controlFlag Attribute Values

The Sybase implementation uses the same controlFlag values and definitions as those defined in the JAAS specification.

If you stack multiple providers, you must set the controlFlag attribute for each enabled provider.

Control flag value: Description

required (default): The LoginModule is required to succeed. Authentication proceeds down the LoginModule list.

requisite: The LoginModule is required to succeed. Subsequent behavior depends on the authentication result:
  • If authentication succeeds, authentication continues down the LoginModule list.
  • If authentication fails, control returns immediately to the application (authentication does not proceed down the LoginModule list).

sufficient: The LoginModule is not required to succeed. Subsequent behavior depends on the authentication result:
  • If authentication succeeds, control returns immediately to the application (authentication does not proceed down the LoginModule list).
  • If authentication fails, authentication continues down the LoginModule list.

optional: The LoginModule is not required to succeed. Irrespective of success or failure, authentication proceeds down the LoginModule list.

Example

Say you list providers in the following order and set the corresponding controlFlag attributes as follows:

  1. RADIUS token (required)
  2. User name and password with native OS (sufficient)
  3. User name and password via LDAP (optional)

This setup creates two tiers of authentication: the first tier is token-based, the second is login credential-based. A user must provide a valid RADIUS token to pass the first tier requirement. Next, the user must enter a valid user name and password before passing both authentication challenges. There are two options: initially, the operating system attempts to validate the user name and password. If that fails, LDAP attempts to validate the user.

In all cases, at least one LoginModule must succeed for authentication to be successful.
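The flag rules in the table, applied to the three-provider stack from the example, as an added Python model (not Sybase or JAAS reference code). The provider names and the functions `authenticate` and `accepted_combinations` are hypothetical; the overall-result rule assumes that a failed required or requisite module fails the login and that at least one module must succeed.

```python
# Added illustration: models the controlFlag table above; not Sybase or JAAS source.
from itertools import product

# The provider stack from the example above, in the listed order (names are hypothetical).
EXAMPLE_STACK = [
    ("radius", "required"),
    ("native_os", "sufficient"),
    ("ldap", "optional"),
]
FLAGS = ("required", "requisite", "sufficient", "optional")


def authenticate(stack, outcomes):
    """Return (overall_success, providers_consulted).

    outcomes maps provider name -> bool: whether that LoginModule would
    accept the user's credentials (constructed input, not real logins).
    """
    consulted = []
    mandatory_failed = False  # a required or requisite module has failed
    any_succeeded = False
    for name, flag in stack:
        if flag not in FLAGS:
            raise ValueError(f"unknown controlFlag {flag!r} for {name}")
        consulted.append(name)
        if outcomes[name]:
            any_succeeded = True
            if flag == "sufficient":
                break  # control returns immediately to the application
        elif flag == "requisite":
            mandatory_failed = True
            break  # control returns immediately to the application
        elif flag == "required":
            mandatory_failed = True  # list continues, result is already failure
    return any_succeeded and not mandatory_failed, consulted


def accepted_combinations(stack):
    """List every combination of per-module results that grants access."""
    names = [name for name, _ in stack]
    accepted = []
    for results in product([True, False], repeat=len(names)):
        outcomes = dict(zip(names, results))
        if authenticate(stack, outcomes)[0]:
            accepted.append(outcomes)
    return accepted


if __name__ == "__main__":
    for combo in accepted_combinations(EXAMPLE_STACK):
        print(combo)
```

Under these modelled rules the example stack accepts every combination in which the RADIUS module succeeds, including the one where both password modules fail. Enumerating the accepted combinations for your own provider order is a quick way to confirm that the stack enforces the tiers you intend.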