Index: deploy/jbossas/modeshape-jbossas-service/src/kit/modeshape-config.xml
===================================================================
--- deploy/jbossas/modeshape-jbossas-service/src/kit/modeshape-config.xml        (revision 2583)
+++ deploy/jbossas/modeshape-jbossas-service/src/kit/modeshape-config.xml     (working copy)
@@ -33,11 +33,11 @@
             <mode:source>store</mode:source>
             <!-- Define the options for the JCR repository, using camelcase version of JcrRepository.Option names-->
             <mode:options jcr:primaryType="options">
-	              <!-- Should node types appear as nodes under '/jcr:system/jcr:nodeTypes'? -->
-                <projectNodeTypes jcr:primaryType="option" value="true"/>
-	              <!-- The name of the JAAS application policy, used when clients get a session with credentials.
+                <!-- Should node types appear as nodes under '/jcr:system/jcr:nodeTypes'? -->
+                <mode:option jcr:name="projectNodeTypes" mode:value="true"/>
+	            <!-- The name of the JAAS application policy, used when clients get a session with credentials.
 	                   (This policy is defined in the 'jboss-modeshape-beans.xml' file). -->
-                <jaasLoginConfigName jcr:primaryType="option" value="modeshape"/>
+                <mode:option jcr:name="jaasLoginConfigName" mode:value="modeshape"/>
             </mode:options>
             <!-- Define any custom node types. Importing CND files via JcrConfiguration is equivalent to specifying here.-->
             <jcr:nodeTypes>
Index: modeshape-jcr/src/main/java/org/modeshape/jcr/JcrI18n.java
===================================================================
--- modeshape-jcr/src/main/java/org/modeshape/jcr/JcrI18n.java        (revision 2583)
+++ modeshape-jcr/src/main/java/org/modeshape/jcr/JcrI18n.java     (working copy)
@@ -42,6 +42,7 @@ public final class JcrI18n {
     public static I18n cannotConvertValue;
     public static I18n credentialsMustProvideJaasMethod;
     public static I18n mustBeInPrivilegedAction;
+    public static I18n loginConfigNotFound;
     public static I18n credentialsMustReturnLoginContext;
     public static I18n defaultWorkspaceName;
     public static I18n pathNotFound;
Index: modeshape-jcr/src/main/java/org/modeshape/jcr/JcrRepository.java
===================================================================
--- modeshape-jcr/src/main/java/org/modeshape/jcr/JcrRepository.java        (revision 2583)
+++ modeshape-jcr/src/main/java/org/modeshape/jcr/JcrRepository.java     (working copy)
@@ -818,6 +818,10 @@ public class JcrRepository implements Repository {
         updateWorkspaceNames();
     }
 
+    protected String repositoryName() {
+        return getDescriptor(org.modeshape.jcr.api.Repository.REPOSITORY_NAME);
+    }
+
     protected void updateWorkspaceNames() {
         if (!Boolean.valueOf(this.options.get(Option.EXPOSE_WORKSPACE_NAMES_IN_DESCRIPTOR)).booleanValue()) return;
 
@@ -1224,8 +1228,15 @@ public class JcrRepository implements Repository {
             try {
                 if (credentials instanceof SimpleCredentials) {
                     SimpleCredentials simple = (SimpleCredentials)credentials;
-                    execContext = executionContext.with(new JaasSecurityContext(options.get(Option.JAAS_LOGIN_CONFIG_NAME),
-                                                                                simple.getUserID(), simple.getPassword()));
+                    String policyName = options.get(Option.JAAS_LOGIN_CONFIG_NAME);
+                    try {
+                        execContext = executionContext.with(new JaasSecurityContext(policyName, simple.getUserID(),
+                                                                                    simple.getPassword()));
+                    } catch (javax.security.auth.login.LoginException error) {
+                        throw new javax.jcr.LoginException(JcrI18n.loginConfigNotFound.text(policyName,
+                                                                                            Option.JAAS_LOGIN_CONFIG_NAME,
+                                                                                            repositoryName()), error);
+                    }
                     for (String attributeName : simple.getAttributeNames()) {
                         Object attributeValue = simple.getAttribute(attributeName);
                         sessionAttributes.put(attributeName, attributeValue);
@@ -1254,9 +1265,11 @@ public class JcrRepository implements Repository {
                     }
                 }
             } catch (RuntimeException error) {
-                throw error;
+                throw error; // pass along
+            } catch (javax.jcr.LoginException error) {
+                throw error; // pass along
             } catch (Exception error) {
-                throw new javax.jcr.LoginException(error);
+                throw new javax.jcr.LoginException(error); // wrap
             }
         }
         return sessionForContext(execContext, workspaceName, sessionAttributes);
Index: modeshape-jcr/src/main/resources/org/modeshape/jcr/JcrI18n.properties
===================================================================
--- modeshape-jcr/src/main/resources/org/modeshape/jcr/JcrI18n.properties        (revision 2583)
+++ modeshape-jcr/src/main/resources/org/modeshape/jcr/JcrI18n.properties     (working copy)
@@ -32,6 +32,7 @@ repositoryReferencesNonExistantSource = The '{0}' repository references the '{1}
 cannotConvertValue = Cannot convert {0} value to {1}
 credentialsMustProvideJaasMethod = The Credentials class "{0}" must implement "public LoginContext getLoginContext();", be an instance of "javax.jcr.SimpleCredentials", or be an instance of "org.modeshape.jcr.SecurityContextCredentials"
 mustBeInPrivilegedAction=login() can only be called successfully from within a java.security.PrivilegedAction or when the ANONYMOUS_USER_ROLES repository option is set
+loginConfigNotFound = The JAAS policy named '{0}' (nor the policy named 'other') could not be found; check the value of the '{1}' repository option in the configuration for the '{2}' repository
 credentialsMustReturnLoginContext = The "getLoginContext()" method in Credentials class "{0}" must not return a null
 defaultWorkspaceName=
 pathNotFound = No item exists at path {0} in workspace "{1}"