AbstractPreAuthenticatedProcessingFilter helpfully has continueFilterChainOnUnsuccessfulAuthentication. However, the try/catch that enables the continue is not broad enough. The methods getPreAuthenticatedPrincipal() and getPreAuthenticatedCredentials() are not covered, so if, for example, when using the request header preauth and the preauth header (SM_USER or otherwise) is not found, the filter chain does not continue; you get an auth failure instead because it throws PreAuthenticatedCredentialsNotFoundException.
The behavior I'm looking for is if AbstractPreAuthenticatedProcessingFilter.doAuthenticate() fails, the filter chain continues, whether it's getPreAuthenticatedPrincipal() or getPreAuthenticatedCredentials() or authenticationManager.authenticate() that fails.
I don't know if you want to just extend the try/catch to cover the two get methods or have some separate configuration property, but since you already support a "continue" configuration it'd be nice to support continuing on any failure in doAuthenticate().