The JSTL specification discusses "Explicit collaboration via application logic" for JSTL SQL tags, whereby controller code stores a data source whose name and scope are communicated to the page author. The page author can then access that data source with the <sql:query> action. This all works just fine, but there's no way to specify a database username and password for this scenario. I mistakenly thought that setting the initialization parameters javax.servlet.jsp.jstl.sql.user and javax.servlet.jsp.jstl.sql.password in the deployment descriptor would cause <sql:query> to call the data source's getConnection(String user, String password), but that is not the case; instead, getConnection() is called. As a result, there is no way (that I can see) to obtain a connection with a username and password under the "Explicit collaboration via application logic" scenario.
Not an RI bug.