The GuestLoginModule currently always allows login so it is a handy default. In the case where two login modules are configured, it is nice to have the guest login module only succeed if there are no password credentials such that the second module gets a chance to authenticate. This ensures that only anonymous users (or users that do not supply a password, map to guest, where as any user that supplies a password will have to pass authorization or fail.
Without this option, and using GuestLoginModule sufficient, a failed authentication attempt will map you to the guest user.
This enhancement will implement the credentialsInvalidate attribute.
With the following config, if you don't specify a password you are guest. If you do specify a valid username/password pair you will authenticate, else you are rejected.