Cooperter opened a new issue, #15988: URL: https://github.com/apache/dubbo/issues/15988
### Pre-check - [x] I am sure that all the content I provide is in English. ### Search before asking - [x] I had searched in the [issues](https://github.com/apache/dubbo/issues?q=is%3Aissue) and found no similar issues. ### Apache Dubbo Component Java SDK (apache/dubbo) ### Dubbo Version Dubbo Java 3.2.9,OpenJDK 17 ### Steps to reproduce this issue The `ContextHolderAuthenticationResolverFilter` retrieves the authentication information from the invocation attachment and sets it into Spring Security's `SecurityContextHolder`. However, the filter **does not clear the context** after the RPC invocation is finished. Since Dubbo providers typically use a thread pool to handle requests, the `ThreadLocal` variable stored in `SecurityContextHolder` persists on the thread. If a subsequent request (which carries no authentication token or is intended to be anonymous) is processed by the same reused thread, it will incorrectly inherit the authentication of the previous user. This causes serious **Identity Pollution**. ### What you expected to happen In `org.apache.dubbo.spring.security.filter.ContextHolderAuthenticationResolverFilter`: ```java @Override public Result invoke(Invoker<?> invoker, Invocation invocation) throws RpcException { if (this.mapper != null) { getSecurityContext(invocation); // Sets the ThreadLocal } // Missing try-finally block to clear the context return invoker.invoke(invocation); } ``` **Steps to Reproduce** 1. User A sends a request to the Provider. The filter sets `User A` into the `SecurityContext`. 2. The request finishes, but `SecurityContextHolder.clearContext()` is never called. 3. User B (or an anonymous user) sends a request without any security attachment. 4. If the Dubbo thread pool reuses the same thread that handled User A's request, `SecurityContextHolder.getContext().getAuthentication()` will return User A. 5. User B acts with User A's privileges. **Expected Behavior** The SecurityContext should be cleared immediately after the invocation finishes, regardless of success or failure. **Proposed Solution** Wrap the invocation in a `try-finally` block to ensure the context is cleared. ```java @Override public Result invoke(Invoker<?> invoker, Invocation invocation) throws RpcException { if (this.mapper != null) { getSecurityContext(invocation); } try { return invoker.invoke(invocation); } finally { if (this.mapper != null) { SecurityContextHolder.clearContext(); } } } ``` ### Anything else _No response_ ### Do you have a (mini) reproduction demo? - [ ] Yes, I have a minimal reproduction demo to help resolve this issue more effectively! ### Are you willing to submit a pull request to fix on your own? - [ ] Yes I am willing to submit a pull request on my own! ### Code of Conduct - [x] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
