Improve Javadoc to detail exactly what is expected when overriding the methods for custom pre-auth - while there are a few examples on the web, it took a bit of digging to find - my issue was not knowing I had to at least return an empty string from getPreAuthenticatedCredentials() and what object type to return from getPreAuthenticatedPrincipal()
Perhaps add a little more detail on the methods, something like:
- Override to extract the principal information from the current request.
- Return either a String object with the principal name or a subclass of java.security.Principal.
protected abstract Object getPreAuthenticatedPrincipal(HttpServletRequest request);
- Override to extract the credentials (if applicable) from the current request. Ensure to return at least an empty string in the case of no credentials, as returning null will cause an exception to be thrown and the pre-authentication filter to fail.
protected Object getPreAuthenticatedCredentials(final HttpServletRequest request);
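
A minimal subclass following the contract requested above, as an added example that is not part of the original report or Spring Security's own code. The class name `HeaderPreAuthFilter`, the header name `X-Remote-User`, the `create` helper and the `javax.servlet` import (`jakarta.servlet` on Spring Security 6 and later) are assumptions, and Spring Security must be on the classpath.

```java
import java.util.Collections;
import javax.servlet.http.HttpServletRequest; // assumption: jakarta.servlet.http on Spring Security 6+
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

// Hypothetical filter: reads the user name that a fronting proxy has already authenticated.
public class HeaderPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {

    // Constructed header name. It is only trustworthy when the proxy strips any
    // client-supplied copy and the application is not reachable around the proxy.
    private static final String USER_HEADER = "X-Remote-User";

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String user = request.getHeader(USER_HEADER);
        // A null principal makes the filter skip pre-authentication for this request.
        if (user == null || user.trim().isEmpty()) {
            return null;
        }
        // A String principal name, one of the two return types described in the report.
        return user.trim();
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        // No credentials in this scheme: return an empty string, never null,
        // which is the requirement the report above asks to have documented.
        return "";
    }

    // Wires the filter to a provider that loads the user by the pre-authenticated name.
    public static HeaderPreAuthFilter create(UserDetailsService users) {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(
                new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(users));
        HeaderPreAuthFilter filter = new HeaderPreAuthFilter();
        filter.setAuthenticationManager(new ProviderManager(Collections.singletonList(provider)));
        return filter;
    }
}
```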