It is possible to add custom fields to a token used by the AuthenticationTokenCookieInterceptor, by using a TokenProviderAspect which adds the custom fields to the attributes parameter of the generateToken() method.
These attributes could be used to store authorization context, for example if a user has access to a specific tenant then that tenant identifier could be stored as a custom attribute in the token.
The SubjectRoleProvider used by the AuthenticationRequestInterceptor will not have to perform a call to the database to determine if the user has access to the tenant, but can just check the token to verify access.
If the user then switches to a different context the token needs to be updated so the new tenant identifier is stored. Currently the only option for this is to force a logout/login when a user switches roles.