I'm walking through the spring-social-quickstart sample. I stumbled upon the SecurityContext class, which allows one to remember the current user (at least as long as a single request-response phase) by wrapping a User object in a ThreadLocal object.
This made me reason about the threading model in Spring Social/Spring Web MVC. Is Spring inherently single-threaded per single HTTP request? Can I expect that there is only a single thread handling a single HTTP request?
From a security perspective, could a ThreadLocal object leak from a pooled thread into a new HTTP request thread - possibly providing a malicious user with the ThreadLocal objects of a past user?
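The leak the question asks about is easy to reproduce outside a container, because it depends only on a pooled thread being reused without the ThreadLocal being cleared. The following is an added example, not code from the spring-social-quickstart sample; the `SecurityContext` class inside it is a hypothetical stand-in modelled on the one the question describes, and the two handler methods and the single-thread executor are assumptions made to simulate two requests landing on the same pooled thread.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class ThreadLocalLeakDemo {
    // Hypothetical stand-in for the quickstart's SecurityContext: a ThreadLocal
    // holding the current user for the duration of a request.
    static final class SecurityContext {
        private static final ThreadLocal<String> currentUser = new ThreadLocal<>();
        static void setCurrentUser(String user) { currentUser.set(user); }
        static String getCurrentUser() { return currentUser.get(); }
        static void remove() { currentUser.remove(); }
    }

    // Simulated request handler that never clears the ThreadLocal (the defect).
    // A null authenticatedUser stands for an anonymous request.
    static String handleWithoutCleanup(String authenticatedUser) {
        if (authenticatedUser != null) {
            SecurityContext.setCurrentUser(authenticatedUser);
        }
        // Whatever the ThreadLocal holds is what this "request" sees as the user.
        return SecurityContext.getCurrentUser();
    }

    // Same handler, but the ThreadLocal is cleared in a finally block so it
    // cannot survive into the next task scheduled on this pooled thread.
    static String handleWithCleanup(String authenticatedUser) {
        try {
            if (authenticatedUser != null) {
                SecurityContext.setCurrentUser(authenticatedUser);
            }
            return SecurityContext.getCurrentUser();
        } finally {
            SecurityContext.remove();
        }
    }

    public static void main(String[] args) throws Exception {
        // A single-thread pool guarantees both simulated requests run on the same
        // pooled thread, which is the case a container's thread pool can produce.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Request 1: authenticated as "alice", handler forgets to clean up.
            pool.submit(() -> handleWithoutCleanup("alice")).get();
            // Request 2: anonymous, same thread; it inherits "alice".
            Future<String> leaked = pool.submit(() -> handleWithoutCleanup(null));
            System.out.println("without cleanup, anonymous request sees: " + leaked.get());

            // Reset the thread, then repeat with the handler that cleans up.
            pool.submit(SecurityContext::remove).get();
            pool.submit(() -> handleWithCleanup("alice")).get();
            // Anonymous request on the same thread now sees null, as it should.
            Future<String> clean = pool.submit(() -> handleWithCleanup(null));
            System.out.println("with cleanup, anonymous request sees: " + clean.get());
        } finally {
            pool.shutdown();
        }
    }
}
```

Run with `javac ThreadLocalLeakDemo.java && java ThreadLocalLeakDemo`. The first line prints `alice` for the anonymous request, the second prints `null`. The design point is that the clearing must happen in a `finally` (or an equivalent filter/interceptor that runs on every exit path, including exceptions), because a thread returned to the pool after an unhandled exception still carries whatever the ThreadLocal held.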