When connecting a Java application to a MySQL 8 database, developers may encounter the “Public Key Retrieval is not allowed” exception during what should be a simple JDBC connection. Although the message can seem unexpected at first, it is actually a security measure enforced by modern versions of MySQL and the MySQL Connector/J driver to prevent unsafe credential exchange. In this article, we briefly examine why this error occurs and the practical options available to resolve it safely.
1. Understanding the Error
The “Public Key Retrieval is not allowed” exception occurs during authentication between a Java application and a MySQL 8 server. Specifically, it happens when:
- The MySQL server uses caching_sha2_password (the default authentication plugin in MySQL 8), and
- The JDBC driver cannot securely retrieve the MySQL server’s RSA public key needed to encrypt the password during login.
Because allowing arbitrary public key retrieval over an untrusted connection could expose credentials to man-in-the-middle attacks, the MySQL Connector/J driver blocks this behaviour by default.
2. Why This Error Happens
This exception typically appears under the following conditions:
- MySQL 8 is used with default settings: MySQL 8 defaults to the
caching_sha2_passwordauthentication plugin. - The JDBC connection is not using SSL/TLS: Without SSL, the driver refuses to fetch the server’s RSA public key automatically.
- The connection URL does not explicitly allow public key retrieval: By default,
allowPublicKeyRetrievalis set tofalse.
This combination causes the JDBC driver to fail during authentication, resulting in the exception. To see the issue in action, consider the following setup:
MySQL Configuration
- MySQL 8.x
- Default authentication plugin (
caching_sha2_password) - SSL not explicitly enabled
JDBC Connection Example
String url = "jdbc:mysql://localhost:3306/demo_db?useSSL=false"; Connection connection = DriverManager.getConnection(url, "user", "password");
With a recent version of MySQL Connector/J (starting from versions 8.0.4 and above), this connection attempt will fail with:
com.mysql.cj.exceptions.InvalidConnectionAttributeException: Public Key Retrieval is not allowed
This confirms that the driver cannot authenticate securely under the given conditions.
3. Fixes for the Error
There are several ways to resolve this issue. Each has different security implications, so it’s important to choose the right one for your environment.
3.1 Enable Public Key Retrieval (Quick Fix)
We can explicitly allow the JDBC driver to retrieve the server’s public key by adding a parameter to the connection URL:
allowPublicKeyRetrieval=true
Example
String url = "jdbc:mysql://localhost:3306/demo_db?useSSL=false&allowPublicKeyRetrieval=true"; Connection connection = DriverManager.getConnection(url, "user", "password");
This approach is simple and quick to apply, making it ideal for local development or testing. However, it is less secure over untrusted networks and is not recommended for production environments unless used in combination with SSL.
3.2 Use SSL/TLS (Recommended for Production)
Enabling SSL ensures that the public key exchange and password transmission occur over an encrypted channel.
Enabling SSL provides strong security and is recommended for production environments, but it requires proper SSL configuration on both the client and server.
String url = "jdbc:mysql://localhost:3306/demo_db?useSSL=true&requireSSL=true"; Connection connection = DriverManager.getConnection(url, "user", "password");
With SSL enabled, the driver can authenticate securely without needing to allow public key retrieval explicitly.
3.3 Switch to the Legacy Authentication Plugin
We can configure the MySQL user to use mysql_native_password instead of caching_sha2_password:
ALTER USER 'demo_user'@'%' IDENTIFIED WITH mysql_native_password BY 'demo_password';
Switching to this method avoids the error entirely, but it relies on a weaker authentication mechanism, is deprecated in modern MySQL versions, and is not future-proof, so it should generally be used only for maintaining legacy systems.
4. Key Considerations
Selecting the appropriate fix depends on your environment and security requirements. Development setups may allow quick workarounds, while production systems should prioritize secure authentication.
| Scenario | Recommended Fix |
|---|---|
| Local development | allowPublicKeyRetrieval=true |
| Production system | Enable SSL/TLS |
| High-security environments | SSL + explicit key management |
| Legacy compatibility only | mysql_native_password (last resort) |
5. Conclusion
In this article, we explored how to address the Java MySQL error, “Public Key Retrieval is not allowed”, that often occurs when connecting applications to MySQL 8. Understanding why this error happens and applying the right solution, whether for development or production, ensures secure and reliable database connections while preventing authentication issues.
This article explored the “Public Key Retrieval Is Not Allowed” error in Java–MySQL integrations.
