This change adds auto-configuration capabilities to Spring Security's SecurityContextChangedListener feature which supports creating listeners that are notified about SecurityContextChangedEvents.
The main use-case of this change is observability-related: users can record these events through their listeners and Spring Cloud Sleuth also supports it via TracingSecurityContextChangedListener: Sleuth annotates its Spans so users can see what happened with the security context during their operations.
Comment From: jonatan-ivanov
After discussing with @jzheaux, I removed the SecurityContextChangedListenerRegistrar (https://github.com/spring-projects/spring-boot/pull/28544/commits/4e7c81c2acf5bc2c351a42ceb6ab1fc75634ba2d) to simplify the change.
Comment From: snicoll
@jonatan-ivanov no rush but there are some comments for you on this PR.
Comment From: jonatan-ivanov
@snicoll Thanks for the ping (I needed to focus on other things); I've just got back to this. I made the changes you requested, but in the SecurityContextHolderStrategyRegistrar I just removed the null check instead of introducing an ObjectProvider, since auto-configuration won't inject null there and this way the class is simpler and also more reusable (no need for ObjectProvider). Please let me know what you think.
Comment From: jonatan-ivanov
@snicoll Would you please check if this looks good whenever you have some time for this?
Comment From: snicoll
@jonatan-ivanov with the release of Spring Security happening in a few days, can you please follow up on this?
Comment From: wilkinsona
As discussed with @jonatan-ivanov, @rwinch, and @jzheaux, Jonatan is going to try to pursue a different approach here where the listener is managed by the tracing code where it can associate a thread's security context with its span.