Multiple authentication providers can be configured to weblogic server. Their precedence/order and participation in authentication can be defined using control flags. Weblogic provides 4 types of flag and there meaning may look ambiguous if you go by their name. Here is the definition of control flag for the sake of record.
REQUIRED: This option is the
default setting for any Authentication Provider. A required Authentication
Provider is always invoked,
irrespective of the control flag settings on other providers. The overall
authentication cannot succeed if any REQUIRED provider fails. Thus, REQUIRED
providers are always invoked, and overall authentication fails if any one of
them fails.
REQUISITE: This option also requires the Authentication Provider to succeed during the login sequence. However, all of the REQUISITE providers need not be invoked for the overall authentication to succeed. If a REQUISITE provider succeeds, the authentication proceeds as normal to other providers in the sequence. However, if it fails, the overall authentication cannot succeed, and control is immediately passed back to the application once all REQUIRED providers in the login sequence have been invoked.
SUFFICIENT: This option does not require the Authentication Provider to succeed during the login sequence. If a SUFFICIENT provider does succeed, the overall authentication proceeds to ensure that only the remaining REQUIRED providers in the login sequence are executed. However, if it fails, the overall authentication proceeds as normal to the other providers in the login sequence.
OPTIONAL: This option does not require the Authentication Provider to succeed during the login sequence. Regardless of whether an OPTIONAL provider succeeds, the authentication proceeds to other providers that have been configured as part of the login sequence.
