TomEE ORA-01017 server tries to authenticate with OS user


I have two databases on a remote machine and I want to use those in CMT on TomEE 7.0.2. I configured two XA datasources in my tomee.xml and I encountered a login issue. The application server is not able to create the datasources as it encounters an error. The username and password are correctly set in the XML. I created a test to check if the ojdbc7.jar does something nasty, but it is able to log in as it should.

The problem

I debugged TomEE to check the packages with Wireshark as well. The problem seems to be inside TomEE. The request sent to the Oracle machine contains the following:

(DESCRIPTION=(CONNECT_DATA=(SID=DBNAME)(CID=(PROGRAM=JDBC Thin Client)(HOST=__jdbc__)(USER=osuser)))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.10)(PORT=1521)))

As you can see, this connection data tries to use the osuser instead of the user specified in the tomee.xml.

I tried different configurations as well based on http://tomee.apache.org/datasource-config.html.

Question

How can I configure TomEE to use the provided user and password for the database connection?

Application:

tomee.xml:

The default PasswordCipher is PlainText; it is included to make sure.

<?xml version="1.0" encoding="UTF-8"?>
<tomee>
    <Resource id="oracleDS" type="DataSource">
      XaDataSource oracleXADS
      DataSourceCreator dbcp-alternative
    </Resource>

    <Resource id="oracleXADS" type="XADataSource" class-name="oracle.jdbc.xa.client.OracleXADataSource">
      Url jdbc:oracle:thin:@192.168.1.10:1521:DBNAME
      Username user
      PasswordCipher PlainText
      Password pass
    </Resource>

    <Resource id="postgreDS" type="DataSource">
      XaDataSource postgreXADS
      DataSourceCreator dbcp-alternative
    </Resource>

    <Resource id="postgreXADS" type="XADataSource" class-name="org.postgresql.xa.PGXADataSource">
      Url jdbc:postgresql://192.168.1.10:5432/DBNAME
      Username user
      PasswordCipher PlainText
      Password pass
    </Resource>

</tomee>

Also tried this format:

<Resource id="oracleXADS" type="javax.sql.XADataSource" class-name="oracle.jdbc.xa.client.OracleXADataSource">   
  url = jdbc:oracle:thin:@192.168.1.10:1521:DBNAME
  userName = user
  passwordCipher = PlainText
  password = pass
</Resource>

persistence.xml:

<persistence-unit name="oraDS" transaction-type="JTA">
    <jta-data-source>oracleXADS</jta-data-source>
    <exclude-unlisted-classes>false</exclude-unlisted-classes>
</persistence-unit>
<persistence-unit name="pgDS" transaction-type="JTA">
    <jta-data-source>postgreXADS</jta-data-source>
    <exclude-unlisted-classes>false</exclude-unlisted-classes>
</persistence-unit>

Test file with the same ojdbc7.jar

relevant parts of TestDatasource.java

Class.forName("oracle.jdbc.driver.OracleDriver");
System.out.println("Oracle JDBC Driver Registered!");
Connection connection = DriverManager.getConnection("jdbc:oracle:thin:@192.168.1.10:1521:DBNAME", "user", "pass");
//connection is checked and it is OK

relevant TestXADatasource.java

OracleXADataSource oxds = new OracleXADataSource();
oxds.setURL("jdbc:oracle:thin:@192.168.1.10:1521:DBNAME");
oxds.setUser("user");
oxds.setPassword("pass");

XAConnection pc  = oxds.getXAConnection();
Connection conn1 = pc.getConnection();
//connection is checked and it is OK

Other not working solutions:

I checked the following but those are not the solutions for my problem:

A) I do not have the factory property which caused the problem according to the accepted answer.

B) I use the latest Oracle driver, and the database is 12 as well, despite that I created the simple test provided below.

C) I am using Linux on both machines and I am on a different application server with Java.

3

There are 3 answers

0
Hash On BEST ANSWER

There are a few points to make here:

OS user part

The driver sends this information not as part of the authentication process but as environment to start the login. This means that the login value is sent in a different request. If you follow the TCP stream using CANARY as password and user you can check if it is contained in any form in the request. The mentioned configurations will NOT contain it.

The real problem

The real problem is that http://tomee.apache.org/datasource-config.html is wrong. The userName is not a valid declaration of the username. The valid declaration is as follows:

<Resource id="oracleDS" type="DataSource">
  XaDataSource oracleXADS
  DataSourceCreator dbcp-alternative
</Resource>

<Resource id="oracleXADS" type="javax.sql.DataSource" class-name="oracle.jdbc.xa.client.OracleXADataSource">
  url jdbc:oracle:thin:@192.168.1.10:1521:DBNAME
  user user
  passwordCipher PlainText
  password password
</Resource>

TL;DR: The documentation is wrong. After the only change, userName->user, was made to the posted configuration, the TCP stream contained the necessary username and the login was successful. (The Apache TomEE mailing list has been notified of the problem.)
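The connect descriptor from the question, split into its fields, as an added example that is not part of the original answer or of the Oracle driver: it shows that USER sits inside the CID group, which the client fills in to describe itself, next to the SID and ADDRESS fields used for routing. The class name ConnectDescriptorFields and the output labels are assumptions made for this illustration.

```java
import java.util.*;

public class ConnectDescriptorFields {
    private final String s;
    private int pos = 0;
    private final Map<String, String> flat = new LinkedHashMap<>();

    ConnectDescriptorFields(String s) { this.s = s; }

    /** Flattens nested (KEY=value) groups into dotted paths, e.g. DESCRIPTION.ADDRESS.PORT. */
    static Map<String, String> parse(String descriptor) {
        ConnectDescriptorFields p = new ConnectDescriptorFields(descriptor.trim());
        while (p.pos < p.s.length()) p.group("");
        return p.flat;
    }

    private void group(String prefix) {
        expect('(');
        int eq = s.indexOf('=', pos);
        if (eq < 0) throw new IllegalArgumentException("missing '=' after position " + pos);
        String key = s.substring(pos, eq).trim().toUpperCase(Locale.ROOT);
        String path = prefix.isEmpty() ? key : prefix + "." + key;
        pos = eq + 1;
        if (pos < s.length() && s.charAt(pos) == '(') {
            // The value is itself a list of groups: recurse into each one.
            while (pos < s.length() && s.charAt(pos) == '(') group(path);
        } else {
            int close = s.indexOf(')', pos);
            if (close < 0) throw new IllegalArgumentException("unbalanced descriptor");
            flat.put(path, s.substring(pos, close).trim());
            pos = close;
        }
        expect(')');
    }

    private void expect(char c) {
        if (pos >= s.length() || s.charAt(pos) != c)
            throw new IllegalArgumentException("expected '" + c + "' at position " + pos);
        pos++;
    }

    public static void main(String[] args) {
        // The descriptor quoted in the question, copied as-is.
        String captured = "(DESCRIPTION=(CONNECT_DATA=(SID=DBNAME)(CID=(PROGRAM=JDBC Thin Client)"
            + "(HOST=__jdbc__)(USER=osuser)))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.10)(PORT=1521)))";
        parse(captured).forEach((k, v) -> System.out.println(
            (k.contains(".CID.") ? "client label  " : "routing       ") + k + " = " + v));
    }
}
```

When reading a capture or listener log, the CID values only say what the client reported about itself; the database account being authenticated has to be looked for in the later login exchange, as the answer describes.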


4
fhossfel On

You can ignore the username in the connection string. It is not the one used for authentication.

I think your datasource configuration is not correct. According to the TomEE configuration documentation [1] it should look like this:

<Resource id="oracleDS" type="DataSource">
    JdbcDriver  oracle.jdbc.OracleDriver
    JdbcUrl jdbc:oracle:thin:@192.168.1.10:1521:DBNAME
    UserName    user
    Password    pass
</Resource>

<Resource id="oracleXADS" type="DataSource">
    JdbcDriver oracle.jdbc.xa.client.OracleXADataSource
    JdbcUrl jdbc:oracle:thin:@192.168.1.10:1521:DBNAME
    UserName    user
    Password    pass
</Resource>

[1] http://tomee.apache.org/common-datasource-configurations.html

0
Romain Manni-Bucau On

To clarify what is happening and why the doc looked wrong:

  • using class-name you configure the class you mention. TomEE is not aware of it but provides a setters helper command in tomee.sh
  • using type DataSource you ask for a datasource pool and here userName is valid and the username the pool uses. Depending on the XADataSource impl it is ignored or not in favor of the xa user config (which can have another name as well)

In other words oracleXADS is not a tomee datasource but a user resource supporting DataSource injections

The doc is about the tomee pooling only
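A way to check property names against the setters of a class-name resource before deploying, as an added example that is not TomEE or Oracle code: it lists which keys of a Resource block have no matching setter on the configured class. StubXADataSource is a constructed stand-in exposing only the three setters the question's TestXADatasource.java calls on OracleXADataSource, and the case-insensitive key matching is an assumption about how the container applies properties.

```java
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.*;

public class ResourcePropertyCheck {
    /** Constructed stand-in: only the setters used in the question's XA test. */
    public static class StubXADataSource {
        private String url, user, password;
        public void setURL(String v) { url = v; }
        public void setUser(String v) { user = v; }
        public void setPassword(String v) { password = v; }
    }

    /** Returns the config keys for which the bean class has no public setter. */
    static List<String> unmatchedKeys(Class<?> bean, Collection<String> keys)
            throws IntrospectionException {
        // Assumption: keys are matched to setters without regard to case.
        Set<String> writable = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        for (PropertyDescriptor pd
                : Introspector.getBeanInfo(bean, Object.class).getPropertyDescriptors()) {
            if (pd.getWriteMethod() != null) writable.add(pd.getName());
        }
        List<String> unmatched = new ArrayList<>();
        for (String key : keys) {
            if (!writable.contains(key)) unmatched.add(key);
        }
        return unmatched;
    }

    public static void main(String[] args) throws Exception {
        // Connection keys from the question's second Resource block and from the accepted answer.
        List<String> fromQuestion = Arrays.asList("url", "userName", "password");
        List<String> fromAnswer = Arrays.asList("url", "user", "password");
        System.out.println("question config, no setter for: "
            + unmatchedKeys(StubXADataSource.class, fromQuestion));
        System.out.println("answer config, no setter for:   "
            + unmatchedKeys(StubXADataSource.class, fromAnswer));
    }
}
```

Run against the real driver class instead of the stub, the same check shows which names a given XADataSource implementation accepts.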