[CONJ-114] Usage of the Connection Pool Apache DBCP breaks because of deleted username/password Created: 2014-09-26  Updated: 2015-11-18  Resolved: 2014-10-21

Status: Closed
Project: MariaDB Connector/J
Component/s: None
Affects Version/s: 1.1.7
Fix Version/s: 1.1.8

Type: Bug Priority: Critical
Reporter: Lennart Schedin Assignee: Massimo Siani (Inactive)
Resolution: Fixed Votes: 0
Labels: None

Attachments: Java Source File ConnectionPoolDeletedUserNamePasswordTest.java    
Issue Links:
Relates
relates to CONJ-219 User passed from HikariConfig becomes... Closed

 Description   

How to reproduce:

  1. Use a revision 516 (http://bazaar.launchpad.net/~maria-captains/mariadb-java-client/trunk/files/516) of MariaDB JDBC. The error does not exist in 1.1.7.
  2. Make sure your Mysql/MariaDB server does not allow anonymous logins (I don’t even know if it is possible to allow this?)
  3. Run the Junit test cases in the attached ConnectionPoolDeletedUserNamePasswordTest.java

Actual:
The test case testConnectionWithApacheDBCP() will fail on the dataSource.getConnection() call (row 32).

The test case testConnectionWithSimululatedApacheDBCP() will fail when creating the second Connection (row 62).

Both test cases will fail with the Exception: 

java.sql.SQLException: Could not connect: Access denied for user ''@'localhost' (using password: NO)
 
	at org.mariadb.jdbc.internal.SQLExceptionMapper.get(SQLExceptionMapper.java:149)
 
	at org.mariadb.jdbc.internal.SQLExceptionMapper.throwException(SQLExceptionMapper.java:106)
 
	at org.mariadb.jdbc.Driver.connect(Driver.java:114)

(and some more rows of exception)

Expected:
The Connection in the test cases should be created without problems (both test cases should pass).

Analysis:
It is the code found in the constructor of MySQLConnection.java (http://bazaar.launchpad.net/~maria-captains/mariadb-java-client/trunk/view/516/src/main/java/org/mariadb/jdbc/MySQLConnection.java):

        clientInfoProperties.remove("user");
 
        clientInfoProperties.remove("password");

that was added as a fix for https://mariadb.atlassian.net/browse/CONJ-89 that is the problem. I think the removing of user and password was added as a type of security so that a call to connection.getClientInfo("password") would not disclose the password?!

The code removes the user and password from the Properties data structure in MySQLConnection. The problem is that Apache DBCP has a reference to this object. Thus, MySQLConnection is changing in the data structure that is “owned” by DriverConnectionFactory.

One might argue that it is debatable if the caller of the calling method should own a parameter. But since I don’t feel like changing in the Apache DBCP source code I would argue that one possible solution is for MariaDB to copy the data structure before altering it.

 Comments   
Comment by Massimo Siani (Inactive) [ 2014-09-29 ]

Since MySQL JDBC works with the Apache lib, I think we have to revert those two lines from CONJ-89.
CONJ-114 pushed to a new branch.

Generated at Thu Feb 08 03:13:16 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.