We should add a SecurityContextHolderFilter that loads the SecurityContext from the request. It will not automatically save the SecurityContext. Using this mechanism requires explicitly saving the SecurityContext rather than just setting the SecurityContextHolder. We also want to consider a simplified API to SecurityContextRepository.loadContext(HttpRequestResponseHolder) so that users do not need to worry about replacing the request/response. Perhaps just adding a default method to SecurityContextRepository.loadContext(HttpServletRequest,HttpServletResponse).
Related gh-9634 gh-10947
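
What "explicitly saving" means for application code that authenticates a user itself, as an added example (not code from this issue or from the Spring Security project). It uses only the existing `SecurityContextRepository.saveContext` method. The class name `ExplicitSaveLogin`, the choice of `HttpSessionSecurityContextRepository`, and the `javax.servlet` namespace are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;

// Hypothetical helper written for this example.
public class ExplicitSaveLogin {

    private final AuthenticationManager authenticationManager;

    // Assumption: the application persists the context in the HTTP session.
    private final SecurityContextRepository repository =
            new HttpSessionSecurityContextRepository();

    public ExplicitSaveLogin(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    public Authentication login(String username, String password,
            HttpServletRequest request, HttpServletResponse response) {
        // Throws AuthenticationException on bad credentials, so nothing
        // below runs and nothing is persisted for a failed login.
        Authentication result = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(username, password));

        // Build a fresh context instead of mutating the current one, so no
        // other thread observes a partially updated context.
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(result);

        // Makes the authentication visible for the rest of this request only.
        SecurityContextHolder.setContext(context);

        // The explicit save: with a filter that only loads the context,
        // skipping this call means the next request is unauthenticated.
        repository.saveContext(context, request, response);
        return result;
    }
}
```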