According to the spec[1], abort() should return true or throw exception if login() succeeded, and should return false if login() failed. However, abort() of subclasses of org.jboss.security.auth.spi.AbstractServerLoginModule always returns true.

[1]: http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASLMDevGuide.html