Rather than requiring the wrapped request/response we should allow any HttpServletRequest/HttpServletResponse can be used to save the SecurityContext. This will allow for explicit saves vs implicit saves that happen with the response is committed.