users@glassfish.java.net

Re: Problem in using jdbc realm, i get "No LoginModules configured for jdbcrealm"

From: <glassfish_at_javadesktop.org>
Date: Tue, 07 Jul 2009 21:20:33 PDT

More in this wretched saga. I turned on tracing in Derby. (To do this, add the magic name/value pairs traceFile=trace.out and traceLevel=-1 to the connection pool properties. You'll get a file /path/to/glassfishv3-preview/glassfish/domains/domain1/config/trace.out that contains enough detail about the driver calls that you can figure out what has happened.) In my case, what happened is that the JDBC realm prepares a statement

SELECT passwd FROM Credentials WHERE username = ?

calls setString(1, bar), executes the query, calls next on the result set, calls getString(1), and gets the string

5ebe2294ecd0e0f08eab7690d2a6ee69

That is the MD5 encoding of "secret". (echo -n secret | md5sum) I went to MD5 encoding, just in case there was something to the rumors that "none" is not supported.

That's it. No further queries. Why no query for the role? I guess it must have "concluded" that the passwords don't match. But they do. Or do they?

I dimly recalled some grief with trailing spaces in Derby. Sure enough, when I changed CHAR(40) to CHAR(32) for the password, I was able to log in, but authentication still failed. A couple of hours later, it dawned upon me... it was the same reason. I have to use VARCHAR, not CHAR.

Now if some programmer out there had taken it upon him- or herself to issue a log message that "registereduser" doesn't match "registereduser ", I could have spent that couple of hours with my adorable twin daughters instead. Arggh!

So, if anyone gets to this message, the lesson is:

1) The jaas-context must be jdbcRealm
2) You must use VARCHAR, not CHAR for your column types
3) The rumor that hashing type "none" doesn't work is bogus. It works fine. (The rumor that you need to set the charset to UTF-8 is equally bogus. In those two hours, I read the source of the JDBCRealm class...)
4) If you ever implement stuff like this, and feel "oh my, I must fail completely silently so that hackers can't glean any information from the logs", have pity on your fellow programmer and instead emit a message "Login failed. For full information, set the logger com.foo.security to FINEST". And then make that logger spell out every step of the process!
[Message sent by forum member 'cayhorstmann' (cayhorstmann)]

http://forums.java.net/jive/thread.jspa?messageID=354576
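As an added illustration, not code from the post or from GlassFish's JDBCRealm, the following Python models the realm's compare step against constructed rows: one where the digest came back from a blank-padded CHAR(40) column, one from VARCHAR. The function name, the reason codes and the logger name are assumptions; it shows why the padded value never matches and what a debug-level diagnostic could say without writing either digest to the log.

```python
import hashlib
import hmac
import logging

logger = logging.getLogger("realm.jdbc")

# Constructed sample data (no real database): what Derby hands back for the
# same stored MD5 hex digest when the column is CHAR(40), which blank-pads to
# the declared width, versus VARCHAR, which stores the value as written.
SECRET_MD5 = hashlib.md5(b"secret").hexdigest()
CREDENTIALS_CHAR40 = {"registereduser": SECRET_MD5.ljust(40)}
CREDENTIALS_VARCHAR = {"registereduser": SECRET_MD5}


def authenticate(table, username, password):
    """Model the realm's flow: SELECT passwd ... WHERE username = ?, hash the
    supplied password the same way, compare the two digests.

    Returns (ok, reason). The reason names why a login failed so an operator
    with this logger at DEBUG can see it; neither digest is logged."""
    stored = table.get(username)
    if stored is None:
        logger.debug("no credentials row for user %r", username)
        return False, "unknown-user"
    supplied = hashlib.md5(password.encode("utf-8")).hexdigest()
    # Constant-time comparison; unequal lengths simply fail.
    if hmac.compare_digest(stored.encode("utf-8"), supplied.encode("utf-8")):
        logger.debug("digest matched for user %r", username)
        return True, "ok"
    trailing = len(stored) - len(stored.rstrip(" "))
    if trailing and hmac.compare_digest(stored.rstrip(" ").encode("utf-8"),
                                        supplied.encode("utf-8")):
        # The CHAR vs VARCHAR trap the post describes: equal once padding is gone.
        logger.debug("digest for user %r matches only after stripping %d trailing "
                     "blank(s); the passwd column is probably CHAR, declare it VARCHAR",
                     username, trailing)
        return False, "trailing-blanks"
    logger.debug("digest mismatch for user %r: stored length %d, computed length %d",
                 username, len(stored), len(supplied))
    return False, "mismatch"


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="%(name)s %(levelname)s %(message)s")
    print(authenticate(CREDENTIALS_CHAR40, "registereduser", "secret"))
    print(authenticate(CREDENTIALS_VARCHAR, "registereduser", "secret"))
```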