JaasLoginService API Discussion (Apache Geronimo v1.0 User's Guide, Security section)
Any client that holds a JaasLoginService reference can use the login service API to log into Geronimo. Three responsibilities that belong on the server side currently sit with the client: the client enforces the realm's authentication semantics by combining the results of the individual login modules; the client tells the login service that authentication succeeded; and the client is able to synchronize its own Principals into the security session held within JaasLoginService.
All three points can be exploited.

Synchronizing client-supplied Principals into the security session defeats authentication outright: a caller can place any Principal in its session without passing through a login module.

Having the client compute the login module combination opens the possibility of violating the realm's semantics. The client can ignore the login module configuration flags (required, requisite, sufficient, optional) and, for example, treat the realm as authenticated even though a required module failed.

Having the client tell the login service that authentication succeeded opens a further avenue for attack: a client can report success where in fact authentication did not succeed, forcing the login service to commit.
The JaasLoginService.synchPrincipals() method must be removed.

The Login Service API should be refactored and reduced to something like login(String realm-name). All the work that is currently done by the JaasLoginCoordinator (invoking the login modules, combining their results according to the realm's flags, and committing or aborting) must be moved into the Login Service, so that it runs on the trusted side and the client can only request a login and receive the outcome.
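The following is an added example, not Geronimo's code or its JaasLoginCoordinator, illustrating both the flag-combination problem above and the proposed server-driven login(realm) shape. server_side_login applies the JAAS control flag semantics itself and is the only place that commits; client_side_login is the pattern the page warns about, where the caller runs the modules, ignores the flags and forces a commit. The module classes, users, addresses and credential dictionary are constructed for the example.

```python
# Added example (not Geronimo code): server-side JAAS control flag evaluation
# versus a client-side combiner that ignores the flags. All names and data here
# are constructed for illustration.
from enum import Enum
import ipaddress


class Flag(Enum):
    REQUIRED = "required"      # must succeed; on failure the chain still continues
    REQUISITE = "requisite"    # must succeed; on failure the chain stops at once
    SUFFICIENT = "sufficient"  # success ends the chain unless a required module failed
    OPTIONAL = "optional"      # outcome does not matter unless nothing else is required


class NetworkPolicyModule:
    """Stand-in LoginModule: accepts only logins originating from an allowed network."""

    def __init__(self, allowed_net):
        self.allowed = ipaddress.ip_network(allowed_net)
        self.calls = 0  # lets a caller observe whether the chain reached this module

    def login(self, creds):
        self.calls += 1
        return ipaddress.ip_address(creds["source"]) in self.allowed

    def principals(self):
        return set()  # contributes no Principals, only a policy decision


class PasswordModule:
    """Stand-in LoginModule: checks a password table and yields user/group Principals."""

    def __init__(self, users, groups):
        self.users, self.groups, self.user = users, groups, None

    def login(self, creds):
        if self.users.get(creds["user"]) == creds["password"]:
            self.user = creds["user"]
            return True
        return False

    def principals(self):
        return {("User", self.user)} | {("Group", g) for g in self.groups.get(self.user, ())}


def server_side_login(realm, creds):
    """Evaluate a realm, a list of (module, flag), with JAAS control flag semantics.

    The service decides success and performs the commit, so a caller can neither
    skip a REQUISITE module nor claim success after a REQUIRED one failed.
    Returns (success, principals); on failure nothing is committed.
    """
    required_failed = False
    has_required = any(f in (Flag.REQUIRED, Flag.REQUISITE) for _, f in realm)
    succeeded = []  # modules whose login() passed, in chain order
    for module, flag in realm:
        if module.login(creds):
            succeeded.append(module)
            if flag is Flag.SUFFICIENT and not required_failed:
                break  # a SUFFICIENT success ends the chain
        elif flag is Flag.REQUIRED:
            required_failed = True  # keep going so every module sees the attempt
        elif flag is Flag.REQUISITE:
            required_failed = True
            break  # a REQUISITE failure stops the chain immediately
    if required_failed or (not has_required and not succeeded):
        return False, set()  # abort phase: no Principals reach the session
    principals = set()
    for module in succeeded:
        principals |= module.principals()  # commit phase, run only by the service
    return True, principals


def client_side_login(realm, creds):
    """The pattern the page warns about: the caller invokes every module, ignores
    the flags, and "tells" the service to commit if any single module passed."""
    succeeded = [m for m, _ in realm if m.login(creds)]
    if not succeeded:
        return False, set()
    principals = set()
    for module in succeeded:
        principals |= module.principals()  # the caller forces the commit
    return True, principals


def build_realm():
    """Constructed realm: network policy is REQUISITE, password check is REQUIRED."""
    return [
        (NetworkPolicyModule("10.0.0.0/8"), Flag.REQUISITE),
        (PasswordModule({"alice": "s3cret"}, {"alice": ["admin"]}), Flag.REQUIRED),
    ]


if __name__ == "__main__":
    inside = {"user": "alice", "password": "s3cret", "source": "10.1.2.3"}
    outside = {"user": "alice", "password": "s3cret", "source": "203.0.113.9"}
    print(server_side_login(build_realm(), inside))   # accepted with admin Principals
    print(server_side_login(build_realm(), outside))  # rejected, password module never run
    print(client_side_login(build_realm(), outside))  # accepted: realm semantics violated
```

Run as a script it prints the three outcomes: from inside the allowed network the realm succeeds and commits the user and group Principals; from outside, the REQUISITE network module fails and the service rejects the login without even invoking the password module; the flag-ignoring client, by contrast, invokes the password module anyway, sees it succeed and commits the admin Principals. Moving the combination and commit into the service, as the refactoring above proposes, is what removes that path.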
Copyright © 2003-2009, The Apache Software Foundation, Licensed under ASL 2.0.