Hi Bruno,
I think, in the context of wider refactorisation of authentication and authorisation, that authentication should provide a Principal when a client has been authenticated (and perhaps a default guest principal when no one has, like jGuard does, but that's a different matter).

Why not use null as "guest principal"? What is the advantage of an object for it?

Best regards,
Stephan

