Christian Habermehl created KAFKA-18866:
-------------------------------------------
Summary: JDK23: UnsupportedOperationException: getSubject is
supported only if a security manager is allowed
Key: KAFKA-18866
URL: https://issues.apache.org/jira/browse/KAFKA-18866
Project: Kafka
Issue Type: Bug
Components: security
Affects Versions: 3.8.1
Environment: e.g.
OpenJDK 64-Bit Server VM Corretto-23.0.2.7.1 (build 23.0.2+7-FR, mixed mode,
sharing)
all OS should be affected
Reporter: Christian Habermehl
Kafka Client is unable to connect to the broker with JDK23, because
SecurityManager is deprecated:
{code}
Caused by: javax.security.sasl.SaslException: User name or extensions could not
be obtained
at
org.apache.kafka.common.security.scram.internals.ScramSaslClient.evaluateChallenge(ScramSaslClient.java:112)
at
org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.lambda$createSaslToken$1(SaslClientAuthenticator.java:535)
at
java.base/jdk.internal.vm.ScopedValueContainer.callWithoutScope(ScopedValueContainer.java:162)
at
java.base/jdk.internal.vm.ScopedValueContainer.call(ScopedValueContainer.java:147)
at java.base/java.lang.ScopedValue$Carrier.call(ScopedValue.java:420)
at java.base/java.lang.ScopedValue.callWhere(ScopedValue.java:568)
at java.base/javax.security.auth.Subject.callAs(Subject.java:439)
at java.base/javax.security.auth.Subject.doAs(Subject.java:614)
at
org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.createSaslToken(SaslClientAuthenticator.java:535)
at
org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.sendSaslClientToken(SaslClientAuthenticator.java:434)
at
org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.sendInitialToken(SaslClientAuthenticator.java:333)
at
org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.authenticate(SaslClientAuthenticator.java:274)
at
org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:181)
at
org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:547)
at org.apache.kafka.common.network.Selector.poll(Selector.java:485)
at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:595)
at
org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:281)
at
org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:231)
at
org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:289)
at
org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:263)
at
org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.coordinatorUnknownAndUnreadySync(ConsumerCoordinator.java:450)
at
org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.poll(ConsumerCoordinator.java:482)
at
org.apache.kafka.clients.consumer.internals.LegacyKafkaConsumer.updateAssignmentMetadataIfNeeded(LegacyKafkaConsumer.java:652)
at
org.apache.kafka.clients.consumer.internals.LegacyKafkaConsumer.poll(LegacyKafkaConsumer.java:611)
at
org.apache.kafka.clients.consumer.internals.LegacyKafkaConsumer.poll(LegacyKafkaConsumer.java:591)
at
org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:874)
...
Caused by: java.lang.UnsupportedOperationException: getSubject is supported
only if a security manager is allowed
at java.base/javax.security.auth.Subject.getSubject(Subject.java:347)
at
org.apache.kafka.common.security.authenticator.SaslClientCallbackHandler.handle(SaslClientCallbackHandler.java:58)
at
org.apache.kafka.common.security.scram.internals.ScramSaslClient.evaluateChallenge(ScramSaslClient.java:104)
... 28 common frames omitted
{code}
The workaround for JDK26 is to use the JVM flag
{{-Djava.security.manager=allow}}. As far as I know this won't work for JDK24
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
