i am not convinced that this change according to the specification which states:
> 4.2.2 Guest Credentials
> GuestCredentials is used to acquire an anonymous session.
> 4.2.4 External Authentication
> By providing a signature of Repository.login that does not require
> Credentials, the content repository allows for authorization and authentication
> to be handled by JAAS (or another external mechanism) if the implementer so
> To use such an external mechanism to create sessions with end-user identity,
> invocations of the Repository.login method that do not specify Credentials
> (i.e., either a null Credentials is passed or a signature without the
> Credentials parameter is used) should obtain the identity of the already-
> authenticated user through that external mechanism.
IMO having null credentials mapped to anonymous login is not correct. we
use to have that in jackrabbit-core for backwards compatibility but i would
rather not add this to the SPI.