[ 
https://issues.apache.org/jira/browse/KNOX-3338?focusedWorklogId=1026525&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1026525
 ]

ASF GitHub Bot logged work on KNOX-3338:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 24/Jun/26 06:26
            Start Date: 24/Jun/26 06:26
    Worklog Time Spent: 10m 
      Work Description: arunk-kumar opened a new pull request, #1277:
URL: https://github.com/apache/knox/pull/1277

   [KNOX-3338] - A short description of the change
   
   ## Problem
   On JDK 23+, Apache Knox throws `UnsupportedOperationException` at runtime 
   because `Subject.getSubject(AccessController.getContext())` and 
   `Subject.doAs()` were deprecated for removal in JDK 17 (JEP 411) and 
   are now non-functional on JDK 23+.
   
   Stack trace:
     at javax.security.auth.Subject.getSubject(Subject.java:277)
     at 
org.apache.knox.gateway.security.SubjectUtils.getCurrentSubject(SubjectUtils.java:41)
     at 
org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter$CallableChain.call(...)
   
   ## Solution
   Migrate to the JDK 18+ replacement APIs (`Subject.current()` and 
   `Subject.callAs()`) using cached reflection — resolved once at class-load 
   time via a static initializer — with a graceful fallback to the legacy APIs 
   on JDK 17. This keeps the code compilable on JDK 17 while being 
   correct on JDK 23+.
   
   ## What changes were proposed in this pull request?
   
   ### SubjectUtils.java
   - Replaced `Subject.getSubject(AccessController.getContext())` with 
     a cached reflection lookup for `Subject.current()` (JDK 18+)
   - Static initializer resolves the method once at boot — zero per-request 
     reflection overhead
   - Falls back to `Subject.getSubject()` on JDK 17
   - Catches `NoSuchMethodException | SecurityException` in static block 
     to prevent `ExceptionInInitializerError`
   
   ### ShiroSubjectIdentityAdapter.java
   - Added `SUBJECT_CALL_AS` static field — cached reflection lookup for 
     `Subject.callAs(Subject, Callable)` (JDK 18+)
   - Added `doSubjectAction()` private helper method that routes to 
     `Subject.callAs()` on JDK 18+ or falls back to `Subject.doAs()` on JDK 17
   - Replaced both `Subject.doAs()` call sites (anonymous path and 
     authenticated path) with `doSubjectAction()`
   - Replaced `PrivilegedExceptionAction` anonymous class with `Callable` lambda
   
   ### gateway-provider-security-shiro/pom.xml
   - Added `de.thetaphi:forbiddenapis` compile dependency required for 
     `@SuppressForbidden` annotation on `doSubjectAction()`
   
   ## How was this patch tested?
   
   - Full build compiles cleanly on JDK 17
   - `gateway-provider-security-shiro`: 26 tests run, 0 failures, 0 errors
   - No new test failures introduced by this change
   
   ### Pre-existing failures on master (unrelated to this PR)
   The following 30 test failures exist on master **before** this change 
   and are confirmed by running `git stash` and reproducing the same failures 
   on the unmodified codebase:
   - `DefaultDispatchTest` (4 errors)
   - `BCInterceptingOutputStreamTest` (8 errors)  
   - `SSEDispatchTest` (5 errors)
   - `KnoxImpersonationProviderTest` (13 errors)
   
   Root cause: Mockito/ByteBuddy incompatibility (`Could not create type`) 
   in the local build environment. These failures are not caused by any 
   code change in this PR.
   
   ## JIRA
   https://issues.apache.org/jira/browse/KNOX-3338
   
   ## UI changes
   NA
   
   Please review [Knox Contributing 
Process](https://cwiki.apache.org/confluence/display/KNOX/Contribution+Process#ContributionProcess-GithubWorkflow)
 before opening a pull request.




Issue Time Tracking
-------------------

            Worklog Id:     (was: 1026525)
    Remaining Estimate: 0h
            Time Spent: 10m

> Java 23+ : java.lang.UnsupportedOperationException: getSubject is not 
> supported
> -------------------------------------------------------------------------------
>
>                 Key: KNOX-3338
>                 URL: https://issues.apache.org/jira/browse/KNOX-3338
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: KnoxCLI, KnoxShell, Server
>            Reporter: Philip Zampino
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> `javax.security.auth.Subject.getSubject` and `Subject.doAs` were deprecated 
> for removal in JDK 17. The replacement APIs are `Subject.current` and 
> `callAs`. See [JEP 411]([https://openjdk.org/jeps/411]) for background.
> The `Subject.getSubject` API has been "degraded" in JDK 23 to throw 
> `UnsupportedOperationException` if not running with the option to allow a 
> SecurityManager. In a future JDK release, the `Subject.getSubject` API will 
> be degraded further to throw`UnsupportedOperationException` unconditionally.
> {noformat}
> Caused by: java.lang.UnsupportedOperationException: getSubject is not 
> supported
>         at javax.security.auth.Subject.getSubject(Subject.java:277) ~[?:?]
>         at 
> org.apache.knox.gateway.security.SubjectUtils.getCurrentSubject(SubjectUtils.java:41)
>  ~[gateway-spi-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
>         at 
> org.apache.knox.gateway.identityasserter.common.filter.CommonIdentityAssertionFilter.doFilter(CommonIdentityAssertionFilter.java:226)
>  
> ~[gateway-provider-identity-assertion-common-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
>         at 
> org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:391) 
> ~[gateway-server-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
>         at 
> org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:305) 
> ~[gateway-server-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
>         at 
> org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter$CallableChain$1.run(ShiroSubjectIdentityAdapter.java:136)
>  ~[gateway-provider-security-shiro-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
>         at 
> org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter$CallableChain$1.run(ShiroSubjectIdentityAdapter.java:133)
>  ~[gateway-provider-security-shiro-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
>         at 
> jdk.internal.vm.ScopedValueContainer.callWithoutScope(ScopedValueContainer.java:162)
>  ~[?:?]
>         at 
> jdk.internal.vm.ScopedValueContainer.call(ScopedValueContainer.java:147) 
> ~[?:?]
>         at java.lang.ScopedValue$Carrier.call(ScopedValue.java:419) ~[?:?]
>         at javax.security.auth.Subject.callAs(Subject.java:331) ~[?:?]
>         at javax.security.auth.Subject.doAs(Subject.java:440) ~[?:?]
>         at 
> org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter$CallableChain.call(ShiroSubjectIdentityAdapter.java:214)
>  ~[gateway-provider-security-shiro-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
>         at 
> org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter$CallableChain.call(ShiroSubjectIdentityAdapter.java:119)
>  ~[gateway-provider-security-shiro-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
>         at 
> org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
>  ~[shiro-core-1.13.0.jar:1.13.0]
>         at 
> org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
>  ~[shiro-core-1.13.0.jar:1.13.0]
>         at 
> org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:387)
>  ~[shiro-core-1.13.0.jar:1.13.0]
>         at 
> org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter.doFilter(ShiroSubjectIdentityAdapter.java:116)
>  ~[gateway-provider-security-shiro-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
>         at 
> org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:391) 
> ~[gateway-server-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
>         at 
> org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:305) 
> ~[gateway-server-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
>         at 
> org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
>  ~[shiro-web-1.13.0.jar:1.13.0]
>         at 
> org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108) 
> ~[shiro-web-1.13.0.jar:1.13.0]
>         at 
> org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>  ~[shiro-web-1.13.0.jar:1.13.0]
>         ... 74 more{noformat}
> Knox must migrate to the newer version of the Subject class.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to