Jasper Blues (Migrated from SEC-1567) said:
AbstractAuthenticationProcessingFilter treats a returned Authentication implementation as successful, even if Authentication.isAuthenticated == false.
Only 'null' or AuthenticationFailureException are honored as failed authentication attempts.
This seems ambiguous. Wouldn't it be better if only Authentication.isAuthenticated == true is honored as successful authentication?
Luke Taylor said:
Hi Jasper. If you're talking about the attemptAuthentication method, the Javadoc says:
The implementation should do one of the following:
Which doesn't really seem very ambiguous to me... The "isAuthenticated" flag was originally intended as an indicator that a token had not been processed (by the AuthenticationManager). In this case, the method is supposed to perform the authentication which should by definition mean that a user has been successfully authenticated if the method returns a non-null value. There's no practical reason I can see why it would return a token which had isAuthenticated==false. Perhaps you could explain the use case where you envisage doing this.
No further input, so closing.
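For readers arriving at this thread wanting to see the contract Luke describes in code, here is an added example of an attemptAuthentication implementation. It is not code from Spring Security or from either participant: the filter class, the "/example/login" URL and the two header names are assumptions made for illustration. It follows the Javadoc contract (return a fully authenticated Authentication on success, throw an AuthenticationException on failure) and additionally applies the defensive check Jasper asked about, treating a token with isAuthenticated() == false as a failure instead of returning it to the filter.

```java
// Added example, not code from the Spring Security project or from this thread.
// Demonstrates the attemptAuthentication contract: non-null return == success,
// AuthenticationException == failure. The final isAuthenticated() check is a
// defensive addition; the class, URL and header names below are assumptions.
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

public class HeaderCredentialsFilter extends AbstractAuthenticationProcessingFilter {

    // Hypothetical header names used only by this example filter.
    private static final String USER_HEADER = "X-Example-User";
    private static final String PASSWORD_HEADER = "X-Example-Password";

    public HeaderCredentialsFilter(AuthenticationManager authenticationManager) {
        super("/example/login"); // URL this filter processes; assumed for the example
        setAuthenticationManager(authenticationManager);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        String user = request.getHeader(USER_HEADER);
        String password = request.getHeader(PASSWORD_HEADER);

        // Missing credentials are a failed attempt. The contract says to signal that by
        // throwing an AuthenticationException, never by returning a token whose
        // isAuthenticated() is false.
        if (user == null || password == null) {
            throw new BadCredentialsException("Missing credential headers");
        }

        // Request token: isAuthenticated() is false here because no AuthenticationManager
        // has processed it yet, which is the original meaning of the flag.
        UsernamePasswordAuthenticationToken requestToken =
                new UsernamePasswordAuthenticationToken(user, password);

        // The manager either returns a fully authenticated token or throws.
        Authentication result = getAuthenticationManager().authenticate(requestToken);

        // Defensive check: the processing filter treats any non-null return as success,
        // so a provider that hands back an unauthenticated token is converted into a
        // failure here rather than being passed up the chain.
        if (result == null || !result.isAuthenticated()) {
            throw new InternalAuthenticationServiceException(
                    "AuthenticationManager returned an unauthenticated result");
        }
        return result;
    }
}
```

The filter is registered like any other AbstractAuthenticationProcessingFilter subclass, with an AuthenticationManager wired in; the point of the last check is that a misconfigured or buggy provider fails closed at the filter boundary instead of producing a session for a principal that was never actually verified.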