Review SecurityContext associations ------------------------------------ Key: WFLY-485 URL: https://issues.jboss.org/browse/WFLY-485 Project: WildFly Issue Type: Sub-task Components: Security Reporter: Darran Lofthouse Assignee: David Lloyd Labels: Security_SPI Fix For: 8.0.0.CR1 We should re-review the approach we take for security context association within AS7 containers. Back at the time of AS 3 it fairly reliable to assume a 1:1 mapping of thread and client with the incoming connection being allocated it's own thread, this is no longer automatically the case and different containers can use different threading models e.g. using Executors to handle asynchronous requests. The problem with using a ThreadLocal approach is that every time a container diverges from the 1:1 mapping of thread and client that container needs to work around the issue of an invalid SecurityContext association. One possibility is to pass responsibility for managing the context to the container although this then introduces the question of how it is passed from container to container. This issue needs to consider this further. Also need to review further how the security context can be created at all entry points to the server and how it can be manually switched now that we use SASL on entry for remote calls we do now have the opportunity for equivalent behaviour at the entry point for both web and ejb type calls - in the past we only had this opportunity for web based calls and would only create a security context on entering the interceptors for the EJB calls.