Spring Security No way to specify SecurityContextHolderStrategy for AbstractSecurityInterceptor

When switching to version 5.x I see that you now inject SecurityContextHolderStrategy into AbstractSecurityInterceptor:

https://github.com/spring-projects/spring-security/blob/main/core/src/main/java/org/springframework/security/access/intercept/AbstractSecurityInterceptor.java#L401

However there is no way we can provide our custom SecurityContextHolderStrategy:

https://github.com/spring-projects/spring-security/blob/main/config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java#L110

In my case it is important to use InheritableThreadLocalSecurityContextHolderStrategy however the above code returns ThreadLocalSecurityContextHolderStrategy which has no authentication set and then I get this error:

"An Authentication object was not found in the SecurityContext"

It would be nice if we have a method getSecurityContextHolderStrategy() with defaultImplementation that we can override in our extension of GlobalMethodSecurityConfiguration.

Comment From: sjohnr

@ptahchiev thanks for reaching out. I apologize for the delay in responding. At this time, the AbstractSecurityInterceptor is deprecated in favor of AuthorizationFilter and will be removed in a future release. I don't believe it makes sense to enhance it, and I would encourage you to migrate to using the AuthorizationManager API for customizing. See the chapter on Authorization Migrations in the 5.8 reference documentation and the latest docs on Authorization.

I'm going to close this as declined with the above explanation, but if I have misunderstood anything please let me know.