tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Eggers <>
Subject Re: Why am I Getting org.apache.catalina.realm.JDBCRealm getPassword SEVERE: Exception performing authentication?
Date Wed, 08 Feb 2012 19:13:27 GMT

This is edited for compactness. Comments mostly inline.

----- Original Message -----
> From: Jonathan Rosenberg <>
> To: Tomcat Users List <>
> Cc: 
> Sent: Wednesday, February 8, 2012 10:23 AM
> Subject: Re: Why am I Getting org.apache.catalina.realm.JDBCRealm getPassword SEVERE:
Exception performing authentication?
> On Wed, Feb 8, 2012 at 1:08 PM, Konstantin Kolinko
> <> wrote:
>>  2012/2/8 Jonathan Rosenberg <>:
>>>  Vital statistics:
>>>     Apache Tomcat/7.0.22        1.6.0_22-b04    Sun Microsystems Inc.
> Linux
>>>  1) Using org.apache.catalina.realm.UserDatabaseRealm for
>>>  authentication to Manager app.  No pooling.
>>>  2) Running a Grails app that is using CAS authentication on remote
>>>  server.  Using dbcp pooling.
>>>  3) App & Tomcat auth use different DBs  App's DB is remote, 
> Tomcat is
>>>  using local DB server.
>>>  4) App is in testing & lightly used during the day.  Works fine.
>>>  5) App sits idle over night.
>>>  If I access my app first thing in the morning, I get the following
>>>  Feb 8, 2012 9:09:58 AM org.apache.catalina.realm.JDBCRealm getPassword
>>  JDBCRealm does not use pooling. (The recommended alternative that uses
>>  pooling is DataSourceRealm).
>>  It does not match your configuration description above, so I am
>>  confused. Maybe you can inspect your configuration more closely and
>>  find where this realm comes from.
> Good point.  I have the following Realms in server.xml:
> <Realm className="org.apache.catalina.realm.LockOutRealm">
> <Realm className="org.apache.catalina.realm.JDBCRealm" 
> debug="99"
> driverName="com.mysql.jdbc.Driver"
> connectionURL="jdbc:mysql://localhost/Tomcat?user=baba&password=booey"
> userTable="users" userNameCol="username" 
> userCredCol="password"
> userRoleTable="user_roles" roleNameCol="rolename"/>

This indicates that you're using a JDBCRealm. There are lots of problems with this which are
mentioned in the documentation.

It's synchronous - only one connection is providing this information. This may not be a problem
if your application is not heavily used. Then again, it may.

It's subject to whatever timeouts your database (MySQL) enforces for idle connections. This
is why the connection is closed overnight.

For MySQL, autoReconnect=true is problematic, and has been commented on in both this mailing
list and on the MySQL forums. In short, do not depend on autoReconnect.

Also, from what I just skimmed on the Tomcat site, debug is no longer a valid attribute (maybe
from Tomcat 5.0?).

>>>  To me this looks like a DB timeout issue to be solved by pooling.  But
>>>  here's where I'm confused:

And you are correct, this needs to be solved by pooling. You need to be using a DataSourceRealm
rather than a JDBCRealm for this.

The documentation is a little scattered the last time I checked, but I did write up a consolidated
version on the Wiki. Check the following link:

You'll need to change the validationQuery on the Resource definition from the example since
it's different for different databases.

>>>  1) I'm trying to authenticate via CAS.  Tomcat authentication 
> should
>>>  not be an issue.  Why is Tomcat trying to authenticate?

You have a JDBCRealm which makes a connection to a MySQL database. Are you using this for
authentication / authorization? If so, see above on how to move to a DataSourceRealm. If not,
why do you have this Realm in your configuration?

>>>  2) After this exception, my app gets repeated connection failures
>>>  complaining about closed DB connections.  But I am using dbcp pooling,
>>>  which I;ve done many times without problems.  I feel as is this is
>>>  related to the Tomcat auth failure.
>>>  3) I have to reload the app to make things start working.

Stale connections get terminated by the database. autoReconnect would solve this, but it really
doesn't. Busy sites slow down because there's only one connection providing the information.

. . . . just my two cents.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message