A GenericSecurityRealm depends on a bunch of LoginModuleGBeans to express the login modules that must be logged into to log into the realm. Currently these are listed by gbean name + other info in a properties file format. This does nothing to assure that the login modules are in fact started before the GSR is started, although the LMs are used in the GSR constructor.
Sometimes the GSR will start, but the same configuration sometimes will not start due to system variations in gbean start order.
One solution is to make a LoginModule holder gbean that forms a linked list of gbeans, similar to the JettyFilterMapping. This can be implemented easily with no core changes, but it results in a profusion of gbeans that do almost nothing.
Another possible solution is to introduce a core gbean feature that lets you have something like an ordered list of explicit references, all of which must be started for the gbean to start. This would be of more general use but would require some thought to figure out the best functionality.