UsernamePasswordAuthenticationToken factory methods

cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationFilter.java

@@ -246,7 +246,8 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 			this.logger.debug("Failed to obtain an artifact (cas ticket)");
 			password = "";
 		}
-		UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
+		UsernamePasswordAuthenticationToken authRequest = UsernamePasswordAuthenticationToken.unauthenticated(username,
+				password);
 		authRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));
 		return this.getAuthenticationManager().authenticate(authRequest);
 	}

cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationProviderTests.java

@@ -87,8 +87,8 @@ public void statefulAuthenticationIsSuccessful() throws Exception {
 		cap.setServiceProperties(makeServiceProperties());
 		cap.setTicketValidator(new MockTicketValidator(true));
 		cap.afterPropertiesSet();
-		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
-				CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER, "ST-123");
+		UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken
+				.unauthenticated(CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER, "ST-123");
 		token.setDetails("details");
 		Authentication result = cap.authenticate(token);
 		// Confirm ST-123 was NOT added to the cache
@@ -120,8 +120,8 @@ public void statelessAuthenticationIsSuccessful() throws Exception {
 		cap.setTicketValidator(new MockTicketValidator(true));
 		cap.setServiceProperties(makeServiceProperties());
 		cap.afterPropertiesSet();
-		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
-				CasAuthenticationFilter.CAS_STATELESS_IDENTIFIER, "ST-456");
+		UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken
+				.unauthenticated(CasAuthenticationFilter.CAS_STATELESS_IDENTIFIER, "ST-456");
 		token.setDetails("details");
 		Authentication result = cap.authenticate(token);
 		// Confirm ST-456 was added to the cache
@@ -157,8 +157,8 @@ public void authenticateAllNullService() throws Exception {
 		cap.setServiceProperties(serviceProperties);
 		cap.afterPropertiesSet();
 		String ticket = "ST-456";
-		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
-				CasAuthenticationFilter.CAS_STATELESS_IDENTIFIER, ticket);
+		UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken
+				.unauthenticated(CasAuthenticationFilter.CAS_STATELESS_IDENTIFIER, ticket);
 		Authentication result = cap.authenticate(token);
 	}
 
@@ -178,8 +178,8 @@ public void authenticateAllAuthenticationIsSuccessful() throws Exception {
 		cap.setServiceProperties(serviceProperties);
 		cap.afterPropertiesSet();
 		String ticket = "ST-456";
-		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
-				CasAuthenticationFilter.CAS_STATELESS_IDENTIFIER, ticket);
+		UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken
+				.unauthenticated(CasAuthenticationFilter.CAS_STATELESS_IDENTIFIER, ticket);
 		Authentication result = cap.authenticate(token);
 		verify(validator).validate(ticket, serviceProperties.getService());
 		serviceProperties.setAuthenticateAllArtifacts(true);
@@ -211,8 +211,8 @@ public void missingTicketIdIsDetected() throws Exception {
 		cap.setTicketValidator(new MockTicketValidator(true));
 		cap.setServiceProperties(makeServiceProperties());
 		cap.afterPropertiesSet();
-		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
-				CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER, "");
+		UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken
+				.unauthenticated(CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER, "");
 		assertThatExceptionOfType(BadCredentialsException.class).isThrownBy(() -> cap.authenticate(token));
 	}
 
@@ -314,8 +314,8 @@ public void ignoresUsernamePasswordAuthenticationTokensWithoutCasIdentifiersAsPr
 		cap.setTicketValidator(new MockTicketValidator(true));
 		cap.setServiceProperties(makeServiceProperties());
 		cap.afterPropertiesSet();
-		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("some_normal_user",
-				"password", AuthorityUtils.createAuthorityList("ROLE_A"));
+		UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken
+				.authenticated("some_normal_user", "password", AuthorityUtils.createAuthorityList("ROLE_A"));
 		assertThat(cap.authenticate(token)).isNull();
 	}
 

cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationTokenTests.java

@@ -121,8 +121,8 @@ public void testNotEqualsDueToDifferentAuthenticationClass() {
 		final Assertion assertion = new AssertionImpl("test");
 		CasAuthenticationToken token1 = new CasAuthenticationToken("key", makeUserDetails(), "Password", this.ROLES,
 				makeUserDetails(), assertion);
-		UsernamePasswordAuthenticationToken token2 = new UsernamePasswordAuthenticationToken("Test", "Password",
-				this.ROLES);
+		UsernamePasswordAuthenticationToken token2 = UsernamePasswordAuthenticationToken.authenticated("Test",
+				"Password", this.ROLES);
 		assertThat(!token1.equals(token2)).isTrue();
 	}
 

config/src/integration-test/java/org/springframework/security/config/ldap/LdapProviderBeanDefinitionParserTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -56,7 +56,7 @@ public void simpleProviderAuthenticatesCorrectly() {
 		AuthenticationManager authenticationManager = this.appCtx.getBean(BeanIds.AUTHENTICATION_MANAGER,
 				AuthenticationManager.class);
 		Authentication auth = authenticationManager
-				.authenticate(new UsernamePasswordAuthenticationToken("ben", "benspassword"));
+				.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("ben", "benspassword"));
 		UserDetails ben = (UserDetails) auth.getPrincipal();
 		assertThat(ben.getAuthorities()).hasSize(3);
 	}
@@ -89,7 +89,7 @@ public void supportsPasswordComparisonAuthentication() {
 		AuthenticationManager authenticationManager = this.appCtx.getBean(BeanIds.AUTHENTICATION_MANAGER,
 				AuthenticationManager.class);
 		Authentication auth = authenticationManager
-				.authenticate(new UsernamePasswordAuthenticationToken("ben", "benspassword"));
+				.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("ben", "benspassword"));
 
 		assertThat(auth).isNotNull();
 	}
@@ -104,7 +104,8 @@ public void supportsPasswordComparisonAuthenticationWithPasswordEncoder() {
 
 		AuthenticationManager authenticationManager = this.appCtx.getBean(BeanIds.AUTHENTICATION_MANAGER,
 				AuthenticationManager.class);
-		Authentication auth = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("ben", "ben"));
+		Authentication auth = authenticationManager
+				.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("ben", "ben"));
 
 		assertThat(auth).isNotNull();
 	}
@@ -121,7 +122,7 @@ public void supportsCryptoPasswordEncoder() {
 		AuthenticationManager authenticationManager = this.appCtx.getBean(BeanIds.AUTHENTICATION_MANAGER,
 				AuthenticationManager.class);
 		Authentication auth = authenticationManager
-				.authenticate(new UsernamePasswordAuthenticationToken("bcrypt", "password"));
+				.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("bcrypt", "password"));
 
 		assertThat(auth).isNotNull();
 	}

config/src/test/java/org/springframework/security/config/annotation/authentication/AuthenticationManagerBuilderTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -93,8 +93,8 @@ public void customAuthenticationEventPublisherWithWeb() throws Exception {
 		given(opp.postProcess(any())).willAnswer((a) -> a.getArgument(0));
 		AuthenticationManager am = new AuthenticationManagerBuilder(opp).authenticationEventPublisher(aep)
 				.inMemoryAuthentication().and().build();
-		assertThatExceptionOfType(AuthenticationException.class)
-				.isThrownBy(() -> am.authenticate(new UsernamePasswordAuthenticationToken("user", "password")));
+		assertThatExceptionOfType(AuthenticationException.class).isThrownBy(
+				() -> am.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password")));
 		verify(aep).publishAuthenticationFailure(any(), any());
 	}
 
@@ -103,7 +103,8 @@ public void getAuthenticationManagerWhenGlobalPasswordEncoderBeanThenUsed() thro
 		this.spring.register(PasswordEncoderGlobalConfig.class).autowire();
 		AuthenticationManager manager = this.spring.getContext().getBean(AuthenticationConfiguration.class)
 				.getAuthenticationManager();
-		Authentication auth = manager.authenticate(new UsernamePasswordAuthenticationToken("user", "password"));
+		Authentication auth = manager
+				.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password"));
 		assertThat(auth.getName()).isEqualTo("user");
 		assertThat(auth.getAuthorities()).extracting(GrantedAuthority::getAuthority).containsOnly("ROLE_USER");
 	}
@@ -113,7 +114,8 @@ public void getAuthenticationManagerWhenProtectedPasswordEncoderBeanThenUsed() t
 		this.spring.register(PasswordEncoderGlobalConfig.class).autowire();
 		AuthenticationManager manager = this.spring.getContext().getBean(AuthenticationConfiguration.class)
 				.getAuthenticationManager();
-		Authentication auth = manager.authenticate(new UsernamePasswordAuthenticationToken("user", "password"));
+		Authentication auth = manager
+				.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password"));
 		assertThat(auth.getName()).isEqualTo("user");
 		assertThat(auth.getAuthorities()).extracting(GrantedAuthority::getAuthority).containsOnly("ROLE_USER");
 	}

config/src/test/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationPublishTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -47,7 +47,8 @@ public class AuthenticationConfigurationPublishTests {
 	// gh-4940
 	@Test
 	public void authenticationEventPublisherBeanUsedByDefault() {
-		this.authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("user", "password"));
+		this.authenticationManager
+				.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password"));
 		assertThat(this.listener.getEvents()).hasSize(1);
 	}
 

config/src/test/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -129,7 +129,8 @@ public void getAuthenticationManagerWhenNoOpGlobalAuthenticationConfigurerAdapte
 
 	@Test
 	public void getAuthenticationWhenGlobalAuthenticationConfigurerAdapterThenAuthenticates() throws Exception {
-		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("user", "password");
+		UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("user",
+				"password");
 		this.spring.register(AuthenticationConfiguration.class, ObjectPostProcessorConfiguration.class,
 				UserGlobalAuthenticationConfigurerAdapter.class).autowire();
 		AuthenticationManager authentication = this.spring.getContext().getBean(AuthenticationConfiguration.class)
@@ -139,7 +140,8 @@ public void getAuthenticationWhenGlobalAuthenticationConfigurerAdapterThenAuthen
 
 	@Test
 	public void getAuthenticationWhenAuthenticationManagerBeanThenAuthenticates() throws Exception {
-		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("user", "password");
+		UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("user",
+				"password");
 		this.spring.register(AuthenticationConfiguration.class, ObjectPostProcessorConfiguration.class,
 				AuthenticationManagerBeanConfig.class).autowire();
 		AuthenticationManager authentication = this.spring.getContext().getBean(AuthenticationConfiguration.class)
@@ -165,9 +167,9 @@ public void getAuthenticationWhenConfiguredThenBootNotTrigger() throws Exception
 		config.setGlobalAuthenticationConfigurers(Arrays.asList(new ConfiguresInMemoryConfigurerAdapter(),
 				new BootGlobalAuthenticationConfigurerAdapter()));
 		AuthenticationManager authenticationManager = config.getAuthenticationManager();
-		authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("user", "password"));
-		assertThatExceptionOfType(AuthenticationException.class).isThrownBy(
-				() -> authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("boot", "password")));
+		authenticationManager.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password"));
+		assertThatExceptionOfType(AuthenticationException.class).isThrownBy(() -> authenticationManager
+				.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("boot", "password")));
 	}
 
 	@Test
@@ -176,7 +178,7 @@ public void getAuthenticationWhenNotConfiguredThenBootTrigger() throws Exception
 		AuthenticationConfiguration config = this.spring.getContext().getBean(AuthenticationConfiguration.class);
 		config.setGlobalAuthenticationConfigurers(Arrays.asList(new BootGlobalAuthenticationConfigurerAdapter()));
 		AuthenticationManager authenticationManager = config.getAuthenticationManager();
-		authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("boot", "password"));
+		authenticationManager.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("boot", "password"));
 	}
 
 	// gh-2531
@@ -206,9 +208,9 @@ public void getAuthenticationWhenUserDetailsServiceBeanThenAuthenticationManager
 		AuthenticationManager am = this.spring.getContext().getBean(AuthenticationConfiguration.class)
 				.getAuthenticationManager();
 		given(uds.loadUserByUsername("user")).willReturn(PasswordEncodedUser.user(), PasswordEncodedUser.user());
-		am.authenticate(new UsernamePasswordAuthenticationToken("user", "password"));
-		assertThatExceptionOfType(AuthenticationException.class)
-				.isThrownBy(() -> am.authenticate(new UsernamePasswordAuthenticationToken("user", "invalid")));
+		am.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password"));
+		assertThatExceptionOfType(AuthenticationException.class).isThrownBy(
+				() -> am.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "invalid")));
 	}
 
 	@Test
@@ -221,9 +223,9 @@ public void getAuthenticationWhenUserDetailsServiceAndPasswordEncoderBeanThenEnc
 				.getAuthenticationManager();
 		given(uds.loadUserByUsername("user")).willReturn(User.withUserDetails(user).build(),
 				User.withUserDetails(user).build());
-		am.authenticate(new UsernamePasswordAuthenticationToken("user", "password"));
-		assertThatExceptionOfType(AuthenticationException.class)
-				.isThrownBy(() -> am.authenticate(new UsernamePasswordAuthenticationToken("user", "invalid")));
+		am.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password"));
+		assertThatExceptionOfType(AuthenticationException.class).isThrownBy(
+				() -> am.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "invalid")));
 	}
 
 	@Test
@@ -237,7 +239,7 @@ public void getAuthenticationWhenUserDetailsServiceAndPasswordManagerThenManager
 		given(manager.loadUserByUsername("user")).willReturn(User.withUserDetails(user).build(),
 				User.withUserDetails(user).build());
 		given(manager.updatePassword(any(), any())).willReturn(user);
-		am.authenticate(new UsernamePasswordAuthenticationToken("user", "password"));
+		am.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password"));
 		verify(manager).updatePassword(eq(user), startsWith("{bcrypt}"));
 	}
 
@@ -250,7 +252,7 @@ public void getAuthenticationWhenAuthenticationProviderAndUserDetailsBeanThenAut
 				.getAuthenticationManager();
 		given(ap.supports(any())).willReturn(true);
 		given(ap.authenticate(any())).willReturn(TestAuthentication.authenticatedUser());
-		am.authenticate(new UsernamePasswordAuthenticationToken("user", "password"));
+		am.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password"));
 	}
 
 	// gh-3091
@@ -262,7 +264,7 @@ public void getAuthenticationWhenAuthenticationProviderBeanThenUsed() throws Exc
 				.getAuthenticationManager();
 		given(ap.supports(any())).willReturn(true);
 		given(ap.authenticate(any())).willReturn(TestAuthentication.authenticatedUser());
-		am.authenticate(new UsernamePasswordAuthenticationToken("user", "password"));
+		am.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password"));
 	}
 
 	@Test

config/src/test/java/org/springframework/security/config/annotation/issue50/Issue50Tests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -75,21 +75,21 @@ public void loadWhenGlobalMethodSecurityConfigurationThenAuthenticationManagerLa
 	@Test
 	public void authenticateWhenMissingUserThenUsernameNotFoundException() {
 		assertThatExceptionOfType(UsernameNotFoundException.class).isThrownBy(() -> this.authenticationManager
-				.authenticate(new UsernamePasswordAuthenticationToken("test", "password")));
+				.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("test", "password")));
 	}
 
 	@Test
 	public void authenticateWhenInvalidPasswordThenBadCredentialsException() {
 		this.userRepo.save(User.withUsernameAndPassword("test", "password"));
 		assertThatExceptionOfType(BadCredentialsException.class).isThrownBy(() -> this.authenticationManager
-				.authenticate(new UsernamePasswordAuthenticationToken("test", "invalid")));
+				.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("test", "invalid")));
 	}
 
 	@Test
 	public void authenticateWhenValidUserThenAuthenticates() {
 		this.userRepo.save(User.withUsernameAndPassword("test", "password"));
 		Authentication result = this.authenticationManager
-				.authenticate(new UsernamePasswordAuthenticationToken("test", "password"));
+				.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("test", "password"));
 		assertThat(result.getName()).isEqualTo("test");
 	}
 
@@ -98,7 +98,7 @@ public void globalMethodSecurityIsEnabledWhenNotAllowedThenAccessDenied() {
 		SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("test", null, "ROLE_USER"));
 		this.userRepo.save(User.withUsernameAndPassword("denied", "password"));
 		assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(() -> this.authenticationManager
-				.authenticate(new UsernamePasswordAuthenticationToken("test", "password")));
+				.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("test", "password")));
 	}
 
 }

config/src/test/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -106,8 +106,8 @@ public void configureWhenGlobalMethodSecurityHasCustomMetadataSourceThenNoEnabli
 	@Test
 	public void methodSecurityAuthenticationManagerPublishesEvent() {
 		this.spring.register(InMemoryAuthWithGlobalMethodSecurityConfig.class).autowire();
-		assertThatExceptionOfType(AuthenticationException.class).isThrownBy(
-				() -> this.authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("foo", "bar")));
+		assertThatExceptionOfType(AuthenticationException.class).isThrownBy(() -> this.authenticationManager
+				.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("foo", "bar")));
 		assertThat(this.events.getEvents()).extracting(Object::getClass)
 				.containsOnly((Class) AuthenticationFailureBadCredentialsEvent.class);
 	}