For each session authorization, the server creates a new and separate, empty handler. Factory which creates handler instance allows to inject different objects to the handler, depending on interfaces implemented by the handler class:

  • AuthRepositoryAware - injects AuthRepository;
  • DomainAware - injects domain name within which the user attempts to authenticate
  • NonAuthUserRepositoryAware - injects NonAuthUserRepository, although I have no idea what for…​