3

I have many tests which access our Oracle DB without a problem, however when I run these tests along with other tests in our codebase which use a keystore, the tests that interact with the DB are no longer able to connect. Here is the exception they get:

```
Caused by: java.sql.SQLException: ORA-01017: invalid username/password; logon denied
    at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:439)
    at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:388)
    at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:381)
    at oracle.jdbc.driver.T4CTTIfun.processError(T4CTTIfun.java:564)
    at oracle.jdbc.driver.T4CTTIoauthenticate.processError(T4CTTIoauthenticate.java:431)
    at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:436)
    at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:186)
    at oracle.jdbc.driver.T4CTTIoauthenticate.doOAUTH(T4CTTIoauthenticate.java:366)
    at oracle.jdbc.driver.T4CTTIoauthenticate.doOAUTH(T4CTTIoauthenticate.java:752)
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:359)
    at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:531)
    at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:221)
    at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:32)
    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:503)
    at org.apache.commons.dbcp.DriverConnectionFactory.createConnection(DriverConnectionFactory.java:37)
    at org.apache.commons.dbcp.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:290)
    at org.apache.commons.dbcp.BasicDataSource.validateConnectionFactory(BasicDataSource.java:877)
    at org.apache.commons.dbcp.BasicDataSource.createDataSource(BasicDataSource.java:851)
    ... 68 more
```

Obviously the username and password are still correct. I'm having a really hard time figuring out what in our code is causing the connection to fail, and I don't really know how to debug what's happening when the Oracle driver tries to connect. I'm using the Oracle thin driver with Oracle 11g. We use Spring, Hibernate, and the Apache Commons DBCP. It seems like the driver is maybe trying to establish an SSL connection to the DB? I'm not sure though. I seem to remember a very similar issue with SQL Server when we were still using that; at the time I just ignored it. Right now we run the tests that interact with the keystore in a separate batch and JVM.

Any help would be greatly appreciated.

UPDATED

I did a bunch more debugging and finally traced this down to our use of the wss4j library (version 1.5.9) via Spring-WS. Eventually the WSSConfig class gets to a set of code that does this:

```java
int ret = 0;
for (int i = 0; i < provs.length; i++) {
    if ("SUN".equals(provs[i].getName())
        || "IBMJCE".equals(provs[i].getName())) {
        ret =
            java.security.Security.insertProviderAt(
                (java.security.Provider) c.newInstance(), i + 2
            );
        break;
    }
}
```

Immediately after this code my connections to Oracle stop working. It looks like when the `insertProviderAt` method is called using a Bouncy Castle provider my Oracle connection starts failing. Any ideas?

Minimal Test Case

The first connection attempt succeeds, but the second attempt fails.

```java
Connection conn = DriverManager.getConnection("jdbc:oracle:thin:@server/servicename", "username", "password");
conn.prepareStatement("select * from dual").getResultSet();
conn.close();
org.apache.ws.security.WSSConfig.getDefaultWSConfig();
conn = DriverManager.getConnection("jdbc:oracle:thin:server/servicename", "username", "password");
conn.prepareStatement("select * from dual").getResultSet();
conn.close();
```

WSSConfig Initialize Method

```java
private synchronized void staticInit() {
    if (!staticallyInitialized) {
        org.apache.xml.security.Init.init();
        if (addJceProviders) {
            /*
             * The last provider added has precedence, that is if JuiCE can be added
             * then WSS4J uses this provider.
             */
            addJceProvider("BC", "org.bouncycastle.jce.provider.BouncyCastleProvider");
            addJceProvider("JuiCE", "org.apache.security.juice.provider.JuiCEProviderOpenSSL");
        }
        Transform.init();
        try {
            Transform.register(
                STRTransform.implementedTransformURI,
                "org.apache.ws.security.transform.STRTransform"
            );
        } catch (Exception ex) {
            if (log.isDebugEnabled()) {
                log.debug(ex.getMessage(), ex);
            }
        }
        staticallyInitialized = true;
    }
}
```
Jacob
jjathman
  • When you say *"Obviously the username and password are still correct"*, do you mean that you managed to connect to the DB directly (for example with sqlplus) using the username/password? – A.B.Cade Jul 10 '12 at 20:07
  • I mean as long as I don't run the tests that use a keystore, the tests run just fine and connect without issue. Unless the keystore manipulates the credentials somehow but I don't see how that would happen? – jjathman Jul 10 '12 at 20:11
  • I would like to hear the answer too. – Amir Pashazadeh Jul 11 '12 at 14:04
  • I would check which defaults are returned by getDefaultWSConfig(). Perhaps your credentials are being encrypted or obfuscated in some way – Alfabravo Jul 11 '12 at 14:14
  • I added the initialization method from WSSConfig, I don't totally understand what's going on here, but it seems to break as soon as the bouncy castle JCE provider is added. Eventually this code is called `java.security.Security.insertProviderAt((java.security.Provider)c.newInstance(), i + 2);` – jjathman Jul 11 '12 at 14:32
  • Is there any info in your alert log? – Martin Schapendonk Nov 20 '12 at 14:33
  • @MartinSchapendonk What alert log are you referring to? – jjathman Nov 21 '12 at 17:10
  • @jjathman the alert log of the database. You can find it in the location specified by the parameter "background_dump_dest" of the database (type 'show parameter background_dump_dest' in sqlplus). – Martin Schapendonk Nov 22 '12 at 13:52
  • possible duplicate of [Oracle JDBC : invalid username/password (ora-01017)](http://stackoverflow.com/questions/8435234/oracle-jdbc-invalid-username-password-ora-01017) – brandizzi Apr 24 '14 at 22:14
  • Your connection strings don't match in the question. I assume you typoed it when you were de-identifying them. "jdbc:oracle:thin:server/servicename" should have @ before server/servicename. – codenheim Oct 24 '14 at 05:14
  • Have you got to the bottom of it? I have the same issue with Wildfly 10.1 and bouncy castle set in java.security.conf – Andrei Matei Feb 21 '17 at 10:12

3 Answers

1

The at sign in the second connection string is missing.

steve
0

A logon denied error can be shown if, in Oracle, the parameter SEC_CASE_SENSITIVE_LOGON is set to true. You can check it via `SHOW PARAMETER SEC_CASE_SENSITIVE_LOGON` and alter it through `ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = FALSE;`

Now the error should get resolved.

bsiamionau
0

1. Modify the file

```
%JAVA_HOME%/jre/lib/security/java.security
security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
```

Example:

```
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.8=sun.security.smartcardio.SunPCSC
security.provider.9=sun.security.mscapi.SunMSCAPI
security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
```

or 2.

```java
WSSConfig.setAddJceProviders(false);
```
Rashad
wuwen
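
The question's `insertProviderAt(..., i + 2)` call and the last answer's `security.provider.10` entry differ only in where the extra provider sits in the JVM's preference list. The following diagnostic is an added example, not code from the thread or from WSS4J, and shows which algorithms change their preferred provider in each case. `ProviderShadowCheck` and `DemoProvider` are hypothetical names, and `DemoProvider` is a constructed stand-in that only advertises two algorithm names, so Bouncy Castle is not needed on the classpath.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Map;
import java.util.TreeMap;

public class ProviderShadowCheck {
    // "Type.Algorithm" -> first registered provider offering it (exact names, aliases ignored).
    static Map<String, String> snapshot() {
        Map<String, String> winner = new TreeMap<String, String>();
        for (Provider p : Security.getProviders()) { // returned in preference order
            for (Provider.Service s : p.getServices()) {
                String key = s.getType() + "." + s.getAlgorithm();
                if (!winner.containsKey(key)) {
                    winner.put(key, p.getName());
                }
            }
        }
        return winner;
    }
    // Services whose preferred provider differs between two snapshots.
    static Map<String, String> changed(Map<String, String> before, Map<String, String> after) {
        Map<String, String> diff = new TreeMap<String, String>();
        for (Map.Entry<String, String> e : before.entrySet()) {
            String now = after.get(e.getKey());
            if (!e.getValue().equals(now)) {
                diff.put(e.getKey(), e.getValue() + " -> " + now);
            }
        }
        return diff;
    }

    // Constructed stand-in for a third-party JCE provider: it only advertises names.
    static final class DemoProvider extends Provider {
        DemoProvider() {
            super("DEMO", 1.0, "constructed stand-in"); // (String, double, String) is deprecated on Java 9+
            put("Cipher.AES", "demo.NotARealCipher");
            put("Mac.HmacSHA1", "demo.NotARealMac");
        }
    }

    public static void main(String[] args) {
        Map<String, String> before = snapshot();
        Security.insertProviderAt(new DemoProvider(), 2); // position 2, as the quoted WSSConfig loop does when SUN is first
        System.out.println("inserted at 2: " + changed(before, snapshot()));
        Security.removeProvider("DEMO");
        Security.addProvider(new DemoProvider()); // appended last, like a high security.provider.N entry
        System.out.println("appended last: " + changed(before, snapshot()));
        Security.removeProvider("DEMO");
    }
}
```

To diagnose the real case, call `snapshot()` before and after `WSSConfig.getDefaultWSConfig()` and print `changed(before, after)`.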