did you ever resolve this? I am trying to implement something similar.
No, not as yet. I still need to do it at some point though, so if you find anything let me know - and vice versa.
In your login-config.xml you can create a policy with modules flagged sufficient. I do that to authenticate users on several LDAP servers:

    <application-policy name="...">
      <authentication>
        <login-module code=".. LoginModule" flag="sufficient">
          ...
        </login-module>
        <login-module code=".. LoginModule2" flag="sufficient">
          ...
        </login-module>
      </authentication>
    </application-policy>
But if a user doesn't give any login information - he'll still be 'authenticated' because both are only marked as sufficient.
"If no Required or Requisite LoginModules are configured for an application, then at least one Sufficient or Optional LoginModule must succeed."
But that's not what's happening - both are failing but the user is still able to login (authentication passes but then they cannot access the resources).
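The rule quoted above is what the JDK's LoginContext actually implements, so it is worth seeing the control-flag algorithm spelled out. The following Python model is an added example, not code from this thread, from JBoss or from the JDK; the module names (ldap_a, ldap_b) and their user tables are constructed. A module either returns True (authenticated), returns False (it ignored the request, e.g. because no username was supplied) or raises LoginException (it failed). With a stack of two sufficient modules, an empty login ends in "all modules ignored", and a wrong password ends with the first module's error: neither case authenticates. It also shows the other half of the rule, that a sufficient success does not rescue an earlier required or requisite failure.

```python
"""Model of the JAAS LoginContext control-flag algorithm (login phase only).

Added example: mirrors the decision logic of LoginContext.invoke() but is not
the JDK or JBoss code. Module names and credentials below are constructed.
"""
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Flag(Enum):
    REQUIRED = "required"
    REQUISITE = "requisite"
    SUFFICIENT = "sufficient"
    OPTIONAL = "optional"


class LoginException(Exception):
    """Raised by a module that rejects the attempt, or by the stack as a whole."""


# A login module: True = authenticated, False = ignored, raise = failed.
Module = Callable[[Dict[str, str]], bool]


def authenticate(stack: List[Tuple[Flag, Module]], creds: Dict[str, str]) -> List[str]:
    """Run the stack with JAAS semantics.

    Returns the names of the modules whose login() succeeded, or raises
    LoginException. Decision rules:
      * required failure  -> remembered, keep going, fail at the end
      * requisite failure -> fail immediately
      * sufficient success with no earlier required failure -> stop, success
      * otherwise success needs at least one module to have succeeded
    """
    first_required_error: Optional[LoginException] = None
    first_error: Optional[LoginException] = None
    succeeded: List[str] = []

    for flag, module in stack:
        try:
            ok = module(creds)
        except LoginException as exc:
            if flag in (Flag.REQUIRED, Flag.REQUISITE):
                if first_required_error is None:
                    first_required_error = exc
                if flag is Flag.REQUISITE:
                    raise exc  # requisite: abort the whole stack now
            elif first_error is None:
                first_error = exc  # sufficient/optional failure: remember, continue
            continue
        if not ok:
            continue  # module ignored the request (e.g. no credentials supplied)
        succeeded.append(module.__name__)
        if flag is Flag.SUFFICIENT and first_required_error is None:
            return succeeded  # sufficient success short-circuits the stack

    if first_required_error is not None:
        raise first_required_error
    if not succeeded:
        # No module accepted the login. Two sufficient modules that both
        # failed, or both ignored an empty login, land here.
        raise first_error or LoginException("Login Failure: all modules ignored")
    return succeeded


def _directory(name: str, users: Dict[str, str]) -> Module:
    """Constructed stand-in for an LDAP login module with a fixed user table."""
    def module(creds: Dict[str, str]) -> bool:
        user = creds.get("username")
        if not user:
            return False  # nothing to check: the module ignores the attempt
        if users.get(user) != creds.get("password"):
            raise LoginException(f"{name}: bad password for {user}")
        return True
    module.__name__ = name
    return module


# Constructed sample directories, one user in each.
ldap_a = _directory("ldap_a", {"alice": "secretA"})
ldap_b = _directory("ldap_b", {"bob": "secretB"})

# The configuration from the thread: two modules, both flagged sufficient.
TWO_SUFFICIENT: List[Tuple[Flag, Module]] = [
    (Flag.SUFFICIENT, ldap_a),
    (Flag.SUFFICIENT, ldap_b),
]


def login_outcome(stack: List[Tuple[Flag, Module]], creds: Dict[str, str]) -> str:
    """Human-readable verdict for one login attempt against a stack."""
    try:
        return "authenticated by " + ",".join(authenticate(stack, creds))
    except LoginException as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    for creds in ({"username": "alice", "password": "secretA"},
                  {"username": "bob", "password": "secretB"},
                  {"username": "alice", "password": "wrong"},
                  {}):
        print(creds, "->", login_outcome(TWO_SUFFICIENT, creds))
```

Under this algorithm an empty login against two sufficient modules is rejected, so if a container lets such a user through, the cause has to be somewhere other than the control flags (for example a module that returns True when it should return False or raise); comparing each module's login() result against this table is the quickest way to narrow that down.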