Not sure if this is the cause, but under < security-constraint >, the role name is upgradebundle, while in < security-role >, it is user. I think these two should be the same. Are the password store in the database in plain text? The DatabaseServerLoginModule does support logging at the TRACE level, but it probably doesn't tell you want you want to know. It will, for instance, state what SQL statement it is using for getting the password, but then doesn't say what it got, only if it matched. Similarly, it doesn't tell you what roles it found. What I did was added more logging to that class to debug my access (actually, I did this with the LDAP login module, but the same thing would work for database). Finally, you should have started a new topic rather than appending to a 3 year old topic. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4025969#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...