Bug #102188 | AccessControlException with AuthenticationLdapSaslClientPlugin | | |
---|---|---|---|
Submitted: | 7 Jan 2021 21:40 | Modified: | 5 Mar 2021 21:15 |
Reporter: | Ashutosh Chaturvedi | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | Connector / J | Severity: | S2 (Serious) |
Version: | 8.0.22 | OS: | Any |
Assigned to: | | CPU Architecture: | Any |
[7 Jan 2021 21:40]
Ashutosh Chaturvedi
[18 Feb 2021 18:51]
Filipe Silva
Thanks Ashutosh for your interest in Connector/J.

That's right, with a security manager in place you need a few permissions to make it work. This one in particular can be configured by adding the following permission to your policy file:

> permission java.security.SecurityPermission "insertProvider.MySQLScramShaSasl";

(Note that the provider was renamed to "MySQLScramShaSasl" in Connector/J 8.0.23)

I guess you have no interest in the LDAP authentication, so it wouldn't make sense to add this specific permission, right?

I'm setting this report as verified. I'll see what we can do. The permission will always be needed if you want to use LDAP authentication but I agree it should prevent other authentication plugins to work.

Thank you,
[5 Mar 2021 21:15]
Daniel So
Posted by developer: Added the following entry to the Connector/J 8.0.24 changelog: "When a SecurityManager was in place, connections to a MySQL Server could not be established unless the client had been properly configured to use SASL-based LDAP authentication. It was because the AuthenticationLdapSaslClientPlugin in Connector/J requires a special permission to load the provider MySQLScramShaSasl when a SecurityManager is in place; but since the provider was loaded by a static initializer during initialization for the plugin, the lack of the permission was causing an error and then failures for all connections, even if the plugin was never used or enabled. This fix changes how the provider is loaded: the loading now happens only at the plugin instance's initialization and the initialization was deferred to the time when the plugin is actually needed, so connections that do not use SASL-based LDAP authentication are unaffected by security settings regarding the plugin."
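The difference between the two loading strategies described in the changelog entry, as an added example that is not Connector/J's code: the provider, plugin classes and `connectWithoutLdap` helper are hypothetical stand-ins, and the SecurityManager denies only `insertProvider*` the way a policy file without that grant would. It assumes JDK 8 to 17, where `System.setSecurityManager` is still permitted by default.

```java
import java.security.Permission;
import java.security.Provider;
import java.security.Security;
import java.security.SecurityPermission;

public class ProviderLoadingDemo {
    // Constructed stand-in for the SASL provider; not Connector/J's class.
    static Provider demoProvider() {
        return new Provider("DemoScramShaSasl", 1.0, "constructed demo provider") {};
    }

    // Behaviour before the fix: registration in a static initializer, so
    // merely loading the class requires the insertProvider permission.
    static class EagerLdapPlugin {
        static { Security.addProvider(demoProvider()); }
        void authenticate() {}
    }

    // Behaviour after the fix: registration deferred until the plugin is used.
    static class LazyLdapPlugin {
        private boolean initialized;
        void authenticate() {
            if (!initialized) {
                Security.addProvider(demoProvider());
                initialized = true;
            }
        }
    }

    // Hypothetical connection that creates the plugin but never uses LDAP.
    static String connectWithoutLdap(Runnable createPlugin) {
        try {
            createPlugin.run();
            return "connected";
        } catch (Throwable t) { // ExceptionInInitializerError wraps the SecurityException
            return "failed: " + t;
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new SecurityManager() {
            @Override public void checkPermission(Permission p) {
                if (p instanceof SecurityPermission && p.getName().startsWith("insertProvider"))
                    throw new SecurityException("access denied " + p);
            }
        });
        System.out.println("eager: " + connectWithoutLdap(EagerLdapPlugin::new));
        System.out.println("lazy:  " + connectWithoutLdap(LazyLdapPlugin::new));
    }
}
```

With the lazy variant the permission check is reached only when `authenticate()` runs, so the `insertProvider` grant is needed only by deployments that actually use the LDAP plugin.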