By JAAS's design there is only one CallbackHandler per LoginContext, so it's better to write a CallbackHandler that can handle both Callbacks here.
I wrote a small test case to test the RI's behavior. It also implements B.

-Jack

On Sun, Aug 2, 2009 at 7:31 AM, David Jencks <[email protected]> wrote:
> I found another aspect of LoginModules to get confused about, see
> https://issues.apache.org/jira/browse/GERONIMO-4781.
>
> What should a login module login method do if the callback handler doesn't
> recognize its callbacks and throws an UnsupportedCallbackException?
>
> A. return false, on the grounds that not enough info was obtained to
> successfully authenticate, so the result of this login module should be
> ignored for determining if login was successful. Since we didn't get enough
> information to try to authenticate, we can't claim authentication failed.
>
> B. throw a LoginException, because authentication failed.
>
> Currently we implement B.
>
> This is currently a possible issue because (see
> https://issues.apache.org/jira/browse/GERONIMO-4779) client cert auth in
> jetty uses name and password callbacks but in tomcat it uses a ClientCert
> callback. To construct a security realm that would work with either one you
> can use a CertificateChainLoginModule (for tomcat) and a
> PropertiesFileNoPasswordLoginModule (for jetty). With policy A you could
> use any flag but with policy B you could not use REQUIRED or REQUISITE.
>
> I'm confused. Thoughts?
>
> thanks
> david jencks
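The two policies David describes, run against a realm with both modules REQUIRED, as an added example that is not part of this thread or of Geronimo's code. It is a self-contained JAAS program: `CertificateChainCallback` is a hypothetical stand-in for a container's client-certificate callback (not a Tomcat or Jetty class), `CertModule` and `PasswordModule` are illustrative modules rather than Geronimo's CertificateChainLoginModule and PropertiesFileNoPasswordLoginModule, the `policy` module option is invented for the demo, and the `alice`/`secret` credential and the name-and-password-only handler are constructed to mimic the Jetty situation in the thread.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasPolicyDemo {
    /** Hypothetical stand-in for a container's client-certificate callback (not a real Tomcat/Jetty class). */
    public static class CertificateChainCallback implements Callback {
        public java.security.cert.X509Certificate[] chain;
    }
    /** Shared login() logic; the invented "policy" option picks A (return false) or B (throw) on UnsupportedCallbackException. */
    public abstract static class PolicyLoginModule implements LoginModule {
        protected CallbackHandler handler;
        protected boolean policyA, succeeded;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.handler = handler;
            this.policyA = "A".equals(options.get("policy"));
        }
        protected abstract Callback[] callbacks();
        protected abstract boolean authenticate(Callback[] cbs);

        public boolean login() throws LoginException {
            Callback[] cbs = callbacks();
            try {
                handler.handle(cbs);
            } catch (UnsupportedCallbackException e) {
                if (policyA) return false;        // A: nothing gathered, so LoginContext ignores this module
                throw new LoginException("unsupported callback: " + e.getCallback()); // B: counts as a failure
            } catch (IOException e) {
                throw new LoginException(e.getMessage());
            }
            succeeded = authenticate(cbs);
            if (!succeeded) throw new FailedLoginException("bad credentials"); // a real failure under either policy
            return true;
        }
        public boolean commit() { return succeeded; }
        public boolean abort()  { succeeded = false; return true; }
        public boolean logout() { succeeded = false; return true; }
    }
    /** Tomcat-style module: authenticates only from a certificate chain. */
    public static class CertModule extends PolicyLoginModule {
        protected Callback[] callbacks() { return new Callback[] { new CertificateChainCallback() }; }
        protected boolean authenticate(Callback[] cbs) { return ((CertificateChainCallback) cbs[0]).chain != null; }
    }
    /** Jetty-style module: authenticates from name and password (constructed credential for the demo). */
    public static class PasswordModule extends PolicyLoginModule {
        protected Callback[] callbacks() {
            return new Callback[] { new NameCallback("user: "), new PasswordCallback("password: ", false) };
        }
        protected boolean authenticate(Callback[] cbs) {
            String name = ((NameCallback) cbs[0]).getName();
            char[] pw = ((PasswordCallback) cbs[1]).getPassword();
            return "alice".equals(name) && pw != null && "secret".equals(new String(pw));
        }
    }
    /** A handler that only knows name/password, like the Jetty client-cert path described in the thread. */
    public static class NamePasswordHandler implements CallbackHandler {
        public void handle(Callback[] cbs) throws UnsupportedCallbackException {
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("secret".toCharArray());
                else throw new UnsupportedCallbackException(cb, "not supported by this container");
            }
        }
    }
    /** Both modules REQUIRED, the combination David says policy B rules out. */
    static Configuration config(final String policy) {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("policy", policy);
                AppConfigurationEntry.LoginModuleControlFlag required = AppConfigurationEntry.LoginModuleControlFlag.REQUIRED;
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(CertModule.class.getName(), required, opts),
                    new AppConfigurationEntry(PasswordModule.class.getName(), required, opts) };
            }
        };
    }

    public static void main(String[] args) {
        for (String policy : new String[] { "A", "B" }) {
            try {
                new LoginContext("demo", new Subject(), new NamePasswordHandler(), config(policy)).login();
                System.out.println("policy " + policy + ": login succeeded");
            } catch (LoginException e) {
                System.out.println("policy " + policy + ": login failed: " + e.getMessage());
            }
        }
    }
}
```

Compile and run it with `javac JaasPolicyDemo.java && java JaasPolicyDemo`. The behaviour follows the LoginContext flag rules: a REQUIRED module that returns false is simply left out of the tally, so under policy A the password module alone carries the login; under policy B the certificate module's LoginException is recorded as the first REQUIRED error and rethrown after the rest of the stack has run, so the same realm fails even though the password module succeeded. The caveat worth keeping in mind with policy A is that a module whose callback the container cannot satisfy drops out silently, so what actually authenticated the user depends on which modules remain; if every module drops out LoginContext fails with "all modules ignored", but a realm mixing REQUIRED with SUFFICIENT or OPTIONAL entries should be checked to confirm that the module you rely on is one the container's CallbackHandler can really serve.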
