From 5e485ba71e802047c2d6c5d0adc1af632faac057 Mon Sep 17 00:00:00 2001
From: lprimak
Date: Sat, 12 Apr 2025 15:17:16 -0500
Subject: [PATCH] bugfix: remove InheriableThreadLocal from ThreadContext as it was causing leaking security TLs into child threads
---
 .../org/apache/shiro/util/ThreadContext.java | 23 +------------------
 1 file changed, 1 insertion(+), 22 deletions(-)
diff --git a/core/src/main/java/org/apache/shiro/util/ThreadContext.java b/core/src/main/java/org/apache/shiro/util/ThreadContext.java
index 267a7949b9..d4a291f648 100644
--- a/core/src/main/java/org/apache/shiro/util/ThreadContext.java
+++ b/core/src/main/java/org/apache/shiro/util/ThreadContext.java
@@ -60,7 +60,7 @@ public abstract class ThreadContext {
 */
 private static final Logger LOGGER = LoggerFactory.getLogger(ThreadContext.class);
- private static final ThreadLocal> RESOURCES = new InheritableThreadLocalMap>();
+ private static final ThreadLocal> RESOURCES = new ThreadLocal<>();
 /**
 * Default no-argument constructor.
@@ -327,26 +327,5 @@ public static void bind(Subject subject) {
 public static Subject unbindSubject() {
 return (Subject) remove(SUBJECT_KEY);
 }
-
- private static final class InheritableThreadLocalMap>
- extends InheritableThreadLocal> {
-
- /**
- * This implementation was added to address a
- *
- * user-reported issue.
- *
- * @param parentValue the parent value, a HashMap as defined in the {@link #initialValue()} method.
- * @return the HashMap to be used by any parent-spawned child threads (a clone of the parent HashMap).
- */
- @SuppressWarnings({"unchecked"})
- protected Map childValue(Map parentValue) {
- if (parentValue != null) {
- return (Map) ((HashMap) parentValue).clone();
- } else {
- return null;
- }
- }
- }
 }
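Review bot: The new `RESOURCES` declaration in the first hunk has no comment recording that it is deliberately a plain `ThreadLocal`, so a later change could reintroduce inheritance and with it the leak of the parent's security context into child threads. I would add above it `// Deliberately not inheritable: child threads must not see the parent's Subject/SecurityManager; propagate explicitly, e.g. Subject.associateWith(Runnable).` This is also a behaviour change for callers that start their own threads and relied on the inherited context, which deserves a release note. Since the patch touches only ThreadContext.java, a regression test asserting that a freshly started thread sees no bound Subject would pin the fix. The class body continues outside both hunks, so whether the class Javadoc still describes inheritance cannot be checked from here.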