arunk-kumar opened a new pull request, #1277:
URL: https://github.com/apache/knox/pull/1277
[KNOX-3338] - A short description of the change
## Problem
On JDK 23+, Apache Knox throws `UnsupportedOperationException` at runtime
because `Subject.getSubject(AccessController.getContext())` and
`Subject.doAs()` were deprecated for removal in JDK 17 (JEP 411) and
are now non-functional on JDK 23+.
Stack trace:
at javax.security.auth.Subject.getSubject(Subject.java:277)
at org.apache.knox.gateway.security.SubjectUtils.getCurrentSubject(SubjectUtils.java:41)
at org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter$CallableChain.call(...)
## Solution
Migrate to the JDK 18+ replacement APIs (`Subject.current()` and
`Subject.callAs()`) using cached reflection — resolved once at class-load
time via a static initializer — with a graceful fallback to the legacy APIs
on JDK 17. This keeps the code compilable on JDK 17 while being
correct on JDK 23+.
## What changes were proposed in this pull request?
### SubjectUtils.java
- Replaced `Subject.getSubject(AccessController.getContext())` with
a cached reflection lookup for `Subject.current()` (JDK 18+)
- Static initializer resolves the method once at boot — zero per-request
reflection overhead
- Falls back to `Subject.getSubject()` on JDK 17
- Catches `NoSuchMethodException | SecurityException` in static block
to prevent `ExceptionInInitializerError`
### ShiroSubjectIdentityAdapter.java
- Added `SUBJECT_CALL_AS` static field — cached reflection lookup for
`Subject.callAs(Subject, Callable)` (JDK 18+)
- Added `doSubjectAction()` private helper method that routes to
`Subject.callAs()` on JDK 18+ or falls back to `Subject.doAs()` on JDK 17
- Replaced both `Subject.doAs()` call sites (anonymous path and
authenticated path) with `doSubjectAction()`
- Replaced `PrivilegedExceptionAction` anonymous class with `Callable` lambda
### gateway-provider-security-shiro/pom.xml
- Added `de.thetaphi:forbiddenapis` compile dependency required for
`@SuppressForbidden` annotation on `doSubjectAction()`
## How was this patch tested?
- Full build compiles cleanly on JDK 17
- `gateway-provider-security-shiro`: 26 tests run, 0 failures, 0 errors
- No new test failures introduced by this change
### Pre-existing failures on master (unrelated to this PR)
The following 30 test failures exist on master **before** this change
and are confirmed by running `git stash` and reproducing the same failures
on the unmodified codebase:
- `DefaultDispatchTest` (4 errors)
- `BCInterceptingOutputStreamTest` (8 errors)
- `SSEDispatchTest` (5 errors)
- `KnoxImpersonationProviderTest` (13 errors)
Root cause: Mockito/ByteBuddy incompatibility (`Could not create type`)
in the local build environment. These failures are not caused by any
code change in this PR.
## JIRA
https://issues.apache.org/jira/browse/KNOX-3338
## UI changes
NA
Please review [Knox Contributing Process](https://cwiki.apache.org/confluence/display/KNOX/Contribution+Process#ContributionProcess-GithubWorkflow) before opening a pull request.