Yes that is what I meant :-) Why should I *have to* extend that or one of its subclasses ? Why can't i just extend javax.security.auth.spi.LoginModule and stick to pure JAAS (that can be used in a different EJB container) rather than JBoss JAAS (that can't) ?

Well all documentation suggests this (the JAAS howto doc for starters), and many posts on this forum suggest this.

I had already implemented my own LoginModule extending javax.security.auth.spi.LoginModule. I put it in a JAR and put it in $JBOSS_HOME/server/default/lib/. I then reference it in $JBOSS_HOME/server/default/conf/login-config.xml for a web application, as follows
<application-policy name="MyDBRealm">

<login-module code="mydomain.JAAS.DBLoginModule" flag="required" -->
<module-option name="dsJndiName">java:/DefaultDS</module-option>
<module-option name="principalsQuery">
SELECT Password FROM User WHERE Username=?</module-option>
<module-option name="rolesQuery">
SELECT Role, 'Roles' FROM UserRole WHERE Username=?</module-option>
</login-module>

</application-policy>

When I try to log in I get

2003-08-08 06:07:06,828 DEBUG [org.jboss.security.plugins.JaasSecurityManager.MyDBRealm] Login failure
javax.security.auth.login.LoginException: No LoginModules configured for MyDBRealm

How do these LoginModule's get configured for use in JBoss ?

If I swapped the login-module above for JBoss's DatabaseServerLoginModule it works - however I don't want to do that :-(

I can only interpret the lack of a response here as acceptance that I have to extend the JBoss jaas AbstractServerLoginModule - the comments in the source file for that module implies it also. It would be nice to have that confirmed or otherwise - surely someone has an example of *not* extending the JBoss base LoginModule and its use in JBoss ?