The FormBasedCredentialsProvider class should accept the login and failed login URLs : these should obviously not be authenticated.
In the same way, this CredentialsProvider should be made more flexible by adding the possibility to configure it with an URL prefix or a set of URL prefixes which should be accepted without authentication. This way, features as "subscribe form" and "lost password form" could be easily implemented.