Luke Taylor (Migrated from SEC-1516) said:
The current approach for accessing the security context in user code involves using the SecurityContextHolder directly, which is quite cumbersome in unit tests and involves setting up a context beforehand and tearing it down to avoid leaking threadlocals.
Using an interface which could be injected into components which want to use programmatic security would allow mocking and could also provide methods to make it easier to perform common functions such as looking up authorities.
It's also possible that some internal components which require access to the context could make use of the same interface.
Comment From: spring-projects-issues
Luke Taylor said:
Authority lookup is almost always performed using a direct reference to an Authentication object, so it would also probably be necessary to add authority lookup methods to the Authentication interface to allow for optimization, e.g.
hasAuthority(GrantedAuthority a); hasAuthority(String a);
Comment From: spring-projects-issues
Luke Taylor said:
Deferring as changing the Authentication interface at this stage isn't really feasible.
Comment From: spring-projects-issues
This issue supersedes #1790
Comment From: rwinch
Users wishing to do this should leverage Supplier<SecurityContext>.
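
An added example, not part of the original thread and not Spring Security's own code: a component that receives the context through an injected `Supplier<SecurityContext>`, so a test can hand it a constructed context without touching the thread-local holder. `ReportService`, `ReportServiceDemo`, and the user and role names are hypothetical; it assumes spring-security-core 5 or later on the classpath.

```java
import java.util.function.Supplier;

import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl;

// Hypothetical component: takes the context as an injected Supplier
// instead of calling SecurityContextHolder directly.
class ReportService {
    private final Supplier<SecurityContext> securityContext;

    ReportService(Supplier<SecurityContext> securityContext) {
        this.securityContext = securityContext;
    }

    // Fails closed: no context, no Authentication, or unauthenticated => false.
    boolean hasAuthority(String authority) {
        SecurityContext context = securityContext.get();
        Authentication auth = (context != null) ? context.getAuthentication() : null;
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (authority.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}

public class ReportServiceDemo {
    public static void main(String[] args) {
        // Production wiring: the holder is consulted at call time, per thread.
        ReportService production = new ReportService(SecurityContextHolder::getContext);
        System.out.println(production.hasAuthority("ROLE_ADMIN")); // nothing authenticated here

        // Test wiring: a constructed context, no thread-local setup or teardown.
        SecurityContext fixed = new SecurityContextImpl(
                new TestingAuthenticationToken("alice", "n/a", "ROLE_ADMIN"));
        ReportService underTest = new ReportService(() -> fixed);
        System.out.println(underTest.hasAuthority("ROLE_ADMIN"));
        System.out.println(underTest.hasAuthority("ROLE_AUDITOR"));
    }
}
```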