which, for example, would return 'false' for PLAIN if the connection is not secured. But make that behavior configurable (via static SASL mechanism interface or via ConnectionConfiguration?).
Also add an explaination if authentication fails to the SmackSaslException that some mechanisms where not applicable for the connection at a given time. This probably means that isApplicableFor may returns a String explaining the reason why the mechanism is not applicable.