Looking at the javadocs for LoginModule.login(), it says it returns: "true if the authentication succeeded, or false if this LoginModule should be ignored."
Ok, this is quite ambiguous to me. "Authentication succeeded" could mean "I was able to process the information correctly" or "I processed the information correctly, and the user is in fact authorized". I'm guessing the former, not the latter, because it goes on to say to return false if this module is to be ignored.
From this, it sounds like the login() method should ALWAYS return true. Then the commit() method can put no roles into the Subject, and in that case the user may be logged in but have no roles, so it can't do anything.
Or should the login() method return false? I have many methods on my beans that users can access without logging in. If my login method returns false, will they still be able to access them?
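For reference, the LoginModule javadoc contract has three outcomes, not two: login() returns true when this module has verified the credentials, returns false when it has nothing to say (for example, no credentials were presented to it, so the other modules in the chain decide), and throws a LoginException (typically FailedLoginException) when the credentials are wrong. Principals and roles go into the Subject in commit(), which the LoginContext calls only after the whole chain has succeeded, so "logged in but with no roles" is a commit() decision, not a login() one. The following is an added example, not code from the post: a minimal JAAS LoginModule backed by a constructed in-memory user table, driven through LoginContext with a programmatic Configuration so all three outcomes can be seen. The names alice/admin, the NamedPrincipal class and the attempt() helper are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Added example of the JAAS two-phase contract: login() authenticates, commit() populates the Subject. */
public class ExampleLoginModule implements LoginModule {
    /** Minimal Principal used for both the user name and the role (hypothetical, not a JDK class). */
    public static final class NamedPrincipal implements Principal {
        private final String name;
        public NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    // Constructed sample user store (name -> password, name -> role). A real module would look up a salted hash.
    private static final Map<String, String> USERS = Collections.singletonMap("alice", "correct horse");
    private static final Map<String, String> ROLES = Collections.singletonMap("alice", "admin");

    private Subject subject;
    private CallbackHandler handler;
    private String user;        // set only when login() succeeded
    private Principal[] added;  // what commit() put into the Subject, so logout() can remove exactly that

    @Override
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    /** Phase 1: verify credentials. true = authenticated, false = "not my business", exception = rejected. */
    @Override
    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler supplied");
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("could not collect credentials: " + e.getMessage());
        }
        String name = nc.getName();
        char[] pw = pc.getPassword();
        pc.clearPassword();
        if (name == null || name.isEmpty() || pw == null) {
            return false;  // nothing was offered to this module: let the other modules in the chain decide
        }
        try {
            String expected = USERS.get(name);
            // String copy is a shortcut for the example; hash the char[] directly in real code.
            byte[] offered = new String(pw).getBytes(StandardCharsets.UTF_8);
            byte[] stored = expected == null ? new byte[0] : expected.getBytes(StandardCharsets.UTF_8);
            // Wrong credentials are a failure, not "ignore me": throw, do not return false.
            if (expected == null || !MessageDigest.isEqual(offered, stored)) {
                throw new FailedLoginException("bad user name or password");
            }
        } finally {
            Arrays.fill(pw, '\0');
        }
        user = name;
        return true;
    }

    /** Phase 2: called by LoginContext only after the whole chain succeeded. Roles are granted here. */
    @Override
    public boolean commit() {
        if (user == null) return false;  // our login() returned false or threw: contribute nothing
        added = new Principal[] { new NamedPrincipal(user), new NamedPrincipal(ROLES.getOrDefault(user, "guest")) };
        subject.getPrincipals().addAll(Arrays.asList(added));
        return true;
    }

    @Override
    public boolean abort() {  // overall login failed: forget anything learned in login()
        user = null;
        return true;
    }

    @Override
    public boolean logout() {
        if (added != null) subject.getPrincipals().removeAll(Arrays.asList(added));
        user = null;
        added = null;
        return true;
    }

    /** Demo: one REQUIRED module, configured in memory so no jaas.conf file is needed. */
    public static void main(String[] args) {
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(ExampleLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()) };
            }
        };
        attempt(cfg, "alice", "correct horse");  // login() true  -> Subject holds [alice, admin]
        attempt(cfg, "alice", "wrong");          // login() throws -> LoginException, Subject stays empty
        attempt(cfg, "", "");                    // login() false  -> "all modules ignored", Subject stays empty
    }

    private static void attempt(Configuration cfg, String name, String password) {
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(name);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        Subject subject = new Subject();
        try {
            new LoginContext("demo", subject, h, cfg).login();
            System.out.println(name + ": logged in, principals=" + subject.getPrincipals());
        } catch (LoginException e) {
            System.out.println(name + ": rejected (" + e.getMessage() + "), principals=" + subject.getPrincipals());
        }
    }
}
```

The third attempt is the case asked about: with a single REQUIRED module that returns false, LoginContext.login() throws rather than producing an authenticated Subject, so nothing downstream sees a logged-in user. Whether unauthenticated callers can still reach the bean methods is decided by the container's authorization rules for those methods, not by what login() returns.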