It should be possible to configure the AuthenticationManager to erase sensitive data (credentials) held in Authentication objects and in UserDetails implementations. If these implement a known interface (e.g. CredentialsContainer), the AuthenticationManager can invoke an eraseCredentials() method to remove credential data that is no longer required once authentication has completed, so that a password presented at login is not kept in memory for as long as the resulting Authentication object lives. This should be the default behaviour in 3.1 and optional in 3.0.3.
Users should be aware that this could cause problems where a user cache is used: if the cached UserDetails instance is the same object whose credentials are erased, subsequent authentications against the cache will fail unless the cache hands out a copy. It will also not work where the user's credentials must be propagated automatically, for example over RMI.
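The following is an added, self-contained Java model of the proposal and of the user-cache caveat; it is not code from this issue or from Spring Security (the feature later shipped there as the CredentialsContainer interface, implemented by User and UsernamePasswordAuthenticationToken, with ProviderManager.setEraseCredentialsAfterAuthentication). All class names below (StoredUser, PasswordAuthentication, UserCache, EraseOnSuccessAuthenticationManager) are hypothetical stand-ins for UserDetails, Authentication, a UserCache and an AuthenticationManager, and the credential check is a plaintext comparison purely to keep the model short.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

// Constructed model of the proposed interface (not Spring Security's own class).
interface CredentialsContainer {
    void eraseCredentials(); // drop any secret this object holds once it is no longer needed
}

// Stand-in for a UserDetails implementation that can erase its own password.
final class StoredUser implements CredentialsContainer {
    private final String username;
    private char[] password; // char[] so it can be zeroed in place, unlike a String

    StoredUser(String username, char[] password) {
        this.username = username;
        this.password = password.clone();
    }
    String getUsername() { return username; }
    char[] getPassword() { return password; }
    StoredUser copy() { return new StoredUser(username, password); }

    @Override public void eraseCredentials() {
        if (password != null) {
            Arrays.fill(password, '\0'); // overwrite, then drop the reference
            password = null;
        }
    }
}

// Stand-in for an Authentication token: principal plus the presented credentials.
final class PasswordAuthentication implements CredentialsContainer {
    private final StoredUser principal;
    private char[] credentials;

    PasswordAuthentication(StoredUser principal, char[] credentials) {
        this.principal = principal;
        this.credentials = credentials;
    }
    char[] getCredentials() { return credentials; }

    // Erase the presented secret and cascade to the principal, as the issue proposes.
    @Override public void eraseCredentials() {
        if (credentials != null) {
            Arrays.fill(credentials, '\0');
            credentials = null;
        }
        principal.eraseCredentials();
    }
}

// The user cache the issue warns about: with copyOnLoad=false it hands out the same
// instance on every lookup, so erasing the token also erases the cache entry.
final class UserCache {
    private final Map<String, StoredUser> users = new HashMap<>();
    private final boolean copyOnLoad;

    UserCache(boolean copyOnLoad) { this.copyOnLoad = copyOnLoad; }
    void put(StoredUser user) { users.put(user.getUsername(), user); }
    StoredUser load(String username) {
        StoredUser u = users.get(username);
        return (u == null || !copyOnLoad) ? u : u.copy();
    }
}

final class EraseOnSuccessAuthenticationManager {
    private final UserCache cache;
    private final boolean eraseCredentialsAfterAuthentication;

    EraseOnSuccessAuthenticationManager(UserCache cache, boolean erase) {
        this.cache = cache;
        this.eraseCredentialsAfterAuthentication = erase;
    }

    PasswordAuthentication authenticate(String username, char[] presented) {
        StoredUser user = cache.load(username);
        // A real provider compares against a stored hash with a constant-time check;
        // plaintext equality is used here only to keep the model short.
        if (user == null || user.getPassword() == null
                || !Arrays.equals(user.getPassword(), presented)) {
            throw new SecurityException("Bad credentials for " + username);
        }
        PasswordAuthentication result = new PasswordAuthentication(user, presented);
        if (eraseCredentialsAfterAuthentication) {
            result.eraseCredentials();
        }
        return result;
    }
}

public class EraseCredentialsDemo {
    public static void main(String[] args) {
        // Shared-instance cache: the second login of the same user fails because the
        // first successful authentication zeroed the cached password.
        UserCache shared = new UserCache(false);
        shared.put(new StoredUser("alice", "s3cret".toCharArray()));
        EraseOnSuccessAuthenticationManager mgr = new EraseOnSuccessAuthenticationManager(shared, true);
        PasswordAuthentication first = mgr.authenticate("alice", "s3cret".toCharArray());
        System.out.println("token credentials erased: " + (first.getCredentials() == null));
        try {
            mgr.authenticate("alice", "s3cret".toCharArray());
        } catch (SecurityException e) {
            System.out.println("second login against shared cache: " + e.getMessage());
        }
        // Copy-on-load cache: each authentication erases only its own copy.
        UserCache copying = new UserCache(true);
        copying.put(new StoredUser("alice", "s3cret".toCharArray()));
        EraseOnSuccessAuthenticationManager safeMgr = new EraseOnSuccessAuthenticationManager(copying, true);
        safeMgr.authenticate("alice", "s3cret".toCharArray());
        safeMgr.authenticate("alice", "s3cret".toCharArray());
        System.out.println("second login against copying cache: ok");
    }
}
```

The two runs in main() show the trade-off: erasing after authentication keeps the presented password out of the long-lived token, but a cache that returns its stored instance by reference has its password zeroed along with it, so either the cache must return a copy (as the copyOnLoad branch does) or erasure must be switched off for that deployment, which is the optional setting the issue asks for.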