Undeploy shows SecurityContextImpl [Null authentication] memory leak on tomcat

[shirosaki]

Describe the bug
Create a spring boot war application and deploy to tomcat server.
Undeploy the app from tomcat causes the following log.

SEVERE [Catalina-utility-1] org.apache.catalina.loader.WebappClassLoaderBase.checkThreadLocalMapForLeaks The web application [xxxxxx] created a ThreadLocal with key of type [java.lang.ThreadLocal] (value [java.lang.ThreadLocal@b58535e3]) and a value of type [org.springframework.security.core.context.SecurityContextImpl] (value [SecurityContextImpl [Null authentication]]) but failed to remove it when the web application was stopped. Threads are going to be renewed over time to try and avoid a probable memory leak.

To Reproduce
Put war file to webapps directory in tomcat and remove the war from webapps.
Spring boot v2.4.1, Java 11 and tomcat 9.0.41.

Expected behavior
SecurityContextImpl [Null authentication] is not created with ThreadLocal or removed on stopping.

If SecurityContextHolder strategy is MODE_GLOBAL, this doesn't occur.
I don't find how to remove SecurityContextImpl [Null authentication].

[jzheaux]

Hi, @shirosaki, thanks for the report. I've attempted to reproduce this behavior using the Hello Security sample and the versions described; however, I'm unsuccessful. Would you be able to supply a minimal sample that reproduces the issue?

[shirosaki]

@jzheaux
Thanks. I've created a sample.
https://github.com/shirosaki/spring-security-samples/tree/threadlocalleak/servlet/spring-boot/java/oauth2/webclient

Create war.

./gradlew war

Put the war file to tomcat webapps. Then the war is deployed.

cp build/libs/webclient-5.6.0-SNAPSHOT-plain.war /path/to/apache-tomcat/webapps/

And remove the war file to undeploy.

rm /path/to/apache-tomcat/webapps/webclient-5.6.0-SNAPSHOT-plain.war

[shirosaki]

This change seems to fix leaks.
shirosaki@6065479

SecurityContextHolder.getContext() creates null authentication object.