Is there any reason why the following functionality cannot be implemented using AbstractProcessingFilter?
Scenario: User can't remember password. User clicks Forgot Password. App prompts user with his registered secret question. User submits answer to secret question. Email gets sent to user. User clicks time-sensitive link in email to change password.
Since the answer to the secret question is as good as having the password associated with the user, why can't I use AbstractProcessingFilter as follows:
The AbstractProcessingFilter is launched when a URL is requested (that is different from the URL watched by the regular username/password processing filter i.e. AuthenticationProcessingFilter).
Filter extracts username and secret answer from request.
If unsuccessful, we go to failureUrl.
If successful, the overridden successfulAuthentication method does NOT put the authentication into the context. It skips that step. I read that a best practice is to not allow the user to change his password immediately after a successful secret question challenge. We just go to the defaultUrl (which says an email has been sent containing a link to reset the password, blah, blah, blah).