That's what I suspected (but wasn't sure about): that the request object is discarded and a new authentication object is created.

Thanks for your comments.

Another question I asked before: in my own implementation of attemptAuthentication() I took over the following lines of code:

Code:
// Place the last username attempted into HttpSession for views
HttpSession session = request.getSession (false);
if (session != null || getAllowSessionCreation ())
{
   request.getSession ().setAttribute (SPRING_SECURITY_LAST_USERNAME_KEY, TextUtils.escapeEntities (username));
}

// Allow subclasses to set the "details" property
setDetails (request, authRequest);

Are they needed or can I remove them?