I think this bug is my root issue.
https://jira.springframework.org/browse/SEC-356
Wouldn't any OAuth-based server have this concern? Not sure yet.
Type: Posts; User: sethcall; Keyword(s):
I am close now. SecurityContextPersistenceFilter is calling:
SecurityContextHolder.setContext(contextBeforeChainExecution);
This is, over time and in with exceptions occurring in request...
I am logging every occurrence of SecurityContext.setAuthentication() with the thread ID.
From observing it, it's really as if there is only one SecurityContext, instead of one-per-thread. For...
Definitely using ThreadLocal.
I'm logging Thread.currentThread().getId() in all logging, to make sure I know what's going on--definitely the same thread is being re-used. So that's a good point. ...
Hey stoicflame,
I do call it elsewhere in the code, but the issue is, in this flow, there should be no opportunity for any other code to 'get in'. The path from the OAuth library calling...
This is a real head-scratcher. At least, for me.
I'm using OAuth 1.0. If I hit a URL that I have protected one-at-a-time, there is no issue. But if I make a bunch of concurrent HTTP requests to...