3 Replies Latest reply on Aug 3, 2002 1:09 PM by dmitry_ame

    Authentication in JBoss3.0.0

    pazu

      Hello, folks. I'm having some trouble setting up authentication for a web app in JBoss 3.0.0 (3.0.0beta2(200204161011), checked out from CVS an hour ago).

      I have an app (deployed under context /af) that needs to be secured. Here's the web.xml and jboss-web.xml portion relative to security:
      [pre]
      <!-- web.xml -->
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>AF</web-resource-name>
          <description>A aplicação inteira</description>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>AFApp</role-name>
        </auth-constraint>
      </security-constraint>

      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Teledata</realm-name>
      </login-config>


      <!-- jboss-web.xml -->
      <security-domain>java:/jaas/TeledataRealm</security-domain>
      [/pre]

      I also modified login-config.xml. Here's the realm configuration for this app:
      [pre]
      <application-policy name="TeledataRealm">

        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule">
          <module-option name="dsJndiName">java:/TeledataDS</module-option>
          <module-option name="principalsQuery">
            SELECT senha FROM agentes WHERE login = ?
          </module-option>
          <module-option name="rolesQuery">
            SELECT role_name, role_group FROM roles WHERE role_agen_login = ?
          </module-option>
        </login-module>

      </application-policy>
      [/pre]

      When accessing my app, the browser's login window DOES pop up. However, it accepts any user/password combination, including nonexistent users.

      Can anyone shed some light on my problem?
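
A regression check for the symptom described in the post above, as an added example that is not part of the original post or of JBoss: it requests the protected context once without credentials and once with a random, nonexistent user, and flags the case where the challenge is issued but the bogus login is accepted. The stub server, its `agent1:s3cret` account and the function names are constructed for the demonstration; point `probe()` at the real `/af` URL to test a deployment.

```python
import base64, secrets, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Direct connection, ignoring any proxy settings in the environment.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def probe(url):
    """Status codes for a request without credentials and for one with a
    random (hence nonexistent) user. A working constraint gives 401 twice."""
    bogus = f"{secrets.token_hex(8)}:{secrets.token_hex(8)}".encode()
    cases = {"anonymous": {},
             "bogus": {"Authorization": "Basic " + base64.b64encode(bogus).decode()}}
    result = {}
    for name, headers in cases.items():
        try:
            with OPENER.open(urllib.request.Request(url, headers=headers), timeout=5) as r:
                result[name] = r.status
        except urllib.error.HTTPError as e:
            result[name] = e.code
    return result

def accepts_any_login(url):
    """True for the symptom in the post: challenge shown, any login accepted."""
    r = probe(url)
    return r["anonymous"] == 401 and r["bogus"] != 401

def stub(check_password):
    """Constructed stand-in server (not JBoss): BASIC auth on every path."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            auth = self.headers.get("Authorization", "")
            ok = auth.startswith("Basic ") and (
                not check_password or base64.b64decode(auth[6:]) == b"agent1:s3cret")
            self.send_response(200 if ok else 401)
            if not ok:
                self.send_header("WWW-Authenticate", 'Basic realm="Teledata"')
            self.end_headers()
        def log_message(self, *args):  # keep the demo output quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}/af/"

if __name__ == "__main__":
    for label, url in (("broken", stub(False)), ("working", stub(True))):
        print(label, probe(url), "accepts any login:", accepts_any_login(url))
```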