When using default form-based authentication, UsernamePasswordAuthenticationToken.getCredentials() (specifically, ((SecurityContextHolderAwareRequestWrapper)request).getUserPrincipal().getCredentials()) returns the user's cleartext password on all requests, even after the user's session has been authenticated.
Though I'm far from a security expert, this seems really bad. Authentication instances (in this case, UsernamePasswordAuthenticationToken) are likely being serialized to disk and databases right now by various containers – those serializations almost certainly contain users' cleartext passwords. Clustered applications that use distributed sessions offer an even broader surface for accessing those credentials.
A localized solution would be to add a setCredentials() method to AbstractAuthenticationToken, which UsernamePasswordAuthenticationFilter.attemptAuthentication() could use to clear the credentials after a successful authentication.
More broadly: perhaps there are auth providers that do require credentials even after a session has been authenticated, or perhaps there are other use cases where having credentials around is necessary for some other purpose, but (from my naive perspective) it seems that user credentials are never needed after authentication has been completed successfully, so perhaps all authentication managers should clear credentials from Authentication instances, regardless of the type of token/provider involved?