I'm trying to set up a chain of login modules to support
authenticating users accessing a web application.

I can get the UsersRolesLoginModule to work fine,
but I'm now trying to chain this with the
DatabaseServerLoginModule, with little success.

If I attempt to login with user credentials for a
user stored in the properties files for
UsersRolesLoginModule, I get an exception from the
DatabaseServerLoginModule.

Vice versa, if I attempt to login with user credentials
for a user stored in the database for
DatabaseServerLoginModule , I get an exception from the
UsersRolesLoginModule.

The relevant section from login-conf.xml is :

<application-policy name = "WebSecurityRealm">

<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag = "sufficient">

<module-option name = "dsJndiName">java:/OracleDS</module-option>
<module-option name = "principalsQuery">select Password from Principals where PrincipalId=?</module-option>
<module-option name = "rolesQuery">select Role, RoleGroup from Roles where PrincipalId=?</module-option>

<module-option name = "unauthenticatedIdentity">nobody</module-option>

</login-module>

<login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "sufficient" >

<module-option name = "usersProperties">users.properties</module-option>
<module-option name = "rolesProperties">roles.properties</module-option>
<module-option name = "unauthenticatedIdentity">nobody</module-option>

</login-module>

</application-policy>

From the documentation, I'm under the impression that
setting "flag=sufficient" for each login module means
that if a login module succeeds, then authentication is
successful, otherwise the next login module in the chain
is called. Is this correct ?

Can someone point out what is wrong in the configuration
above ?

I'm using JBoss3.0.0, XDoclet 1.1.2 and Oracle 9i on Windows XP.

Thanks,
Gavin.