Spring Security Authentication - Question about the Documentation

I'm looking at this page in the Spring Security JavaDoc:

http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.html#attemptAuthentication(javax.servlet.http.HttpServletRequest,%20javax.servlet.http.HttpServletResponse)

What does this line mean?

Return null, indicating that the authentication process is still in progress. Before returning, the implementation should perform any additional work required to complete the process.

I'm working on a form that allows a user to log in and collects other data. I don't want to 开发者_运维问答use the default UsernamePasswordAuthenticationFilter because I will then lose all the other data filled out in the form.

The usual way to capture more data from the login form is to use a custom WebAuthenticationDetails.

See this thread for info on how to do this.

What does this line mean?

It generally means that if you return null from your overriden attemptAuthentication() method, the filter chain will be broken and no further filters will be invoked after the UsernamePasswordAuthenticationFilter. After which you are responsible for completing the authentication process, rather than the other filters along the chain.

You can have a look at the AbstractAuthenticationProcessingFilter#doFilter() method source code line: 201.

In other words, returning null will cost you additional work.

If you want to override only attemptAuthentication() you should throw an AuthenticationException on unsuccessful authentication.

If you want to return null from attemptAuthentication() you should also override doFilter() and handle the null result yourself.