[ https://issues.apache.org/jira/browse/GERONIMO-4748?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12736789#action_12736789 ]
David Jencks commented on GERONIMO-4748:
----------------------------------------

I think the idea of having this valve is our best bet for fixing the problem in 2.1. I would be more comfortable with it if, instead of clearing the thread context when done, it restored whatever Callers was there already. I'm worried that during cross-context dispatch, the request will go through the ThreadCleanerValve for the 2nd web app context and after return the security context will be missing. This would cause problems if the servlet tried to do isCallerInRole("foo"). I'm thinking

    Callers oldCallers = ContextManager.getCallers();
    try {
        next.invoke(request, response);
    } finally {
        ContextManager.popCallers(oldCallers);
    }

What do you think?

> Security context is not cleared before the thread is returned to the pool for
> Tomcat
> ------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-4748
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4748
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>          Components: Tomcat
>    Affects Versions: 2.1.5, 2.2
>            Reporter: Ivan
>            Assignee: Ivan
>            Priority: Critical
>             Fix For: 2.1.5, 2.2
>
>         Attachments: Geronimo-4748-2.1
>
>
> We do some authentication in the TomcatGeronimoRealm, and set the security
> context, but it is not cleared later.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
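The save-and-restore variant sketched in the comment above, written out as a complete Tomcat valve. This is an added illustration, not the attached Geronimo-4748-2.1 patch or any Geronimo code; it assumes the Tomcat 6 ValveBase/Request/Response API and that org.apache.geronimo.security.ContextManager exposes getCallers() and popCallers(Callers) as the comment names them. The class and package names are hypothetical.

```java
package example.valves; // hypothetical package for this added example

import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.geronimo.security.Callers;
import org.apache.geronimo.security.ContextManager;

/**
 * Puts the thread's security context back to what it was when the request
 * entered, rather than unconditionally clearing it.
 *
 * Why restore instead of clear: a pooled thread normally arrives with no
 * Callers, so restoring null on exit gives the same hygiene as clearing
 * (no Subject leaks into the next request served by that thread). A
 * cross-context dispatch, however, enters this valve a second time with the
 * outer application's Callers already on the thread; clearing on the way
 * out would leave the outer servlet without a caller, so a later
 * isCallerInRole("foo") would be evaluated against no Subject at all.
 */
public class RestoringSecurityContextValve extends ValveBase {

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Snapshot the context present on entry: null for a fresh pool
        // thread, the outer caller for a cross-context dispatch.
        Callers oldCallers = ContextManager.getCallers();
        try {
            getNext().invoke(request, response);
        } finally {
            // Always runs, including when the realm or application threw:
            // whatever was pushed during this request is undone and the
            // thread leaves with exactly the context it arrived with.
            ContextManager.popCallers(oldCallers);
        }
    }
}
```

Register it in the Host or Context pipeline ahead of the realm-driven authentication so that the snapshot is taken before any Subject is pushed for the request.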