Delete Deprecated clientSaslAuthenticationSuccess from FilterContext (kroxylicious#3623)

m1a2st · web-flow · commit 642768bc18cf · 2026-04-07T19:53:49.000Z
* remove the deprecate code

Signed-off-by: m1a2st &lt;s7133700@gmail.com&gt;

* add the pom exclude

Signed-off-by: m1a2st &lt;s7133700@gmail.com&gt;

* fix linter

Signed-off-by: m1a2st &lt;s7133700@gmail.com&gt;

* addressed by comment

Signed-off-by: m1a2st &lt;s7133700@gmail.com&gt;

---------

Signed-off-by: m1a2st &lt;s7133700@gmail.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,11 +7,16 @@ Format `<github issue/pr number>: <short description>`.
 
 ## SNAPSHOT
 
+* [#3620](https://github.com/kroxylicious/kroxylicious/issues/3620): Removed Deprecated clientSaslAuthenticationSuccess from FilterContext
 * [#3624](https://github.com/kroxylicious/kroxylicious/pull/3624): feat(operator): set Kubernetes client User-Agent to `kroxylicious-operator/<version>` for API server audit log identification
 * [#3565](https://github.com/kroxylicious/kroxylicious/pull/3514): build(deps): bump kubernetes-client.version from 7.5.2 to 7.6.1
 * [#3514](https://github.com/kroxylicious/kroxylicious/pull/3514): build(deps): build(deps-dev): bump org.yaml:snakeyaml from 2.5 to 2.6
 * [#3564](https://github.com/kroxylicious/kroxylicious/pull/3564): build(deps): bump apicurio-registry.version from 3.1.6 to 3.2.1
 
+### Changes, deprecations and removals
+
+* The deprecated method `FilterContext#clientSaslAuthenticationSuccess(String, String)` is removed. Filter authors must use `FilterContext#clientSaslAuthenticationSuccess(String, Subject)` to announce a successful SASL authentication to the other filters in the chain.
+
 ## 0.20.0
 
 * [#3570](https://github.com/kroxylicious/kroxylicious/pull/3570): build(deps): bump netty.version from 4.2.10.Final to 4.2.12.Final
diff --git a/kroxylicious-api/pom.xml b/kroxylicious-api/pom.xml
@@ -169,6 +169,8 @@
                             <!-- The following methods become deprecated and are given a default implementation at 0.19.0 which throws UnsupportedOperationException -->
                             <exclude>io.kroxylicious.proxy.filter.RequestFilter#onRequest(org.apache.kafka.common.protocol.ApiKeys, org.apache.kafka.common.message.RequestHeaderData, org.apache.kafka.common.protocol.ApiMessage, io.kroxylicious.proxy.filter.FilterContext)</exclude>
                             <exclude>io.kroxylicious.proxy.filter.ResponseFilter#onResponse(org.apache.kafka.common.protocol.ApiKeys, org.apache.kafka.common.message.ResponseHeaderData, org.apache.kafka.common.protocol.ApiMessage, io.kroxylicious.proxy.filter.FilterContext)</exclude>
+                            <!-- The following method was deprecated since 0.18 and removed at 0.21.0, see https://github.com/kroxylicious/kroxylicious/issues/3620 -->
+                            <exclude>io.kroxylicious.proxy.filter.FilterContext#clientSaslAuthenticationSuccess(java.lang.String, java.lang.String)</exclude>
                         </excludes>
                         <!-- see documentation -->
                     </parameter>
diff --git a/kroxylicious-api/src/main/java/io/kroxylicious/proxy/filter/FilterContext.java b/kroxylicious-api/src/main/java/io/kroxylicious/proxy/filter/FilterContext.java
@@ -19,7 +19,6 @@
 
 import io.kroxylicious.proxy.authentication.ClientSaslContext;
 import io.kroxylicious.proxy.authentication.Subject;
-import io.kroxylicious.proxy.authentication.User;
 import io.kroxylicious.proxy.filter.metadata.TopicNameMapping;
 import io.kroxylicious.proxy.filter.metadata.TopicNameMappingException;
 import io.kroxylicious.proxy.tls.ClientTlsContext;
@@ -185,27 +184,6 @@ <M extends ApiMessage> CompletionStage<M> sendRequest(RequestHeaderData header,
      * may be arbitrarily interleaved during the lifetime of a given filter instance.
      *
      * @param mechanism The SASL mechanism used
-     * @param authorizedId The authorizedId
-     *
-     * @deprecated Callers should use {@link #clientSaslAuthenticationSuccess(String, Subject)}
-     * to announce authentication outcomes instead of this method.
-     * When this method is used the result of {@link #authenticatedSubject()} will be a non-empty Optional
-     * with a {@link Subject} having a single {@link User} principal with the given {@code authorizedId}
-     */
-    @Deprecated(since = "0.18")
-    void clientSaslAuthenticationSuccess(String mechanism,
-                                         String authorizedId);
-
-    /**
-     * Allows a filter (typically one which implements {@link SaslAuthenticateRequestFilter})
-     * to announce a successful authentication outcome with the Kafka client to other plugins.
-     * After calling this method the results of {@link #clientSaslContext()}
-     * and {@link #authenticatedSubject()} will both be non-empty for this and other filters.
-     *
-     * In order to support reauthentication, calls to this method and
-     * {@link #clientSaslAuthenticationFailure(String, String, Exception)}
-     * may be arbitrarily interleaved during the lifetime of a given filter instance.
-     * @param mechanism The SASL mechanism used
      * @param subject The subject
      */
     void clientSaslAuthenticationSuccess(String mechanism,
@@ -219,7 +197,7 @@ void clientSaslAuthenticationSuccess(String mechanism,
      * It is the filter's responsibility to return the right error response to a client, and/or disconnect.
      *
      * In order to support reauthentication, calls to this method and
-     * {@link #clientSaslAuthenticationSuccess(String, String)}
+     * {@link #clientSaslAuthenticationSuccess(String, Subject)}
      * may be arbitrarily interleaved during the lifetime of a given filter instance.
      * @param mechanism The SASL mechanism used, or null if this is not known.
      * @param authorizedId The authorizedId, or null if this is not known.
diff --git a/kroxylicious-filter-test-support/src/main/java/io/kroxylicious/test/context/MockFilterContext.java b/kroxylicious-filter-test-support/src/main/java/io/kroxylicious/test/context/MockFilterContext.java
@@ -367,13 +367,6 @@ public Optional<ClientTlsContext> clientTlsContext() {
         return Optional.ofNullable(clientTlsContext);
     }
 
-    @Override
-    public void clientSaslAuthenticationSuccess(String mechanism, String authorizedId) {
-        synchronized (clientSaslGestureInvocations) {
-            clientSaslGestureInvocations.add(new ClientSaslGestureInvocation.DeprecatedAuthenticationSuccess(mechanism, authorizedId));
-        }
-    }
-
     @Override
     public void clientSaslAuthenticationSuccess(String mechanism, Subject subject) {
         synchronized (clientSaslGestureInvocations) {
@@ -615,8 +608,6 @@ public record SendRequestInvocation(ApiMessage header, ApiMessage request) {
     }
 
     public sealed interface ClientSaslGestureInvocation {
-        record DeprecatedAuthenticationSuccess(String mechanism, String authorizedId) implements ClientSaslGestureInvocation {}
-
         record AuthenticationSuccess(String mechanism, Subject subject) implements ClientSaslGestureInvocation {}
 
         record AuthenticationFailure(@Nullable String mechanism, @Nullable String authorizedId, Exception exception) implements ClientSaslGestureInvocation {}
diff --git a/kroxylicious-filter-test-support/src/test/java/io/kroxylicious/test/context/MockFilterContextTest.java b/kroxylicious-filter-test-support/src/test/java/io/kroxylicious/test/context/MockFilterContextTest.java
@@ -35,7 +35,6 @@
 import io.kroxylicious.test.assertj.MockFilterContextAssert;
 import io.kroxylicious.test.context.MockFilterContext.ClientSaslGestureInvocation.AuthenticationFailure;
 import io.kroxylicious.test.context.MockFilterContext.ClientSaslGestureInvocation.AuthenticationSuccess;
-import io.kroxylicious.test.context.MockFilterContext.ClientSaslGestureInvocation.DeprecatedAuthenticationSuccess;
 
 import edu.umd.cs.findbugs.annotations.NonNull;
 
@@ -761,15 +760,6 @@ void sendRequestHeaderNotEquals() {
                 .hasMessageContaining("header being passed to sendRequest did not equal expected header");
     }
 
-    @Test
-    void recordsDeprecatedSaslSuccess() {
-        MockFilterContext context = MockFilterContext.builder(HEADER, MESSAGE).build();
-        context.clientSaslAuthenticationSuccess("mechanism", "authorizedId");
-
-        assertThat(context.clientSaslGestureInvocations()).hasSize(1)
-                .containsExactly(new DeprecatedAuthenticationSuccess("mechanism", "authorizedId"));
-    }
-
     @Test
     void recordsSaslSuccess() {
         MockFilterContext context = MockFilterContext.builder(HEADER, MESSAGE).build();
diff --git a/kroxylicious-filters/kroxylicious-authorization/src/test/java/io/kroxylicious/filter/authorization/MockFilterContext.java b/kroxylicious-filters/kroxylicious-authorization/src/test/java/io/kroxylicious/filter/authorization/MockFilterContext.java
@@ -138,11 +138,6 @@ public Optional<ClientTlsContext> clientTlsContext() {
         throw new UnsupportedOperationException();
     }
 
-    @Override
-    public void clientSaslAuthenticationSuccess(@NonNull String mechanism, @NonNull String authorizedId) {
-        throw new UnsupportedOperationException();
-    }
-
     @Override
     public void clientSaslAuthenticationSuccess(@NonNull String mechanism, @NonNull Subject subject) {
         throw new UnsupportedOperationException();
diff --git a/kroxylicious-filters/kroxylicious-entity-isolation/src/test/java/io/kroxylicious/filter/entityisolation/MockFilterContext.java b/kroxylicious-filters/kroxylicious-entity-isolation/src/test/java/io/kroxylicious/filter/entityisolation/MockFilterContext.java
@@ -138,15 +138,6 @@ public Optional<ClientTlsContext> clientTlsContext() {
         return Optional.empty();
     }
 
-    /**
-     * @deprecated for removal
-     */
-    @Override
-    @Deprecated(forRemoval = true, since = "0.18")
-    public void clientSaslAuthenticationSuccess(@NonNull String mechanism, @NonNull String authorizedId) {
-        throw new UnsupportedOperationException();
-    }
-
     @Override
     public void clientSaslAuthenticationSuccess(@NonNull String mechanism, @NonNull Subject subject) {
         throw new UnsupportedOperationException();
diff --git a/kroxylicious-filters/kroxylicious-oauthbearer-validation/src/main/java/io/kroxylicious/filter/oauthbearer/OauthBearerValidationFilter.java b/kroxylicious-filters/kroxylicious-oauthbearer-validation/src/main/java/io/kroxylicious/filter/oauthbearer/OauthBearerValidationFilter.java
@@ -38,6 +38,8 @@
 import com.github.benmanes.caffeine.cache.LoadingCache;
 
 import io.kroxylicious.filter.oauthbearer.sasl.BackoffStrategy;
+import io.kroxylicious.proxy.authentication.Subject;
+import io.kroxylicious.proxy.authentication.User;
 import io.kroxylicious.proxy.filter.FilterContext;
 import io.kroxylicious.proxy.filter.RequestFilterResult;
 import io.kroxylicious.proxy.filter.ResponseFilterResult;
@@ -177,7 +179,7 @@ public CompletionStage<ResponseFilterResult> onSaslAuthenticateResponse(short ap
                                                                             SaslAuthenticateResponseData response, FilterContext context) {
         if (response.errorCode() == NONE.code()) {
             this.validateAuthentication = false;
-            context.clientSaslAuthenticationSuccess(OAUTHBEARER_MECHANISM, Objects.requireNonNull(authorizationId));
+            context.clientSaslAuthenticationSuccess(OAUTHBEARER_MECHANISM, new Subject(new User(Objects.requireNonNull(authorizationId))));
         }
         return context.forwardResponse(header, response);
     }
diff --git a/kroxylicious-filters/kroxylicious-oauthbearer-validation/src/test/java/io/kroxylicious/filter/oauthbearer/OauthBearerValidationFilterTest.java b/kroxylicious-filters/kroxylicious-oauthbearer-validation/src/test/java/io/kroxylicious/filter/oauthbearer/OauthBearerValidationFilterTest.java
@@ -34,6 +34,8 @@
 import com.github.benmanes.caffeine.cache.LoadingCache;
 
 import io.kroxylicious.filter.oauthbearer.sasl.BackoffStrategy;
+import io.kroxylicious.proxy.authentication.Subject;
+import io.kroxylicious.proxy.authentication.User;
 import io.kroxylicious.proxy.filter.FilterContext;
 import io.kroxylicious.proxy.filter.RequestFilterResultBuilder;
 import io.kroxylicious.proxy.filter.filterresultbuilder.CloseOrTerminalStage;
@@ -186,7 +188,7 @@ void mustLetPassWhenAlreadyAuthenticated() throws NoSuchAlgorithmException {
 
         verify(context).forwardResponse(any(ResponseHeaderData.class), eq(givenAuthenticateResponse));
         verify(context).forwardRequest(any(RequestHeaderData.class), eq(givenAuthenticateRequest));
-        verify(context).clientSaslAuthenticationSuccess(OAUTHBEARER_MECHANISM, AUTHORIZED_ID);
+        verify(context).clientSaslAuthenticationSuccess(OAUTHBEARER_MECHANISM, new Subject(new User(AUTHORIZED_ID)));
     }
 
     private void stubInitialAuthentication() throws NoSuchAlgorithmException {
@@ -211,7 +213,7 @@ void shouldNotifyContextOfSuccessfulAuthResponse() throws NoSuchAlgorithmExcepti
 
         verify(context).forwardResponse(any(ResponseHeaderData.class), eq(givenAuthenticateResponse));
         verify(context).forwardRequest(any(RequestHeaderData.class), eq(givenAuthenticateRequest));
-        verify(context).clientSaslAuthenticationSuccess(OAUTHBEARER_MECHANISM, AUTHORIZED_ID);
+        verify(context).clientSaslAuthenticationSuccess(OAUTHBEARER_MECHANISM, new Subject(new User(AUTHORIZED_ID)));
     }
 
     @Test
diff --git a/kroxylicious-filters/kroxylicious-sasl-inspection/src/main/java/io/kroxylicious/filter/sasl/inspection/OauthBearerSaslObserver.java b/kroxylicious-filters/kroxylicious-sasl-inspection/src/main/java/io/kroxylicious/filter/sasl/inspection/OauthBearerSaslObserver.java
@@ -117,7 +117,7 @@ public String authorizationId() throws SaslException {
     /**
      * The server's OAuthBearerSaslServer will accept an expired token as authenticated successfully but with a
      * zero {@link SaslAuthenticateResponseData#sessionLifetimeMs()} sent the client. In this circumstance we want to
-     * avoid announcing {@link io.kroxylicious.proxy.filter.FilterContext#clientSaslAuthenticationSuccess(String, String)}
+     * avoid announcing {@link io.kroxylicious.proxy.filter.FilterContext#clientSaslAuthenticationSuccess(String, io.kroxylicious.proxy.authentication.Subject)}
      * and flag a {@link io.kroxylicious.proxy.filter.FilterContext#clientSaslAuthenticationFailure(String, String, Exception)}
      * instead.
      *
diff --git a/kroxylicious-filters/kroxylicious-sasl-inspection/src/main/java/io/kroxylicious/filter/sasl/inspection/SaslInspectionFilter.java b/kroxylicious-filters/kroxylicious-sasl-inspection/src/main/java/io/kroxylicious/filter/sasl/inspection/SaslInspectionFilter.java
@@ -46,7 +46,7 @@
 /**
  * A filter that performs <a href="https://github.com/kroxylicious/design/blob/main/proposals/004-terminology-for-authentication.md#sasl-passthrough-inspection">SASL passthrough inspection</a>.
  * It does this by looking at the requests and responses to infer the client's identity negotiated by the SASL layer. Once the authentication is complete,
- * it uses {@link FilterContext#clientSaslAuthenticationSuccess(String, String)} or {@link FilterContext#clientSaslAuthenticationFailure(String, String, Exception)} to announce the
+ * it uses {@link FilterContext#clientSaslAuthenticationSuccess(String, io.kroxylicious.proxy.authentication.Subject)} or {@link FilterContext#clientSaslAuthenticationFailure(String, String, Exception)} to announce the
  * result of the authentication to the rest of the filters in the filter chain.
  * <br/>
  * If client reauthentication is in-use (KIP-368), the result of the subsequent re-authentication will be announced using
diff --git a/kroxylicious-filters/kroxylicious-sasl-inspection/src/test/java/io/kroxylicious/filter/sasl/inspection/SaslInspectionFilterTest.java b/kroxylicious-filters/kroxylicious-sasl-inspection/src/test/java/io/kroxylicious/filter/sasl/inspection/SaslInspectionFilterTest.java
@@ -336,7 +336,6 @@ void shouldDetectMissingHandshake() {
                 .satisfies(rfr -> assertThat(rfr.message())
                         .isEqualTo(expectedDownstreamAuthenticateShortCircuitResponse));
 
-        verify(context, never()).clientSaslAuthenticationSuccess(anyString(), anyString());
     }
 
     @Test
@@ -379,7 +378,6 @@ void shouldDetectUnexpectedSecondHandshake() {
                     assertThat(rfr.closeConnection()).isTrue();
                 });
 
-        verify(context, never()).clientSaslAuthenticationSuccess(anyString(), anyString());
     }
 
     @Test
@@ -484,7 +482,6 @@ void shouldReturnAuthenticationErrorResponseDownstreamWhenBrokerSignalsAuthentic
                     assertThat(rfr.closeConnection()).isTrue();
                 });
 
-        verify(context, never()).clientSaslAuthenticationSuccess(anyString(), anyString());
         verify(context).clientSaslAuthenticationFailure(eq("PLAIN"), eq("tim"), isA(SaslException.class));
     }
 
@@ -635,7 +632,6 @@ void shouldReportRecentlyExpiredTokenAsFailedAuthentication() {
         doSaslAuthenticateRequest(TestData.SASL_OAUTHBEARER_SIGNED_JWT, filter, (short) 0);
         doSaslAuthenticateResponse(new byte[0], filter, 0 /* a session lifespan of 0ms means the client must re-auth next */);
 
-        verify(context, never()).clientSaslAuthenticationSuccess(anyString(), anyString());
         verify(context).clientSaslAuthenticationFailure(eq("OAUTHBEARER"), eq("johndoe"), isA(SaslException.class));
     }
 
@@ -680,7 +676,7 @@ void shouldHandleSaslBuilderException(SaslObserverFactory observerFactory,
 
         // Then
         verify(context).clientSaslAuthenticationFailure(eq(observerFactory.mechanismName()), eq(expectedAuthorizedId), isA(SubjectBuildingException.class));
-        verify(context, never()).clientSaslAuthenticationSuccess(anyString(), anyString());
+
         verify(context, never()).clientSaslAuthenticationSuccess(anyString(), any(Subject.class));
         // verify(context).r
 
@@ -712,7 +708,7 @@ void shouldNotForwardMetadataWhenAuthnNotPerformedButRequired(SaslObserverFactor
 
         // Then
         verify(context, never()).clientSaslAuthenticationSuccess(any(), any(Subject.class));
-        verify(context, never()).clientSaslAuthenticationSuccess(any(), any(String.class));
+
         verify(context, never()).clientSaslAuthenticationFailure(anyString(), anyString(), nullable(Exception.class));
         verify(context, never()).forwardRequest(any(), ArgumentMatchers.assertArg(r -> assertThat(ApiKeys.forId(r.apiKey())).isEqualTo(ApiKeys.METADATA)));
         verify(requestCloseOrTerminalStage).withCloseConnection();
@@ -733,7 +729,7 @@ void shouldForwardMetadataWhenAuthnNotPerformedButNotRequired(SaslObserverFactor
 
         // Then
         verify(context, never()).clientSaslAuthenticationSuccess(any(), any(Subject.class));
-        verify(context, never()).clientSaslAuthenticationSuccess(any(), any(String.class));
+
         verify(context, never()).clientSaslAuthenticationFailure(anyString(), anyString(), nullable(Exception.class));
         verify(context, times(1)).forwardRequest(any(), ArgumentMatchers.assertArg(r -> assertThat(ApiKeys.forId(r.apiKey())).isEqualTo(ApiKeys.METADATA)));
         assertThat(filterResult)
@@ -766,7 +762,7 @@ void shouldForwardMetadataWhenAuthnFailedButNotRequired(SaslObserverFactory obse
 
         // Then
         verify(context, never()).clientSaslAuthenticationSuccess(any(), any(Subject.class));
-        verify(context, never()).clientSaslAuthenticationSuccess(any(), any(String.class));
+
         verify(context, never()).clientSaslAuthenticationFailure(anyString(), anyString(), nullable(Exception.class));
         var inOrder = Mockito.inOrder(context);
         inOrder.verify(context).forwardRequest(any(), ArgumentMatchers.argThat(r -> ApiKeys.forId(r.apiKey()).equals(ApiKeys.SASL_HANDSHAKE)));
diff --git a/kroxylicious-integration-tests/src/test/java/io/kroxylicious/it/testplugins/ConstantSasl.java b/kroxylicious-integration-tests/src/test/java/io/kroxylicious/it/testplugins/ConstantSasl.java
@@ -21,7 +21,7 @@
 
 /**
  * A filter for testing purposes which simply calls
- * {@link io.kroxylicious.proxy.filter.FilterContext#clientSaslAuthenticationSuccess(String, String)} or
+ * {@link io.kroxylicious.proxy.filter.FilterContext#clientSaslAuthenticationSuccess(String, io.kroxylicious.proxy.authentication.Subject)} or
  * {@link io.kroxylicious.proxy.filter.FilterContext#clientSaslAuthenticationFailure(String, String, Exception)}
  * when it first observes a specific request type.
  *
diff --git a/kroxylicious-integration-tests/src/test/java/io/kroxylicious/it/testplugins/ConstantSaslFilter.java b/kroxylicious-integration-tests/src/test/java/io/kroxylicious/it/testplugins/ConstantSaslFilter.java
@@ -17,6 +17,7 @@
 
 import io.kroxylicious.proxy.authentication.Principal;
 import io.kroxylicious.proxy.authentication.Subject;
+import io.kroxylicious.proxy.authentication.User;
 import io.kroxylicious.proxy.filter.FilterContext;
 import io.kroxylicious.proxy.filter.RequestFilter;
 import io.kroxylicious.proxy.filter.RequestFilterResult;
@@ -42,7 +43,8 @@ public CompletionStage<RequestFilterResult> onRequest(ApiKeys apiKey, short apiV
         if (!finished && apiKey == config.api()) {
             if (config.exceptionClassName() == null) {
                 if (config.principalType() == null) {
-                    context.clientSaslAuthenticationSuccess(Objects.requireNonNull(config.mechanism()), Objects.requireNonNull(config.authorizedId()));
+                    context.clientSaslAuthenticationSuccess(Objects.requireNonNull(config.mechanism()),
+                            new Subject(new User(Objects.requireNonNull(config.authorizedId()))));
                 }
                 else {
                     try {
diff --git a/kroxylicious-microbenchmarks/src/main/java/io/kroxylicious/microbenchmarks/InvokerDispatchBenchmark.java b/kroxylicious-microbenchmarks/src/main/java/io/kroxylicious/microbenchmarks/InvokerDispatchBenchmark.java
@@ -195,11 +195,6 @@ public Optional<ClientTlsContext> clientTlsContext() {
             return Optional.empty();
         }
 
-        @Override
-        public void clientSaslAuthenticationSuccess(String mechanism, String authorizedId) {
-
-        }
-
         @Override
         public void clientSaslAuthenticationSuccess(String mechanism, Subject subject) {
 
diff --git a/kroxylicious-runtime/src/main/java/io/kroxylicious/proxy/internal/FilterHandler.java b/kroxylicious-runtime/src/main/java/io/kroxylicious/proxy/internal/FilterHandler.java
diff --git a/kroxylicious-runtime/src/test/java/io/kroxylicious/proxy/internal/FilterHandlerTest.java b/kroxylicious-runtime/src/test/java/io/kroxylicious/proxy/internal/FilterHandlerTest.java

Original file line number	Diff line number	Diff line change
`@@ -117,7 +117,7 @@ public String authorizationId() throws SaslException {`
`117`	`117`	`/**`
`118`	`118`	`* The server's OAuthBearerSaslServer will accept an expired token as authenticated successfully but with a`
`119`	`119`	`* zero {@link SaslAuthenticateResponseData#sessionLifetimeMs()} sent the client. In this circumstance we want to`
`120`		`- * avoid announcing {@link io.kroxylicious.proxy.filter.FilterContext#clientSaslAuthenticationSuccess(String, String)}`
	`120`	`+ * avoid announcing {@link io.kroxylicious.proxy.filter.FilterContext#clientSaslAuthenticationSuccess(String, io.kroxylicious.proxy.authentication.Subject)}`
`121`	`121`	`* and flag a {@link io.kroxylicious.proxy.filter.FilterContext#clientSaslAuthenticationFailure(String, String, Exception)}`
`122`	`122`	`* instead.`
`123`	`123`	`*`