Bug #102188 AccessControlException with AuthenticationLdapSaslClientPlugin
Submitted: 7 Jan 21:40 Modified: 5 Mar 21:15
Reporter: Ashutosh Chaturvedi Email Updates:
Status: Closed Impact on me:
None 
Category:Connector / J Severity:S2 (Serious)
Version:8.0.22 OS:Any
Assigned to: CPU Architecture:Any

[7 Jan 21:40] Ashutosh Chaturvedi
Description:
Starting from 8.0.22 Connector/J supports client authentication with MySQL        Enterprise Server using simple or SASL (SCRAM-SHA-1) LDAP authentication.
To enable this, a new instance of AuthenticationLdapSaslClientPlugin is added in NativeAuthenticationProvider#loadAuthenticationPlugins method.

The AuthenticationLdapSaslClientPlugin class has a static block that tries to add an instance of the ScramSha1SaslProvider.

In our application, we have a security manager in place which restricts this and thus it fails with the below exception:

Caused by: java.security.AccessControlException: access denied ("java.security.SecurityPermission" "insertProvider")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.security.AccessController.checkPermission(AccessController.java:886)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1759)
at java.security.Security.checkInsertProvider(Security.java:869)
at java.security.Security.insertProviderAt(Security.java:361)
at java.security.Security.addProvider(Security.java:405)
at com.mysql.cj.protocol.a.authentication.AuthenticationLdapSaslClientPlugin.<clinit>(AuthenticationLdapSaslClientPlugin.java:59)
... 29 more

Suppressed: java.security.AccessControlException: access denied ("java.security.SecurityPermission" "insertProvider.MySQLScramSha1Sasl")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.security.AccessController.checkPermission(AccessController.java:886)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1759)
at java.security.Security.checkInsertProvider(Security.java:872)

How to repeat:
In an application with the security manager, try to connect with the database using MySQL Connector/J 8.0.22
[18 Feb 18:51] Filipe Silva
Thanks Ashutosh for your interest in Connector/J.

That's right, with a security manager in place you need a few permissions to make it work. This one in particular can be configured by adding the the following permission to your policy file:

> permission java.security.SecurityPermission "insertProvider.MySQLScramShaSasl";

(Note that the provider was renamed to "MySQLScramShaSasl" in Connector/J 8.0.23)

I guess you have no interest in the LDAP authentication, so it wouldn't make sense to add this specific permission right?

I'm setting this report as verified I'll see what can we do. The permission will always be needed if you want to use LDAP authentication but I agree it should prevent other authentication plugins to work.

Thank you,
[5 Mar 21:15] Daniel So
Posted by developer:
 
Added the following entry to the Connector/J 8.0.24 changelog: 

"When a SecurityManager was in place, connections to a MySQL Server could not be established unless the client had been properly configured to use SASL-based LDAP authentication. It was because the AuthenticationLdapSaslClientPlugin in Connector/J requires a special permission to load the provider MySQLScramShaSasl when a SecurityManager is in place; but since the provider was loaded by a static initializer during initialization for the plugin, the lack of the permission was causing an error and then failures for all connections, even if the plugin was never used or enabled. This fix changes how the provider is loaded: the loading now happens only at the plugin instance's initialization and the initialization was deferred to the time when the plugin is actually needed, so connections that do not use SASL-based LDAP authentication are unaffected by security settings regarding the plugin."