By JAAS's design there is only one CallbackHandler in one LoginContext, so it's better to write a CallbackHandler that can handle both Callbacks here.

I wrote a small test case to test the RI's behavior. It also implements B.


I found another aspect of LoginModules to get confused about, see

What should a login module login method do if the callback handler doesn't recognize its callbacks and throws an UnsupportedCallbackException?

A.  return false, on the grounds that not enough info was obtained to successfully authenticate, so the result of this login module should be ignored for determining if login was successful.  Since we didn't get enough information to try to authenticate, we can't claim authentication failed.

B. throw a LoginException, because authentication failed.

Currently we implement B.

This is currently a possible issue because (see client cert auth in Jetty uses name and password callbacks but in Tomcat it uses a ClientCert callback.  To construct a security realm that would work with either one you can use a CertificateChainLoginModule (for Tomcat) and a PropertiesFileNoPasswordLoginModule (for Jetty).  With policy A you could use any flag but with policy B you could not use REQUIRED or REQUISITE.

I'm confused.  Thoughts?
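As an added illustration of the two policies discussed in this thread (not code from Geronimo or from either poster), here is a hypothetical name/password LoginModule whose login() follows policy A: an UnsupportedCallbackException from the handler makes the module return false so it is ignored, while a real credential mismatch throws FailedLoginException. The class name, the prompts and the "alice"/"secret" credential check are constructed for the example.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical name/password module that follows policy A (constructed example). */
public class PolicyALoginModule implements LoginModule {
    private CallbackHandler handler;
    private boolean succeeded;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (UnsupportedCallbackException e) {
            // Policy A: the handler cannot supply what this module needs, so the
            // module is ignored instead of counted as a failed authentication.
            // Policy B would instead: throw new LoginException(e.getMessage());
            return false;
        } catch (IOException e) {
            throw new LoginException("callback I/O failure: " + e.getMessage());
        }
        char[] pw = pc.getPassword();
        pc.clearPassword();
        // Constructed credential check; a real module would consult its user store.
        succeeded = "alice".equals(nc.getName()) && pw != null && "secret".equals(new String(pw));
        if (!succeeded) {
            // Credentials were obtained but are wrong: this is a genuine failure.
            throw new FailedLoginException("bad user or password");
        }
        return true;
    }

    public boolean commit() { return succeeded; }
    public boolean abort() { succeeded = false; return false; }
    public boolean logout() { succeeded = false; return true; }
}
```

With this policy the module can be flagged REQUIRED or REQUISITE in a realm that also holds a certificate-based module, because a handler that only knows certificate callbacks causes this module to be skipped rather than to fail the whole login.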

