From: Norrie Q. <nor...@tu...> - 2003-04-22 16:21:10
We want to authenticate users who exist in either an LDAP directory *or* a database. My understanding of JAAS is that this can be achieved by chaining two LoginModules, both flagged as 'sufficient'. On login(), each LoginModule can either:

- return true when authentication is successful
- throw a LoginException when authentication fails (e.g. subject was known but credentials were invalid)
- or return false if nothing is known about the subject, allowing the next LoginModule in the chain to try the authentication (i.e. ignore this LoginModule).

The problem is that the existing JBoss classes (LDAPLoginModule, DatabaseServerLoginModule, UsernamePasswordLoginModule, ...) are not designed to return false when nothing is known about a subject. They all throw when they fail to find a subject/user, preventing the chaining described above.

Is there a specific reason why the existing JBoss LoginModules are designed this way, or is there a better way to achieve this type of multiple source authentication?

Norrie
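As an added example (not from the post above and not JBoss code), here is a LoginModule written against the standard javax.security.auth.spi API that implements the three login() outcomes the post describes: return false when the user is unknown to this source, throw FailedLoginException when the user is known but the credentials are wrong, and return true on success. The in-memory user store, the "store" option, the SimplePrincipal class and the "multi-source" configuration name in the trailing comment are all assumptions made for the example.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Hypothetical LoginModule (example code, not JBoss's) that distinguishes
 * "unknown here" from "known but wrong password":
 *   unknown user    -> login() returns false (LoginContext ignores this module)
 *   bad credentials -> login() throws FailedLoginException
 *   success         -> login() returns true, commit() adds a Principal
 * The user store is a constructed in-memory map standing in for LDAP or a DB.
 */
public class IgnoreUnknownLoginModule implements LoginModule {

    private Subject subject;
    private CallbackHandler handler;
    private Map<String, char[]> userStore;   // constructed sample store (assumption)
    private boolean succeeded;
    private String principalName;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        // The "store" option is an assumption for this example; a real module
        // would take an LDAP URL or a DataSource JNDI name instead.
        @SuppressWarnings("unchecked")
        Map<String, char[]> store = (Map<String, char[]>) options.get("store");
        this.userStore = store;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failure: " + e.getMessage());
        }
        String name = nameCb.getName();
        char[] password = passCb.getPassword();
        passCb.clearPassword();
        try {
            char[] expected = userStore.get(name);
            if (expected == null) {
                // Nothing known about this subject in this source: ask the
                // LoginContext to ignore this module so the next one can try.
                return false;
            }
            if (!Arrays.equals(expected, password)) {
                // Subject is known here but the credentials are wrong.
                throw new FailedLoginException("invalid credentials");
            }
            principalName = name;
            succeeded = true;
            return true;
        } finally {
            if (password != null) Arrays.fill(password, '\0');   // scrub the copy
        }
    }

    @Override
    public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new SimplePrincipal(principalName));
        return true;
    }

    @Override
    public boolean abort() { succeeded = false; principalName = null; return true; }

    @Override
    public boolean logout() { subject.getPrincipals().clear(); return true; }

    /** Minimal Principal used by this example. */
    static final class SimplePrincipal implements java.security.Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
}

/* Illustrative JAAS configuration for the chain the post asks about (names are
 * placeholders): two instances of a module with this contract, both 'sufficient',
 * one backed by the directory and one by the database.
 *
 * multi-source {
 *   com.example.IgnoreUnknownLoginModule sufficient source="ldap";
 *   com.example.IgnoreUnknownLoginModule sufficient source="db";
 * };
 */
```

Because login() only returns false when the user is absent from this source, a wrong password for a user who does exist still surfaces as a FailedLoginException and is recorded by the LoginContext; when reporting the final outcome to the caller, keep the message generic so it does not reveal which source knew the user.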