Fix WebPrincipal not serializable - make sessionPrincipal final again

eclipse-ee4j · Feb 5, 2025 · 7051a9c · 7051a9c
1 parent 073f35d
commit 7051a9c
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/nucleus/security/core/src/main/java/com/sun/enterprise/security/SecurityContext.java b/nucleus/security/core/src/main/java/com/sun/enterprise/security/SecurityContext.java
@@ -66,15 +66,15 @@ public class SecurityContext extends AbstractSecurityContext {
 
     private static final long serialVersionUID = 1L;
     private static final Logger _logger = SecurityLoggerInfo.getLogger();
+    // sessionPrincipal is static because it's a thread local, which isn't serializable,
+    // and we need at most one instance per thread
+    private static final ThreadLocal<Principal> sessionPrincipal = new ThreadLocal<>();
 
     private static InheritableThreadLocal<SecurityContext> currentSecurityContext = new InheritableThreadLocal<>();
     private static SecurityContext defaultSecurityContext = generateDefaultSecurityContext();
 
     private static AuthPermission doAsPrivilegedPerm = new AuthPermission("doAsPrivileged");
 
-    // this is static because it's a thread local, which isn't serializable
-    private static ThreadLocal<Principal> sessionPrincipal = new ThreadLocal<>();
-
     // Did the client log in as or did the server generate the context
     private boolean serverGeneratedSecurityContext;