Hi my problem is that no matter what username password combo I enter in my login box (BASIC authentication) I am always granted access to the restricted resources.

my jboss-web.xml is as follows

<jboss-web>
<security-domain>java:/jaas/webcreator</security-domain>
</jboss-web>

my web.xml is as follows

...
<security-constraint>
<web-resource-collection>
<web-resource-name>SecuredPages</web-resource-name>
bla bla bla
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>power</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>BASIC</auth-method>
<realm-name>JBoss JMX Console</realm-name>
</login-config>

<security-role>
<role-name>power</role-name>
</security-role>
...

login-conf.xml is as follows

...


<application-policy name = "webcreator">

<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag = "required">
<module-option name = "dsJndiName">java:/mysqlDS</module-option>
<module-option name = "principalsQuery">select password from users where username=?</module-option>
<module-option name = "rolesQuery">select role 'Role', "Roles" as RoleGroup from access where username=?</module-option>
</login-module>

</application-policy>

...

by changing the above details for securing jmx-console works fine and only the appropriate users have access, so I don't think there is a problem with the DatabasServerLoginModule in login-config.xml.

Can anybody help with why it always lets me in, in my webapp.

Is there anything else that is required other that jboss-web.xml, web.xml and login-config.xml

thanks
Mat