the createSuccessfulAuthentication(UsernamePasswordAuthenticationToken auth, UserDetails user) method from LdapAuthenticationProvider returns a new UsernamePasswordAuthenticationToken based on auth's password, depending on useAuthenticationRequestCredentials boolean.
In the case this happens, shouldn't the returned object also include auth.getDetails()? I.e., something like:
protected Authentication createSuccessfulAuthentication(UsernamePasswordAuthenticationToken authentication, UserDetails user)
Object password = useAuthenticationRequestCredentials ? authentication.getCredentials() : ((Object) (user.getPassword()));
return new UsernamePasswordAuthenticationToken(user, password, user.getAuthorities());
(as part of our current project, we are building a custom authenticationProvider which extends LdapAuthenticationProvider, and we expected this behaviour. Not very sure this should be marked as bug or as an improvement, though)