Help!
I can't work out how to specify the security domain for my web app. I'm just trying to run up a basic example that restricts access to a sub dir so I can get a feel for jboss configuration. I've got a DataSource set up and configured the login module in login-config.xml. This seems to be okay as it appears in the JNDIView. However, when I specify it in jboss-web.xml that appears to be ignored. I get the following in the jboss std out -
10:25:28,080 WARN [JBossUserRealm#default] authentication failure: matt
10:25:28,080 WARN [Jetty] WARNING: AUTH FAILURE: user matt
So it looks like JBoss is trying some other realm? Below are my web descriptors for reference. Anyone got any ideas? It's blowing my head off ....
This is my web.xml -
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>GUI constraint</web-resource-name>
      <description>Security constraint</description>
      <url-pattern>/private/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>Constraint gui</description>
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <description>SSL not required</description>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
  </login-config>
  <security-role>
    <description>The role required to access restricted content</description>
    <role-name>user</role-name>
  </security-role>
</web-app>
And jboss-web.xml -
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <!-- Use the JaasSecurityMgr loginWebapp security domain for authentication
       and authorization of secured web content.
  -->
  <security-domain>java:/jaas/loginWebapp</security-domain>
</jboss-web>