[ http://issues.apache.org/jira/browse/GERONIMO-2294?page=comments#action_12426379 ]

Aaron Mulder commented on GERONIMO-2294:
----------------------------------------

Actually, a successful login attempt goes through -- only failed login attempts 
skip the subsequent login modules.  Still, that violates the JAAS control flags 
on the login modules.

Also, note that the sequence is:
 - gather callbacks on one
 - invoke one
 - if unsuccessful, quit
 - gather callbacks on two
 - invoke two

I thought this defeated the purpose of gathering callbacks, which was to gather 
the callbacks for all login modules at once and "prompt the user" for all 
necessary callbacks across all login modules at the same time.

> In security realm with multiple login modules, anything after the first is 
> ignored
> ----------------------------------------------------------------------------------
>
>                 Key: GERONIMO-2294
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2294
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 1.1
>            Reporter: Aaron Mulder
>            Priority: Blocker
>             Fix For: 1.1.1
>
>         Attachments: security-test-webapp.war, test-realm.xml
>
>
> If you deploy the attached plan to create a security realm the same as the 
> default except with a second login module, and put breakpoints in the login() 
> method of both login modules, the first login module is called twice as 
> expected (once to gather callbacks and again for real) but the second login 
> module is never called at all!
> The attached web app uses this realm, just deploy it and point to 
> http://localhost:8080/security/index.html to get the login, and put 
> breakpoints in 
> org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule and 
> org.apache.geronimo.security.realm.providers.RepeatedFailureLockoutLoginModule

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
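
Added example (not part of the JIRA message and not Geronimo code): the standard javax.security.auth.login.LoginContext, run against two constructed login modules, shows what the JAAS control flags referred to above require. With REQUIRED on a failing first module the second module is still invoked, while stopping after the first failure is what REQUISITE specifies. The class and module names below are hypothetical.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class JaasFlagDemo {
    // Records which modules had login() invoked, in order.
    static final List<String> INVOKED = new ArrayList<>();
    // Hypothetical first module: always rejects the credentials.
    public static class FailingModule implements LoginModule {
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {}
        public boolean login() throws LoginException {
            INVOKED.add("one");
            throw new FailedLoginException("bad credentials (constructed failure)");
        }
        public boolean commit() { return false; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    // Hypothetical second module, standing in for one that tracks failed attempts.
    public static class SecondModule extends FailingModule {
        @Override public boolean login() { INVOKED.add("two"); return true; }
    }

    // Runs one login with the given flag on the first module; the second is always REQUIRED.
    static List<String> run(LoginModuleControlFlag firstFlag) {
        INVOKED.clear();
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(FailingModule.class.getName(), firstFlag, new HashMap<String, Object>()),
                    new AppConfigurationEntry(SecondModule.class.getName(), LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>())
                };
            }
        };
        try {
            // Subject and CallbackHandler may be null; LoginContext creates a Subject itself.
            new LoginContext("demo", null, null, cfg).login();
        } catch (LoginException expected) {
            // Overall authentication fails in both cases; only the set of invoked modules differs.
        }
        return new ArrayList<>(INVOKED);
    }

    public static void main(String[] args) {
        System.out.println("REQUIRED: " + run(LoginModuleControlFlag.REQUIRED) + "  REQUISITE: " + run(LoginModuleControlFlag.REQUISITE));
    }
}
```

Comparing the two lists returned by run() makes a realm that skips later modules on failure easy to spot in a test: a REQUIRED first module must leave both "one" and "two" in the list.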
