After further investigation of the AbstractServerLoginModule
class, the javadoc documentation for the class states that:
You may also wish to override
public boolean login() throws LoginException
In which case the last line of your login() method should be
How can that possibly be an accurate statement since
AbstractServerLoginModule.login() will return false unless
the identity and credentials are stored in the sharedState map,
and there also are no mechanisms to standardize the "firstPass"
feature that places the information in the sharedState map.
Are these accurate statements, or am I reading this all wrong?
I am beginning to think that super.login() should be the first
value in the login method, if called at all. Example:
Why would we need the useFirstPass feature?
What is it? What is the benefit?
I too noticed the discrepancy regarding super.login. I actually made this the first call in my login module (subclass of AbstractServerLoginModule). I notice that the UsernamePasswordLogin module also calls it first.
As far as my understanding goes (which is not very far as we don't support this yet) the shared state map is for password stacking, i.e. when you have multiple modules and you want the username/password to be passed through. I guess the useFirstPass means use the username and password from the first login module.
I currently don't stack them so it's not a problem for me.
This is the current javadoc for AbstractServerLoginModule, so whatever you're looking at is out of date.
/**
 * Looks for javax.security.auth.login.name and javax.security.auth.login.password
 * values in the sharedState map if the useFirstPass option was true and returns
 * true if they exist. If they do not or are null this method returns false.
 * Note that subclasses that override the login method must set the loginOk ivar
 * to true if the login succeeds in order for the commit phase to populate the
 * Subject. This implementation sets loginOk to true if the login() method
 * returns true, otherwise, it sets loginOk to false.
 */
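The behaviour described in the javadoc above, as an added example that is not part of the thread and not JBoss code: a stand-alone JAAS module that checks the shared state first and sets loginOk itself when its own check succeeds. The class name StackedLoginModule, the option key useFirstPass and the credentials alice/s3cret are assumptions constructed for this example.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Added example, not JBoss code: a stand-alone module that follows the javadoc quoted above.
public class StackedLoginModule implements LoginModule {
    static final String NAME = "javax.security.auth.login.name";
    static final String PASS = "javax.security.auth.login.password";
    private CallbackHandler handler;
    private Map<String, Object> shared;
    private boolean useFirstPass, loginOk;

    @SuppressWarnings("unchecked")
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> st, Map<String, ?> opts) {
        handler = h;
        shared = (Map<String, Object>) st;
        useFirstPass = "true".equals(opts.get("useFirstPass")); // option key assumed for this example
    }

    public boolean login() throws LoginException {
        // Shared-state check first: succeeds only if an earlier module stored both values.
        loginOk = useFirstPass && shared.get(NAME) != null && shared.get(PASS) != null;
        if (loginOk) return true;
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] {nc, pc});
        } catch (Exception e) {
            throw new LoginException(e.toString());
        }
        // Constructed credential check; a real module would query its user store.
        if (!"alice".equals(nc.getName()) || !Arrays.equals("s3cret".toCharArray(), pc.getPassword()))
            throw new FailedLoginException("bad credentials");
        if (useFirstPass) { // publish only verified values for later modules in the stack
            shared.put(NAME, nc.getName());
            shared.put(PASS, pc.getPassword());
        }
        return loginOk = true; // commit() must not populate the Subject unless this is set
    }

    public boolean commit() { return loginOk; }
    public boolean abort() { loginOk = false; return true; }
    public boolean logout() { loginOk = false; return true; }
}
```

When the shared-state path returns true, this module has verified nothing itself, so the stack is only as strong as the module that stored the values.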