Enhance context switching

Support for gRPC Context access as well as Kotlin coroutine
access to the SecurityContext.

Author: dsyer

pom.xml

@@ -84,6 +84,7 @@
 		<spring-boot.version>4.0.1</spring-boot.version>
 		<jackson.version>2.20.1</jackson.version>
 		<junit.version>6.0.1</junit.version>
+		<kotlin.coroutines.version>1.10.2</kotlin.coroutines.version>
 		<assertj.version>3.27.6</assertj.version>
 		<awaitility.version>4.3.0</awaitility.version>
 		<mockito.version>5.20.0</mockito.version>

spring-grpc-core/pom.xml

@@ -79,6 +79,18 @@
 			<groupId>io.grpc</groupId>
 			<artifactId>grpc-kotlin-stub</artifactId>
 			<optional>true</optional>
+			<exclusions>
+				<exclusion>
+					<groupId>javax.annotation</groupId>
+					<artifactId>javax.annotation-api</artifactId>
+				</exclusion>
+			</exclusions>
+		</dependency>
+		<dependency>
+			<groupId>org.jetbrains.kotlinx</groupId>
+			<artifactId>kotlinx-coroutines-core</artifactId>
+			<optional>true</optional>
+			<version>${kotlin.coroutines.version}</version>
 		</dependency>
 		<dependency>
 			<groupId>com.salesforce.servicelibs</groupId>

spring-grpc-core/src/main/java/org/springframework/grpc/server/security/AuthenticationProcessInterceptor.java

@@ -28,7 +28,8 @@
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 
-import io.grpc.ForwardingServerCallListener.SimpleForwardingServerCallListener;
+import io.grpc.Context;
+import io.grpc.Contexts;
 import io.grpc.Metadata;
 import io.grpc.ServerCall;
 import io.grpc.ServerCall.Listener;
@@ -97,67 +98,13 @@ else if (user == null || !user.isAuthenticated()) {
 
 		SecurityContext currentContext = SecurityContextHolder.getContext();
 		try {
-			return new SecurityContextClearingListener<>(next.startCall(call, headers), currentContext);
+			Context context = Context.current().withValue(GrpcSecurity.SECURITY_CONTEXT_KEY, currentContext);
+			return new SecurityContextHandlerListener<ReqT, RespT>(Contexts.interceptCall(context, call, headers, next),
+					currentContext);
 		}
 		finally {
 			SecurityContextHolder.clearContext();
 		}
 	}
 
-	static class SecurityContextClearingListener<ReqT> extends SimpleForwardingServerCallListener<ReqT> {
-
-		private final SecurityContext securityContext;
-
-		SecurityContextClearingListener(ServerCall.Listener<ReqT> delegate, SecurityContext securityContext) {
-			super(delegate);
-			this.securityContext = securityContext;
-		}
-
-		@Override
-		public void onMessage(ReqT message) {
-			SecurityContextHolder.setContext(this.securityContext);
-			try {
-				super.onMessage(message);
-			}
-			finally {
-				SecurityContextHolder.clearContext();
-			}
-		}
-
-		@Override
-		public void onHalfClose() {
-			SecurityContextHolder.setContext(this.securityContext);
-			try {
-				super.onHalfClose();
-			}
-			finally {
-				SecurityContextHolder.clearContext();
-			}
-		}
-
-		@Override
-		public void onReady() {
-			SecurityContextHolder.setContext(this.securityContext);
-			try {
-				super.onReady();
-			}
-			finally {
-				SecurityContextHolder.clearContext();
-			}
-		}
-
-		@Override
-		public void onCancel() {
-			super.onCancel();
-			SecurityContextHolder.clearContext();
-		}
-
-		@Override
-		public void onComplete() {
-			super.onComplete();
-			SecurityContextHolder.clearContext();
-		}
-
-	}
-
 }

spring-grpc-core/src/main/java/org/springframework/grpc/server/security/CoroutineSecurityContextInterceptor.java

@@ -0,0 +1,40 @@
+/*
+ * Copyright 2025-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.grpc.server.security;
+
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+import io.grpc.Metadata;
+import io.grpc.ServerCall;
+import io.grpc.kotlin.CoroutineContextServerInterceptor;
+import kotlin.coroutines.CoroutineContext;
+
+/**
+ * A gRPC server interceptor that integrates Spring Security's {@link SecurityContext}
+ * with Kotlin coroutines by adding an element to the coroutine context.
+ *
+ * @author Dave Syer
+ */
+public class CoroutineSecurityContextInterceptor extends CoroutineContextServerInterceptor {
+
+	@Override
+	public CoroutineContext coroutineContext(ServerCall<?, ?> call, Metadata metadata) {
+		return new SecurityContextElement(SecurityContextHolder.getContext());
+	}
+
+}

spring-grpc-core/src/main/java/org/springframework/grpc/server/security/GrpcSecurity.java

@@ -34,10 +34,12 @@
 import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.util.Assert;
 
 import io.grpc.Attributes;
+import io.grpc.Context;
 import io.grpc.Metadata;
 import io.grpc.MethodDescriptor;
 import io.micrometer.observation.ObservationRegistry;
@@ -78,6 +80,11 @@ public final class GrpcSecurity
 	 */
 	public static final int CONTEXT_FILTER_ORDER = 0;
 
+	/**
+	 * Key for the SecurityContext in the gRPC Context.
+	 */
+	public static Context.Key<SecurityContext> SECURITY_CONTEXT_KEY = Context.key("spring-security-context");
+
 	private @Nullable AuthenticationManager authenticationManager;
 
 	private List<GrpcAuthenticationExtractor> authenticationExtractors = new ArrayList<>();

spring-grpc-core/src/main/java/org/springframework/grpc/server/security/SecurityContextElement.java

@@ -0,0 +1,63 @@
+/*
+ * Copyright 2025-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.grpc.server.security;
+
+import java.util.Objects;
+
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+import kotlin.coroutines.AbstractCoroutineContextElement;
+import kotlin.coroutines.CoroutineContext;
+import kotlinx.coroutines.ThreadContextElement;
+
+/**
+ * Holds a Spring Security {@link SecurityContext} in a Kotlin CoroutineContext.
+ *
+ * @author Dave Syer
+ */
+// To be replaced by official implementation when available from Spring Security
+class SecurityContextElement extends AbstractCoroutineContextElement implements ThreadContextElement<SecurityContext> {
+
+	/** The context key. */
+	private static final Key Key = new Key();
+
+	private final SecurityContext securityContext;
+
+	SecurityContextElement(SecurityContext securityContext) {
+		super(Key);
+		this.securityContext = securityContext;
+	}
+
+	@Override
+	public SecurityContext updateThreadContext(CoroutineContext coroutineContext) {
+		Objects.requireNonNull(coroutineContext, "coroutineContext must not be null");
+		SecurityContextHolder.setContext(this.securityContext);
+		return this.securityContext;
+	}
+
+	@Override
+	public void restoreThreadContext(CoroutineContext coroutineContext, SecurityContext securityContext) {
+		Objects.requireNonNull(coroutineContext, "coroutineContext must not be null");
+		SecurityContextHolder.clearContext();
+	}
+
+	public static final class Key implements CoroutineContext.Key<SecurityContextElement> {
+
+	}
+
+}

spring-grpc-core/src/main/java/org/springframework/grpc/server/security/SecurityContextHandlerListener.java

@@ -0,0 +1,79 @@
+/*
+ * Copyright 2024-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.grpc.server.security;
+
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+import io.grpc.ForwardingServerCallListener.SimpleForwardingServerCallListener;
+import io.grpc.ServerCall;
+
+class SecurityContextHandlerListener<ReqT, RespT> extends SimpleForwardingServerCallListener<ReqT> {
+
+	private SecurityContext securityContext;
+
+	SecurityContextHandlerListener(ServerCall.Listener<ReqT> delegate, SecurityContext securityContext) {
+		super(delegate);
+		this.securityContext = securityContext;
+	}
+
+	@Override
+	public void onMessage(ReqT message) {
+		SecurityContextHolder.setContext(this.securityContext);
+		try {
+			super.onMessage(message);
+		}
+		finally {
+			SecurityContextHolder.clearContext();
+		}
+	}
+
+	@Override
+	public void onHalfClose() {
+		SecurityContextHolder.setContext(this.securityContext);
+		try {
+			super.onHalfClose();
+		}
+		finally {
+			SecurityContextHolder.clearContext();
+		}
+	}
+
+	@Override
+	public void onReady() {
+		SecurityContextHolder.setContext(this.securityContext);
+		try {
+			super.onReady();
+		}
+		finally {
+			SecurityContextHolder.clearContext();
+		}
+	}
+
+	@Override
+	public void onCancel() {
+		super.onCancel();
+		SecurityContextHolder.clearContext();
+	}
+
+	@Override
+	public void onComplete() {
+		super.onComplete();
+		SecurityContextHolder.clearContext();
+	}
+
+}

spring-grpc-core/src/main/java/org/springframework/grpc/server/security/SecurityContextServerInterceptor.java

@@ -20,7 +20,8 @@
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 
-import io.grpc.ForwardingServerCallListener.SimpleForwardingServerCallListener;
+import io.grpc.Context;
+import io.grpc.Contexts;
 import io.grpc.Metadata;
 import io.grpc.ServerCall;
 import io.grpc.ServerCall.Listener;
@@ -38,63 +39,9 @@ public int getOrder() {
 	public <ReqT, RespT> Listener<ReqT> interceptCall(ServerCall<ReqT, RespT> call, Metadata headers,
 			ServerCallHandler<ReqT, RespT> next) {
 		SecurityContext securityContext = SecurityContextHolder.getContext();
-		return new SecurityContextHandlerListener<ReqT, RespT>(next.startCall(call, headers), securityContext);
-	}
-
-	static class SecurityContextHandlerListener<ReqT, RespT> extends SimpleForwardingServerCallListener<ReqT> {
-
-		private SecurityContext securityContext;
-
-		SecurityContextHandlerListener(ServerCall.Listener<ReqT> delegate, SecurityContext securityContext) {
-			super(delegate);
-			this.securityContext = securityContext;
-		}
-
-		@Override
-		public void onMessage(ReqT message) {
-			SecurityContextHolder.setContext(this.securityContext);
-			try {
-				super.onMessage(message);
-			}
-			finally {
-				SecurityContextHolder.clearContext();
-			}
-		}
-
-		@Override
-		public void onHalfClose() {
-			SecurityContextHolder.setContext(this.securityContext);
-			try {
-				super.onHalfClose();
-			}
-			finally {
-				SecurityContextHolder.clearContext();
-			}
-		}
-
-		@Override
-		public void onReady() {
-			SecurityContextHolder.setContext(this.securityContext);
-			try {
-				super.onReady();
-			}
-			finally {
-				SecurityContextHolder.clearContext();
-			}
-		}
-
-		@Override
-		public void onCancel() {
-			super.onCancel();
-			SecurityContextHolder.clearContext();
-		}
-
-		@Override
-		public void onComplete() {
-			super.onComplete();
-			SecurityContextHolder.clearContext();
-		}
-
+		Context context = Context.current().withValue(GrpcSecurity.SECURITY_CONTEXT_KEY, securityContext);
+		return new SecurityContextHandlerListener<ReqT, RespT>(Contexts.interceptCall(context, call, headers, next),
+				securityContext);
 	}
 
 }