Please specify detailed contract of HttpServerAuthenticationMechanismFactory.
Describe which params are allowed to be null and what happens in that case. Also describe if null return values are allowed from interface methods and when does that could happen.
You can consider javax.security.sasl.SaslServerFactory as example of detailed contract.
- Is properties parameter of getMechanismNames() allowed to be null?
- is getMechanismNames() allowed to return null ?
- Are any of createAuthenticationMechanism() parameters allowed to be null?
- For ServerMechanismFactoryImpl implementation properties could not be null - is it general rule?
- For ServerMechanismFactoryImpl implementation callbackHandler could not be null - is it general rule?
- For ServerMechanismFactoryImpl implementation mechanismName could not be null - is it general rule?
I would suggest to wrap java.lang.IllegalArgumentException to HttpAuthenticationException. Otherwise possibility of IllegalArgumentException should be documented in contract.
Filing as Critical, as this interface is expected to be implemented by custom factories.