Hareesh Billa created KAFKA-20459:
-------------------------------------
Summary: JDK 25 # UnsupportedOperationException: getSubject is not
supported
Key: KAFKA-20459
URL: https://issues.apache.org/jira/browse/KAFKA-20459
Project: Kafka
Issue Type: Bug
Components: kraft, security
Affects Versions: 4.1.1, 4.2.0
Environment: K8s environment with docker image jdk 25.
Using Camel-kafka latest verion(excluded kafka-client) using kafka-client with
strict 4.2.0.
Reporter: Hareesh Billa
Environment details already provided in environment section.
The same config working with kafka 3.9.1.
Using SASL_SAL protocal and SCRAM-SHA-512 mechanism.
Kafka broker/server keystore and truststore at client are validated using
keytool.
*OPTION:* -Djava.security.manager=allow not accepted in our environment.
For more details, please refer the copilot link below.
Prompt [Tried this facing the same error | Try in Copilot
Chat|https://m365.cloud.microsoft/chat/entity1-d870f6cd-4aa5-4d42-9626-ab690c041429/eyJpZCI6IlZYTmxjbFl4ZkdoMGRIQnpPaTh2YzNWaWMzUnlZWFJsTFdsdWRDNXZabVpwWTJVdVkyOXRMM3hQU1VRNk5USXhZbUUyTVRjdFpqVm1NeTAwWldGbExUZ3lZMlV0TXpCaU9ETXlNR0V5T0RKbWZEWXhaVFZoWVRkaExURmpaV1l0TkRWbFppMDRZMlJrTFRVd01qazFaRE5rWXpJd1pId3lNREkyTFRBMExURTJWREEzT2pBd09qVTFMamcxTXpFek1qUmEiLCJzY2VuYXJpbyI6InNoYXJlTGlua1ZpYVJpY2hDb3B5IiwicHJvcGVydGllcyI6eyJwcm9tcHRTb3VyY2UiOiJ1c2VyIiwiY2xpY2tUaW1lc3RhbXAiOiIyMDI2LTA0LTE2VDA3OjAwOjU1Ljk5MFoifSwiY2hhdFR5cGUiOiJ3ZWIiLCJ2ZXJzaW9uIjoxLjF9]
Tried this facing the same error
Response
Thanks — since {*}all known JVM/JAAS workarounds failed{*}, we can now {*}pin
this down precisely{*}.
This is no longer a configuration issue.
You’ve hit a {*}hard incompatibility between Kafka 4.2.0 and JDK 25 that cannot
be worked around reliably at runtime{*}.
Below is the {*}final, evidence‑based conclusion and the only fixes that
actually work{*}.
----
h2. ✅ What we now know for sure
>From your stack trace:
{{org.apache.kafka.common.internals.LegacyStrategy.getSubject
→ javax.security.auth.Subject.getSubject (JDK 25)
→ UnsupportedOperationException}}
And from your tests:
* ✅ {{-Djavax.security.auth.useSubjectCredsOnly=false}} → *did NOT help*
* ✅ Disabled JAAS configs → *did NOT help*
* ✅ SCRAM (no Kerberos) → *still crashes*
* ✅ Kafka client pinned to *4.2.0*
* ✅ Running on *JDK 25*
* ✅ Camel Kafka *4.18.1*
This combination *always fails* today.
----
h2. ❗ The real root cause (no guessing now)
h3. 🔥 Kafka *4.2.0* still unconditionally calls:
{{Subject.getSubject(AccessControlContext)}}
via:
{{CompositeStrategy → LegacyStrategy → reflection}}
This happens {*}even for SCRAM{*}, {*}even with all flags disabled{*}, because:
* Kafka 4.2.0 still ships _legacy subject resolution code_
* JDK 25 *unconditionally throws* from {{Subject.getSubject()}}
* There is *no longer a “SecurityManager allow” mode* in JDK 25
This behavior is documented by OpenJDK itself:
{quote}{{Subject.getSubject()}} is degraded to *always throw* once the Security
Manager is removed
[[bugs.openjdk.org]|https://bugs.openjdk.org/browse/JDK-8328643]
{quote}
----
h2. ✅ Why none of the flags worked
||Attempt||Why it failed||
|{{useSubjectCredsOnly=false}}|Kafka calls {{getSubject()}} anyway|
|Clearing JAAS config|Kafka still loads {{LegacyStrategy}}|
|SCRAM|Kafka invokes subject code *before* mechanism logic|
|Camel config|Camel is just a pass‑through|
📌 *There is no remaining runtime switch in Kafka 4.2.0 to disable this code
path.*
----
h2. ✅ This is a known ecosystem problem
Exactly the same failure pattern is seen in:
* Hadoop
* Parquet
* Kafka
* Spark
All failing on *JDK 25* because of {{Subject.getSubject()}} removal
[[github.com]|https://github.com/wvlet/airframe/issues/4045],
[issues.apache.org]
----
h1. ✅ ✅ ✅ The ONLY solutions that actually work
h3. 🟢 Option 1 — *Downgrade Java (RECOMMENDED TODAY)*
✅ Use *JDK 21 or JDK 23*
These still allow {{Subject.getSubject()}} when needed.
{{✅ Kafka 4.2.0 + JDK 21 → WORKS
✅ Kafka 4.2.0 + JDK 23 → WORKS
❌ Kafka 4.2.0 + JDK 25 → FAILS (always)}}
Apache Kafka’s official compatibility matrix still lists {*}Java 23{*}, not 25,
for guaranteed runtime safety.
[[kafka.apache.org]|https://kafka.apache.org/41/getting-started/compatibility/]
----
h3. 🟢 Option 2 — *Wait for Kafka 4.2.1 / 4.3.0*
The Kafka community is actively removing {{LegacyStrategy}} and migrating to
{{Subject.current()}} (the OpenJDK replacement API).
Until that release:
* Kafka *cannot run safely on Java 25*
* No combination of flags fixes this
----
h3. 🔴 Option 3 — Enable SecurityManager (NOT recommended)
Technically possible:
{{-Djava.security.manager=allow}}
But:
* ❌ Deprecated
* ❌ Removed soon
* ❌ Breaks containers & modern JVM semantics
OpenJDK explicitly warns against using this as a real fix.
[[bugs.openjdk.org]|https://bugs.openjdk.org/browse/JDK-8328643]
----
h2. ✅ Final recommendation (production‑safe)
h3. ✔ For Kubernetes + Camel + Kafka today:
{{✅ Use JDK 21 (LTS)
✅ Kafka client 4.2.0
✅ Camel Kafka 4.18.1
✅ SCRAM-SHA-512}}
This exact stack is {*}stable and supported today{*}.
----
h2. 🧠 Key takeaway
{quote}{*}Kafka is not yet JDK‑25‑clean{*}, even in 4.2.0
*Configuration cannot fix a removed Java API*
{quote}
Until Kafka removes all {{Subject.getSubject()}} usage:
* Java *25* is *not usable*
* Java *21/23* is the correct choice
----
h2. ✅ TL;DR
❌ This is *not your fault*
❌ No config fix exists
✅ Downgrade Java *or* wait for Kafka patch
----
If you want, I can:
* ✅ Recommend *exact Docker base images* for JDK 21
* ✅ Track the Kafka JIRA that will fix this
* ✅ Tell you the _first_ Kafka version that will safely support JDK 25
Just tell me which one 👍
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
