Description
Hi
I am trying to log out and log in with a different user, but when I look inside the Spring Security context (SecurityContextHolder.getContext().getAuthentication()) I still see my initial user.
I see that the Spring SecurityContextLogoutHandler is correctly called, but the logout is applied to an unauthenticated context.
It appears that there is a mix of Scout threads and Tomcat threads (embedded by Spring Boot).

The Spring context is correctly disabled in http-nio-* threads, but not in scout-* threads.
The Spring Security context is managed by a ThreadLocal. I have tried to apply the MODE_INHERITABLETHREADLOCAL strategy, but it doesn't solve the issue. I have also tried MODE_GLOBAL, which doesn't use a ThreadLocal but a static field, but it didn't work at all.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.core.context.SecurityContextHolder;

// Switches SecurityContextHolder to an InheritableThreadLocal so that child
// threads created afterwards receive a copy of the parent's security context.
@Bean
public boolean initStrategy() {
    SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL);
    return true;
}
```
I am using the configuration proposed in the standard archetype.
I think the problem is more global than the Spring context; it is a problem with how ThreadLocal works in this Spring/Scout architecture. A simple ThreadLocal doesn't work.
Have you already encountered this kind of problem?
Edit : I started on the basis of the ScoutBoot tasks example and not the archetype. I think I can't trust the SecurityContext and I must use the ClientSession only.
But in a multi module project, the ClientSession may not be visible in other layers.
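The following is an added example, not code from the issue above or from the Scout or Spring projects. It reproduces the thread-local behaviour the post runs into with plain JDK classes: an InheritableThreadLocal is copied into a child thread only at the moment that thread is created, so a pooled worker thread that already exists keeps the value it inherited, and a later logout or re-login on the request thread never reaches it. The names CURRENT_USER, userSeenBy and runAsUser are assumptions made up for the demonstration; the InheritableThreadLocal stands in for SecurityContextHolder in MODE_INHERITABLETHREADLOCAL, and the single-thread executor stands in for a long-lived Scout worker thread.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/**
 * Added example (not from the issue or from Scout/Spring): why an
 * InheritableThreadLocal does not propagate a later logout to a worker
 * thread that was created before the value changed, and how explicitly
 * carrying the value into the task avoids the stale read.
 */
public class InheritableThreadLocalDemo {

    // Hypothetical stand-in for the Spring SecurityContext: just the user name.
    static final InheritableThreadLocal<String> CURRENT_USER = new InheritableThreadLocal<>();

    /** Asks the pool's worker thread which user its own thread-local slot holds. */
    static String userSeenBy(ExecutorService pool) throws Exception {
        return pool.submit(() -> String.valueOf(CURRENT_USER.get())).get();
    }

    /**
     * Explicit propagation: the caller captures the user on the request thread
     * and the worker installs it for the duration of the task, then restores
     * whatever it held before. This is the pattern Spring Security implements
     * in DelegatingSecurityContextRunnable / DelegatingSecurityContextCallable.
     */
    static <T> T runAsUser(ExecutorService pool, String user, Callable<T> task) throws Exception {
        return pool.submit(() -> {
            String previous = CURRENT_USER.get();
            CURRENT_USER.set(user);
            try {
                return task.call();
            } finally {
                if (previous == null) {
                    CURRENT_USER.remove();
                } else {
                    CURRENT_USER.set(previous);
                }
            }
        }).get();
    }

    public static void main(String[] args) throws Exception {
        // "Login" as alice on the request thread (here: the main thread).
        CURRENT_USER.set("alice");

        // The worker thread is created lazily on the first submit; at that
        // moment it copies the parent's inheritable value.
        ExecutorService scoutLikePool = Executors.newSingleThreadExecutor();
        System.out.println("worker sees after login:     " + userSeenBy(scoutLikePool));

        // "Logout" on the request thread: clears only this thread's slot.
        CURRENT_USER.remove();
        System.out.println("request thread sees:         " + CURRENT_USER.get());
        // The already-created worker still holds the copy it received earlier.
        System.out.println("worker sees after logout:    " + userSeenBy(scoutLikePool));

        // "Login" as bob: again nothing reaches the existing worker by itself.
        CURRENT_USER.set("bob");
        System.out.println("worker sees after re-login:  " + userSeenBy(scoutLikePool));

        // Carrying the value explicitly into the task gives the worker the
        // current user for that task only, whatever its own slot contains.
        String captured = CURRENT_USER.get();
        String seen = runAsUser(scoutLikePool, captured, () -> CURRENT_USER.get());
        System.out.println("worker sees inside runAsUser: " + seen);
        System.out.println("worker sees after runAsUser:  " + userSeenBy(scoutLikePool));

        scoutLikePool.shutdown();
    }
}
```

The first three worker reads return the value copied at thread creation, regardless of the logout and re-login performed on the request thread afterwards; only the read inside runAsUser reflects the user captured on the request thread, and the worker's own slot is restored once the task finishes. MODE_GLOBAL behaves differently from both: a single static field shared by every thread, which is only correct when the whole JVM serves one user.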