
Spring Security 6.2 and CAS authentication: what happened to CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER?


I'm setting up CAS authentication on my application using Spring Security 6.2.

The documentation (https://docs.spring.io/spring-security/reference/servlet/authentication/cas.html) states:

"The processing filter will construct a UsernamePasswordAuthenticationToken representing the service ticket. The principal will be equal to CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER, whilst the credentials will be the service ticket opaque value."

However, it seems that in version 6 of Spring Security, the CAS_STATEFUL_IDENTIFIER member has disappeared from the CasAuthenticationFilter class.

So, what's the best way to create this UsernamePasswordAuthenticationToken?


Solution

  • Since Spring Security 6.1.0, the CasAuthenticationFilter creates an instance of CasServiceTicketAuthenticationToken instead of UsernamePasswordAuthenticationToken and the CAS_STATEFUL_IDENTIFIER constant got moved to the new class.

    The change was made in the commit Use a Custom Authentication Token for CAS. Apparently though, the project's documentation page source was left intact, so it is no longer up-to-date with the changed code.

    "So, what's the best way to create this UsernamePasswordAuthenticationToken?"

    Provided you don't insist on creating UsernamePasswordAuthenticationToken, you can create a new CasServiceTicketAuthenticationToken instead:

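    // Build the unauthenticated stateful token that wraps the CAS service ticket
    CasServiceTicketAuthenticationToken token = CasServiceTicketAuthenticationToken.stateful(serviceTicket);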
    

    While you can surely still create UsernamePasswordAuthenticationToken, it could be a little bit more complicated because the visibility of CasServiceTicketAuthenticationToken.CAS_STATEFUL_IDENTIFIER (obtainable via token.getPrincipal() in the example above) is package-level now.
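
Both forms described in the answer above, as an added example that is not part of the original answer or of Spring Security itself. The class `CasTicketAuthenticator` and its method names are hypothetical, and the injected `AuthenticationManager` is assumed to be configured with a `CasAuthenticationProvider`.

```java
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.cas.authentication.CasServiceTicketAuthenticationToken;
import org.springframework.security.core.Authentication;

// Hypothetical helper: the name and structure are assumptions for illustration.
public final class CasTicketAuthenticator {

    // Assumed to delegate to a CasAuthenticationProvider.
    private final AuthenticationManager authenticationManager;

    public CasTicketAuthenticator(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    /** Preferred form since 6.1: hand the dedicated CAS token to the manager. */
    public Authentication authenticate(String serviceTicket) {
        CasServiceTicketAuthenticationToken token =
                CasServiceTicketAuthenticationToken.stateful(requireTicket(serviceTicket));
        // Throws AuthenticationException if the CAS server rejects the ticket.
        return authenticationManager.authenticate(token);
    }

    /**
     * Legacy form: a UsernamePasswordAuthenticationToken carrying the same
     * principal and credentials. CAS_STATEFUL_IDENTIFIER is package-private,
     * so the value is read back through getPrincipal() rather than hard-coded.
     */
    public static UsernamePasswordAuthenticationToken legacyToken(String serviceTicket) {
        CasServiceTicketAuthenticationToken cas =
                CasServiceTicketAuthenticationToken.stateful(requireTicket(serviceTicket));
        return UsernamePasswordAuthenticationToken.unauthenticated(
                cas.getPrincipal(), cas.getCredentials());
    }

    // Reject a missing ticket before building any token from it.
    private static String requireTicket(String serviceTicket) {
        if (serviceTicket == null || serviceTicket.isBlank()) {
            throw new BadCredentialsException("Missing CAS service ticket");
        }
        return serviceTicket;
    }
}
```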