I couldn't help noticing the inconsistency in #authenticate(Connection, String, String) for JDBCRealm and DataSourceRealm. - Getting dbCredentials JDBCRealm: if (rs.next()) { dbCredentials = rs.getString(1); } DataSourceRealm: while (rs.next()) { dbCredentials = rs.getString(1); } - Getting roles JDBCRealm: while (rs.next()) { String role = rs.getString(1); if (null!=role) { roleList.add(role.trim()); } } DataSourceRealm: while (rs.next()) { list.add(rs.getString(1).trim()); } I think the JDBCRealm approach is better in both cases.
OK, fixed. Thanks for pointing this out.