securityContext.authenticate always returns SUCCESS when I used a custom form in JSF 2.3

[glassfishrobot]

Currently I am experiencing the security with custom form by JSF 2.3, I just updated the sample from soteria test app-mem-customform.

My sample is here:

https://github.com/hantsy/ee8-sandbox/tree/master/security-form-custom

I have upgraded the original jsf config to 2.3, and in the following code, status is always SUCCESS, even I used wrong user/password pair.

        AuthenticationStatus status = securityContext.authenticate(
                getRequest(context),
                getResponse(context),
                withParams()
                        .credential(credential));

        LOG.info("authentication result:" + status);

     if (status.equals(SEND_CONTINUE)) {
            // Authentication mechanism has send a redirect, should not
            // send anything to response from JSF now.
            context.responseComplete();
        } else if (status.equals(SEND_FAILURE)) {
            addError(context, "Authentication failed");
        }