Fix WebPrincipal not serializable - make sessionPrincipal final again

OndroMih · OndroMih · commit 7051a9c0bdcf · 2025-02-05T09:55:04.000+01:00
diff --git a/nucleus/security/core/src/main/java/com/sun/enterprise/security/SecurityContext.java b/nucleus/security/core/src/main/java/com/sun/enterprise/security/SecurityContext.java
@@ -66,15 +66,15 @@ public class SecurityContext extends AbstractSecurityContext {
 
     private static final long serialVersionUID = 1L;
     private static final Logger _logger = SecurityLoggerInfo.getLogger();
+    // sessionPrincipal is static because it's a thread local, which isn't serializable,
+    // and we need at most one instance per thread
+    private static final ThreadLocal<Principal> sessionPrincipal = new ThreadLocal<>();
 
     private static InheritableThreadLocal<SecurityContext> currentSecurityContext = new InheritableThreadLocal<>();
     private static SecurityContext defaultSecurityContext = generateDefaultSecurityContext();
 
     private static AuthPermission doAsPrivilegedPerm = new AuthPermission("doAsPrivileged");
 
-    // this is static because it's a thread local, which isn't serializable
-    private static ThreadLocal<Principal> sessionPrincipal = new ThreadLocal<>();
-
     // Did the client log in as or did the server generate the context
     private boolean serverGeneratedSecurityContext;
 
