I am not sure if this has ever come up elsewhere but in a couple of places I have seen a potential need for a more advanced selection of a security domain than our current one-to-one mapping of security domain to secured resource.

When there is a single login module that performs both the authentication check and loads the roles then the flag can quite often be used to allow modules to fail and pass through to the next module in the list until one succeeds, however once you start to have pairs of modules chained together this fall through starts to become difficult.

One place that I saw this was within JBoss Negotiation where the SPNEGOLoginModule is chained with another module to load the roles - when it came to adding support for username/password fallback the chaining of the modules became too complex and I have ended up with one module calling out to another domain if it should fall back to username/password authentication.

Within AS7 there is also potentially a similar issue - in the domain controller we may in general want the exposed API to be accessed using a username and password when administrators are connecting - however the same connection is also used by the remote hosts that are connecting to the domain controller, in this case we may prefer that they identify themselves based on their certificate.

For both of these it could be easier if there were some location to possibly plug in some kind of security domain selector so the correct security domain can be selected based on the context of the call.