tessl/maven-org-mariadb-jdbc--mariadb-java-client
JDBC 4.2 compatible driver providing comprehensive database connectivity for MariaDB and MySQL servers
—
Pending
security.mddocs/
Authentication and Security
Pluggable authentication system supporting multiple authentication methods, credential providers, and SSL/TLS security configurations.
Capabilities
SSL/TLS Configuration
Comprehensive SSL/TLS security modes for encrypted connections.
/**
* SSL connection modes
*/
public enum SslMode {
/** No SSL encryption */
DISABLE,
/** SSL encryption without certificate validation */
TRUST,
/** Validate certificate authority only */
VERIFY_CA,
/** Full certificate and hostname validation */
VERIFY_FULL;
}Usage Examples:
// Disable SSL (not recommended for production)
String disableUrl = "jdbc:mariadb://localhost:3306/mydb?sslMode=DISABLE";
// Enable SSL with trust mode (encryption only, no validation)
String trustUrl = "jdbc:mariadb://localhost:3306/mydb?sslMode=TRUST";
// Verify certificate authority
String verifyCaUrl = "jdbc:mariadb://localhost:3306/mydb?" +
"sslMode=VERIFY_CA&" +
"serverSslCert=/path/to/ca-cert.pem";
// Full certificate and hostname verification (recommended)
String verifyFullUrl = "jdbc:mariadb://localhost:3306/mydb?" +
"sslMode=VERIFY_FULL&" +
"trustStore=/path/to/truststore.jks&" +
"trustStorePassword=secret&" +
"trustStoreType=JKS";
// Client certificate authentication
String clientCertUrl = "jdbc:mariadb://localhost:3306/mydb?" +
"sslMode=VERIFY_FULL&" +
"keyStore=/path/to/client-keystore.jks&" +
"keyStorePassword=clientsecret&" +
"trustStore=/path/to/truststore.jks&" +
"trustStorePassword=secret";
// PEM format certificates
String pemUrl = "jdbc:mariadb://localhost:3306/mydb?" +
"sslMode=VERIFY_FULL&" +
"serverSslCert=/path/to/ca-cert.pem&" +
"clientSslCert=/path/to/client-cert.pem&" +
"clientSslKey=/path/to/client-key.pem";
// Custom cipher suites and protocols
String customSslUrl = "jdbc:mariadb://localhost:3306/mydb?" +
"sslMode=VERIFY_FULL&" +
"enabledSslCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256&" +
"enabledSslProtocolSuites=TLSv1.2,TLSv1.3";Authentication Plugins
Pluggable authentication system supporting various authentication methods.
/**
* Base authentication plugin interface
*/
public interface AuthenticationPlugin {
/**
* Get authentication type name
* @return Authentication type identifier
*/
String type();
/**
* Whether this plugin requires SSL connection
* @return true if SSL is mandatory
*/
boolean mustUseSsl();
/**
* Process authentication packet
* @param out Output stream to server
* @param in Input stream from server
* @param context Authentication context
* @return Authentication result
* @throws SQLException if authentication fails
*/
ReadAuthPacket authenticate(
Writer out,
Reader in,
Context context
) throws SQLException;
}
/**
* Authentication plugin factory interface
*/
public interface AuthenticationPluginFactory {
/**
* Get plugin type name
* @return Plugin type identifier
*/
String type();
/**
* Create authentication plugin instance
* @return New plugin instance
*/
AuthenticationPlugin create();
}Built-in Authentication Plugins:
// MySQL native password authentication
public class NativePasswordPlugin implements AuthenticationPlugin {
public String type() { return "mysql_native_password"; }
public boolean mustUseSsl() { return false; }
// Implementation for MySQL native password hashing
}
// Caching SHA2 password authentication
public class CachingSha2PasswordPlugin implements AuthenticationPlugin {
public String type() { return "caching_sha2_password"; }
public boolean mustUseSsl() { return true; }
// Implementation for MySQL 8.0+ caching SHA2 authentication
}
// Ed25519 password authentication (MariaDB-specific)
public class Ed25519PasswordPlugin implements AuthenticationPlugin {
public String type() { return "client_ed25519"; }
public boolean mustUseSsl() { return false; }
// Implementation for Ed25519 cryptographic authentication
}
// Clear text password authentication
public class ClearPasswordPlugin implements AuthenticationPlugin {
public String type() { return "mysql_clear_password"; }
public boolean mustUseSsl() { return true; }
// Implementation for clear text password (requires SSL)
}
// PAM authentication
public class SendPamAuthPacket implements AuthenticationPlugin {
public String type() { return "dialog"; }
public boolean mustUseSsl() { return false; }
// Implementation for PAM authentication dialog
}
// GSSAPI/Kerberos authentication
public class SendGssApiAuthPacket implements AuthenticationPlugin {
public String type() { return "auth_gssapi_client"; }
public boolean mustUseSsl() { return false; }
// Implementation for GSSAPI/Kerberos authentication
}Usage Examples:
// Restrict to specific authentication methods
String restrictedUrl = "jdbc:mariadb://localhost:3306/mydb?" +
"restrictedAuth=mysql_native_password,caching_sha2_password";
// Force specific authentication plugin
String ed25519Url = "jdbc:mariadb://localhost:3306/mydb?" +
"restrictedAuth=client_ed25519";
// GSSAPI/Kerberos authentication
String kerbUrl = "jdbc:mariadb://kerberos-enabled-server:3306/mydb?" +
"restrictedAuth=auth_gssapi_client&" +
"servicePrincipalName=mariadb/server.domain.com@REALM.COM";
// PAM authentication
String pamUrl = "jdbc:mariadb://pam-server:3306/mydb?" +
"restrictedAuth=dialog";Credential Providers
Pluggable credential management system for secure credential storage and retrieval.
/**
* Credential provider plugin interface
* Extends Supplier<Credential> to support functional interface pattern
*/
public interface CredentialPlugin extends Supplier<Credential> {
/**
* Get credential plugin type
* @return Plugin type identifier
*/
String type();
/**
* Indicates if SSL is required for this credential plugin
* @return true if SSL must be enabled
*/
default boolean mustUseSsl();
/**
* Default authentication plugin type to use
* @return Plugin type, or null for default
*/
default String defaultAuthenticationPluginType();
/**
* Initialize plugin with connection parameters
* @param conf Connection configuration
* @param userName Requested username
* @param hostAddress Target host information
* @return Initialized plugin instance
* @throws SQLException if initialization fails
*/
default CredentialPlugin initialize(Configuration conf, String userName, HostAddress hostAddress) throws SQLException;
}
/**
* Basic credential holder
*/
public class Credential {
/**
* Create credential with username and password
* @param user Username
* @param password Password (may be null)
*/
public Credential(String user, String password);
public String getUser();
public String getPassword();
}Built-in Credential Providers:
// Environment variable credentials
public class EnvCredentialPlugin implements CredentialPlugin {
public String type() { return "ENV"; }
public Credential get(Configuration conf, String userName) throws SQLException {
// Reads credentials from environment variables:
// MARIADB_USER or DB_USER
// MARIADB_PASSWORD or DB_PASSWORD
String user = System.getenv("MARIADB_USER");
if (user == null) user = System.getenv("DB_USER");
String password = System.getenv("MARIADB_PASSWORD");
if (password == null) password = System.getenv("DB_PASSWORD");
return new Credential(user, password);
}
}
// AWS IAM credentials
public class AwsIamCredentialPlugin implements CredentialPlugin {
public String type() { return "AWS_IAM"; }
public Credential get(Configuration conf, String userName) throws SQLException {
// Uses AWS SDK to generate IAM authentication token
// Requires AWS credentials configured (IAM role, ~/.aws/credentials, etc.)
// Returns temporary token as password
}
}
// Properties file credentials
public class PropertiesCredentialPlugin implements CredentialPlugin {
public String type() { return "PROPERTY"; }
public Credential get(Configuration conf, String userName) throws SQLException {
// Reads credentials from properties file
// File path specified by 'propertiesFile' connection property
Properties props = new Properties();
props.load(new FileInputStream(conf.propertiesFile()));
return new Credential(
props.getProperty("user"),
props.getProperty("password")
);
}
}Usage Examples:
// Environment variable credentials
String envUrl = "jdbc:mariadb://localhost:3306/mydb?credentialType=ENV";
// Reads MARIADB_USER and MARIADB_PASSWORD environment variables
// AWS IAM authentication for RDS
String awsUrl = "jdbc:mariadb://mydb.cluster-xxx.us-east-1.rds.amazonaws.com:3306/mydb?" +
"credentialType=AWS_IAM&" +
"sslMode=VERIFY_FULL";
// Uses AWS credentials to generate authentication token
// Properties file credentials
String propUrl = "jdbc:mariadb://localhost:3306/mydb?" +
"credentialType=PROPERTY&" +
"propertiesFile=/etc/myapp/db.properties";
// Example properties file (/etc/myapp/db.properties):
// user=dbuser
// password=dbpass
// Set environment variables programmatically (for testing)
System.setProperty("MARIADB_USER", "testuser");
System.setProperty("MARIADB_PASSWORD", "testpass");
Connection envConn = DriverManager.getConnection(envUrl);TLS Socket Plugins
Customizable TLS socket implementation for advanced SSL/TLS configurations.
/**
* TLS socket plugin interface
*/
public interface TlsSocketPlugin {
/**
* Get plugin name
* @return Plugin identifier
*/
String name();
/**
* Create TLS socket
* @param conf Connection configuration
* @param socket Underlying socket
* @return Configured SSLSocket
* @throws SQLException if TLS setup fails
*/
SSLSocket createSocket(Configuration conf, Socket socket) throws SQLException;
}
/**
* Default TLS socket implementation
*/
public class DefaultTlsSocketPlugin implements TlsSocketPlugin {
public String name() { return "DEFAULT"; }
public SSLSocket createSocket(Configuration conf, Socket socket) throws SQLException {
// Default SSL socket creation using standard Java SSL libraries
// Configures trust stores, key stores, cipher suites, etc.
}
}Usage Examples:
// Custom TLS configuration is typically handled automatically
// The driver uses DefaultTlsSocketPlugin by default
// Advanced SSL configuration through connection parameters
String advancedSslUrl = "jdbc:mariadb://localhost:3306/mydb?" +
"sslMode=VERIFY_FULL&" +
// Trust store configuration
"trustStore=/path/to/truststore.jks&" +
"trustStorePassword=trustsecret&" +
"trustStoreType=JKS&" +
// Key store configuration (for client certificates)
"keyStore=/path/to/keystore.jks&" +
"keyStorePassword=keystoresecret&" +
"keyStoreType=JKS&" +
// Cipher suite restrictions
"enabledSslCipherSuites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256&" +
// Protocol restrictions
"enabledSslProtocolSuites=TLSv1.2,TLSv1.3";Security Best Practices
Production SSL Configuration
// Recommended production SSL configuration
String productionSslUrl = "jdbc:mariadb://db.company.com:3306/production?" +
// Require full certificate validation
"sslMode=VERIFY_FULL&" +
// Trust store with CA certificates
"trustStore=/etc/ssl/certs/mysql-ca-bundle.jks&" +
"trustStorePassword=secure_password&" +
"trustStoreType=JKS&" +
// Client certificate for mutual authentication
"keyStore=/etc/ssl/private/client-cert.jks&" +
"keyStorePassword=client_password&" +
"keyStoreType=JKS&" +
// Restrict to strong cipher suites
"enabledSslCipherSuites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256&" +
// Require TLS 1.2 or higher
"enabledSslProtocolSuites=TLSv1.2,TLSv1.3&" +
// Credential management
"credentialType=ENV"; // Use environment variablesAWS RDS SSL Configuration
// AWS RDS with SSL and IAM authentication
String rdsUrl = "jdbc:mariadb://mydb.cluster-xxx.us-east-1.rds.amazonaws.com:3306/mydb?" +
// SSL configuration for RDS
"sslMode=VERIFY_FULL&" +
"serverSslCert=rds-ca-2019-root.pem&" + // Download from AWS
// IAM database authentication
"credentialType=AWS_IAM&" +
// Connection optimization for RDS
"connectTimeout=5000&" +
"socketTimeout=30000";
// Example IAM policy for database access:
// {
// "Version": "2012-10-17",
// "Statement": [
// {
// "Effect": "Allow",
// "Action": "rds-db:connect",
// "Resource": "arn:aws:rds-db:us-east-1:account-id:dbuser:mydb/iam-user"
// }
// ]
// }Certificate Management
// Using Java KeyStore for certificates
// Create trust store with CA certificate
// keytool -import -alias mysql-ca -file ca-cert.pem -keystore truststore.jks -storepass secret
// Create client keystore with certificate and private key
// openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -out client.p12
// keytool -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -destkeystore keystore.jks
// Connection with KeyStore
String keystoreUrl = "jdbc:mariadb://secure-db:3306/mydb?" +
"sslMode=VERIFY_FULL&" +
"trustStore=/path/to/truststore.jks&" +
"trustStorePassword=truststorepass&" +
"keyStore=/path/to/keystore.jks&" +
"keyStorePassword=keystorepass";
// Alternative: Using PEM files directly
String pemUrl = "jdbc:mariadb://secure-db:3306/mydb?" +
"sslMode=VERIFY_FULL&" +
"serverSslCert=/path/to/ca-cert.pem&" +
"clientSslCert=/path/to/client-cert.pem&" +
"clientSslKey=/path/to/client-key.pem";Connection Security Hardening
// Security-hardened connection configuration
String hardenedUrl = "jdbc:mariadb://db.company.com:3306/mydb?" +
// SSL/TLS security
"sslMode=VERIFY_FULL&" +
"trustStore=/etc/ssl/certs/ca-bundle.jks&" +
"enabledSslProtocolSuites=TLSv1.3&" + // Only TLS 1.3
// Authentication security
"restrictedAuth=caching_sha2_password&" + // Secure auth only
"credentialType=ENV&" + // Environment variables
// Connection security
"connectTimeout=5000&" + // Quick timeout to prevent hanging
"socketTimeout=30000&" + // Reasonable socket timeout
// Disable potentially insecure features
"allowMultiQueries=false&" + // Prevent SQL injection via multi-queries
"allowLocalInfile=false&" + // Prevent local file access
// Session security
"sessionVariables=sql_mode='STRICT_TRANS_TABLES,NO_ZERO_DATE,NO_ZERO_IN_DATE,ERROR_FOR_DIVISION_BY_ZERO'";Credential Rotation
// Environment-based credential rotation
public class CredentialRotationExample {
private static final long ROTATION_INTERVAL = 3600000; // 1 hour
private long lastRotation = 0;
private DataSource dataSource;
public Connection getConnection() throws SQLException {
// Check if credentials need rotation
if (System.currentTimeMillis() - lastRotation > ROTATION_INTERVAL) {
rotateCredentials();
}
return dataSource.getConnection();
}
private void rotateCredentials() {
// Update environment variables or credential source
// Create new DataSource with updated credentials
MariaDbDataSource newDataSource = new MariaDbDataSource();
newDataSource.setUrl("jdbc:mariadb://db:3306/mydb?credentialType=ENV&sslMode=VERIFY_FULL");
// Atomic replacement
DataSource oldDataSource = this.dataSource;
this.dataSource = newDataSource;
this.lastRotation = System.currentTimeMillis();
// Clean up old data source if it was pooled
if (oldDataSource instanceof Closeable) {
try {
((Closeable) oldDataSource).close();
} catch (Exception e) {
// Log error but don't fail rotation
}
}
}
}Monitoring and Auditing
Connection Security Monitoring
// Enable security-related logging and monitoring
String monitoredUrl = "jdbc:mariadb://db:3306/mydb?" +
"sslMode=VERIFY_FULL&" +
// Connection attributes for auditing
"connectionAttributes=" +
"program_name:MySecureApp," +
"version:1.0," +
"environment:production&" +
// Enable query logging (be careful in production)
"dumpQueriesOnException=true&" +
// Pool monitoring for connection tracking
"pool=true&" +
"registerJmxPool=true&" +
"poolName=SecurePool";
// JMX monitoring can track:
// - Connection counts by user
// - Failed authentication attempts
// - SSL handshake failures
// - Connection source IPs (if logged by database)Install with Tessl CLI
npx tessl i tessl/maven-org-mariadb-jdbc--mariadb-java-client