Executing Stored Procedures without Permission

This section tests what happens when a stored procedure is executed without sufficient permission.

To test what happens when a Java application tries to execute a stored procedure without enough permission, I first logged in to the MySQL server as "root" and created the following stored procedure:

herong> local\mysql\bin\mysql -u root

mysql> USE HerongDB;
Database changed

mysql> DELIMITER '/';

mysql> -- Creating the stored procedure
mysql> CREATE PROCEDURE Info(OUT User VARCHAR(80),
    ->   OUT Catalog VARCHAR(80))
    -> BEGIN
    ->   SET User = USER();
    ->   SET Catalog = DATABASE();
    -> END/
Query OK, 0 rows affected (0.00 sec)

mysql> -- Testing the stored procedure
mysql> CALL Info(@User, @Database)/
Query OK, 0 rows affected (0.00 sec)

mysql> SELECT @User, @Database/
+----------------+-----------+
| @User          | @Database |
+----------------+-----------+
| root@localhost | herongdb  |
+----------------+-----------+
1 row in set (0.00 sec)

Then I wrote the following program to run this stored procedure as user "Herong":

/* MySqlCallPermissionError.java
 * Copyright (c) HerongYang.com. All Rights Reserved.
 */
import java.sql.*;
public class MySqlCallPermissionError {
  public static void main(String [] args) {
    Connection con = null;
    try {
      com.mysql.cj.jdbc.MysqlDataSource ds
        = new com.mysql.cj.jdbc.MysqlDataSource();
      ds.setServerName("localhost");
      ds.setPortNumber(3306);
      ds.setDatabaseName("HerongDB");
      ds.setUser("Herong");
      ds.setPassword("TopSecret");
      con = ds.getConnection();

      // Create CallableStatement
      CallableStatement cs = con.prepareCall("CALL Info(?,?)");

      // Registering output parameters
      cs.registerOutParameter(1,java.sql.Types.VARCHAR);
      cs.registerOutParameter(2,java.sql.Types.VARCHAR);

      // Execute the call statement
      cs.executeUpdate();

      // Retrieve output parameters
      System.out.println("User: "+cs.getString(1));
      System.out.println("Database: "+cs.getString(2));

      // Close resource
      cs.close();

      con.close();
    } catch (Exception e) {
      System.err.println("Exception: "+e.getMessage());
      e.printStackTrace();
    }
  }
}

To my surprise, the above program executed correctly with JDBC driver 8.0 and MySQL Server 8.0:

herong> java -cp .:mysql-connector-java.jar \
   MySqlCallPermissionError.java

User: Herong@localhost
Database: herongdb

I guess MySQL Server 8.0 has changed its default setting. On MySQL Server 5.5, since "Herong" does not have permission to run stored procedures created by "root" by default, I got the following error message:

herong> java -cp .:mysql-connector-java-5.1.36-bin.jar
   MySqlCallPermissionError

Exception: User does not have access to metadata required to
determine stored procedure parameter types. If rights can not be
granted, configure connection with "noAccessToProcedureBodies=true"
to have driver generate parameters that represent INOUT strings
irregardless of actual parameter types.
...
  at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:998)
  at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:937)
  ...
  at MySqlCallPermissionError.main(MySqlCallPermissionError.java:19)
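
Whether the call succeeds depends on which privileges the "Herong" account holds on each server. The statements below are an added example, not part of the original tutorial. They show how to inspect those privileges from an administrative session and reduce them to what the program needs. The account name 'Herong'@'localhost' is an assumption; use the host part of the account that exists on your server.

```sql
-- Added example: run in the mysql client as an administrative account.
-- Assumption: the application account is 'Herong'@'localhost'.

-- 1. List every privilege the account holds. A CALL is allowed when
--    EXECUTE (or ALL PRIVILEGES) appears at any of three levels:
--    global (ON *.*), database (ON `HerongDB`.*) or routine
--    (ON PROCEDURE `HerongDB`.`Info`).
SHOW GRANTS FOR 'Herong'@'localhost';

-- 2. Find out whose privileges the procedure body runs with.
--    A procedure created without an explicit SQL SECURITY clause is
--    SQL SECURITY DEFINER, so Info() created by root runs as root.
--    USER() inside the body still reports the connected client, which
--    is why the program prints the caller's name.
SELECT ROUTINE_SCHEMA, ROUTINE_NAME, DEFINER, SECURITY_TYPE
  FROM information_schema.ROUTINES
 WHERE ROUTINE_NAME = 'Info';

-- 3. Info() only reads USER() and DATABASE(), so it does not need the
--    definer's privileges. Run it with the caller's privileges instead.
ALTER PROCEDURE HerongDB.Info SQL SECURITY INVOKER;

-- 4. Grant the narrowest privilege that lets the program call it:
--    EXECUTE on this one procedure rather than on the whole database.
GRANT EXECUTE ON PROCEDURE HerongDB.Info TO 'Herong'@'localhost';

-- 5. Confirm the result. If step 1 showed a broader grant that already
--    covers EXECUTE, that grant still applies until it is revoked at the
--    level where it was given.
SHOW GRANTS FOR 'Herong'@'localhost';
```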
