I am trying to understand how login module flags work in JAAS (using JBoss 5.1 EAP), and I came across a mysterious situation which I hope someone can clarify for me.
For the background, my login-config.xml looks like this:
<authentication-policy>
  <authentication>
    <login-module code="...loginModule1" flag="sufficient">
      ...
    </login-module>
    <login-module code="...loginModule2" flag="optional">
      ...
    </login-module>
    <login-module code="...loginModule3" flag="optional">
      ...
    </login-module>
  </authentication>
</authentication-policy>
In this case, loginModule1 is autonomous, but loginModule2 is dependent on loginModule3. The problem is that if loginModule1 fails, and loginModule2 and loginModule3 both succeed, I still get a bad login. If I change loginModule1 to be optional, then when loginModule1 fails and 2 and 3 succeed, I get a successful login.
From the JBoss security documentation (http://docs.jboss.org/jbossas/admindevel326/html/ch8.chapter.html):
sufficient: the LoginModule is not required to succeed. If it does succeed,
control immediately returns to the application (authentication does not proceed
down the LoginModule list). If it fails, authentication continues down the
LoginModule list.
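To make the flag semantics concrete, here is an added example (not from the question, not JBoss or JDK source) that models the login-phase decision rules of the JDK reference LoginContext for the four control flags. It treats each module's login() as doing one of three things: returning true ("success"), returning false (the module declines and is "ignored"), or throwing a LoginException ("fail"). Module names, the constructed scenarios and the helper names are assumptions for illustration. Under these rules a sufficient module that fails is simply skipped and two succeeding optional modules are enough, so the model reproduces the JAAS-documented expectation rather than the failed login the question reports on JBoss 5.1 EAP; comparing the two is a quick way to see whether a container is following the standard rules.

```python
"""Model of JAAS control-flag evaluation for the login() phase.

Constructed example following the JDK LoginContext rules; this is not
JBoss or JDK code. A module is (name, flag, outcome) where outcome is
what its login() method does:
  "success" -> returns true
  "ignore"  -> returns false (module declines to participate)
  "fail"    -> throws LoginException
"""
from typing import List, Optional, Tuple

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"

Module = Tuple[str, str, str]


def evaluate_login_phase(modules: List[Module]) -> Tuple[bool, List[str]]:
    """Return (authenticated, names_of_modules_actually_invoked).

    Rules modelled:
      * SUFFICIENT + success ends the phase with success, unless an earlier
        REQUIRED/REQUISITE module already failed (then the stack continues);
      * REQUISITE + fail ends the phase immediately with failure;
      * REQUIRED + fail is remembered and makes the overall result a failure;
      * OPTIONAL/SUFFICIENT + fail only matters if no module succeeded;
      * if every module was ignored, the login fails ("all modules ignored").
    """
    invoked: List[str] = []
    first_required_error: Optional[str] = None
    first_error: Optional[str] = None
    success = False

    for name, flag, outcome in modules:
        invoked.append(name)
        if outcome == "success":
            if flag == SUFFICIENT and first_required_error is None:
                return True, invoked          # short-circuit: no need to continue
            success = True
        elif outcome == "fail":
            if flag == REQUISITE:
                return False, invoked         # hard stop
            if flag == REQUIRED:
                first_required_error = first_required_error or name
            else:
                first_error = first_error or name
        elif outcome != "ignore":
            raise ValueError(f"unknown outcome {outcome!r} for module {name}")

    if first_required_error is not None:
        return False, invoked                 # a required module failed
    if not success:
        return False, invoked                 # optional/sufficient failure, or all ignored
    return True, invoked


# Constructed scenarios mirroring the question: module 1 fails, 2 and 3 succeed.
SUFFICIENT_FIRST: List[Module] = [
    ("loginModule1", SUFFICIENT, "fail"),
    ("loginModule2", OPTIONAL, "success"),
    ("loginModule3", OPTIONAL, "success"),
]
OPTIONAL_FIRST: List[Module] = [
    ("loginModule1", OPTIONAL, "fail"),
    ("loginModule2", OPTIONAL, "success"),
    ("loginModule3", OPTIONAL, "success"),
]


def describe(label: str, modules: List[Module]) -> str:
    """Human-readable summary of one scenario, for running the file directly."""
    ok, invoked = evaluate_login_phase(modules)
    return f"{label}: {'SUCCESS' if ok else 'FAILURE'} after {invoked}"


if __name__ == "__main__":
    print(describe("sufficient/optional/optional", SUFFICIENT_FIRST))
    print(describe("optional/optional/optional", OPTIONAL_FIRST))
    print(describe("requisite fails first", [("a", REQUISITE, "fail"), ("b", OPTIONAL, "success")]))
    print(describe("all ignored", [("a", OPTIONAL, "ignore"), ("b", OPTIONAL, "ignore")]))
```

Note the distinction between a module that returns false and one that throws: under the JDK rules only the exception counts as a failure, so a required module that merely returns false does not by itself block the login, while a stack in which every module returns false is rejected outright. Both are worth checking when a login stack behaves unexpectedly.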