David (Migrated from SEC-1350) said:
Improve Javadoc to detail exactly what is expected when overriding the methods for custom pre-auth - while there are a few examples on the web it took a bit of digging to find - my issue was not knowing I had to at least return an empty string from getPreAuthenticatedCredentials() and what object type to return from getPreAuthenticatedPrincipal().
Perhaps add a little more detail on the methods to something like:
Luke Taylor said:
The pre-authentication framework is very flexible (its main purpose is for customization), so neither of these assumptions really hold in all cases. We should probably clarify that the standard PreAuthenticationProvider, if used, will reject null credentials, but where does the assertion that the principal must be a String or a Principal instance come from?
I've added some extra Javadoc to clarify the situation if credentials are null and the standard provider is in use.
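For readers arriving from a search, the two overrides discussed in this thread look like this in a minimal custom filter. This is an added example, not code from either poster or from the Spring Security project; the class name `ProxyHeaderPreAuthFilter` and the header name `X-Authenticated-User` are hypothetical, and the `javax.servlet` import assumes a Spring Security version built on the `javax` servlet API.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

/**
 * Hypothetical pre-authentication filter that takes the user name from a
 * header set by an authenticating reverse proxy. The header is only
 * trustworthy if the application is reachable solely through that proxy
 * and the proxy strips any client-supplied copy of the header.
 *
 * An AuthenticationManager must be set on the filter before use.
 */
public class ProxyHeaderPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {

    // Assumed header name; use whatever the upstream system actually sets.
    private static final String USER_HEADER = "X-Authenticated-User";

    /**
     * The declared return type is Object, so the framework does not fix the
     * principal type; a String is this example's choice. Returning null
     * tells the filter that no pre-authenticated principal is present, and
     * the request continues down the chain unauthenticated.
     */
    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String user = request.getHeader(USER_HEADER);
        if (user == null || user.trim().isEmpty()) {
            return null;
        }
        return user.trim();
    }

    /**
     * There is no password in this scheme, but the standard provider
     * rejects a token whose credentials are null, as noted in the thread,
     * so a non-null placeholder is returned. An empty string also works.
     */
    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A";
    }
}
```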