I have an application where the users are identified via an Active Directory server.

For that, I'm using three stacked LdapExtLoginModule (one for each company of the group I'm working for), and the user is correctly authentified with an AD group returned as expected.

Then, in order to map the AD group to an application role, I'm using a RoleMappingLoginModule with a rolesProperties file.

But I have a special role that I would like to assign to only a few authenticated users - a kind of "admin" role - that would be listed in a properties file with entries like "specialRole=userA,userB".

Is there a login module I can use for that?

In a perfect world, I would have:

1/ The AD login modules for authentication, with "password-stacking" option set to "useFirstPass" in order to stop the authentification as soon as one of them recognized the user.

2/ The role mapping modules, ie one module assigning a special role to some users, and another one changing AD groups to application roles if the first module didn't recognized the user (ie it was not an "admin" user).

What is the best way to achieve that scenario?