Analysis of when AuthenticationSuccessHandler is called after UsernamePasswordAuthenticationFilter authenticates successfully
2022-08-09 02:02:00 【kgduu】
1. Questions
Which Authentication does AuthenticationSuccessHandler receive? Is it the same object that was passed to AuthenticationManager#authenticate(Authentication authentication)?
2. Analysis
UsernamePasswordAuthenticationFilter calls AuthenticationManager#authenticate. In practice this ends up in the authenticate method of DaoAuthenticationProvider, whose processing template is defined in its parent class AbstractUserDetailsAuthenticationProvider. The processing code is as follows:
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    String username = determineUsername(authentication);
    // Try the user cache first; fall back to retrieveUser on a miss.
    boolean cacheWasUsed = true;
    UserDetails user = this.userCache.getUserFromCache(username);
    if (user == null) {
        cacheWasUsed = false;
        user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
    }
    // Account status checks, then the password check, then post checks.
    this.preAuthenticationChecks.check(user);
    additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
    this.postAuthenticationChecks.check(user);
    if (!cacheWasUsed) {
        this.userCache.putUserInCache(user);
    }
    // The principal of the result is the UserDetails, or only its username
    // when forcePrincipalAsString is set.
    Object principalToReturn = user;
    if (this.forcePrincipalAsString) {
        principalToReturn = user.getUsername();
    }
    return createSuccessAuthentication(principalToReturn, authentication, user);
}
principalToReturn is the UserDetails returned by retrieveUser. The retrieveUser of DaoAuthenticationProvider gets the UserDetails through UserDetailsService#loadUserByUsername.
protected final UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)
        throws AuthenticationException {
    prepareTimingAttackProtection();
    // Load the stored user record for the submitted username.
    UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username);
    if (loadedUser == null) {
        throw new InternalAuthenticationServiceException(
                "UserDetailsService returned null, which is an interface contract violation");
    }
    return loadedUser;
}
Then create a new Authentication with UserDetails as principal.
protected Authentication createSuccessAuthentication(Object principal, Authentication authentication,
        UserDetails user) {
    // Ensure we return the original credentials the user supplied,
    // so subsequent attempts are successful even with encoded passwords.
    // Also ensure we return the original getDetails(), so that future
    // authentication events after cache expiry contain the details
    UsernamePasswordAuthenticationToken result = UsernamePasswordAuthenticationToken.authenticated(principal,
            authentication.getCredentials(), this.authoritiesMapper.mapAuthorities(user.getAuthorities()));
    result.setDetails(authentication.getDetails());
    this.logger.debug("Authenticated user");
    return result;
}
3. Conclusion
The Authentication received by AuthenticationSuccessHandler is not the same object as the one passed to AuthenticationManager#authenticate. The Authentication in AuthenticationSuccessHandler is a new one that uses the UserDetails as its principal, and the credentials of the Authentication passed to AuthenticationManager#authenticate are used as the credentials of the new Authentication.
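The conclusion can be checked directly against spring-security-core. The following is an added example, not code from the original post or from Spring Security itself; it assumes Spring Security 5.7 to 6.x on the classpath, and the class name, the user alice, the password and the details value are constructed. It goes one step beyond the post by also calling the provider through ProviderManager, which by default erases the credentials on the result before the filter hands it to the success handler.

```java
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class SuccessAuthenticationDemo {

    public static void main(String[] args) {
        // Constructed sample user; {noop} selects the plain-text encoder, for this demo only.
        UserDetails alice = User.withUsername("alice").password("{noop}s3cret").roles("USER").build();
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new InMemoryUserDetailsManager(alice));

        // What the filter builds from the login form: the principal is just the username String.
        UsernamePasswordAuthenticationToken request =
                UsernamePasswordAuthenticationToken.unauthenticated("alice", "s3cret");
        request.setDetails("constructed-details");

        // Provider called directly: this is the token built by createSuccessAuthentication.
        Authentication direct = provider.authenticate(request);
        check(direct != request, "a new token is returned");
        check(direct.isAuthenticated() && !request.isAuthenticated(), "only the result is authenticated");
        check(direct.getPrincipal() instanceof UserDetails, "principal is the loaded UserDetails");
        check("s3cret".equals(direct.getCredentials()), "credentials are copied from the request");
        check("constructed-details".equals(direct.getDetails()), "details are copied from the request");

        // Through ProviderManager (default eraseCredentialsAfterAuthentication = true).
        Authentication viaManager = new ProviderManager(provider).authenticate(request);
        check(viaManager.getPrincipal() instanceof UserDetails, "principal is still UserDetails");
        check(viaManager.getCredentials() == null, "credentials were erased on the result");
        check(((UserDetails) viaManager.getPrincipal()).getPassword() == null,
                "the principal's stored password was erased too");
    }

    private static void check(boolean ok, String what) {
        if (!ok) {
            throw new IllegalStateException("unexpected: " + what);
        }
        System.out.println("ok: " + what);
    }
}
```

A success handler that casts getPrincipal() to UserDetails should also handle a String principal, which is what the provider returns when forcePrincipalAsString is set.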