Probably Angela could explain better but it seems that it is due to https://jackrabbit.apache.org/oak/docs/security/authentication/preauthentication.html#pre-authentication-without-repository-involvement.
Konrad > On 29. Jul 2024, at 10:26, Robert Munteanu <[email protected]> wrote: > > Hi Konrad, > > On Wed, 2024-07-24 at 14:26 +0200, Konrad Windszus wrote: >> Hi, >> >> Carsten mentioned this topic in the Felix Dev mailing list but Sling >> is affected as well: >> https://lists.apache.org/thread/37ll81kn39fd60jw9p3jz4dwy0z4w4hh >> >> Particularly the module >> https://github.com/apache/sling-org-apache-sling-jcr-oak-server suffe >> rs from deprecations, as it uses javax.security.auth.Subject which >> has been modified and partially deprecated in Java 17/21 >> (https://docs.oracle.com/en/java/javase/21/docs/api/java.base/javax/s >> ecurity/auth/Subject.html). >> The replacement >> https://docs.oracle.com/en/java/javase/21/docs/api/java.base/javax/security/auth/Subject.html#callAs(javax.security.auth.Subject,java.util.concurrent.Callable) >> is only available since Java 18 though… >> >> Any suggestion how and when to tackle this? > > I skimmed the code and it's not entirely clear to me why we need to use > Subject.doAsPrivileged. Is this because the Oak code we are calling > needs to understand who the caller is and expects that information in a > Subject? > > Thanks, > Robert
