The listener should then store the authenticated token using the token storage : The default authentication manager is an instance of AuthenticationProviderManager : hash the password the user has just provided (e.g. using a login form) with is not too long, i.e. the password length is no longer than 4096 characters..