There are 3 ThreadLocals that are used by SwitchYard's security code that need to get removed. This is important not only to maintain clean code, but also so we can support asynchronous dispatching in the future.
The 1st ThreadLocal was introduced in SWITCHYARD-1450, where the org.switchyard.as7.extension.ws.Interceptors.SwitchYardEncryptionConfidentialityInterceptor class adds a ConfidentialityCredential to org.switchyard.component.soap.InboundHandler.CREDENTIALS, so it can be added to the SecurityContext. This was done because there was no apparent API to transfer that credential from the CXF world to the SwitchYard world.
The 2nd ThreadLocal was introduced in SWITCHYARD-1729, where org.switchyard.handlers.SecurityHandler.PROCESS_COUNT keeps track of how many times it is invoked in a single thread. This tells us when we are done with a service -> service reference -> service reference chain of execution, so we can remove the 3rd ThreadLocal below.
The 3rd ThreadLocal was introduced in SWITCHYARD-1729, where org.switchyard.security.context.SecurityContextManager.THREAD_LOCAL holds onto the current SecurityContext so it can be propagated from one Exchange Context Property to another (one that was created by org.switchyard.internal.ServiceReferenceImpl). This exists because we create new Exchanges from ServiceReferences without having access to the previous Exchange, so we have no easy place to transfer Exchange Context Properties from one to the other.
The 2nd and 3rd ThreadLocals are closely related to each other. Once we can get rid of the 3rd, the 2nd becomes obsolete.
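Why a thread-bound SecurityContext conflicts with asynchronous dispatching, as an added example that is not SwitchYard code: a pooled worker that still holds an earlier request's context hands that identity to the next exchange dispatched onto it, while a context carried on the exchange itself arrives intact. The class, the Exchange stand-in, the "securityContext" property name and the identities "alice" and "bob" are all hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadLocalContextDemo {
    // Hypothetical stand-in for a thread-bound security context holder.
    static final ThreadLocal<String> THREAD_LOCAL = new ThreadLocal<>();

    // Hypothetical stand-in for an exchange carrying context properties.
    static final class Exchange {
        final Map<String, Object> properties = new HashMap<>();
    }

    // Looks up the caller identity from whatever thread happens to run this.
    static String callerFromThread() {
        return THREAD_LOCAL.get();
    }

    // Looks up the caller identity from the exchange being processed.
    static String callerFromExchange(Exchange ex) {
        return (String) ex.properties.get("securityContext");
    }

    public static void main(String[] args) throws Exception {
        // One worker thread, reused for every task, as in a dispatch pool.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Request 1 ran on the worker as "alice" and was never cleaned up.
            pool.submit(() -> THREAD_LOCAL.set("alice")).get();

            // Request 2 is authenticated as "bob" on the calling thread,
            // then dispatched asynchronously to the pooled worker.
            THREAD_LOCAL.set("bob");
            Exchange ex = new Exchange();
            ex.properties.put("securityContext", "bob");

            Callable<String> viaThread = ThreadLocalContextDemo::callerFromThread;
            Callable<String> viaExchange = () -> callerFromExchange(ex);
            System.out.println("thread-bound lookup: " + pool.submit(viaThread).get());
            System.out.println("exchange lookup:     " + pool.submit(viaExchange).get());
        } finally {
            THREAD_LOCAL.remove();
            pool.shutdown();
        }
    }
}
```

If the worker had no leftover value, the thread-bound lookup would return null instead, which is the same propagation gap without the cross-request identity mix-up.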