For AS7 I'm thinking about rewriting all our login modules to separate authentication (caller principal mapping) from authorization (role mapping) during the JAAS process.
Currently the majority of our login modules do both things: they validate the password to assign the user principal to the subject and add the roles to the subject.
In my opinion this is getting messy, as new functionality needs to be added to login modules to allow different combinations of them so customers can use only one for authentication and another for role mapping. This is bad, as we keep adding new options to the LMs in order to accommodate such features.
If we separate the functionalities I believe the code will be easier to manage, to extend (subclass for custom needs) and to configure, and it will also allow for many other combinations to suit every need.
What do you think?
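As an added illustration of the split being proposed (example code, not from the post or from any JBoss login module): one JAAS module does only password validation and publishes the caller, a second does only role mapping, and a programmatic `Configuration` stacks them. The hand-off uses the conventional shared-state key `javax.security.auth.login.name`; the in-memory user and role tables, the `SimplePrincipal` class and the names `PasswordAuthLoginModule` / `RoleMappingLoginModule` are all constructed for this example. JBoss's own modules collect roles into a `Group` principal named `Roles`; this example keeps roles as plain principals to stay independent of that API.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class SplitLoginModules {

    /** Name-based Principal used for both the caller and each role (constructed for this example). */
    public static final class SimplePrincipal implements Principal {
        private final String name;
        public SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof SimplePrincipal && name.equals(((SimplePrincipal) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return name; }
    }

    /** Authentication only: checks the password and publishes the caller principal. Assigns no roles. */
    public static class PasswordAuthLoginModule implements LoginModule {
        // Constructed in-memory credential store; a real module would consult a database, LDAP, etc.
        private static final Map<String, byte[]> USERS = new HashMap<>();
        static { USERS.put("alice", "s3cret".getBytes(StandardCharsets.UTF_8)); }

        private Subject subject;
        private CallbackHandler handler;
        private Map<String, Object> sharedState;
        private Principal caller;

        @SuppressWarnings("unchecked")
        @Override public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
            this.sharedState = (Map<String, Object>) sharedState;
        }

        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (Exception e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            char[] pw = pc.getPassword();
            if (nc.getName() == null || pw == null) throw new FailedLoginException("missing credentials");
            byte[] supplied = new String(pw).getBytes(StandardCharsets.UTF_8);
            pc.clearPassword();
            byte[] expected = USERS.get(nc.getName());
            // Constant-time compare; an unknown user is rejected exactly like a wrong password.
            if (expected == null || !MessageDigest.isEqual(expected, supplied)) {
                throw new FailedLoginException("invalid user or password");
            }
            caller = new SimplePrincipal(nc.getName());
            // Hand the authenticated name to later modules in the stack through the standard shared-state key.
            sharedState.put("javax.security.auth.login.name", caller.getName());
            return true;
        }

        @Override public boolean commit() { subject.getPrincipals().add(caller); return true; }
        @Override public boolean abort()  { caller = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().remove(caller); return true; }
    }

    /** Authorization only: maps the already-authenticated caller to roles. Never sees a password. */
    public static class RoleMappingLoginModule implements LoginModule {
        // Constructed role table; a real module would read a properties file, database, LDAP groups, etc.
        private static final Map<String, List<String>> ROLES = new HashMap<>();
        static { ROLES.put("alice", Arrays.asList("admin", "user")); }

        private Subject subject;
        private Map<String, ?> sharedState;
        private final Set<Principal> roles = new HashSet<>();

        @Override public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.sharedState = sharedState;
        }

        @Override public boolean login() throws LoginException {
            Object name = sharedState.get("javax.security.auth.login.name");
            // Refuse to map roles for a caller nobody authenticated: a misconfigured stack must fail closed.
            if (name == null) throw new LoginException("no authenticated caller in shared state; stack an authentication module first");
            for (String r : ROLES.getOrDefault(name.toString(), Collections.<String>emptyList())) roles.add(new SimplePrincipal(r));
            return true;
        }

        @Override public boolean commit() { subject.getPrincipals().addAll(roles); return true; }
        @Override public boolean abort()  { roles.clear(); return true; }
        @Override public boolean logout() { subject.getPrincipals().removeAll(roles); return true; }
    }

    /** Programmatic equivalent of a two-entry login-config stack: authenticate, then map roles. */
    static Configuration splitStack() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> none = Collections.emptyMap();
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(PasswordAuthLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, none),
                    new AppConfigurationEntry(RoleMappingLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, none),
                };
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        // Constructed handler supplying the sample credentials; a real one would prompt or read a request.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("s3cret".toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext("split", new Subject(), handler, splitStack());
        lc.login();
        System.out.println("principals: " + lc.getSubject().getPrincipals()); // caller principal plus role principals
    }
}
```

Because the role module only reads the shared state, swapping the authentication source (database, LDAP, certificate) or the role source is a change to one entry of the stack rather than a new option on a combined module, and the usual `required`/`requisite`/`sufficient`/`optional` control flags still decide how a failure in either half affects the login as a whole.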