I have also thought for a while that this area needs an overhaul; I think the pattern imposed by the UsernamePasswordLoginModule really complicates writing login modules that can have the pure authentication step handled by one module and the Principal association handled by the other modules.
Also, when discussing these modules I think it is probably best not to discuss them as handling authorization. That is something that happens outside of the authentication process when the modules are called: the modules populate the Principals in the Subject that can be used for authorization, but the actual authorization is separate.
When writing some of the modules within JBoss Negotiation I had to make some decisions regarding chaining or extending that may have some bearing on your work here:
- Connection Sharing
- Pre-authentication queries
So for the connection sharing: a number of modules establish a connection to something remote such as an LDAP server or a database, and the current modules use the same connection for the pure authentication and the subsequent loading of roles. A subsequent switch to split modules could also benefit from a mechanism to share these connections whilst taking into account issues such as ensuring no leaks.
For the second issue, pre-authentication queries, I found myself that in the case of having an LDAP login module chained after another module that had performed the authentication, the LDAP module still needed to perform almost the same set of queries to identify the user before the role searching could begin. In the end, for the AdvancedLdapLoginModule in JBoss Negotiation, when chained the only thing actually skipped was the password verification; the remaining 99% of the code was still called as if it were not chained.
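To make the two points above concrete, here is an added, self-contained JAAS example (it is not code from the original post, from JBoss Negotiation or from any JBoss login module). It chains a pure-authentication module in front of a role-loading module and passes both the authenticated identity and the open directory connection through the JAAS sharedState map, so the second module skips password verification and reuses the connection instead of reopening it. The directory itself is a constructed in-memory stand-in for an LDAP server or database; the sharedState key `javax.security.auth.login.name` is the one JBoss modules use for password stacking, while `example.dir.connection`, the class and method names and the user/role data are assumptions made for this example. The leak-avoidance rule it demonstrates is that only the module that opened the connection closes it, and it does so in commit(), abort() and logout(), which JAAS guarantees run only after every module's login() has finished.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class ChainedLoginDemo {
    // Constructed in-memory stand-in for the remote directory (LDAP or database). Real code
    // would wrap an LdapContext or a JDBC Connection; what matters here is the open/close lifecycle.
    static class DirConn implements AutoCloseable {
        static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret");
        static final Map<String, List<String>> ROLES = Map.of("alice", List.of("admin", "user"));
        static int openCount = 0;                       // counts live connections so leaks are visible
        boolean open = true;
        DirConn() { openCount++; }
        boolean verify(String u, char[] p) { return open && String.valueOf(p).equals(PASSWORDS.get(u)); }
        List<String> roles(String u) { return open ? ROLES.getOrDefault(u, List.of()) : List.of(); }
        public void close() { if (open) { open = false; openCount--; } }
    }

    static class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return name; }
    }

    // sharedState keys: NAME is the key JBoss modules use for password stacking;
    // CONN is an assumed key invented for this example.
    static final String NAME = "javax.security.auth.login.name";
    static final String CONN = "example.dir.connection";

    // Module 1: pure authentication. Opens the connection, verifies the password, then publishes
    // the identity and the connection for the modules chained after it. It owns the connection.
    public static class AuthModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private Map<String, Object> shared;
        private DirConn conn; private String user;
        @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> opts) {
            subject = s; handler = h; shared = (Map<String, Object>) sharedState;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.getMessage()); }
            conn = new DirConn();
            user = nc.getName();
            boolean ok = conn.verify(user, pc.getPassword());
            pc.clearPassword();                          // do not keep the password around
            if (!ok) { release(); throw new FailedLoginException("bad credentials"); }
            shared.put(NAME, user);                      // later modules skip password verification
            shared.put(CONN, conn);                      // later modules reuse this connection
            return true;
        }
        // commit() runs only after every module's login() has completed, so closing here is safe.
        public boolean commit() { subject.getPrincipals().add(new SimplePrincipal(user)); release(); return true; }
        public boolean abort() { release(); return true; }
        public boolean logout() { subject.getPrincipals().clear(); release(); return true; }
        private void release() { if (conn != null) { conn.close(); shared.remove(CONN); conn = null; } }
    }

    // Module 2: role loading. Requires an identity established by an earlier module, and borrows
    // that module's connection when one is shared; otherwise it opens, and therefore owns, its own.
    public static class RolesModule implements LoginModule {
        private Subject subject; private Map<String, Object> shared;
        private DirConn conn; private boolean ownsConn; private List<String> roles = List.of();
        @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> opts) {
            subject = s; shared = (Map<String, Object>) sharedState;
        }
        public boolean login() throws LoginException {
            String user = (String) shared.get(NAME);
            if (user == null) throw new LoginException("no authenticated identity from an earlier module");
            conn = (DirConn) shared.get(CONN);
            if (conn == null) { conn = new DirConn(); ownsConn = true; }
            roles = conn.roles(user);                    // the pre-authentication lookup happens once
            return true;
        }
        public boolean commit() {
            for (String r : roles) subject.getPrincipals().add(new SimplePrincipal("role:" + r));
            release(); return true;
        }
        public boolean abort() { release(); return true; }
        public boolean logout() { release(); return true; }
        private void release() { if (ownsConn && conn != null) conn.close(); conn = null; }
    }

    static Configuration chain() {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                AppConfigurationEntry.LoginModuleControlFlag req = AppConfigurationEntry.LoginModuleControlFlag.REQUIRED;
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(AuthModule.class.getName(), req, Map.of()),
                    new AppConfigurationEntry(RolesModule.class.getName(), req, Map.of()) };
            }
        };
    }

    public static void main(String[] args) throws Exception {
        CallbackHandler handler = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("s3cret".toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("chain", new Subject(), handler, chain());
        lc.login();
        System.out.println("principals: " + lc.getSubject().getPrincipals());
        System.out.println("open connections after login: " + DirConn.openCount);
        lc.logout();
    }
}
```

Running main() logs in as the constructed user, prints the user and role Principals the two modules added to the Subject, and prints the number of directory connections still open after the chain completes, which shows whether the shared connection was released. If the first module fails authentication, JAAS calls abort() on every module, so the same release() path runs and nothing is left open.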