedThreadPool(1);

// 2. Task A (Privileged) - forgets to unbind
executor.submit(() -> {
    Subject admin = new Subject.Builder().buildSubject(); // Simulate Admin
    ThreadContext.bind(admin);
    // ... logic ...
    // MISSING: ThreadContext.unbindSubject();
});

// 3. Task B (Anonymous) - reused thread hijacked
executor.submit(() -> {
    Subject current = SecurityUtils.getSubject();
    if (current.isAuthenticated()) {
        System.out.println("CRITICAL: I am anonymous but I have Admin privileges!");
    }
});
```

### Debug logs

N/A
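The thread-pool leak described in the issue, next to the two cleanup patterns the report asks for, as an added example that is not part of the original issue or of Shiro's own code. It assumes a stateless `DefaultSecurityManager` with no realms and session storage switched off, a constructed `admin` principal in a hypothetical `demoRealm`, and a class and method names chosen here. `leaksWithoutUnbind` reproduces the missing unbind, `cleanWithTryFinally` wraps the bind in try/finally, and `cleanWithAssociateWith` hands the Subject to the pool through `Subject.associateWith`, the API Shiro already provides for exactly this case: it binds the Subject before the task runs and restores the thread's previous state afterwards, so nothing survives into the next task.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
import org.apache.shiro.mgt.DefaultSubjectDAO;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

// Added example (not Shiro code): shows the stale-Subject leak on a pooled thread
// and two ways to guarantee the thread is clean before it is reused.
public class ThreadContextLeakDemo {

    // Non-web SecurityManager with no realms. Session storage is disabled so that
    // building a Subject does not silently create a Session (and its validation thread).
    static DefaultSecurityManager statelessSecurityManager() {
        DefaultSecurityManager sm = new DefaultSecurityManager();
        DefaultSessionStorageEvaluator evaluator = new DefaultSessionStorageEvaluator();
        evaluator.setSessionStorageEnabled(false);
        ((DefaultSubjectDAO) sm.getSubjectDAO()).setSessionStorageEvaluator(evaluator);
        return sm;
    }

    // Constructed stand-in for a privileged user: principal "admin" in a hypothetical realm.
    static Subject adminSubject() {
        return new Subject.Builder()
                .principals(new SimplePrincipalCollection("admin", "demoRealm"))
                .authenticated(true)
                .buildSubject();
    }

    // The anonymous follow-up task: reports whether the reused pool thread still
    // carries an authenticated Subject. SecurityUtils.getSubject() binds a fresh
    // anonymous Subject when none is present, so this task cleans up after itself too.
    static boolean nextTaskIsAuthenticated(ExecutorService pool) throws Exception {
        return pool.submit(() -> {
            try {
                return SecurityUtils.getSubject().isAuthenticated();
            } finally {
                ThreadContext.remove();
            }
        }).get();
    }

    // Unsafe pattern from the report: bind with no matching unbind on a single-thread pool.
    static boolean leaksWithoutUnbind() throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(1);
        try {
            pool.submit(() -> ThreadContext.bind(adminSubject())).get();
            return nextTaskIsAuthenticated(pool);
        } finally {
            pool.shutdownNow();
        }
    }

    // Fix 1: explicit try/finally so the unbind runs even if the privileged work throws.
    static boolean cleanWithTryFinally() throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(1);
        try {
            pool.submit(() -> {
                ThreadContext.bind(adminSubject());
                try {
                    // privileged work runs here as "admin"
                } finally {
                    // unbindSubject() drops only the Subject; remove() clears every thread-bound resource
                    ThreadContext.unbindSubject();
                }
            }).get();
            return nextTaskIsAuthenticated(pool);
        } finally {
            pool.shutdownNow();
        }
    }

    // Fix 2: let Shiro own the thread state. associateWith wraps the Runnable so the
    // Subject is bound on entry and the previous ThreadContext is restored on exit.
    static boolean cleanWithAssociateWith() throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(1);
        try {
            Runnable privileged = adminSubject().associateWith(() -> {
                // privileged work runs here as "admin"
            });
            pool.submit(privileged).get();
            return nextTaskIsAuthenticated(pool);
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        SecurityUtils.setSecurityManager(statelessSecurityManager());
        System.out.println("bind without unbind -> next task authenticated: " + leaksWithoutUnbind());
        System.out.println("try/finally         -> next task authenticated: " + cleanWithTryFinally());
        System.out.println("associateWith       -> next task authenticated: " + cleanWithAssociateWith());
    }
}
```

`Subject.execute(Runnable)` is the same mechanism for the calling thread; `associateWith` is the form to use when the task is handed to an executor. Either one is preferable to a hand-written `bind`/`unbindSubject` pair because the restore step is inside Shiro's `finally`, not the caller's.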
