Since the ClientLoginModule is the only supported mechanism for a client to establish the current thread's caller, both standalone client applications and server environments acting as JBoss EJB clients, where the security environment has not been configured to use JBossSX transparently, need to use the ClientLoginModule.
Is a username/password pair enough to cover all the authentication mechanisms? (In some cases, it is not obvious how to use a username and password.)
E.g., in Jabber's JEP-0078 (about Jabber authentication), the working procedure is:
(1) The client asks the server for a sessionID (String).
(2) The client hashes the String (UserID+SessionID) with its own password and sends this hash to the server.
(3) The server then verifies whether the user is a good citizen.
In this case, how do I use the ClientLoginModule to pass the username and password to the server and use DatabaseServerLoginModule to authenticate it?
You need to create your own implementation of client- and server-side login modules that support a two-way handshake negotiation between the server and client.
See SRP for an example of one such implementation.
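The three-step exchange in the question, modelled as an added example (this is not code from the JBoss project, the SRP modules, or the original poster, and it is not the exact JEP-0078 digest). HMAC-SHA-256 stands in for "hash with the password", and the names HandshakeServer, compute_response and client_login are hypothetical. The model shows what the two custom login modules from the answer have to carry between them: a server-issued single-use session ID going one way and a keyed hash coming back, with the password itself never crossing the wire. It also shows why the server side needs the password (or a verifier built for this exchange) rather than the one-way hash a DatabaseServerLoginModule would compare against, and how a consumed session ID defeats replay of a captured response.

```python
import hashlib
import hmac
import secrets

# Constructed model of the handshake from the question:
#   (1) client asks for a session ID,
#   (2) client keys a hash of UserID+SessionID with its password,
#   (3) server verifies.
# Hypothetical code, not JBoss's ClientLoginModule/DatabaseServerLoginModule
# and not the real JEP-0078 digest; HMAC-SHA-256 plays the role of
# "hash with the password".


def compute_response(user_id, session_id, secret):
    """Step (2): the client's proof, an HMAC over UserID+SessionID keyed with the password."""
    msg = (user_id + session_id).encode("utf-8")
    return hmac.new(secret.encode("utf-8"), msg, hashlib.sha256).hexdigest()


class HandshakeServer:
    """Server side of the exchange.

    It must hold the same secret the client keys with; a table of one-way
    password hashes cannot recompute the client's response, so a plain
    DatabaseServerLoginModule lookup is not enough for this protocol.
    """

    def __init__(self, credentials):
        self._credentials = dict(credentials)   # user_id -> secret (constructed data)
        self._pending = set()                   # issued, not yet consumed session IDs

    def start_session(self):
        """Step (1): issue an unpredictable, single-use session ID."""
        session_id = secrets.token_hex(16)
        self._pending.add(session_id)
        return session_id

    def verify(self, user_id, session_id, response):
        """Step (3): consume the session ID, then check the proof in constant time."""
        if session_id not in self._pending:
            return False            # never issued, or already used (replay)
        self._pending.discard(session_id)
        secret = self._credentials.get(user_id)
        # Compute against a dummy key for unknown users so the timing does not
        # reveal whether the account exists.
        expected = compute_response(user_id, session_id, secret or "")
        return hmac.compare_digest(expected, response) and secret is not None


def client_login(server, user_id, secret):
    """The whole exchange from the client's side; only the keyed hash is sent."""
    session_id = server.start_session()
    response = compute_response(user_id, session_id, secret)
    return server.verify(user_id, session_id, response)


def demo():
    """Run the exchange against constructed credentials, including the failure modes."""
    server = HandshakeServer({"alice": "correct horse battery"})
    results = {
        "good": client_login(server, "alice", "correct horse battery"),
        "bad_password": client_login(server, "alice", "wrong"),
        "unknown_user": client_login(server, "bob", "anything"),
    }
    # Replay: an eavesdropper records a valid (session_id, response) pair.
    sid = server.start_session()
    resp = compute_response("alice", sid, "correct horse battery")
    results["first_use"] = server.verify("alice", sid, resp)
    results["replay"] = server.verify("alice", sid, resp)
    # A session ID the server never issued is rejected outright.
    results["unissued_session"] = server.verify("alice", "deadbeef", resp)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

In a JAAS implementation the two messages would travel through custom Callback objects between the client-side module (which holds the password and computes the response) and the server-side module (which issues the session ID and verifies); the shipped SRP modules are the worked example of that pattern, and SRP additionally avoids storing the plaintext password on the server by using a verifier.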