Bug #88172 AbandonedConnectionCleanupThread does not handle SecurityException
Submitted: 21 Oct 2017 8:17 Modified: 23 Oct 2017 13:32
Reporter: Stephen Booth Email Updates:
Status: Verified Impact on me:
Category:Connector / J Severity:S3 (Non-critical)
Version:5.1.42 OS:Any
Assigned to: CPU Architecture:Any
Tags: SecurityException, securityManager

[21 Oct 2017 8:17] Stephen Booth
The AbandonedConnectionCleanupThread calls Thread.setContextClassLoader in a static block
which may throw a SecurityException if a SecurityManager is in place.

This can prevent the driver class from instantiating in tomcat with the
-security flag enabled.

Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "setContextClassLoader")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:884)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.Thread.setContextClassLoader(Thread.java:1474)
        at com.mysql.jdbc.AbandonedConnectionCleanupThread$1.newThread(AbandonedConnectionCleanupThread.java:50)
        at java.util.concurrent.ThreadPoolExecutor$Worker.<init>(ThreadPoolExecutor.java:619)
        at java.util.concurrent.ThreadPoolExecutor.addWorker(ThreadPoolExecutor.java:932)
        at java.util.concurrent.ThreadPoolExecutor.execute(ThreadPoolExecutor.java:1367)

How to repeat:
  Class.forName("com.mysql.jdbc.Driver")  from a tomcat application when
tomcat is run with the -security flag.

Same in test class with a security.policy file that dis-allows setContextClassLoader

Suggested fix:
Trap the exception 
Running with the thread classloader is better than not loading at all.
[23 Oct 2017 13:32] Chiranjeevi Battula
Hello Stephen,

Thank you for the bug report.
Verified based on internal discussion with dev's.