Hi, One of our committers, Jarek Gawor, has identified a security issue with SQLLoginModule. See the related JIRA https://issues.apache.org/jira/browse/GERONIMO-3543 . Authentication succeeds with SQLLoginModule if logging in with an username that does not exist in the database. The issue affects the use of only Database (SQL) Realms in released versions 2.0.1 and 2.0.2. The issue has already been fixed in the codebase and we will be available in the next release expected soon.
++Vamsi