Thanks to your guidance, I've made some progress on this - I've configured JAAS to allow two login modules, both sufficient. The CRXLoginModule still works. To figure out why mine is not working properly, I created a stub custom login module that authenticates all simple credentials as valid.
I expected this to work, but it doesn't. Based on what I can see in my debugger, my trivial code is running as expected. But an exception is thrown after it has executed. This is an excerpt of the stack trace
java.lang.IllegalArgumentException: Invalid token ''
at org.apache.jackrabbit.api.security.authentication.token.TokenCredentials.<init>(TokenCred entials.java:42)
at com.day.crx.security.token.impl.TokenAuthenticationHandler.createCredentials(TokenAuthent icationHandler.java:558)
at com.day.crx.security.token.impl.TokenAuthenticationHandler.extractCredentials(TokenAuthen ticationHandler.java:361)
at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(Authenti cationHandlerHolder.java:75)...
So what went wrong? What is this token and is my login modlue responsible for creating it?
I can see an entry being created in crx's /home/users/ directory for the credentials I used with my login module, but it is empty. In comparison, the admin entry contains ".tokens", "preferences", and "profile". Do I need to create these via my login module? Is this the responsibility of the AuthenticationHandler - do I need to write a custom one?