https://github.com/spring-projects/spring-security/blob/1de0cf5057d755bcf25ef0db60297d42e2852f45/core/src/main/java/org/springframework/security/authentication/AbstractAuthenticationToken.java#L34
This class has multiple methods that do mutate the state (two setters and eraseSecret). Am I supposed to override them to have immutable implementations? I think the documentation should mention what to do here.
Comment From: rwinch
This is a good point. Ideally we would provide Authentication implementations that are immutable to avoid race conditions. However, for historical reasons it is unfortunate that both Authentication and SecurityContext are mutable. I created gh-8323 to fix this.
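One way to apply the immutability advice in practice, as an added example that is not from the thread or from Spring Security itself: a hypothetical `ImmutableAuthenticationToken` that fixes all state in its constructor and rejects the inherited mutators named in the question. It assumes only the `AbstractAuthenticationToken` and `GrantedAuthority` types referenced by the linked file.

```java
import java.util.Collection;

import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;

/**
 * Hypothetical immutable token (not a Spring Security class). All state is
 * fixed in the constructor and the inherited mutators are overridden, so an
 * instance shared between threads cannot be changed after it is published.
 */
public final class ImmutableAuthenticationToken extends AbstractAuthenticationToken {
    private final Object principal;

    private ImmutableAuthenticationToken(Object principal,
            Collection<? extends GrantedAuthority> authorities, Object details) {
        // The superclass stores the authorities as an unmodifiable collection.
        super(authorities);
        this.principal = principal;
        // Non-virtual super calls: set once, before the instance is visible to others.
        super.setDetails(details);
        super.setAuthenticated(true);
    }

    /** Factory for an already-verified principal; the credential is never retained. */
    public static ImmutableAuthenticationToken authenticated(Object principal,
            Collection<? extends GrantedAuthority> authorities, Object details) {
        return new ImmutableAuthenticationToken(principal, authorities, details);
    }

    @Override
    public Object getCredentials() {
        return null; // no secret is stored, so nothing can leak or need erasing
    }

    @Override
    public Object getPrincipal() {
        return this.principal;
    }

    @Override
    public void setAuthenticated(boolean authenticated) {
        throw new UnsupportedOperationException("immutable token");
    }

    @Override
    public void setDetails(Object details) {
        throw new UnsupportedOperationException("immutable token");
    }

    @Override
    public void eraseCredentials() {
        // Intentionally a no-op: there is no stored secret, and filters may call this freely.
    }
}
```

Callers that need a different authentication state build a new token rather than mutating a shared one.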