RequestSecurityValidator.validateSecureRequestForEndpoint(...) currently has a void return type, with the idea that if the request passes auth you do nothing, and if it fails auth you throw an appropriate exception.

We should change the return type to Optional<ResponseInfo<?>> to allow you to short circuit with an explicit full-flexibility response if you wanted to. For example, you might want to send a 302/307 redirect.

So there would be three options for handling a request in RequestSecurityValidator.validateSecureRequestForEndpoint(...):

• Return Optional.empty() (or null) to indicate the request passed auth and request processing should proceed.
• Return a non-empty Optional<ResponseInfo<?>> to short circuit with the provided response immediately, bypassing any endpoint and any after-security-validator-RequestAndResponseFilters. (The response side of RequestAndResponseFilter should still run).
• Throw an exception with the same support we have now.

This would be an API breaking change.

To toss out another API breaking change, maybe considering changing the API to return a CompletableFuture instead of assuming a quick, fast response on the main thread when you make this change.

CompletableFuture<Optional<ResponseInfo<?>>> validateSecureRequestForEndpoint

This would remove the need for isFastEnoughToRunOnNettyWorkerThread flag