That's what I suspected (but wasn't sure about): that the request object is discarded and a new authentication object is created.
Thanks for your comments.
Another question I asked before: in my own implementation of attemptAuthentication() I took over the following lines of code:
Are they needed or can I remove them?
// Place the last username attempted into HttpSession for views
HttpSession session = request.getSession (false);
if (session != null || getAllowSessionCreation ())
request.getSession ().setAttribute (SPRING_SECURITY_LAST_USERNAME_KEY, TextUtils.escapeEntities (username));
// Allow subclasses to set the "details" property
setDetails (request, authRequest);