SEVERE [Catalina-utility-1] org.apache.catalina.loader.WebappClassLoaderBase.checkThreadLocalMapForLeaks The web application [xxxxxx] created a ThreadLocal with key of type [java.lang.ThreadLocal] (value [java.lang.ThreadLocal@b58535e3]) and a value of type [org.springframework.security.core.context.SecurityContextImpl] (value [SecurityContextImpl [Null authentication]]) but failed to remove it when the web application was stopped. Threads are going to be renewed over time to try and avoid a probable memory leak.
To Reproduce

Put war file to webapps directory in tomcat and remove the war from webapps.

Spring boot v2.4.1, Java 11 and tomcat 9.0.41.
Expected behavior

SecurityContextImpl [Null authentication] is not created with ThreadLocal or removed on stopping.
If SecurityContextHolder strategy is MODE_GLOBAL, this doesn't occur.

I don't find how to remove SecurityContextImpl [Null authentication].
          
@jzheaux

Thanks. I've created a sample.

https://github.com/shirosaki/spring-security-samples/tree/threadlocalleak/servlet/spring-boot/java/oauth2/webclient
Create war.
./gradlew war
Put the war file to tomcat webapps. Then the war is deployed.
cp build/libs/webclient-5.6.0-SNAPSHOT-plain.war /path/to/apache-tomcat/webapps/
And remove the war file to undeploy.
rm /path/to/apache-tomcat/webapps/webclient-5.6.0-SNAPSHOT-plain.war
        changed the title
Undeploy shows SecurityContextImpl [Null authentication]] memory leak on tomcat
Undeploy shows SecurityContextImpl [Null authentication] memory leak on tomcat
      Jun 2, 2021
      
To get current context without creating a new context.
Creating a new context may cause ThreadLocal leak.
Closes gh-9841