Hi Jasper. If you're talking about the attemptAuthentication method, the Javadoc says:
The implementation should do one of the following:
- Return a populated authentication token for the authenticated user, indicating successful authentication
- Return null, indicating that the authentication process is still in progress. Before returning, the implementation should perform any additional work required to complete the process.
- Throw an AuthenticationException if the authentication process fails
Which doesn't really seem very ambiguous to me...

The "isAuthenticated" flag was originally intended as an indicator that a token had not been processed (by the AuthenticationManager). In this case, the method is supposed to perform the authentication which should by definition mean that a user has been successfully authenticated if the method returns a non-null value. There's no practical reason I can see why it would return a token which had isAuthenticated==false. Perhaps you could explain the use case where you envisage doing this.
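The three outcomes of the contract quoted in the post above, as an added example that is not part of the original post or of Spring Security's own code. The class name, URLs and request parameter names are hypothetical, and an AuthenticationProvider that can validate the ticket is assumed to be configured on the AuthenticationManager.

```java
// Added illustration; TicketAuthenticationFilter, its URLs and parameter names are hypothetical.
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;   // jakarta.servlet.* on Spring Security 6+
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

public class TicketAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    private static final String LOGIN_PAGE = "https://idp.example.invalid/login"; // hypothetical

    public TicketAuthenticationFilter() {
        super("/login/ticket"); // hypothetical processing URL
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
            HttpServletResponse response) throws AuthenticationException, IOException {
        String user = request.getParameter("user");
        String ticket = request.getParameter("ticket");

        // Outcome 2: still in progress. Do the remaining work (here, send the
        // browser to the external login page) and return null.
        if (ticket == null) {
            response.sendRedirect(LOGIN_PAGE);
            return null;
        }

        // Outcome 3: failure is signalled by an exception, never by returning
        // a token whose isAuthenticated() is false.
        if (user == null || user.isEmpty()) {
            throw new AuthenticationServiceException("ticket presented without a user");
        }

        // The two-argument constructor builds an unauthenticated request token.
        UsernamePasswordAuthenticationToken authRequest =
                new UsernamePasswordAuthenticationToken(user, ticket);
        authRequest.setDetails(authenticationDetailsSource.buildDetails(request));

        // Outcome 1: the manager throws an AuthenticationException or returns
        // a populated, authenticated token, which is returned unchanged.
        return getAuthenticationManager().authenticate(authRequest);
    }
}
```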