The security-domain entry is there so that you can provide a a means to log into the database other than by providing a user-name and password in the *-ds.xml file. If you use the security-domain entry, the user-name and password entries are ignored (at least, as far as I know - I have not used both at once and I am not going to look in the source to come up with a definitive answer). Also, I think you need to only have "MyTestSec", and not "java:/jaas/MyTestSec" (based on the one I have done, once again I have not looked at the source). Finally, please post the MyTestSec application-policy from login-config.xml. View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4225159#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...