This is a small POC to illustrate a discussion on StackOverflow question Spring Security Virtual Threads and ThreadLocal.
Custom SecurityContextHolderStrategy which retrieves and saves SecurityContext from and to a ScopedValue is installed. Tomcat Handler customizer registers an ExecutorService which starts a virtual thread, with the ScopedValue bound to it.
To test, run Spring Boot SpringSecurityScopedValueApplication, point your browser to a protected resource, make sure that current SecurityContextHolderStrategy is our custom one, and see the dump of current Authentication in the console log.