I'm trying to set up a very basic JDBC realm authentication in GlassFish 3.1. The application consists of an EJB with one business method, and a remote client application (not a webapp). I think I'm missing something fundamental here.
I've followed the Java EE 6 tutorial, and completed all the steps. I don't get any errors, but it never accepts the username and password as correct. My best guess is that there may be a problem with the structure of the table used for authentication, since I'm trying to use a single table to store users AND groups. (It's mentioned in another post by someone more knowledgeable than me that this is possible, and the official tutorial also uses a single table. All of my users will be in one group ('users'), so I would prefer not to create a second table. I want to keep the app as simple as possible.)
I have a database ('auth') with one table ('ACCOUNTS'), which has 3 fields: 'NAME', which is the primary key, 'PASSWORD' and 'GROUPS'. I don't have any constraints on the table.
I added a user:
    INSERT INTO ACCOUNTS (NAME, PASSWORD, GROUPS) VALUES ('Bob', 'bob', 'users');
My glassfish-application.xml has the role mapping and the realm specified:
    <glassfish-application>
        <security-role-mapping>
            <role-name>users</role-name>
            <group-name>users</group-name>
        </security-role-mapping>
        <realm>jdbcRealm</realm>
    </glassfish-application>
The realm settings: (GlassFish screenshot)
Realm Name: jdbcRealm
JAAS Context: jdbcRealm
User Table: auth.ACCOUNTS
User Name Column: name
Password Column: password
Group Table: auth.ACCOUNTS
Group Name Column: groups
The bean:
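    import java.util.logging.Level;
    import java.util.logging.Logger;
    import javax.annotation.security.DeclareRoles;
    import javax.annotation.security.RolesAllowed;
    import javax.ejb.Stateless;

    @Stateless
    @DeclareRoles("users")
    public class ProtectedBean implements ProtectedBeanRemote {
        private static final Logger logger = Logger.getLogger(ProtectedBean.class.getName());

        // Only callers mapped to the "users" role may invoke this method.
        @Override
        @RolesAllowed("users")
        public void doProtectedStuff() {
            logger.log(Level.INFO, "Protected method accessed.");
        }
    }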
The JDBC connection pool and resource are also created.
When I call the bean from the remote client, the login prompt appears. I type the name and password, and then I get a SecurityException:
    javax.security.auth.login.LoginException: Security Exception
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:870)
        ...
    Caused by: java.lang.SecurityException
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:871)
After this, the login window appears again, like when the name/password is wrong. When I use the file realm, it works perfectly, but not with the JDBC realm.
Should the table be different? (Should I use multiple tables?) Or am I doing something else wrong? Thanks in advance!