In order to enforce the WebFlux module, Spring 5 provides improved reactive support in the Spring Security module. Here, the central enhancement is support for the reactive programming model via Project Reactor. As we might remember, the old Spring Security used ThreadLocal as a storage method for SecurityContext instances. That technique works well in the case of execution within one Thread. At any point in time, we may access a SecurityContext stored inside the ThreadLocal storage. However, problems occur when asynchronous communication comes into force. Here, we have to provide additional effort to transfer the ThreadLocal content into another Thread, and we do this for each instance of switching between Thread instances. Even though Spring Framework simplifies the transfer of SecurityContext between Threads by using an additional ThreadLocal extension, we still may get into trouble when applying a reactive programming paradigm with Project Reactor or similar reactive libraries.

Fortunately, the new generation of Spring Security employs the reactor context feature in order to transfer security context within a Flux or Mono stream. In this way, we may safely access the security context even in a complicated reactive stream that may operate in different execution threads. The details of how such capability is implemented within a reactive stack are covered in Chapter 6, WebFlux Async Non-Blocking Communication.