org.jboss.security.auth.spi.Util.loadProperties() always uses default properties files -------------------------------------------------------------------------------------- Key: SECURITY-856 URL: https://issues.jboss.org/browse/SECURITY-856 Project: PicketBox Issue Type: Bug Components: PicketBox Affects Versions: PicketBox_4_0_21.Beta3, PicketBox_4_0_19.SP5 Reporter: Chao Wang Assignee: Chao Wang https://bugzilla.redhat.com/show_bug.cgi?id=1073814 Descritpion: In case users.properties (and roles.properties) is defined and exists for org.jboss.security.auth.spi.UsersRolesLoginModule then defaultUsers.properties (and defaultRoles.properties) shouldn't be used for this Login Module (according to documentation they should be used only in case usersProperties or rolesProperties file can not be found) but instead of that content of both file is used. For reproducing this issue use users.properties with user admin=admin and defaultUsers.properties with admin1=admin1. Both users will be loaded for Login Module but in right behavior only admin user from users.properties should be loaded.