I'm walking through the spring-social-quickstart sample. I stumpled upon the SecurityContext class which allows to remember the current user (at least as long as a single request-response phase) by wrapping a User object in a ThreadLocal object.
This made me reason about the threading model in Spring Social/Spring Web MVC. Is Spring inherently single-threaded per single HTTP request? Can I expect that there is only a single thread handling a single HTTP request?
From a security perspective, could a ThreadLocal object leak from a pooled thread into a new HTTP request thread - possibly providing a malicious user with the ThreadLocal objects of a past user?