UsernamePasswordAuthenticationToken 类的构造器逻辑，来控制 isAuthenticated 的默认值

public class UsernamePasswordAuthenticationToken extends AbstractAuthenticationToken {
private final Object principal;
private Object credentials;

// 构造器 1：未认证时调用
public UsernamePasswordAuthenticationToken(Object principal, Object credentials) {
super(null); // authorities 为 null
this.principal = principal;
this.credentials = credentials;
setAuthenticated(false); // 未认证，明确设置为 false
}

// 构造器 2：已认证时调用
public UsernamePasswordAuthenticationToken(Object principal, Object credentials,
Collection<? extends GrantedAuthority> authorities) {
super(authorities); // 设置 authorities
this.principal = principal;
this.credentials = credentials;
super.setAuthenticated(true); // 已认证，明确设置为 true
}

// 省略了其他方法...
}