JBoss.org Community Documentation Password Stacking

Multiple login modules can be chained together in a stack, with each login module providing both the authentication and authorization components. This works for many use cases, but sometimes authentication and authorization are split across multiple user management stores. A previous example showed how to combine LDAP and a relational database, allowing a user to be authenticated by either system. However, consider the case where users are managed in a central LDAP server but application-specific roles are stored in the application's relational database. The password-stacking module option captures this relationship.

  • password-stacking : When the password-stacking option is set to useFirstPass, this module first looks for a shared username and password under the property names javax.security.auth.login.name and javax.security.auth.login.password respectively in the login module shared state map. If found, these are used as the principal name and password. If not found, the principal name and password are set by this login module and stored under the property names javax.security.auth.login.name and javax.security.auth.login.password respectively.

To use password stacking, each login module should set password-stacking to useFirstPass. If a previous module configured for password stacking has authenticated the user, all the other stacking modules will consider the user authenticated and only attempt to provide a set of roles for the authorization step.

The following listing shows how password stacking could be used:

<application-policy name="todo">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
            <!-- LDAP configuration -->
            <module-option name="password-stacking">useFirstPass</module-option>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
            <!-- database configuration -->
            <module-option name="password-stacking">useFirstPass</module-option>
        </login-module>
    </authentication>
</application-policy>

When using password stacking, it is usually appropriate to flag all modules as required, so that every module in the stack is invoked and has a chance to contribute roles to the authorization process.
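As an added example (not from the JBoss documentation and not the JBoss login module code), the following Java program models the useFirstPass contract described in the option above and the two-module "todo" policy from the listing, using the standard JAAS API that JBoss login modules build on. The LDAP and database stores are replaced by in-memory stand-ins: DirectoryLoginModule, DatabaseRolesLoginModule, StackingLoginModule, DemoPrincipal, todoPolicy and the "alice" sample data are all constructed for this example and are not JBoss classes. It assumes Java 17 or later and is saved as PasswordStackingDemo.java.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

/** Minimal principal for the demo; its name carries a "user:" or "role:" prefix (stand-in, not a JBoss class). */
record DemoPrincipal(String name) implements Principal { public String getName() { return name; } }

public final class PasswordStackingDemo {
    // Shared-state keys named in the password-stacking option description.
    static final String NAME_KEY = "javax.security.auth.login.name";
    static final String PASSWORD_KEY = "javax.security.auth.login.password";

    /** Implements the useFirstPass contract once; subclasses supply only the store-specific parts. */
    public abstract static class StackingLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private Map<String, Object> sharedState;
        private boolean useFirstPass, adoptedIdentity, loginOk;
        private String username;

        @SuppressWarnings("unchecked")
        public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
            this.sharedState = (Map<String, Object>) sharedState; // LoginContext hands the same mutable map to every module
            this.useFirstPass = "useFirstPass".equals(options.get("password-stacking"));
        }

        public boolean login() throws LoginException {
            if (useFirstPass && sharedState.containsKey(NAME_KEY)) {
                // An earlier module already authenticated: adopt its identity and run no credential check of our own.
                username = String.valueOf(sharedState.get(NAME_KEY));
                adoptedIdentity = true;
                return loginOk = true;
            }
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("cannot collect credentials: " + e.getMessage());
            }
            username = nc.getName();
            char[] password = pc.getPassword(); pc.clearPassword(); // getPassword() returns a copy; drop the callback's own
            if (!authenticate(username, password)) throw new FailedLoginException("authentication failed for " + username);
            // Publish the verified identity so the modules that follow us in the stack can adopt it.
            if (useFirstPass) { sharedState.put(NAME_KEY, username); sharedState.put(PASSWORD_KEY, password); }
            return loginOk = true;
        }

        public boolean commit() {
            if (!loginOk) return false;
            if (!adoptedIdentity) subject.getPrincipals().add(new DemoPrincipal("user:" + username));
            for (String role : rolesFor(username)) subject.getPrincipals().add(new DemoPrincipal("role:" + role));
            return true;
        }
        public boolean abort() { loginOk = false; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
        abstract boolean authenticate(String user, char[] password);
        abstract Collection<String> rolesFor(String user);
    }

    /** Stand-in for the central LDAP store: verifies passwords, knows no application roles. */
    public static class DirectoryLoginModule extends StackingLoginModule {
        private static final Map<String, char[]> USERS = Map.of("alice", "s3cret".toCharArray()); // constructed sample
        boolean authenticate(String user, char[] password) {
            char[] expected = USERS.get(user);
            return expected != null && Arrays.equals(expected, password);
        }
        Collection<String> rolesFor(String user) { return List.of(); }
    }

    /** Stand-in for the application database: holds roles but no credentials at all. */
    public static class DatabaseRolesLoginModule extends StackingLoginModule {
        private static final Map<String, List<String>> ROLES = Map.of("alice", List.of("todo-user", "todo-admin")); // constructed sample
        boolean authenticate(String user, char[] password) { return false; } // can only succeed when stacked after an authenticator
        Collection<String> rolesFor(String user) { return ROLES.getOrDefault(user, List.of()); }
    }

    /** Programmatic equivalent of the "todo" policy listing: two required modules, both set to useFirstPass. */
    static Configuration todoPolicy() {
        Map<String, String> opts = Map.of("password-stacking", "useFirstPass");
        AppConfigurationEntry[] stack = {
            new AppConfigurationEntry(DirectoryLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, opts),
            new AppConfigurationEntry(DatabaseRolesLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, opts) };
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return "todo".equals(name) ? stack : null; }
        };
    }

    public static void main(String[] args) throws LoginException {
        CallbackHandler creds = callbacks -> { // constructed credentials; a real application would prompt or read a request
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("s3cret".toCharArray());
            }
        };
        LoginContext ctx = new LoginContext("todo", new Subject(), creds, todoPolicy());
        ctx.login();
        System.out.println(ctx.getSubject().getPrincipals()); // identity from the directory module plus roles from the database module
    }
}
```

Compile and run with `javac PasswordStackingDemo.java && java PasswordStackingDemo`. With both modules flagged required, the directory module verifies the password and stores the name and password under the two shared-state keys; the database module finds them, skips its own credential check, and only adds roles in commit(). Two changes show why the configuration advice matters: swapping the order of the two entries makes the database module run first against an empty shared state, its authenticate() returns false, and the whole login fails; changing the directory module's flag to SUFFICIENT makes JAAS stop the stack after its success, so the database module never runs and the subject ends up with an identity but no roles.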