A user can easily obtain the current user principal using the @AuthenticationPrincipal annotation, say in a Spring MVC application:
@GetMapping("/path")
public String endpoint(@AuthenticationPrincipal UserDetails user) {
// ....
}
It would be nice to be able to do something more fundamental, like obtain the current security context:
@GetMapping("/path")
public String endpoint(@CurrentSecurityContext SecurityContext context) {
// ....
}
and thus:
@GetMapping("/path")
public String endpoint(@CurrentSecurityContext(expression="authentication") Authentication authentication) {
// ....
}
This ought to work for both Servlet and WebFlux applications, so we'd need to have two argument resolvers, one that retrieved the security context from SecurityContextHolder and another that got it from ReactiveSecurityContextHolder. Likely, they could be modeled after AuthenticationPrincipalArgumentResolver.
We'd also want to register these respectively in WebMvcSecurityConfiguration and ServerHttpSecurityConfiguration.
Comment From: clevertension
@jzheaux are you working on this issue? If not, I think I can provide a PR :)
Comment From: jzheaux
It's yours, @clevertension!
Comment From: clevertension
Do we need to support the property dig with Authentication?
@GetMapping("/path")
public String endpoint(@CurrentSecurityContext(expression="authentication.details") Object details) {
// ....
}
If yes, the @CurrentSecurityContext annotation should also have errorOnInvalidType.
Comment From: jzheaux
@rwinch Is there a compelling need for errorOnInvalidType?
Comment From: jgrandja
Closed via #6562