Describe the bug

Create a Spring Boot war application and deploy it to a Tomcat server. Undeploying the app from Tomcat causes the following log.

SEVERE [Catalina-utility-1] org.apache.catalina.loader.WebappClassLoaderBase.checkThreadLocalMapForLeaks The web application [xxxxxx] created a ThreadLocal with key of type [java.lang.ThreadLocal] (value [java.lang.ThreadLocal@b58535e3]) and a value of type [org.springframework.security.core.context.SecurityContextImpl] (value [SecurityContextImpl [Null authentication]]) but failed to remove it when the web application was stopped. Threads are going to be renewed over time to try and avoid a probable memory leak.

To Reproduce

Put the war file in the webapps directory in Tomcat, then remove the war from webapps. Spring Boot v2.4.1, Java 11 and Tomcat 9.0.41.

Expected behavior

SecurityContextImpl [Null authentication] is not created with ThreadLocal, or is removed on stopping.

If the SecurityContextHolder strategy is MODE_GLOBAL, this doesn't occur. I can't find how to remove SecurityContextImpl [Null authentication].

Comment From: jzheaux

Hi, @shirosaki, thanks for the report. I've attempted to reproduce this behavior using the Hello Security sample and the versions described; however, I'm unsuccessful. Would you be able to supply a minimal sample that reproduces the issue?

Comment From: shirosaki

@jzheaux Thanks. I've created a sample. https://github.com/shirosaki/spring-security-samples/tree/threadlocalleak/servlet/spring-boot/java/oauth2/webclient

Create the war.

./gradlew war

Put the war file in the Tomcat webapps directory. The war is then deployed.

cp build/libs/webclient-5.6.0-SNAPSHOT-plain.war /path/to/apache-tomcat/webapps/

And remove the war file to undeploy.

rm /path/to/apache-tomcat/webapps/webclient-5.6.0-SNAPSHOT-plain.war

Comment From: shirosaki

This change seems to fix leaks. https://github.com/shirosaki/spring-security/commit/6065479f2bcd5d408bc2d2f7187645c90b9e4448

SecurityContextHolder.getContext() creates a null authentication object.
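
The mechanism behind the log message and the last comment, as an added example that is not part of the thread and not Spring Security's code: a read that lazily stores an empty context in a ThreadLocal leaves it bound to a long-lived thread unless the same thread removes it. `Holder`, `Context` and `boundAfter` are hypothetical stand-ins, and the single-thread executor stands in for a reused container thread such as Catalina-utility-1.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadLocalContextLeakDemo {

    // Hypothetical stand-in for an empty security context ("Null authentication").
    static final class Context { Object authentication; }

    // Simplified stand-in for a thread-local context holder (assumption, not the real class).
    static final class Holder {
        private static final ThreadLocal<Context> CONTEXT = new ThreadLocal<>();

        // Models the behaviour reported above: a plain read creates and stores an empty context.
        static Context getContext() {
            Context ctx = CONTEXT.get();
            if (ctx == null) {
                ctx = new Context();
                CONTEXT.set(ctx);
            }
            return ctx;
        }

        static void clearContext() { CONTEXT.remove(); }

        // Inspects the current thread without creating anything (demo helper only).
        static boolean isBound() { return CONTEXT.get() != null; }
    }

    // Runs the task on the pool's thread, then reports whether that thread still holds a context.
    static boolean boundAfter(ExecutorService pool, Runnable task) throws Exception {
        pool.submit(task).get();
        return pool.submit((Callable<Boolean>) Holder::isBound).get();
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor(); // one reused thread
        try {
            boolean readOnly = boundAfter(pool, Holder::getContext);
            boolean readThenClear = boundAfter(pool, () -> {
                try { Holder.getContext(); }
                finally { Holder.clearContext(); } // must run on the thread that did the read
            });
            System.out.println("read only, still bound: " + readOnly);
            System.out.println("read + clear in finally, still bound: " + readThenClear);
        } finally {
            pool.shutdown();
        }
    }
}
```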