The JAAS module in the ActiveMQ Artemis broker is not calling the abort() function when authentication fails when using the sufficient flag. It's calling commit() even though it throws FailedLoginException. But if I change the security property to requisite or required in the login.config file, abort() is called when it throws FailedLoginException. Does anybody know the reason?
The relevant JavaDoc says this about the sufficient flag:
[A sufficient] LoginModule is not required to succeed. If it does succeed, control immediately returns to the application (authentication does not proceed down the LoginModule list). If it fails, authentication continues down the LoginModule list.
...
The overall authentication succeeds only if all Required and Requisite LoginModules succeed. If a Sufficient LoginModule is configured and succeeds, then only the Required and Requisite LoginModules prior to that Sufficient LoginModule need to have succeeded for the overall authentication to succeed. If no Required or Requisite LoginModules are configured for an application, then at least one Sufficient or Optional LoginModule must succeed.
In other words, sufficient modules are not required to succeed; therefore, when they fail, it appears that abort() is not called by design.
For what it's worth, it's the JVM itself which invokes abort(), commit(), etc. based on the outcome of login(). The fact that the login module is being used in ActiveMQ Artemis isn't really relevant.