Error Handling for Providers

Errors in the providers are typically reported by throwing exceptions.

Localized error messages are available from the java.lang.Throwable.getMessage() method, which all exception classes inherit. In addition, the framework defines a few exception types and interfaces that are intended to be used for reporting errors. The exception com.sybase.security.SecException can be thrown from most methods.

The framework aggregates results from multiple providers, each of which can throw its own errors for a given operation. Providers can also be stacked so that only a subset of them is required to fulfill a request (authentication or audit), as determined by the control flag. For example, if the first authentication provider fails with an exception and the second one succeeds, the exception thrown by the first provider is not propagated to the client if the control flag dictates that the error is irrelevant in the authentication process. The control flag is a JAAS concept. For more detailed information, refer to the javax.security.auth.login.Configuration javadoc at http://docs.oracle.com/javase/6/docs/api/javax/security/auth/login/Configuration.html.
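The control-flag behavior described above, shown with the standard JAAS classes only. This is an added example, not code from the framework or its javadoc; ControlFlagDemo, StubModule, the "fail" option and the "demo" entry name are hypothetical stand-ins for real providers and their configuration.

```java
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class ControlFlagDemo {
    // Hypothetical stand-in for a provider: login() throws when option fail=true is set.
    public static class StubModule implements LoginModule {
        private boolean fail;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            fail = "true".equals(opts.get("fail"));
        }
        public boolean login() throws LoginException {
            if (fail) throw new FailedLoginException("first provider rejected the credentials");
            return true;
        }
        public boolean commit() { return !fail; } // a module whose login failed must not commit
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    // Stack: a failing provider under the given flag, followed by a REQUIRED provider that succeeds.
    static String attempt(final LoginModuleControlFlag firstFlag) {
        Configuration stack = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                String cls = StubModule.class.getName();
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(cls, firstFlag, Collections.singletonMap("fail", "true")),
                    new AppConfigurationEntry(cls, LoginModuleControlFlag.REQUIRED, Collections.<String, String>emptyMap())
                };
            }
        };
        try {
            new LoginContext("demo", null, null, stack).login();
            return "authenticated; first provider's exception was not propagated";
        } catch (LoginException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("OPTIONAL  -> " + attempt(LoginModuleControlFlag.OPTIONAL));
        System.out.println("REQUISITE -> " + attempt(LoginModuleControlFlag.REQUISITE));
    }
}
```

With OPTIONAL on the first entry the caller never sees the failure, so a provider that needs its errors surfaced for audit or troubleshooting has to log them itself or run under a flag that makes them count.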

The framework allows all warnings to be tracked and retrieved so they can be propagated to SAP Mobile Platform clients. Warnings are represented by the com.sybase.security.SecWarning interface. Providers can introduce new warnings using special provider-side APIs. There are several predefined warning sub-interfaces for standard security messages, such as a notice that a password will expire at a given future time and date.

See the javadoc for more details. SAP Mobile Platform inspects the warnings after an authentication attempt. Not all warnings are returned to the client, but SAP Mobile Platform does look for a few predefined warnings that are propagated to clients.