Dear all,

When I move my MyStore project from JBoss 3.2.3 to JBoss 4.0.0, my security policy didn't work. When I use the same login name and password login into JBoss 3.2.3 and Jboss 4.0.0, JBoss 3.2.3 allowed to access my servlet but Jboss 4.0.0 didn't allow.

Here is part of application policy in login-config.xml.

 <application-policy name = "Mystore">
 <authentication>
 <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
 <module-option name = "dsJndiName">java:/DefaultDS</module-option>
 <module-option name = "principalsQuery">select Password from Principals where PrincipalID=?</module-option>
 <module-option name = "rolesQuery">select Role, RoleGroup from Roles where PrincipalID=?</module-option>
 </login-module>
 </authentication>
 </application-policy>

Here is my security-constraint on web.xml in my project

 <security-constraint>
 <web-resource-collection>
 <web-resource-name>access</web-resource-name>
 <description>An example security config that only allows users with the
 role JBossAdmin to access the access web application
 </description>
 <url-pattern>/*</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
 </web-resource-collection>
 <auth-constraint>
 <role-name>JBossAdmin</role-name>
 </auth-constraint>
 </security-constraint>

 <login-config>
 <auth-method>BASIC</auth-method>
 <realm-name>Access</realm-name>
 </login-config>

 <security-role>
 <role-name>JBossAdmin</role-name>
 </security-role>

I already create two tables in HSQL under JBoss3.2.3 and JBoss 4.0.0. I check that the ROLE is JBOSSADMIN under my PRINCIPALID on both database. And I am sure the query on my database is worked. Because I try to type the invalid password. It show the error either on screen and server.log file.

What is wrong in my security setting?

Thanks a lot.

Patrick Lee