
Thread: using authentication token during authorisation

  1. #11
    Join Date
    Sep 2010
    Posts
    12

    That's what I suspected (but wasn't sure about): that the request object is discarded and a new authentication object is created.

    Thanks for your comments.

    Another question I asked before: in my own implementation of attemptAuthentication() I took over the following lines of code:

    Code:
    // Place the last username attempted into HttpSession for views
    HttpSession session = request.getSession(false);
    if (session != null || getAllowSessionCreation())
    {
        request.getSession().setAttribute(SPRING_SECURITY_LAST_USERNAME_KEY, TextUtils.escapeEntities(username));
    }

    // Allow subclasses to set the "details" property
    setDetails(request, authRequest);
    Are they needed or can I remove them?

  2. #12
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    It depends on whether you want access to the username (in a failed authentication view, for example) or the "details" object created by the authentication filter for any reason. If you don't, then you don't need them.
    Spring - by Pivotal
    twitter @tekul
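
To illustrate the answer above, here is an added example (not code from either poster or from the Spring Security project) of a custom filter that drops the last-username session attribute but keeps `setDetails()`, together with one consumer that depends on the resulting "details" object. The class names `CustomLoginFilter` and `FailedLoginAuditListener` are hypothetical, and the example assumes the filter extends `UsernamePasswordAuthenticationFilter` and that the authentication manager publishes authentication events.

```java
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

// Hypothetical custom filter: no last-username session attribute, but keeps setDetails().
public class CustomLoginFilter extends UsernamePasswordAuthenticationFilter {
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
            HttpServletResponse response) throws AuthenticationException {
        String username = obtainUsername(request);
        String password = obtainPassword(request);
        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
                username == null ? "" : username.trim(), password == null ? "" : password);
        // Without this call, getDetails() returns null for everything downstream.
        setDetails(request, authRequest);
        return getAuthenticationManager().authenticate(authRequest);
    }
}

// Hypothetical consumer of the "details" object: audits failed logins with the client address.
class FailedLoginAuditListener
        implements ApplicationListener<AuthenticationFailureBadCredentialsEvent> {
    private static final Logger LOG = Logger.getLogger("security.audit");

    public void onApplicationEvent(AuthenticationFailureBadCredentialsEvent event) {
        Authentication attempt = event.getAuthentication();
        Object details = attempt.getDetails();
        String remote = (details instanceof WebAuthenticationDetails)
                ? ((WebAuthenticationDetails) details).getRemoteAddress()
                : "unknown"; // e.g. the filter skipped setDetails()
        // The username is attacker-controlled: strip control characters before logging.
        String user = attempt.getName().replaceAll("\\p{Cntrl}", "_");
        LOG.warning("Failed login for '" + user + "' from " + remote);
    }
}
```

If nothing in the application reads `getDetails()` (no audit listener, no provider that checks the remote address or session id), the `setDetails()` call can be removed as well.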
