Description
OAuth2AuthenticationHandler handles checks and "only denies authentication when an invalid bearer token is received".
Unfortunately, it also creates and returns an AnonymousSecurityToken explicitly, which means that extensions of Shindig either reimplement all of the logic, or patch the method to return a more suitable token.
The name implies some generic behavior though, so I think it would be nice if the token creation was done in a separate overridable method. This way extensions could use the OAuth2AuthenticationHandler as a parent class, and just create the proper token by overriding the method.
In our specific case we use Apache Shiro for authentication/authorization purposes.
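
A sketch of the refactoring requested above, as an added example that is not Shindig's code or part of the original report. Every type and method name here (`BearerHandler`, `createSecurityToken`, `Token`, and so on) is a simplified hypothetical stand-in, the token store is a constructed in-memory map, and returning `null` when no bearer token is present is an assumption.

```java
import java.util.Map;

// Hypothetical stand-ins; none of these are Shindig or Shiro types.
interface Token { String principal(); boolean anonymous(); }
record AnonymousToken() implements Token {
    public String principal() { return "anonymous"; }
    public boolean anonymous() { return true; }
}
record SubjectToken(String principal) implements Token {
    public boolean anonymous() { return false; }
}
class InvalidAuthenticationException extends Exception {
    InvalidAuthenticationException(String m) { super(m); }
}

class BearerHandler {
    // Constructed sample data: bearer token -> owning principal.
    protected final Map<String, String> issued;
    BearerHandler(Map<String, String> issued) { this.issued = issued; }

    // Validation stays in the parent and is final, so subclasses cannot weaken it:
    // no bearer token -> null (assumed), invalid -> exception, valid -> hook.
    public final Token getSecurityToken(String authorizationHeader)
            throws InvalidAuthenticationException {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) return null;
        String bearer = authorizationHeader.substring("Bearer ".length()).trim();
        if (!issued.containsKey(bearer)) throw new InvalidAuthenticationException("invalid bearer token");
        return createSecurityToken(bearer);
    }

    // Overridable hook; the default mirrors the anonymous token the report describes.
    protected Token createSecurityToken(String validatedBearer) { return new AnonymousToken(); }
}

class SubjectBearerHandler extends BearerHandler {
    SubjectBearerHandler(Map<String, String> issued) { super(issued); }
    @Override protected Token createSecurityToken(String validatedBearer) {
        // Where a Shiro-backed extension would resolve its own subject.
        return new SubjectToken(issued.get(validatedBearer));
    }
}

public class Demo {
    public static void main(String[] args) throws Exception {
        var tokens = Map.of("abc123", "alice"); // constructed sample token
        System.out.println(new BearerHandler(tokens).getSecurityToken("Bearer abc123"));
        System.out.println(new SubjectBearerHandler(tokens).getSecurityToken("Bearer abc123"));
    }
}
```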