Context
UsernamePasswordAuthenticationToken has two constructors.
One creates a UsernamePasswordAuthenticationToken in the unauthenticated state, and the other creates a UsernamePasswordAuthenticationToken in the authenticated state.
Constructors in Java cannot have names, so you have to look at the detailed implementation or refer to the Javadoc, etc., to get this information.
I think this part can be improved by adding static factory methods with names.
Let us know what you think about this proposal. And have a nice day.
Current code
```java
public class UsernamePasswordAuthenticationToken extends AbstractAuthenticationToken {
    // ...

    /**
     * This constructor can be safely used by any code that wishes to create a
     * <code>UsernamePasswordAuthenticationToken</code>, as the {@link #isAuthenticated()}
     * will return <code>false</code>.
     *
     */
    public UsernamePasswordAuthenticationToken(Object principal, Object credentials) {
        super(null);
        this.principal = principal;
        this.credentials = credentials;
        setAuthenticated(false);
    }

    /**
     * This constructor should only be used by <code>AuthenticationManager</code> or
     * <code>AuthenticationProvider</code> implementations that are satisfied with
     * producing a trusted (i.e. {@link #isAuthenticated()} = <code>true</code>)
     * authentication token.
     * @param principal
     * @param credentials
     * @param authorities
     */
    public UsernamePasswordAuthenticationToken(Object principal, Object credentials,
            Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.principal = principal;
        this.credentials = credentials;
        super.setAuthenticated(true); // must use super, as we override
    }

    // ...
}
```
Improved code
```java
public class UsernamePasswordAuthenticationToken extends AbstractAuthenticationToken {
    // ...

    /**
     * This constructor can be safely used by any code that wishes to create a
     * <code>UsernamePasswordAuthenticationToken</code>, as the {@link #isAuthenticated()}
     * will return <code>false</code>.
     *
     */
    public UsernamePasswordAuthenticationToken(Object principal, Object credentials) {
        super(null);
        this.principal = principal;
        this.credentials = credentials;
        setAuthenticated(false);
    }

    // Named factory for the unauthenticated state; static so it can be called without an instance.
    public static UsernamePasswordAuthenticationToken unauthenticated(Object principal, Object credentials) {
        return new UsernamePasswordAuthenticationToken(principal, credentials);
    }

    /**
     * This constructor should only be used by <code>AuthenticationManager</code> or
     * <code>AuthenticationProvider</code> implementations that are satisfied with
     * producing a trusted (i.e. {@link #isAuthenticated()} = <code>true</code>)
     * authentication token.
     * @param principal
     * @param credentials
     * @param authorities
     */
    public UsernamePasswordAuthenticationToken(Object principal, Object credentials,
            Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.principal = principal;
        this.credentials = credentials;
        super.setAuthenticated(true); // must use super, as we override
    }

    // Named factory for the authenticated (trusted) state; static so it can be called without an instance.
    public static UsernamePasswordAuthenticationToken authenticated(Object principal, Object credentials,
            Collection<? extends GrantedAuthority> authorities) {
        return new UsernamePasswordAuthenticationToken(principal, credentials, authorities);
    }

    // ...
}
```
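The call-site difference described in this issue, as an added example that is not part of the original issue or of Spring Security's code. `Token`, `authenticate`, `TokenFactoryDemo` and the sample values are hypothetical JDK-only stand-ins; `Token` carries the issue's two constructors plus the proposed named factories.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collection;
import java.util.List;

public class TokenFactoryDemo {
    // Stand-in for the token class (assumption: JDK-only, authorities as plain strings).
    static final class Token {
        final Object principal, credentials;
        final Collection<String> authorities;
        final boolean authenticated;
        Token(Object principal, Object credentials) {
            this(principal, credentials, List.of(), false);
        }
        Token(Object principal, Object credentials, Collection<String> authorities) {
            this(principal, credentials, authorities, true);
        }
        private Token(Object p, Object c, Collection<String> a, boolean authenticated) {
            this.principal = p;
            this.credentials = c;
            this.authorities = List.copyOf(a);
            this.authenticated = authenticated;
        }
        // Named factories: the resulting state is readable at the call site.
        static Token unauthenticated(Object principal, Object credentials) {
            return new Token(principal, credentials);
        }
        static Token authenticated(Object principal, Object credentials, Collection<String> authorities) {
            return new Token(principal, credentials, authorities);
        }
    }
    // Hypothetical provider step, the one place that should mint a trusted token (plaintext compare for brevity).
    static Token authenticate(Token request, String storedPassword) {
        if (request.authenticated) {
            throw new IllegalArgumentException("request token is already marked authenticated");
        }
        byte[] given = String.valueOf(request.credentials).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(given, storedPassword.getBytes(StandardCharsets.UTF_8))) {
            throw new SecurityException("bad credentials");
        }
        return Token.authenticated(request.principal, null, List.of("ROLE_USER"));
    }
    public static void main(String[] args) {
        Token request = Token.unauthenticated("alice", "s3cret"); // constructed sample values
        Token misread = new Token("alice", "s3cret", List.of());  // third argument alone flips the state
        boolean trusted = authenticate(request, "s3cret").authenticated;
        System.out.println(request.authenticated + " " + misread.authenticated + " " + trusted);
    }
}
```

With the bare constructors, an empty authority list is enough to produce a token that reports itself as authenticated, which is the misreading the named factories make visible in review.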
Comment From: nor-ek
@jzheaux If you want I can take it.
Comment From: jzheaux
It's yours, @nor-ek!
Comment From: nor-ek
Pull request https://github.com/spring-projects/spring-security/pull/10901