Standalone JAAS versus JAAS in the J2EE Model
A standalone Login Module implementation would also contain configuration logic. For example, an SFS-based Login Module would contain the path and name of the file where user names and passwords are stored. However, when written specifically for a J2EE application server, the Login Module would use the application server's security management system.
The standalone Login Module implementation is responsible for propagating security, while application servers propagate security in the J2EE model.
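The standalone case described above, as an added example that is not from the original page: a hypothetical `FileLoginModule` takes the directory and file name from its own JAAS configuration options and attaches the authenticated identity to the `Subject` itself. The class name, the `dir` and `file` option names, the record format and the PBKDF2 parameters are assumptions.

```java
import java.nio.file.*;
import java.security.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical standalone module (Java 17+). Assumed JAAS configuration entry:
//   Sample { FileLoginModule required dir="/etc/app" file="users.db"; };
// Assumed record format, one per line: user:saltHex:pbkdf2Hex (no cleartext passwords).
public class FileLoginModule implements LoginModule {
    private Subject subject; private CallbackHandler handler;
    private Path userFile; private Principal user; private boolean ok;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
        // Configuration logic lives in the module: path and file name are its own options.
        userFile = Paths.get((String) opts.get("dir"), (String) opts.get("file"));
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        ok = false;
        try {
            handler.handle(new Callback[] { nc, pc });
            for (String line : Files.readAllLines(userFile)) {
                String[] f = line.split(":");
                if (f.length != 3 || !f[0].equals(nc.getName())) continue;
                PBEKeySpec spec = new PBEKeySpec(pc.getPassword(), HexFormat.of().parseHex(f[1]), 600_000, 256); // assumed parameters
                byte[] got = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
                ok = MessageDigest.isEqual(got, HexFormat.of().parseHex(f[2])); // constant-time compare
                break;
            }
        } catch (Exception e) {
            throw new LoginException("authentication could not be completed");
        } finally { pc.clearPassword(); }
        if (!ok) throw new FailedLoginException("invalid credentials");
        String name = nc.getName(); user = () -> name; // Principal's single abstract method is getName()
        return true;
    }
    public boolean commit() { // the module itself attaches the identity to the Subject
        if (ok) subject.getPrincipals().add(user);
        return ok;
    }
    public boolean abort() { boolean was = ok; ok = false; user = null; return was; }
    public boolean logout() { subject.getPrincipals().remove(user); ok = false; user = null; return true; }
}
```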
Note A. The JAAS framework does not provide APIs for managing users and roles. The application server vendor typically provides a proprietary User Manager API. Since J2EE requires that users and roles be defined on the server, programmatic management of users and roles in applications requires the use of these non-standard APIs.
Note B. Since the application server vendor is responsible for propagating security across the J2EE application, implementing a single sign-on system is the responsibility of the J2EE application server.