controlFlag Attribute Values

(Not applicable to Online Data Proxy) The Sybase implementation uses the same controlFlag values and definitions as those defined in the JAAS specification.

If you stack multiple providers, you must set the controlFlag attribute for each enabled provider.

Control Flag Value | Description
required (default) | The LoginModule is required. Authentication proceeds down the LoginModule list.
requisite | The LoginModule is required. Subsequent behavior depends on the authentication result:
  • If authentication succeeds, authentication continues down the LoginModule list.
  • If authentication fails, control returns immediately to the application (authentication does not proceed down the LoginModule list).
sufficient | The LoginModule is not required. Subsequent behavior depends on the authentication result:
  • If authentication succeeds, control returns immediately to the application (authentication does not proceed down the LoginModule list).
  • If authentication fails, authentication continues down the LoginModule list.
optional | The LoginModule is not required. Irrespective of success or failure, authentication proceeds down the LoginModule list.

Example

Providers are listed in this order and with these controlFlag values:

  1. CertificateAuthenticationLoginModule (sufficient)
  2. LDAP (optional)
  3. NativeOS (sufficient)

A client doing certificate authentication (for example, X.509 SSO to SAP) can authenticate immediately. Subsequent modules are not called, because they are not required. If there are regular username/password credentials, they go to LDAP, which may authenticate them, and set them up with roles from the LDAP groups they belong to. Then NativeOS is invoked, and if that also succeeds, Unwired Platform picks up roles based on the Windows groups they are in.
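The stack above can be traced with a small simulator. This is an added example, not Sybase or JAAS code: it follows the controlFlag definitions in the table plus the JAAS rule that a stack with no required or requisite module succeeds when at least one sufficient or optional module succeeds. The per-module outcomes are constructed inputs, and `evaluate` is a hypothetical helper name.

```python
# Simulates controlFlag evaluation over a stacked provider list.
# Module outcomes are constructed sample inputs, not real provider calls.
MANDATORY = ("required", "requisite")
FLAGS = MANDATORY + ("sufficient", "optional")

# Provider stack from the example above.
STACK = [
    ("CertificateAuthenticationLoginModule", "sufficient"),
    ("LDAP", "optional"),
    ("NativeOS", "sufficient"),
]

def evaluate(stack, outcomes):
    """stack: list of (name, controlFlag); outcomes: name -> bool.
    Returns (overall_success, names_of_modules_called)."""
    for _, flag in stack:
        if flag not in FLAGS:
            raise ValueError("unknown controlFlag: %r" % flag)
    has_mandatory = any(flag in MANDATORY for _, flag in stack)
    mandatory_failed = False   # a required/requisite module has failed
    non_mandatory_ok = False   # a sufficient/optional module has succeeded
    called = []
    for name, flag in stack:
        called.append(name)
        ok = outcomes.get(name, False)
        if flag in MANDATORY:
            if not ok:
                mandatory_failed = True
                if flag == "requisite":
                    break      # control returns immediately to the application
        elif ok:
            non_mandatory_ok = True
            if flag == "sufficient" and not mandatory_failed:
                return True, called   # remaining modules are not called
    if mandatory_failed:
        return False, called
    # With no required/requisite module, one sufficient/optional success is enough.
    return (True if has_mandatory else non_mandatory_ok), called

if __name__ == "__main__":
    cases = {
        "certificate accepted": {"CertificateAuthenticationLoginModule": True},
        "password: LDAP ok, NativeOS ok": {"LDAP": True, "NativeOS": True},
        "password: LDAP ok, NativeOS fails": {"LDAP": True, "NativeOS": False},
        "password: both fail": {},
    }
    for label, outcomes in cases.items():
        print(label, "->", evaluate(STACK, outcomes))
```

The third case is the one to check when reviewing a stack like this: because no provider is required or requisite, a successful optional LDAP login authenticates the user even when NativeOS rejects the same credentials.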