[FIXED HUDSON-7256] use setContext() instead of getContext().setAuthentication()

to temporarily set SYSTEM ACL, so this temporary access change does not affect other concurrent threads for same HttpSession.. conflict between such requests was creating the possibility of getting SYSTEM permission actually set in the session. git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@36210 71c3de6d-444a-0410-be80-ed276b4c234a

[FIXED HUDSON-7256] use setContext() instead of getContext().setAuthentication()
to temporarily set SYSTEM ACL, so this temporary access change does not affect other concurrent threads for same HttpSession.. conflict between such requests was creating the possibility of getting SYSTEM permission actually set in the session. git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@36210 71c3de6d-444a-0410-be80-ed276b4c234a
a1cc3b4f · mindless · 6b36bd60 · a1cc3b4f
隐藏空白更改
内联并排

Showing with 9 addition and 5 deletion

core/src/main/java/hudson/model/DependencyGraph.java core/src/main/java/hudson/model/DependencyGraph.java +9 -5

未找到文件。
--- a/core/src/main/java/hudson/model/DependencyGraph.java
+++ b/core/src/main/java/hudson/model/DependencyGraph.java
@@ -25,7 +25,8 @@
 package hudson.model;

 import hudson.security.ACL;
-import org.acegisecurity.Authentication;
+import hudson.security.NotSerilizableSecurityContext;
+import org.acegisecurity.context.SecurityContext;
 import org.acegisecurity.context.SecurityContextHolder;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerResponse;
@@ -92,10 +93,13 @@ public final class DependencyGraph implements Comparator<AbstractProject> {
     * Builds the dependency graph.
     */
    public DependencyGraph() {
-        // Set full privileges while computing to avoid missing any projects the current user cannot see
-        Authentication saveAuth = SecurityContextHolder.getContext().getAuthentication();
+        // Set full privileges while computing to avoid missing any projects the current user cannot see.
+        // Use setContext (NOT getContext().setAuthentication()) so we don't affect concurrent threads for same HttpSession.
+        SecurityContext saveCtx = SecurityContextHolder.getContext();
        try {
-            SecurityContextHolder.getContext().setAuthentication(ACL.SYSTEM);
+            NotSerilizableSecurityContext system = new NotSerilizableSecurityContext();
+            system.setAuthentication(ACL.SYSTEM);
+            SecurityContextHolder.setContext(system);
            for( AbstractProject p : Hudson.getInstance().getAllItems(AbstractProject.class) )
                p.buildDependencyGraph(this);

@@ -104,7 +108,7 @@ public final class DependencyGraph implements Comparator<AbstractProject> {

            built = true;
        } finally {
-            SecurityContextHolder.getContext().setAuthentication(saveAuth);
+            SecurityContextHolder.setContext(saveCtx);
        }
    }