I'm trying to secure a part of my web-app;

Works fine, goes auto to logon.jsp

But it accept everything.

Have a MySQL db with
Dbname = "secure"
user_name(PK) - user_pass ==>users
user_name(PK) - role_name(PK) ==> user_roles

in Web.xml

<security-constraint>
<web-resource-collection>
<web-resource-name>admin</web-resource-name>
<url-pattern>/secure/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>FORM</auth-method>
<realm-name>admin</realm-name>
<form-login-config>
<form-login-page>/logon.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>

<security-role>
<role-name>admin</role-name>
</security-role>

in login-config.xml

<application-policy name = "admin">

<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
<module-option name = "dsJndiName">java:/DefaultDS007</module-option>
<module-option name = "principalsQuery">select user_pass from users where user_name=?</module-option>
<module-option name = "rolesQuery">select role_name, 'Roles' from user_role where user_name=?</module-option>
</login-module>

</application-policy>

in mysql-service.xml ==> in deploy/


DefaultDS007


<config-property name="ConnectionURL" type="java.lang.String">jdbc:mysql://127.0.0.1:3306/secure</config-property>
<config-property name="DriverClass" type="java.lang.String">mysql-connector-java-3.1.0-alpha-bin.jar</config-property>
<config-property name="UserName" type="java.lang.String"></config-property>
<config-property name="Password" type="java.lang.String"></config-property>


<depends optional-attribute-name="OldRarDeployment">jboss.jca:service=RARDeployment,name=JBoss LocalTransaction JDBC Wrapper


any suggestion

thx in advance.