password-stacking: if true, the login identity will be taken from the javax.security.auth.login.name value of the sharedState map, and the proof of identity from the javax.security.auth.login.password value sharedState map. If these are null then login should proceed as normal and the user and credentials acquired by the login module.
Thanks for all your help. What 'shares' the username and password? How do the values get in the sharedStateMap?