Question

In http://docs.oracle.com/javase/6/docs/api/javax/security/auth/login/Configuration.html

It says

1) Required     - The LoginModule is required to succeed.
                  If it succeeds or fails, authentication still continues
                  to proceed down the LoginModule list.

It also says

The overall authentication succeeds only if all Required and Requisite LoginModules succeed. 
If a Sufficient LoginModule is configured and succeeds, then only the Required and 
Requisite LoginModules prior to that Sufficient LoginModule need to have succeeded 
for the overall authentication to succeed. 

It seems that if a Required LoginModule fails, the result would be a failure. My question is: why, if a Required LoginModule failed, does authentication still continue to proceed down the LoginModule list?


Solution

You are absolutely correct: if a required loginModule failed, the result would be a failure. There is no way to make it successful even if all other login modules succeed. The use case for Required is when you want the other modules to execute. For example, you have an optional module that audits the login access.

JAAS gives you the flexibility to define login modules according to your needs. If you do not need to stop and return the failure immediately, use Requisite.
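The difference discussed above can be observed with a two-module stack, shown here as an added example that is not part of the original question or answer. The class names `JaasFlagDemo`, `Fail` and `Audit` are hypothetical stand-ins (a module that always rejects the login, followed by an Optional audit module); the stack is run once with the first module flagged Required and once flagged Requisite, and each run reports the overall outcome plus which `login()` methods were actually invoked.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class JaasFlagDemo {
    static final List<String> EVENTS = new ArrayList<>();   // login() calls that actually ran
    public abstract static class Base implements LoginModule {
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {}
        public boolean commit() { return true; }
        public boolean abort()  { return true; }
        public boolean logout() { return true; }
    }
    // Constructed stand-in for a credential check that rejects the user.
    public static class Fail extends Base {
        public boolean login() throws LoginException {
            EVENTS.add("fail.login");
            throw new FailedLoginException("bad credentials");
        }
    }
    // Constructed stand-in for an audit module placed later in the stack.
    public static class Audit extends Base {
        public boolean login() { EVENTS.add("audit.login"); return true; }
    }

    // Runs the stack [Fail(flag), Audit(OPTIONAL)]; returns the outcome and the modules invoked.
    static String run(LoginModuleControlFlag flag) {
        EVENTS.clear();
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(Fail.class.getName(), flag,
                        Collections.<String, Object>emptyMap()),
                    new AppConfigurationEntry(Audit.class.getName(), LoginModuleControlFlag.OPTIONAL,
                        Collections.<String, Object>emptyMap()) };
            }
        };
        try {
            new LoginContext("demo", null, null, cfg).login();
            return "SUCCESS " + EVENTS;
        } catch (LoginException e) {
            return "FAILED " + EVENTS;   // both flags end here; only the list of modules run differs
        }
    }
    public static void main(String[] args) {
        System.out.println("REQUIRED : " + run(LoginModuleControlFlag.REQUIRED));
        System.out.println("REQUISITE: " + run(LoginModuleControlFlag.REQUISITE));
    }
}
```

`LoginContext` also calls `abort()` on every module in the stack once the login phase has failed, which is why the example records activity in `login()` rather than in `initialize()` or `abort()`.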

Licensed under: CC-BY-SA with attribution