Ok, I figured out the significance of login.conf. The jaas context must be one of the magic names listed there. (Hello, Glassfish, why can't you then list them in a dropdown in the realm configuration?) So, now I have
<auth-realm classname="com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm" name="corejsfRealm">
  <property name="jaas-context" value="jdbcRealm" />
  <property name="datasource-jndi" value="jdbc/mydb" />
  <property name="user-table" value="Credentials" />
  <property name="user-name-column" value="username" />
  <property name="password-column" value="passwd" />
  <property name="group-table" value="Groups" />
  <property name="group-name-column" value="groupname" />
  <property name="digest-algorithm" value="none" />
</auth-realm>
(I changed the password column to passwd because some people somewhere say that with some databases, you can't use password as a column name, it being one of the hundreds of SQL reserved words. Fair enough.)
I also added
<jvm-options>-Djava.security.debug=logincontext</jvm-options>
and set
javax.enterprise.system.core.security.level=FINEST
in logging.properties.
I know that JAAS now looks at my table, because at first I forgot to rename the table column, and I got an error message that there was no PASSWD column. Now I changed it back, and I get
SEVERE: [LoginContext]: original security exception with detail msg replaced by new exception with empty detail msg
SEVERE: [LoginContext]: original security exception: com.sun.enterprise.security.auth.login.common.LoginException: Failed jdbc login for troosevelt.
SEVERE: [LoginContext]: login REQUIRED failure
SEVERE: [LoginContext]: abort ignored
INFO: SEC5046: Audit: Authentication refused for [troosevelt].
WARNING: Web login failed: Login failed: javax.security.auth.login.LoginException: Security Exception
WARNING: Can not find resource bundle for this logger. class name that failed: com.sun.web.security.RealmAdapter
WTF? I googled for "original security exception with detail msg replaced by new exception with empty detail msg". I want to see that original message. There are dozens and dozens of people with the same problem, and with various random suggestions, such as setting the charset to UTF-8. (No, it doesn't work.)
Now, this is obviously a feature that is full of pitfalls, with several dials that must be set just right for it to work. It is a major usability flaw that there are no clear messages. I want to know what the damn thing tried. Did the password match? (If not, then I'd know to tinker with digest-algorithm=none.) What roles did it find? Did it use them as-is or try to map them? I should not have to spend a day fussing with all those dials in the blind, not knowing whether I am even getting closer.
In the meantime, if someone has another random suggestion to try, I'd much appreciate it.
Cay
[Message sent by forum member 'cayhorstmann' (cayhorstmann)]
http://forums.java.net/jive/thread.jspa?messageID=354554
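An added diagnostic (not from the post, and not GlassFish code) that replays the two lookups the realm configuration above describes, user and passwd from Credentials and group names from Groups, against a constructed in-memory SQLite copy of the tables, so each step the realm hides (user found? password equal under the chosen digest-algorithm? which groups?) is reported explicitly. It assumes Groups is keyed by a username column and that digests are compared as hex strings; both are assumptions, not details from the post.

```python
import hashlib
import sqlite3

# Constructed in-memory stand-in for the jdbc/mydb datasource, using the table
# and column names from the realm configuration in the post. Keying the Groups
# table by a username column is an assumption about the schema.
SCHEMA = """
CREATE TABLE Credentials (username TEXT PRIMARY KEY, passwd TEXT NOT NULL);
CREATE TABLE Groups (username TEXT NOT NULL, groupname TEXT NOT NULL);
"""


def make_db(username, stored_passwd, groups):
    """Build a throwaway database with one user and that user's group rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO Credentials VALUES (?, ?)", (username, stored_passwd))
    conn.executemany("INSERT INTO Groups VALUES (?, ?)",
                     [(username, g) for g in groups])
    return conn


def digest_password(password, digest_algorithm):
    """Mimic the digest-algorithm property: 'none' means the column holds the
    cleartext; anything else is hashed and (assumed) hex-encoded."""
    if digest_algorithm.lower() == "none":
        return password
    algo = digest_algorithm.replace("-", "").lower()   # e.g. SHA-256 -> sha256
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


def try_login(conn, username, password, digest_algorithm="none"):
    """Replay the realm's lookups and report every intermediate result."""
    result = {"user_found": False, "password_match": False, "groups": []}
    row = conn.execute(
        "SELECT passwd FROM Credentials WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return result                      # no such user: nothing to compare
    result["user_found"] = True
    result["stored"] = row[0]
    result["computed"] = digest_password(password, digest_algorithm)
    result["password_match"] = result["computed"] == result["stored"]
    if result["password_match"]:           # groups only matter after a match
        result["groups"] = [g for (g,) in conn.execute(
            "SELECT groupname FROM Groups WHERE username = ? ORDER BY groupname",
            (username,))]
    return result
```

If user_found is true but password_match is false, compare the stored and computed values in the result: a hex digest sitting in the column while digest-algorithm is none (or the reverse) shows up immediately.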