KNOX-3338: Fix UnsupportedOperationException on JDK 23+ via reflective Subject lookups#1277
Open
arunk-kumar wants to merge 2 commits into
Open
KNOX-3338: Fix UnsupportedOperationException on JDK 23+ via reflective Subject lookups#1277arunk-kumar wants to merge 2 commits into
arunk-kumar wants to merge 2 commits into
Conversation
…e Subject.current lookup
- SubjectUtils: cache Subject.current() via static initializer, fall back to Subject.getSubject() on JDK 17 - ShiroSubjectIdentityAdapter: add SUBJECT_CALL_AS static cache and doSubjectAction() helper; replace both Subject.doAs() call sites; PrivilegedExceptionAction replaced with Callable lambda - Add forbiddenapis compile dependency to gateway-provider-security-shiro - Both files compile on JDK 17 and run correctly on JDK 23+ - Catches NoSuchMethodException|SecurityException in static blocks
Test Results28 tests 28 ✅ 2s ⏱️ Results for commit 11cc435. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
[KNOX-3338] - A short description of the change
Problem
On JDK 23+, Apache Knox throws
UnsupportedOperationExceptionat runtimebecause
Subject.getSubject(AccessController.getContext())andSubject.doAs()were deprecated for removal in JDK 17 (JEP 411) andare now non-functional on JDK 23+.
Stack trace:
at javax.security.auth.Subject.getSubject(Subject.java:277)
at org.apache.knox.gateway.security.SubjectUtils.getCurrentSubject(SubjectUtils.java:41)
at org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter$CallableChain.call(...)
Solution
Migrate to the JDK 18+ replacement APIs (
Subject.current()andSubject.callAs()) using cached reflection — resolved once at class-loadtime via a static initializer — with a graceful fallback to the legacy APIs
on JDK 17. This keeps the code compilable on JDK 17 while being
correct on JDK 23+.
What changes were proposed in this pull request?
SubjectUtils.java
Subject.getSubject(AccessController.getContext())witha cached reflection lookup for
Subject.current()(JDK 18+)reflection overhead
Subject.getSubject()on JDK 17NoSuchMethodException | SecurityExceptionin static blockto prevent
ExceptionInInitializerErrorShiroSubjectIdentityAdapter.java
SUBJECT_CALL_ASstatic field — cached reflection lookup forSubject.callAs(Subject, Callable)(JDK 18+)doSubjectAction()private helper method that routes toSubject.callAs()on JDK 18+ or falls back toSubject.doAs()on JDK 17Subject.doAs()call sites (anonymous path andauthenticated path) with
doSubjectAction()PrivilegedExceptionActionanonymous class withCallablelambdagateway-provider-security-shiro/pom.xml
de.thetaphi:forbiddenapiscompile dependency required for@SuppressForbiddenannotation ondoSubjectAction()How was this patch tested?
gateway-provider-security-shiro: 26 tests run, 0 failures, 0 errorsPre-existing failures on master (unrelated to this PR)
The following 30 test failures exist on master before this change
and are confirmed by running
git stashand reproducing the same failureson the unmodified codebase:
DefaultDispatchTest(4 errors)BCInterceptingOutputStreamTest(8 errors)SSEDispatchTest(5 errors)KnoxImpersonationProviderTest(13 errors)Root cause: Mockito/ByteBuddy incompatibility (
Could not create type)in the local build environment. These failures are not caused by any
code change in this PR.
JIRA
https://issues.apache.org/jira/browse/KNOX-3338
UI changes
NA
Please review Knox Contributing Process before opening a pull request.