The documentation for Spring Security seems to have a discrepancy regarding how the UsernamePasswordAuthenticationToken is created and passed during authentication. The described behavior does not align with the actual implementation in the code.

What the documentation says

  1. When the user submits their username and password, the BasicAuthenticationFilter creates a UsernamePasswordAuthenticationToken, which is a type of Authentication by extracting the username and password from the HttpServletRequest.

  2. Next, the UsernamePasswordAuthenticationToken is passed into the AuthenticationManager to be authenticated. The details of what AuthenticationManager looks like depend on how the user information is stored.

What I observe in the code

  1. BasicAuthenticationFilter creates a new Authentication with the user credentials from the HttpServletRequest. It then delegates to the AuthenticationManager to authenticate this object.
  2. The AuthenticationManager delegates to its AuthenticationProviders.
  3. Upon successful authentication, the provider creates the UsernamePasswordAuthenticationToken and returns it.

Conclusion

As I understand it, the BasicAuthenticationFilter neither creates the token nor passes it to the authentication manager as the documentation suggests.

What it actually does is create and pass the Authentication object filled with credentials from the request.
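The filter-to-manager-to-provider flow described in this issue, as an added example that is neither part of the original report nor Spring Security's own code. A hypothetical `DemoProvider` stands in for the real `AuthenticationProvider` (e.g. `DaoAuthenticationProvider`), and `tokenFromBasicHeader` mirrors what `BasicAuthenticationFilter` does with the `Authorization` header. It assumes Spring Security 5.7 or later on the classpath (for the `unauthenticated`/`authenticated` factory methods); the user name, password and header value are constructed demo values. Running it shows the two distinct objects involved: the unauthenticated request token built from the request, and the separate, authenticated token the provider returns.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;

/**
 * Hypothetical provider standing in for DaoAuthenticationProvider: it receives the
 * unauthenticated request token and, on success, returns a fresh authenticated token.
 */
class DemoProvider implements AuthenticationProvider {

    // Constructed in-memory user for the demo (not real credentials).
    private static final String DEMO_USER = "alice";
    private static final byte[] DEMO_PASSWORD = "s3cret".getBytes(StandardCharsets.UTF_8);

    @Override
    public Authentication authenticate(Authentication request) throws AuthenticationException {
        String name = request.getName();
        byte[] presented = String.valueOf(request.getCredentials()).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison so the check does not leak how many bytes matched.
        boolean ok = DEMO_USER.equals(name) && MessageDigest.isEqual(DEMO_PASSWORD, presented);
        if (!ok) {
            throw new BadCredentialsException("Bad credentials");
        }
        // Success: a NEW token, marked authenticated, carrying the granted authorities.
        // The password is not copied into it, so it never reaches the SecurityContext.
        return UsernamePasswordAuthenticationToken.authenticated(
                name, null, AuthorityUtils.createAuthorityList("ROLE_USER"));
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

public class BasicAuthFlowDemo {

    /** Mirrors what BasicAuthenticationFilter does with a "Basic ..." Authorization header. */
    static UsernamePasswordAuthenticationToken tokenFromBasicHeader(String headerValue) {
        String base64 = headerValue.substring("Basic ".length());
        String decoded = new String(Base64.getDecoder().decode(base64), StandardCharsets.UTF_8);
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            throw new BadCredentialsException("Invalid basic authentication token");
        }
        // Unauthenticated request token: principal = user name, credentials = raw password.
        return UsernamePasswordAuthenticationToken.unauthenticated(
                decoded.substring(0, colon), decoded.substring(colon + 1));
    }

    public static void main(String[] args) {
        // ProviderManager is the AuthenticationManager; it delegates to its providers.
        AuthenticationManager manager = new ProviderManager(new DemoProvider());

        // Constructed header equivalent to "alice:s3cret".
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("alice:s3cret".getBytes(StandardCharsets.UTF_8));

        Authentication request = tokenFromBasicHeader(header);
        System.out.println("request authenticated? " + request.isAuthenticated());

        Authentication result = manager.authenticate(request);
        System.out.println("result authenticated?  " + result.isAuthenticated());
        System.out.println("same instance?         " + (request == result));
        System.out.println("result credentials:    " + result.getCredentials());
        System.out.println("authorities:           " + result.getAuthorities());

        // A wrong password is rejected by the provider, not by the filter or manager.
        String badHeader = "Basic " + Base64.getEncoder()
                .encodeToString("alice:wrong".getBytes(StandardCharsets.UTF_8));
        try {
            manager.authenticate(tokenFromBasicHeader(badHeader));
        } catch (BadCredentialsException e) {
            System.out.println("wrong password rejected: " + e.getMessage());
        }
    }
}
```

The point to watch in a real deployment is the second token: `ProviderManager` erases credentials from the returned token by default, and the provider here never copies the password into it, so the object that ends up in the `SecurityContext` holds the principal and authorities but not the secret the filter extracted from the request.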