Migration to Java 23 leads to "UnsupportedOperationException: getSubject is supported only if a security manager is allowed"

[lasteris]

Today we have tried to run Java app with quarkus-cxf onboard on Java 23 (Quarkus 3.16.2).

We have hit the issue described in https://docs.oracle.com/en/java/javase/23/security/migrating-deprecated-removal-methods-subject-getsubject-and-subject-doas-subject-current-and-subje.html

Result demonstrated below:

 2024-11-13 13:03:12,409 WARN  [org.apa.cxf.pha.PhaseInterceptorChain] (executor-thread-1) Interceptor for {http://receiver.service.nr.eu.rt.ru/}ReceiverService#{http://receiver.service.nr.eu.rt.ru/}sendDocument has thrown exception, unwinding now: java.lang.UnsupportedOperationException: getSubject is supported only if a security manager is allowed
         at java.base/javax.security.auth.Subject.getSubject(Subject.java:347)
         at org.apache.cxf.ext.logging.event.DefaultLogEventMapper.getJAASPrincipals(DefaultLogEventMapper.java:144)
         at org.apache.cxf.ext.logging.event.DefaultLogEventMapper.getJAASPrincipal(DefaultLogEventMapper.java:130)
         at org.apache.cxf.ext.logging.event.DefaultLogEventMapper.getPrincipal(DefaultLogEventMapper.java:112)
         at org.apache.cxf.ext.logging.event.DefaultLogEventMapper.map(DefaultLogEventMapper.java:104)
         at org.apache.cxf.ext.logging.LoggingOutInterceptor$LoggingCallback.onClose(LoggingOutInterceptor.java:201)
         at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:219)
         at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
         at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:717)
         at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:63)
         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:441)
         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:356)
         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:314)
         at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
         at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:140)
         at jdk.proxy2/jdk.proxy2.$Proxy88.sendDocument(Unknown Source)
         at su.medsoft.rir.fr.soap.clients.FrReceiverClient.sendDocument(FrReceiverClient.java:13)
         at su.medsoft.rir.fr.soap.clients.FrReceiverClient_ClientProxy.sendDocument(Unknown Source)
         at su.medsoft.rir.fr.soap.service.FrSoapAdapter.sendDocumentAndGetCallBackResponse(FrSoapAdapter.java:44)
         at su.medsoft.rir.fr.soap.service.FrSoapAdapter.dispatchRequest(FrSoapAdapter.java:33)
         at su.medsoft.rir.fr.soap.service.FrSoapAdapter_ClientProxy.dispatchRequest(Unknown Source)
         at su.medsoft.rir.fr.soap.resource.FrSoapAdapterResource.sendDocumentInternal(FrSoapAdapterResource.java:40)
         at su.medsoft.rir.fr.soap.resource.FrSoapAdapterResource_Subclass.sendDocumentInternal$$superforward(Unknown Source)
         at su.medsoft.rir.fr.soap.resource.FrSoapAdapterResource_Subclass$$function$$2.apply(Unknown Source)
         at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:73)
         at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:62)
         at io.quarkus.hibernate.validator.runtime.interceptor.AbstractMethodValidationInterceptor.validateMethodInvocation(AbstractMethodValidationInterceptor.java:71)
         at io.quarkus.hibernate.validator.runtime.jaxrs.ResteasyReactiveEndPointValidationInterceptor.validateMethodInvocation(ResteasyReactiveEndPointValidationInterceptor.java:21)
         at io.quarkus.hibernate.validator.runtime.jaxrs.ResteasyReactiveEndPointValidationInterceptor_Bean.intercept(Unknown Source)
         at io.quarkus.arc.impl.InterceptorInvocation.invoke(InterceptorInvocation.java:42)
         at io.quarkus.arc.impl.AroundInvokeInvocationContext.perform(AroundInvokeInvocationContext.java:30)
         at io.quarkus.arc.impl.InvocationContexts.performAroundInvoke(InvocationContexts.java:27)
         at su.medsoft.rir.fr.soap.resource.FrSoapAdapterResource_Subclass.sendDocumentInternal(Unknown Source)
         at su.medsoft.rir.fr.soap.resource.FrSoapAdapterResource$quarkusrestinvoker$sendDocumentInternal_cc58fcf7df1f1c443af4ff0d77ffec6b24b98e70.invoke(Unknown Source)
         at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
         at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
         at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
         at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:627)
         at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2675)
         at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2654)
         at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1627)
         at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1594)
         at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
         at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
         at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
         at java.base/java.lang.Thread.run(Thread.java:1575)
 2024-11-13 13:03:12,426 ERROR [su.med.rir.fr.soa.res.pro.FrSoapAdapterServiceExceptionMapper] (executor-thread-1) su.medsoft.rir.fr.soap.exception.FrSoapAdapterServiceException: jakarta.xml.ws.soap.SOAPFaultException: getSubject is supported only if a security manager is allowed

[ppalaga]

There is this (still unreleased) fix in CXF main branch and also in 4.0.x-fixes: https://github.com/apache/cxf/pull/1972/files