

The jaas sql-login-service is provided as an OSGi bundle, which may be activated by




The SQL login service authenticates against users in a SQL database, using configurable SQL queries.

There are no plans to support authentication domains, because typical standalone login systems do not care for domains.


The SQL login service may be configured using the OSGi configuration PID org.clazzes.login.sql using these configuration values:







Not implemented yet. Optional. Required for deactivateUser feature.

SQL template for a prepared statement to deactivate a user.

UPDATE users SET encryptedPassword='{disabled}' WHERE userId=?


Optional. Defaults to an empty string.

If set to an empty string, the domain parameter of request queries is not checked, but it is copied into the returned principals.

If set to a non-empty string, requests for other domains are refused.

Support for databases maintaining multiple authentication domains might be added in the future, but I do not believe multi-domain setups even exist outside the LDAP/ADS world.


Optional. Required for getGroups feature.

SQL template for a prepared statement to query the group IDs and group names of the groups of which the user specified by a userId is a member.

SELECT g.groupId, g.groupName FROM groups AS g, users AS u, memberships AS m
WHERE u.userId=?
AND m.userId = u.userId
AND g.groupId = m.groupId
ORDER BY g.groupId


Optional. Defaults to crypt.

Values supported so far: crypt, ssha1, plain.

Password fields may contain:

  • the password encrypted using the default password algorithm, or
  • an LDAP-style algorithm prefix and the password encrypted with the algorithm specified in the prefix. Example: {PLAIN}badPassword
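
The stored-field convention described above, as an added sketch in Python (not the service's own code): it splits an optional LDAP-style prefix from the field, falls back to the configured default algorithm, and refuses any algorithm it does not know, so a field set to `{disabled}` by the deactivation template never matches a login attempt. Assumptions: prefixes are matched case-insensitively against the configured names, `ssha1` uses the common LDAP salted SHA-1 layout base64(SHA1(password + salt) + salt), and `crypt` is omitted because it depends on the platform's crypt(3); all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os

def split_password_field(stored, default_algorithm="crypt"):
    """Return (algorithm, payload) for a stored password field."""
    if stored.startswith("{"):
        end = stored.find("}")
        if end > 1:  # "{}" is not a prefix
            return stored[1:end].lower(), stored[end + 1:]
    return default_algorithm, stored

def make_ssha1(password, salt=None):
    """Build a salted SHA-1 value in the assumed layout (for constructed samples)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return base64.b64encode(digest + salt).decode("ascii")

def _check_plain(candidate, payload):
    # Constant-time comparison even for plain text fields.
    return hmac.compare_digest(candidate.encode("utf-8"), payload.encode("utf-8"))

def _check_ssha1(candidate, payload):
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # malformed base64 or non-ASCII field
        return False
    if len(raw) <= 20:  # a SHA-1 digest is 20 bytes; the rest is the salt
        return False
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)

# "crypt" is deliberately absent here (assumption: it would call crypt(3)).
VERIFIERS = {"plain": _check_plain, "ssha1": _check_ssha1}

def verify_password(candidate, stored, default_algorithm="crypt"):
    algorithm, payload = split_password_field(stored, default_algorithm)
    check = VERIFIERS.get(algorithm)
    if check is None:  # unknown prefix such as {disabled}: fail closed
        return False
    return check(candidate, payload)
```

Because the prefix is parsed before any comparison, a deactivated account is rejected even when the default algorithm is `plain` and the candidate password is the literal string `{disabled}`.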


Optional. Required for changePassword feature.

SQL template for a prepared statement to set a new password for the user.

UPDATE users SET encryptedPassword=? WHERE userId=?


SQL template for a prepared statement to query userId, encrypted password, pretty name and e-mail address of a user specified by a userId.
If the pretty name is not part of the database, reuse the userId field.
If the e-mail address is not part of the database, use a constant like '' or null.

SELECT userId, encryptedPassword, userName, mailAdr FROM users WHERE userId=?


Optional. Required for getGroupMembers feature.

SQL template for a prepared statement to query the user IDs, user names and e-mail addresses of the members of the group specified by a groupId.


With version 1.2 we introduced a new feature (support for multiple authentication domains covered by distinct databases) and switched to JDBC-Provider as DataSource pool.

Therefore the configuration depends on the version of sql-login-service used: