concord-server: avoid security subject creation when it is not needed

server/impl/src/main/java/com/walmartlabs/concord/server/process/ProcessSecurityContext.java

@@ -72,16 +72,14 @@ public byte[] serializePrincipals(PrincipalCollection src) {
         return SecurityUtils.serialize(dst);
     }
 
-    // TODO: invalidate cache for processKey?
     public void storeCurrentSubject(ProcessKey processKey) {
-        Subject s = SecurityUtils.getSubject();
-        PrincipalCollection src = s.getPrincipals();
-        storeSubject(processKey, src);
+        Subject subject = SecurityUtils.assertSubject();
+        storeSubject(processKey, subject.getPrincipals());
     }
 
-    // TODO: invalidate cache for processKey?
     public void storeSubject(ProcessKey processKey, PrincipalCollection src) {
         stateManager.replace(processKey, PRINCIPAL_FILE_PATH, serializePrincipals(src));
+        principalCache.invalidate(processKey);
     }
 
     public PrincipalCollection getPrincipals(PartialProcessKey processKey) {

server/impl/src/main/java/com/walmartlabs/concord/server/process/pipelines/processors/PayloadStoreProcessor.java

@@ -30,6 +30,7 @@
 import com.walmartlabs.concord.server.sdk.ProcessKey;
 import com.walmartlabs.concord.server.sdk.metrics.WithTimer;
 import com.walmartlabs.concord.server.security.SecurityUtils;
+import org.apache.shiro.subject.PrincipalCollection;
 
 import javax.inject.Inject;
 import java.nio.file.Path;
@@ -79,9 +80,11 @@ public Payload process(Chain chain, Payload payload) {
 
         String serializedHeaders = serialize(headers);
 
+        PrincipalCollection initiator = SecurityUtils.assertSubject().getPrincipals();
+
         stateManager.tx(tx -> {
             stateManager.insertInitial(tx, processKey, "payload.json", serializedHeaders.getBytes());
-            stateManager.insertInitial(tx, processKey, "initiator", securityContext.serializePrincipals(SecurityUtils.getSubject().getPrincipals()));
+            stateManager.insertInitial(tx, processKey, "initiator", securityContext.serializePrincipals(initiator));
             stateManager.importPathInitial(tx, processKey, "attachments/", payload.getHeader(Payload.BASE_DIR), (path, basicFileAttributes) -> payload.getAttachments().containsValue(path));
         });
 

server/impl/src/main/java/com/walmartlabs/concord/server/security/SecurityUtils.java

@@ -44,31 +44,41 @@ public final class SecurityUtils {
 
     public static void logout() {
         Subject subject = getSubject();
-        if (subject != null) {
-            subject.logout();
+        if (subject == null) {
+            return;
         }
+        subject.logout();
     }
 
     public static boolean hasRole(String role) {
         Subject s = getSubject();
+        if (s == null) {
+            return false;
+        }
         return s.hasRole(role);
     }
 
     public static boolean isPermitted(String permission) {
         Subject s = getSubject();
+        if (s == null) {
+            return false;
+        }
         return s.isPermitted(permission);
     }
 
     public static Subject getSubject() {
-        Subject subject = ThreadContext.getSubject();
+        return ThreadContext.getSubject();
+    }
+
+    public static Subject assertSubject() {
+        Subject subject = getSubject();
         if (subject == null) {
-            subject = (new Subject.Builder()).buildSubject();
-            ThreadContext.bind(subject);
+            throw new AuthenticationException("Can't determine the current security subject");
         }
         return subject;
     }
 
-    public static <T> T getCurrent(Class<T> type) {
+    public static <T> T getPrincipal(Class<T> type) {
         SecurityManager securityManager = ThreadContext.getSecurityManager();
         if (securityManager == null) {
             return null;
@@ -87,8 +97,8 @@ public static <T> T getCurrent(Class<T> type) {
         return principals.oneByType(type);
     }
 
-    public static <T> T assertCurrent(Class<T> type) {
-        T p = getCurrent(type);
+    public static <T> T assertPrincipal(Class<T> type) {
+        T p = getPrincipal(type);
         if (p == null) {
             throw new AuthenticationException("Can't determine the current principal (" + type.getName() + ")");
         }

server/impl/src/main/java/com/walmartlabs/concord/server/security/UserPrincipal.java

@@ -37,11 +37,11 @@ public class UserPrincipal implements Serializable {
     private static final long serialVersionUID = 1L;
 
     public static UserPrincipal getCurrent() {
-        return SecurityUtils.getCurrent(UserPrincipal.class);
+        return SecurityUtils.getPrincipal(UserPrincipal.class);
     }
 
     public static UserPrincipal assertCurrent() {
-        return SecurityUtils.assertCurrent(UserPrincipal.class);
+        return SecurityUtils.assertPrincipal(UserPrincipal.class);
     }
 
     private final String realm;

server/impl/src/main/java/com/walmartlabs/concord/server/security/github/GithubKey.java

@@ -28,7 +28,7 @@
 public class GithubKey implements AuthenticationToken {
 
     public static GithubKey getCurrent() {
-        return SecurityUtils.getCurrent(GithubKey.class);
+        return SecurityUtils.getPrincipal(GithubKey.class);
     }
 
     private static final long serialVersionUID = 1L;

server/impl/src/main/java/com/walmartlabs/concord/server/security/ldap/LdapPrincipal.java

@@ -63,7 +63,7 @@ public LdapPrincipal(String username,
     }
 
     public static LdapPrincipal getCurrent() {
-        return SecurityUtils.getCurrent(LdapPrincipal.class);
+        return SecurityUtils.getPrincipal(LdapPrincipal.class);
     }
 
     public String getUsername() {

server/impl/src/main/java/com/walmartlabs/concord/server/security/sessionkey/SessionKeyPrincipal.java

@@ -26,7 +26,7 @@
 public class SessionKeyPrincipal {
 
     public static SessionKeyPrincipal getCurrent() {
-        return SecurityUtils.getCurrent(SessionKeyPrincipal.class);
+        return SecurityUtils.getPrincipal(SessionKeyPrincipal.class);
     }
 
     private final PartialProcessKey processKey;

server/impl/src/test/java/com/walmartlabs/concord/server/ConcordObjectMapperTest.java

@@ -1,5 +1,25 @@
 package com.walmartlabs.concord.server;
 
+/*-
+ * *****
+ * Concord
+ * -----
+ * Copyright (C) 2017 - 2025 Walmart Inc.
+ * -----
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * =====
+ */
+
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.walmartlabs.concord.common.ObjectMapperProvider;
 import org.junit.jupiter.api.Test;

server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoLogoutFilter.java

@@ -65,7 +65,9 @@ public void doFilter(HttpServletRequest request, HttpServletResponse response, F
         }
         SsoCookies.clear(response);
         Subject subject = SecurityUtils.getSubject();
-        subject.logout();
+        if (subject != null) {
+            subject.logout();
+        }
 
         redirectHelper.sendRedirect(response, "/#/logout/done");
     }