Do you mean I need to define my own custom filter instead of ClientCredentialsTokenEndpointFilter and declare it as follows:
The normal way to authenticate a token request is with <basic/> auth
<!-- TOKEN REQUEST: the client authenticates with HTTP Basic against clientAuthenticationManager,
     then the custom filter runs after BASIC_AUTH_FILTER on the same chain -->
<http pattern="/api/oauth/token" use-expressions="true" create-session="stateless" entry-point-ref="clientAuthenticationEntryPoint" authentication-manager-ref="clientAuthenticationManager">
    <intercept-url pattern="/api/oauth/token" access="hasRole('USER')" />
    <!-- no anonymous access to the token endpoint -->
    <anonymous enabled="false" />
    <http-basic entry-point-ref="clientAuthenticationEntryPoint" />
    <!-- custom filter placed after the basic-auth filter, so the client is already authenticated when it runs -->
    <custom-filter ref="myCustomFilter" after="BASIC_AUTH_FILTER" />
    <access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
Surely the token request has to be validated and the credentials have to be checked? If not, how do you differentiate between a valid access token request and a rogue one? A rogue client can simply invoke the /oauth/token endpoint with any user credentials and get a valid token. Surely that can't be allowed?
What I suggested was that you simply trust the webapp to send you valid user data. If you want to, you could add a check in a filter downstream of the auth filter that pulls data out of your user store based on the username.
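The downstream check described in the reply above, written out as an added example; this is not code from the thread or from Spring Security OAuth. It assumes the filter is the `myCustomFilter` bean wired with `after="BASIC_AUTH_FILTER"` on the `/api/oauth/token` chain, that the webapp passes the user it acts for as a `username` request parameter (an assumed parameter name), and that the user store is exposed as a Spring Security `UserDetailsService`. The class name `TokenRequestUserCheckFilter` is hypothetical.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Hypothetical filter placed after BASIC_AUTH_FILTER on the token endpoint.
 * By the time it runs, the basic-auth filter has authenticated the client
 * (the webapp) against clientAuthenticationManager. This filter does not
 * check the user's password; it only verifies that the username the trusted
 * client supplies exists and is usable in the user store.
 */
public class TokenRequestUserCheckFilter extends OncePerRequestFilter {

    private final UserDetailsService userStore;

    public TokenRequestUserCheckFilter(UserDetailsService userStore) {
        this.userStore = userStore;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // Refuse unless the basic-auth filter has already authenticated the client.
        Authentication client = SecurityContextHolder.getContext().getAuthentication();
        if (client == null || !client.isAuthenticated()) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client not authenticated");
            return;
        }

        // "username" is an assumed parameter name for the user the client acts for.
        String username = request.getParameter("username");
        if (username == null || username.isEmpty()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing username");
            return;
        }

        // Look the user up in the store; reject unknown, disabled or locked accounts.
        try {
            UserDetails user = userStore.loadUserByUsername(username);
            if (!user.isEnabled() || !user.isAccountNonLocked()) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "user disabled or locked");
                return;
            }
        } catch (UsernameNotFoundException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "unknown user");
            return;
        }

        chain.doFilter(request, response);
    }
}
```

Declare it as a bean with id `myCustomFilter` and a constructor-arg referencing your `UserDetailsService` so the `<custom-filter ref="myCustomFilter" after="BASIC_AUTH_FILTER" />` line picks it up. Because `<anonymous enabled="false" />` is set on that chain, a request without valid client credentials never reaches this filter. The filter still relies on the client being trustworthy, as the reply says: it stops tokens being minted for non-existent or disabled users, not a compromised client naming a real one.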