I found another aspect of LoginModules to get confused about, see https://issues.apache.org/jira/browse/GERONIMO-4781
..
What should a login module login method do if the callback handler
doesn't recognize its callbacks and throws an
UnsupportedCallbackException?
A. return false, on the grounds that not enough info was obtained to
successfully authenticate, so the result of this login module should
be ignored for determining if login was successful. Since we didn't
get enough information to try to authenticate, we can't claim
authentication failed.
B. throw a LoginException, because authentication failed.
Currently we implement B.
This is currently a possible issue because (see https://issues.apache.org/jira/browse/GERINOMO-4779)
client cert auth in Jetty uses name and password callbacks, but in
Tomcat it uses a ClientCert callback. To construct a security realm
that would work with either one, you can use a
CertificateChainLoginModule (for Tomcat) and a
PropertiesFileNoPasswordLoginModule (for Jetty). With policy A you
could use any flag, but with policy B you could not use REQUIRED or
REQUISITE.
I'm confused. Thoughts?
thanks
david jencks
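The following is an added example illustrating the two policies the post compares; it is not Geronimo code and not the CertificateChainLoginModule or PropertiesFileNoPasswordLoginModule the post mentions. It stacks two hypothetical JAAS login modules, both flagged REQUIRED, behind a callback handler that (like the Jetty behaviour described above) only answers NameCallback and PasswordCallback and throws UnsupportedCallbackException for anything else. The CertificateChainCallback class, the module classes, the "policy" option and the alice/secret credentials are all constructed for the demo. Under policy A the certificate module returns false and is ignored, so the name/password module alone decides the outcome; under policy B the same module throws, and because it is REQUIRED the whole login fails even though the second module succeeded.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class CallbackPolicyDemo {

    /** Constructed stand-in for a container's client-certificate callback (not a real JAAS class). */
    public static class CertificateChainCallback implements Callback {
        Object[] chain; // a real callback would carry X509Certificate[]
    }

    /** Jetty-style handler: knows only name and password, rejects every other callback. */
    public static class NamePasswordHandler implements CallbackHandler {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");            // constructed
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("secret".toCharArray());
                else throw new UnsupportedCallbackException(cb, cb.getClass().getSimpleName() + " not supported");
            }
        }
    }

    /** Shared base: requests its callbacks, then applies policy A or B if the handler rejects them. */
    public abstract static class PolicyLoginModule implements LoginModule {
        protected CallbackHandler handler;
        private String policy;      // hypothetical option: "A" (ignore module) or "B" (fail)
        private boolean succeeded;

        public void initialize(Subject subject, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
            handler = h;
            policy = String.valueOf(options.get("policy"));
        }

        /** Obtain credentials via the handler and verify them; true only on a positive match. */
        protected abstract boolean authenticate() throws IOException, UnsupportedCallbackException;

        public boolean login() throws LoginException {
            try {
                succeeded = authenticate();
                if (!succeeded) throw new LoginException("authentication failed");  // real failure
                return true;
            } catch (UnsupportedCallbackException e) {
                if ("A".equals(policy)) return false;   // policy A: nothing to judge, ignore this module
                throw new LoginException("policy B: " + e.getMessage()); // policy B: treat as failure
            } catch (IOException e) {
                throw new LoginException(e.getMessage());
            }
        }
        public boolean commit() { return succeeded; }
        public boolean abort() { succeeded = false; return true; }
        public boolean logout() { succeeded = false; return true; }
    }

    /** Needs the (hypothetical) certificate callback, which the Jetty-style handler cannot satisfy. */
    public static class CertChainModule extends PolicyLoginModule {
        protected boolean authenticate() throws IOException, UnsupportedCallbackException {
            CertificateChainCallback cc = new CertificateChainCallback();
            handler.handle(new Callback[] { cc });
            return cc.chain != null && cc.chain.length > 0;
        }
    }

    /** Needs name and password, which the handler does provide. */
    public static class NameAndPasswordModule extends PolicyLoginModule {
        protected boolean authenticate() throws IOException, UnsupportedCallbackException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            handler.handle(new Callback[] { nc, pc });
            char[] pw = pc.getPassword();
            return "alice".equals(nc.getName()) && pw != null && "secret".equals(new String(pw));
        }
    }

    /** Programmatic JAAS configuration: both modules REQUIRED, both using the given policy. */
    static Configuration stack(final String policy) {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("policy", policy);
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(CertChainModule.class.getName(), LoginModuleControlFlag.REQUIRED, opts),
                    new AppConfigurationEntry(NameAndPasswordModule.class.getName(), LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        };
    }

    public static void main(String[] args) {
        for (String policy : new String[] { "A", "B" }) {
            try {
                LoginContext lc = new LoginContext("demo", new Subject(), new NamePasswordHandler(), stack(policy));
                lc.login();
                System.out.println("policy " + policy + ": login succeeded");
            } catch (LoginException e) {
                System.out.println("policy " + policy + ": login failed (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run it with `java CallbackPolicyDemo`: the first line reports success for policy A and the second reports failure for policy B. The difference comes entirely from LoginContext's handling of a REQUIRED module: a `false` return leaves the module out of the decision, whereas a LoginException from a REQUIRED or REQUISITE module is recorded and rethrown after the stack completes, which is why only OPTIONAL or SUFFICIENT would let the Jetty-facing realm work under policy B.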