diff --git a/nucleus/security/core/src/main/java/com/sun/enterprise/security/SecurityContext.java b/nucleus/security/core/src/main/java/com/sun/enterprise/security/SecurityContext.java
index 8b31027f44d..5e7d63118af 100644
--- a/nucleus/security/core/src/main/java/com/sun/enterprise/security/SecurityContext.java
+++ b/nucleus/security/core/src/main/java/com/sun/enterprise/security/SecurityContext.java
@@ -66,15 +66,15 @@ public class SecurityContext extends AbstractSecurityContext {
 private static final long serialVersionUID = 1L;
 private static final Logger _logger = SecurityLoggerInfo.getLogger();
+ // sessionPrincipal is static because it's a thread local, which isn't serializable,
+ // and we need at most one instance per thread
+ private static final ThreadLocal sessionPrincipal = new ThreadLocal<>();
 private static InheritableThreadLocal currentSecurityContext = new InheritableThreadLocal<>();
 private static SecurityContext defaultSecurityContext = generateDefaultSecurityContext();
 private static AuthPermission doAsPrivilegedPerm = new AuthPermission("doAsPrivileged");
- // this is static because it's a thread local, which isn't serializable
- private static ThreadLocal sessionPrincipal = new ThreadLocal<>();
-
 // Did the client log in as or did the server generate the context
 private boolean serverGeneratedSecurityContext;