Index: modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/SQLLoginModule.java
===================================================================
--- modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/SQLLoginModule.java (revision 586858)
+++ modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/SQLLoginModule.java (working copy)
@@ -221,17 +221,23 @@
 ResultSet result = statement.executeQuery();
 try {
+ boolean found = false;
 while (result.next()) {
 String userName = result.getString(1);
 String userPassword = result.getString(2);
 if (cbUsername.equals(userName)) {
+ found = true;
 if (!checkPassword(userPassword, cbPassword)) {
 throw new FailedLoginException();
 }
 break;
 }
 }
+ if(!found) {
+ // User does not exist
+ throw new FailedLoginException();
+ }
 } finally {
 result.close();
 }
Index: modules/geronimo-security/src/test/java/org/apache/geronimo/security/jaas/LoginSQLTest.java
===================================================================
--- modules/geronimo-security/src/test/java/org/apache/geronimo/security/jaas/LoginSQLTest.java (revision 586858)
+++ modules/geronimo-security/src/test/java/org/apache/geronimo/security/jaas/LoginSQLTest.java (working copy)
@@ -161,6 +161,16 @@
 }
 }
+ public void testBadUserLogin() throws Exception {
+ LoginContext context = new LoginContext("sql-realm", new UsernamePasswordCallback("bad", "starcraft"));
+
+ try {
+ context.login();
+ fail("Should not allow this login with bad username");
+ } catch (LoginException e) {
+ }
+ }
+
 public void testNullPasswordLogin() throws Exception {
 LoginContext context = new LoginContext("sql-realm", new UsernamePasswordCallback("alan", null));
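Review bot: The new `if(!found)` branch throws the same message-less FailedLoginException as the bad-password path above it, and that sameness is what keeps a caller from distinguishing an unknown user from a wrong password; the comment should state that intent, because `// User does not exist` reads as if a more specific error was meant, e.g. `// Unknown user: throw the same exception as a bad password so the two cases are indistinguishable to the caller`. The two paths still differ in work done, since checkPassword runs only for a known user, so any observable timing difference is not closed by this change; whether that matters depends on checkPassword, which is outside the hunk. Style: `if(!found)` should be `if (!found)` to match the surrounding `if (` lines. The enclosing method starts and ends outside the hunk.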
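Review bot: testBadUserLogin catches the broad LoginException, so it also passes when login() fails for an unrelated reason (a realm configuration problem, a SQLException surfaced by the module), and the empty catch block gives no hint that the failure is the expected outcome; catching the exception SQLLoginModule actually throws would pin the behaviour this commit adds: `} catch (FailedLoginException expected) {` with `// expected: an unknown user must be rejected` as the body. The same applies to testBadPasswordLogin in the following hunk. This mirrors the existing testNullPasswordLogin pattern, so the narrower catch could be applied there too, and FailedLoginException (javax.security.auth.login) would need an import at the top of the file if one is not already present, which is outside the hunk.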
@@ -170,4 +180,14 @@
 } catch (LoginException e) {
 }
 }
+
+ public void testBadPasswordLogin() throws Exception {
+ LoginContext context = new LoginContext("sql-realm", new UsernamePasswordCallback("alan", "bad"));
+
+ try {
+ context.login();
+ fail("Should not allow this login with bad password");
+ } catch (LoginException e) {
+ }
+ }
 }