I'm trying to work out how the Login module flags work in JAAS (using JBoss 5.1 EAP) and I've come across a puzzling situation that I'm hoping someone can clarify for me.
For background, my login-config.xml looks like this:
<authentication-policy>
  <authentication>
    <login-module code="...loginModule1" flag="sufficient">
      ...
    </login-module>
    <login-module code="...loginModule2" flag="optional">
      ...
    </login-module>
    <login-module code="...loginModule3" flag="optional">
      ...
    </login-module>
  </authentication>
</authentication-policy>
In this case, loginModule1 is standalone, but loginModule2 depends on loginModule3. The problem I've got is that if loginModule1 fails and loginModule2 and loginModule3 both succeed I still get a failed login. If I change loginModule1 to be optional then when loginModule1 fails and 2 and 3 succeed I get a successful login.
From the JBoss security documentation (http://docs.jboss.org/jbossas/admindevel326/html/ch8.chapter.html):
sufficient: the LoginModule is not required to succeed. If it does succeed,
control immediately returns to the application (authentication does not proceed
down the LoginModule list). If it fails, authentication continues down the
LoginModule list.
I would have thought, based on this, that when a LoginModule with a sufficient flag fails but a following LoginModule passes, I would get a successful login. Anyone know why this isn't the case?
You should check out the Java documentation on the javax.security.auth.login.Configuration class; it has all the information on what sufficient, required, requisite, and optional mean. What is pertinent to your question is this paragraph:
The overall authentication succeeds only if all Required and Requisite LoginModules succeed. If a Sufficient LoginModule is configured and succeeds, then only the Required and Requisite LoginModules prior to that Sufficient LoginModule need to have succeeded for the overall authentication to succeed. If no Required or Requisite LoginModules are configured for an application, then at least one Sufficient or Optional LoginModule must succeed.
This is what should happen, so it seems like your setup is correct, but something is not returning correctly so everything is failing. Maybe JBoss does something a little bit differently.
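A small model of the stacking rules quoted in the answer, applied to the question's configuration. This is an added example, not code from the question, the answer or JBoss: it does not call JAAS, the module names are the ones from the question, and which modules succeed or fail is constructed to match the scenarios described.

```python
# Model of the JAAS LoginContext stacking rules (the Configuration Javadoc
# paragraph quoted above). Constructed example; it does not invoke JAAS.
from typing import List, Tuple

# A stack entry: (module name, flag, whether its login() succeeds)
Entry = Tuple[str, str, bool]

def evaluate(stack: List[Entry]) -> Tuple[bool, List[str]]:
    """Return (overall_success, names of the modules actually invoked)."""
    invoked: List[str] = []
    required_failed = False
    any_success = False
    has_required = any(f in ("required", "requisite") for _, f, _ in stack)
    for name, flag, ok in stack:
        invoked.append(name)
        if ok:
            any_success = True
            if flag == "sufficient" and not required_failed:
                break  # control returns immediately; later modules never run
            continue
        if flag == "requisite":
            return False, invoked  # fail fast, nothing further is consulted
        if flag == "required":
            required_failed = True  # remembered, but the list is still walked
        # a failed optional or sufficient module just continues down the list
    if required_failed:
        return False, invoked
    if not has_required:
        return any_success, invoked  # at least one sufficient/optional must pass
    return True, invoked

# The question's configuration with module1 failing and modules 2 and 3 passing.
QUESTION_STACK: List[Entry] = [
    ("loginModule1", "sufficient", False),
    ("loginModule2", "optional", True),
    ("loginModule3", "optional", True),
]

def question_outcome() -> bool:
    return evaluate(QUESTION_STACK)[0]  # the rules say this login should succeed

def all_optional_outcome() -> bool:
    return evaluate([("loginModule1", "optional", False)] + QUESTION_STACK[1:])[0]

def required_outcome() -> bool:
    return evaluate([("loginModule1", "required", False)] + QUESTION_STACK[1:])[0]

def sufficient_short_circuit() -> List[str]:
    # When the sufficient module succeeds, modules 2 and 3 are never invoked,
    # which matters if either of them is relied on for role mapping or auditing.
    return evaluate([("loginModule1", "sufficient", True)] + QUESTION_STACK[1:])[1]
```

Under these rules the question's stack yields a successful login, so a failure there points at how the container or a module reports its result rather than at the flags themselves.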