SEC-2571: Improve wording of UsernamePasswordAuthenticationToken#setAuthenticated() error

core/src/main/java/org/springframework/security/authentication/UsernamePasswordAuthenticationToken.java

@@ -85,7 +85,7 @@ public class UsernamePasswordAuthenticationToken extends AbstractAuthenticationT
     public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
         if (isAuthenticated) {
             throw new IllegalArgumentException(
-                "Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
+                "Once created you cannot set this token to authenticated. Create a new instance using the constructor which takes a GrantedAuthority list will mark this as authenticated.");
         }
 
         super.setAuthenticated(false);

core/src/test/java/org/springframework/security/authentication/UsernamePasswordAuthenticationTokenTests.java

@@ -15,6 +15,7 @@
 
 package org.springframework.security.authentication;
 
+import static org.fest.assertions.Assertions.assertThat;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
@@ -58,6 +59,8 @@ public class UsernamePasswordAuthenticationTokenTests {
             token.setAuthenticated(true);
             fail("Should have prohibited setAuthenticated(true)");
         } catch (IllegalArgumentException expected) {
+            // SEC-2540
+            assertThat(expected).hasMessage("Once created you cannot set this token to authenticated. Create a new instance using the constructor which takes a GrantedAuthority list will mark this as authenticated.");
         }
     }