For each session authorization, the server creates a new and separate, empty handler. Factory which creates handler instance allows to inject different objects to the handler, depending on interfaces implemented by the handler class:
AuthRepositoryAware
- injectsAuthRepository;
DomainAware
- injects domain name within which the user attempts to authenticateNonAuthUserRepositoryAware
- injectsNonAuthUserRepository
, although I have no idea what for…