Spring Security How to use with completable futures?

Expected Behavior

When setting a security context have it also be propagated to the worker threads used by Completable Futures.

Current Behavior

When using CompletableFuture within a method that has a security context, the security context is not passed to the CompletableFuture, if we don't specify the executor given that it uses the default ForkJoinPool.commonPool().

Context

There are external libraries like graphql-java that use CompletableFutures and the ForkJoinPool.commonPool() to complete tasks asynchronously. The security context is not passed to those threads.

In order to use graphql-java with Spring Security correctly we would need a way to have the CompletableFutures be aware of the security context.

Using the SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL) causes a security context leak since the threads in the ForkJoinPool.commonPool() are shared and have the context set during creation only.

https://www.graphql-java.com/documentation/execution/#asyncexecutionstrategy

Comment From: luismolina13

I see that spring-graphql has support for this. Thank you!