Bug #88172 AbandonedConnectionCleanupThread does not handle SecurityException
Submitted: 21 Oct 2017 8:17
Modified: 9 Sep 19:17
Reporter: Stephen Booth
Status: Won't fix
Category: Connector / J
Severity: S3 (Non-critical)
Version: 5.1.42
OS: Any
Assigned to:
CPU Architecture: Any
Tags: SecurityException, securityManager

[21 Oct 2017 8:17] Stephen Booth
Description:
The AbandonedConnectionCleanupThread calls Thread.setContextClassLoader in a static block
which may throw a SecurityException if a SecurityManager is in place.

This can prevent the driver class from instantiating in Tomcat with the
-security flag enabled.

Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "setContextClassLoader")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:884)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.Thread.setContextClassLoader(Thread.java:1474)
        at com.mysql.jdbc.AbandonedConnectionCleanupThread$1.newThread(AbandonedConnectionCleanupThread.java:50)
        at java.util.concurrent.ThreadPoolExecutor$Worker.<init>(ThreadPoolExecutor.java:619)
        at java.util.concurrent.ThreadPoolExecutor.addWorker(ThreadPoolExecutor.java:932)
        at java.util.concurrent.ThreadPoolExecutor.execute(ThreadPoolExecutor.java:1367)

How to repeat:
Run Class.forName("com.mysql.jdbc.Driver") from a Tomcat application when
Tomcat is run with the -security flag.

Same in test class with a security.policy file that disallows setContextClassLoader.

Suggested fix:
Trap the exception.
Running with the thread classloader is better than not loading at all.

[23 Oct 2017 13:32] Chiranjeevi Battula
Hello Stephen,

Thank you for the bug report.
Verified based on internal discussion with devs.

Thanks,
Chiranjeevi.
[9 Sep 19:15] Filipe Silva
Posted by developer:
 
Thread.setContextClassLoader isn't the only operation that can trigger an AccessControlException; even reading system properties can. Avoiding the exception in AbandonedConnectionCleanupThread alone isn’t sufficient for the driver to work.

A better option would be to include the necessary grants in the conf/catalina.policy file. As of Connector/J 9.4.0, the following permissions allow minimal usage of the driver, but others may be needed depending on the features in use:
- permission java.util.PropertyPermission "com.mysql.cj.disableAbandonedConnectionCleanup", "read";
- permission java.util.PropertyPermission "javax.net.*", "read";
- permission java.lang.RuntimePermission "setContextClassLoader";
- permission java.net.SocketPermission "*:*", "connect,resolve";
Permissions can also be granted on a per-jar basis, so I recommend defining a dedicated section for the Connector/J JAR file.

That said, keep in mind that SecurityManager has been deprecated in Java 17 and is expected to be removed in a future Java release. Because of this, it’s possible that this issue may never be addressed.
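
The per-JAR grant recommended in the comment above could look like the following conf/catalina.policy fragment. This is an added example, not part of the original bug report or of Connector/J's documentation; the JAR path, `<app>`, `<version>` and the database host are placeholders or constructed values.

```text
// conf/catalina.policy fragment (added example, not from the bug report).
// <app> and <version> are placeholders for the real location of the driver JAR.
grant codeBase "file:${catalina.base}/webapps/<app>/WEB-INF/lib/mysql-connector-j-<version>.jar" {
    // Permissions listed in the comment above as the minimum for Connector/J 9.4.0.
    permission java.util.PropertyPermission "com.mysql.cj.disableAbandonedConnectionCleanup", "read";
    permission java.util.PropertyPermission "javax.net.*", "read";
    permission java.lang.RuntimePermission "setContextClassLoader";

    // Constructed host and port used in place of "*:*" so the driver can only
    // reach the database it is meant to talk to.
    permission java.net.SocketPermission "db.example.internal:3306", "connect,resolve";
};

// A permission check passes only when every code source on the call stack holds
// the permission (unless the callee uses doPrivileged), so the application's own
// codeBase may need matching grants as well.
```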