  1. MariaDB Connector/J
  2. CONJ-114

Usage of the Connection Pool Apache DBCP breaks because of deleted username/password

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • 1.1.7
    • 1.1.8
    • None
    • None

    Description

      How to reproduce:

      1. Use revision 516 (http://bazaar.launchpad.net/~maria-captains/mariadb-java-client/trunk/files/516) of MariaDB JDBC. The error does not exist in 1.1.7.
      2. Make sure your MySQL/MariaDB server does not allow anonymous logins (I don’t even know if it is possible to allow this?)
      3. Run the JUnit test cases in the attached ConnectionPoolDeletedUserNamePasswordTest.java

      Actual:
      The test case testConnectionWithApacheDBCP() will fail on the dataSource.getConnection() call (row 32).

      The test case testConnectionWithSimululatedApacheDBCP() will fail when creating the second Connection (row 62).

      Both test cases will fail with the Exception:

      java.sql.SQLException: Could not connect: Access denied for user ''@'localhost' (using password: NO)
      	at org.mariadb.jdbc.internal.SQLExceptionMapper.get(SQLExceptionMapper.java:149)
      	at org.mariadb.jdbc.internal.SQLExceptionMapper.throwException(SQLExceptionMapper.java:106)
      	at org.mariadb.jdbc.Driver.connect(Driver.java:114)

      (and some more rows of exception)

      Expected:
      The Connection in the test cases should be created without problems (both test cases should pass).

      Analysis:
      It is the code found in the constructor of MySQLConnection.java (http://bazaar.launchpad.net/~maria-captains/mariadb-java-client/trunk/view/516/src/main/java/org/mariadb/jdbc/MySQLConnection.java):

              clientInfoProperties.remove("user");
              clientInfoProperties.remove("password");

      that was added as a fix for https://mariadb.atlassian.net/browse/CONJ-89 that is the problem. I think the removing of user and password was added as a type of security so that a call to connection.getClientInfo("password") would not disclose the password?!

      The code removes the user and password from the Properties data structure in MySQLConnection. The problem is that Apache DBCP has a reference to this object. Thus, MySQLConnection is changing the data structure that is “owned” by DriverConnectionFactory.

      One might argue that it is debatable whether the caller of the calling method should own a parameter. But since I don’t feel like changing the Apache DBCP source code, I would argue that one possible solution is for MariaDB to copy the data structure before altering it.
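
The aliasing problem analysed above, as an added illustration (not the connector's or Apache DBCP's code; the class name, method names and credential values are made up for the example). It contrasts stripping credentials from the caller's Properties with stripping them from a copy. Copying through stringPropertyNames() is a choice made for this example, because new Properties(info) would only install info as defaults, which remove() does not touch.

```java
import java.util.Properties;

public class SharedPropertiesDemo {
    // Hypothetical stand-in for the reported behaviour: strips credentials from the caller's object.
    static Properties connectMutating(Properties info) {
        requireCredentials(info);
        info.remove("user");
        info.remove("password");
        return info;
    }

    // Hypothetical fix: copy first, then strip credentials from the copy only.
    static Properties connectCopying(Properties info) {
        requireCredentials(info);
        Properties clientInfo = new Properties();
        for (String name : info.stringPropertyNames()) { // also picks up defaults
            clientInfo.setProperty(name, info.getProperty(name));
        }
        clientInfo.remove("user");
        clientInfo.remove("password");
        return clientInfo;
    }

    // Simulated server-side check; the message is modelled on the one in the report.
    static void requireCredentials(Properties info) {
        if (info.getProperty("user") == null) {
            throw new IllegalStateException("Access denied for user '' (using password: NO)");
        }
    }

    public static void main(String[] args) {
        Properties poolProps = new Properties();  // owned by the pool's connection factory
        poolProps.setProperty("user", "app");     // constructed sample values
        poolProps.setProperty("password", "example-only");

        connectCopying(poolProps);
        Properties second = connectCopying(poolProps); // pool can keep creating connections
        System.out.println("copying: password visible to client info = "
                + (second.getProperty("password") != null)
                + ", pool still has user = " + poolProps.containsKey("user"));

        connectMutating(poolProps);               // first connection succeeds
        try {
            connectMutating(poolProps);           // second: credentials already removed
        } catch (IllegalStateException e) {
            System.out.println("mutating: second connect failed: " + e.getMessage());
        }
    }
}
```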

            People

              massimo.siani Massimo Siani (Inactive)
              lennartschedin Lennart Schedin