Expected Behavior
The SwitchUserFilter should be configurable to allow the credentials to be removed from the UsernamePasswordAuthenticationToken object when necessary.
Current Behavior
Currently, SwitchUserFilter puts credentials in the UsernamePasswordAuthenticationToken for some needed purpose. It would be nice if there were an option that we could configure to remove the credentials from it.
Context
When working with Spring Authorization Server, when a user authenticates successfully, it saves an access_token with some additional data, including the credentials inside the UsernamePasswordAuthenticationToken obtained from SwitchUserFilter, to the database (token store). My current solution is to implement an AuthenticationSuccessHandler that erases the credentials from the authentication object before forwarding to Spring Authorization Server, in order to avoid potential security risks. I apologize if there was any misunderstanding.
Best regards,
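A sketch of the workaround described in the issue, added here as an example and not the reporter's or the Spring Security project's code. It assumes Spring Security 6 (`jakarta.servlet`, Java 17); the class name `CredentialErasingSuccessHandler`, the `switchUserFilter` factory method and the `/` target URL are hypothetical.

```java
import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.CredentialsContainer;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;

/** Hypothetical handler: erases credentials, then hands off to a delegate. */
public final class CredentialErasingSuccessHandler implements AuthenticationSuccessHandler {

    private final AuthenticationSuccessHandler delegate;

    public CredentialErasingSuccessHandler(AuthenticationSuccessHandler delegate) {
        this.delegate = delegate;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        // UsernamePasswordAuthenticationToken implements CredentialsContainer.
        // eraseCredentials() nulls the token's credentials in place and also
        // erases the principal and details if they are CredentialsContainers
        // (for example a UserDetails object holding the password hash).
        if (authentication instanceof CredentialsContainer container) {
            container.eraseCredentials();
        }
        // Continue with the normal post-switch redirect or forward.
        this.delegate.onAuthenticationSuccess(request, response, authentication);
    }

    /** Example wiring; the target URL "/" is a placeholder. */
    public static SwitchUserFilter switchUserFilter(UserDetailsService users) {
        SwitchUserFilter filter = new SwitchUserFilter();
        filter.setUserDetailsService(users);
        filter.setSuccessHandler(new CredentialErasingSuccessHandler(
                new SimpleUrlAuthenticationSuccessHandler("/")));
        return filter;
    }
}
```

Before relying on this, inspect a stored authorization record after a switch and confirm that the serialized principal no longer carries a credentials value.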