grpc-spring-security-demo
WARNING: Security bypass in multi threaded environments
According to SO each grpc callback can be triggered by a different thread, thus setting and clearing the security context only in the interceptor's startCall may lead to other threads picking up the security contexts. grpc avoided the issue for their contexts with this interceptor.
I could observe rare / random security exceptions with an interceptor that works similar to the ones used in this repository. The likelihood of these exceptions increased by running more requests (both authenticated and non-authenticated) in parallel and running on slower/busier CPUs.
Is the Stack Overflow answer wrong, or is this demo affected by this?
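To make the reported race concrete, here is an added example (not code from this demo, from grpc-spring-boot-starter, or from the issue author) showing the thread-unsafe pattern beside a per-callback version. The `authenticate` method is a hypothetical stand-in for real token validation, and the class name and `AUTH_CTX` key are assumed names. `SecurityContextHolder` is a `ThreadLocal`, while gRPC may run `interceptCall`, `onMessage`, `onHalfClose` and `onComplete` on different pooled threads; the fix keeps the `Authentication` in the gRPC `Context` (which gRPC re-attaches for every callback) and installs it in `SecurityContextHolder` only for the duration of each callback.

```java
import io.grpc.Context;
import io.grpc.Contexts;
import io.grpc.ForwardingServerCallListener;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Added example, not the demo's or grpc-spring-boot-starter's code.
 * Register with: ServerInterceptors.intercept(service, new PerCallbackInterceptor())
 */
public final class GrpcSecurityContextInterceptors {

    static final Metadata.Key<String> AUTHORIZATION =
            Metadata.Key.of("authorization", Metadata.ASCII_STRING_MARSHALLER);

    /** gRPC Context key (assumed name). gRPC re-attaches the Context for every callback of a call. */
    public static final Context.Key<Authentication> AUTH_CTX = Context.key("spring-authentication");

    /** Hypothetical stand-in for real token validation; returns null when the header is missing or malformed. */
    static Authentication authenticate(Metadata headers) {
        String token = headers.get(AUTHORIZATION);
        if (token == null || !token.startsWith("Bearer ")) {
            return null;
        }
        String user = token.substring("Bearer ".length());
        return new UsernamePasswordAuthenticationToken(
                user, null, AuthorityUtils.createAuthorityList("ROLE_USER"));
    }

    static <ReqT> ServerCall.Listener<ReqT> reject(ServerCall<ReqT, ?> call) {
        call.close(Status.UNAUTHENTICATED.withDescription("missing or invalid token"), new Metadata());
        return new ServerCall.Listener<ReqT>() { };
    }

    /**
     * BROKEN: the Authentication is set on the thread that runs interceptCall and cleared on whatever
     * thread later runs onComplete. The service method runs in onHalfClose/onMessage, possibly on a third
     * thread, so it may see an empty context (random AccessDenied) or an Authentication left behind by an
     * earlier call on that pooled thread (the bypass). More parallel calls make both interleavings likelier.
     */
    public static final class ThreadLocalOnlyInterceptor implements ServerInterceptor {
        @Override
        public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
                ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
            Authentication auth = authenticate(headers);
            if (auth == null) {
                return reject(call);
            }
            SecurityContextHolder.getContext().setAuthentication(auth);          // thread A
            return new ForwardingServerCallListener.SimpleForwardingServerCallListener<ReqT>(
                    next.startCall(call, headers)) {
                @Override public void onComplete() {
                    SecurityContextHolder.clearContext();                          // some thread B
                    super.onComplete();
                }
            };
        }
    }

    /** Install auth in SecurityContextHolder only for one callback, on whichever thread runs it. */
    static void runAs(Authentication auth, Runnable callback) {
        SecurityContext sc = SecurityContextHolder.createEmptyContext();
        sc.setAuthentication(auth);
        SecurityContextHolder.setContext(sc);
        try {
            callback.run();
        } finally {
            SecurityContextHolder.clearContext();   // never leave it on a pooled thread
        }
    }

    /** FIXED: Context carries the Authentication across threads; the ThreadLocal is set per callback. */
    public static final class PerCallbackInterceptor implements ServerInterceptor {
        @Override
        public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
                ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
            final Authentication auth = authenticate(headers);
            if (auth == null) {
                return reject(call);
            }
            // Contexts.interceptCall attaches ctx around startCall and around every callback of the
            // returned listener, so service code can also read AUTH_CTX.get() directly.
            Context ctx = Context.current().withValue(AUTH_CTX, auth);
            ServerCall.Listener<ReqT> delegate = Contexts.interceptCall(ctx, call, headers, next);
            return new ForwardingServerCallListener.SimpleForwardingServerCallListener<ReqT>(delegate) {
                @Override public void onMessage(ReqT message) { runAs(auth, () -> super.onMessage(message)); }
                @Override public void onHalfClose() { runAs(auth, super::onHalfClose); }
                @Override public void onCancel()    { runAs(auth, super::onCancel); }
                @Override public void onComplete()  { runAs(auth, super::onComplete); }
                @Override public void onReady()     { runAs(auth, super::onReady); }
            };
        }
    }
}
```

Reproducing the broken variant needs a server executor with more than one thread (the default cached thread pool qualifies); with a direct executor every callback runs on the transport thread and the bug stays hidden, which is one reason it shows up only under parallel load.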
Yes, this demo is indeed affected by this issue. It is something I have been intending to fix but unfortunately haven't had the time to fix.
See https://github.com/yidongnan/grpc-spring-boot-starter/pull/126 for my attempt to fix the concurrency issue (for a different grpc-spring library though).
This concurrency issue is terrible; you can easily reproduce it by sending concurrent requests to the server. This means the demo shouldn't be used by anyone for any purposes.
@ST-DDT 's fix is live in net.devh:grpc-spring-boot-starter:2.2.0.RELEASE. Everyone should switch to that. THANK YOU!