I am migrating an old Java codebase from JDK 8 to JDK 17, and I need a replacement for the sun.security.krb5.* packages, as they are now strongly encapsulated in newer JDK versions.

Previously, we used internal classes for Kerberos authentication:

import java.io.IOException;

import sun.security.krb5.KrbException;
import sun.security.krb5.PrincipalName;
import sun.security.krb5.RealmException;

  sun.security.krb5.Credentials getCredentialsFromCache()
      throws RealmException, KrbException, IOException {

    PrincipalName principalName = new PrincipalName(this.principal,
        PrincipalName.KRB_NT_PRINCIPAL);
    sun.security.krb5.Credentials credentials = sun.security.krb5.Credentials
        .acquireTGTFromCache(principalName, ticketCache);
    return credentials;
  }

This code worked fine in JDK 8, but with JDK 17, sun.security.krb5.* is encapsulated, and I want to find an alternative without relying on --add-exports as a workaround.

I get the following error:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.1:compile (default-compile) on project some-project: Compilation failure: Compilation failure:
[ERROR] /path/to/java/file/SomeCleass.java:[35,20] package sun.security.krb5 is not visible
[ERROR]   (package sun.security.krb5 is declared in module java.security.jgss, which does not export it to the unnamed module)

The existing code also dynamically loads Kerberos configuration classes based on the Java vendor:

  private Class<?> getKrbConfigClass() throws ClassNotFoundException {
    Class<?> classRef;
    if (System.getProperty("java.vendor").contains("IBM")) {
      classRef = Class.forName(IBM_CONFIG);
    } else {
      classRef = Class.forName(SUN_CONFIG);
    }
    return classRef;
  }

Since sun.security.krb5.Config is no longer accessible, what is the best way to achieve the same functionality in JDK 17?

  • What are the official replacements for sun.security.krb5.* classes in JDK 17?
  • Is there a recommended way to fetch Kerberos credentials from cache without using internal APIs?
  • How should we properly handle Kerberos configuration loading in a Java vendor-independent way?

Asked Mar 17 at 12:49 by Abhishek Dasgupta; edited Mar 17 at 13:28.
  • I tried the same. In JDK 17, this package is still accessible. – Anish B. Commented Mar 17 at 13:07
  • Can you edit your question? And add the error log please to understand. – Anish B. Commented Mar 17 at 13:08
  • @AnishB. I've added the error – Abhishek Dasgupta Commented Mar 17 at 13:29

1 Answer

Read this GitHub issue: https://github.com/apache/uniffle/issues/625

You need to replace sun.security.krb5.* with Apache Kerby (the official migration for users beyond Java 8, mostly those on JDK 11 and 17).

From README.md:

Apache Kerby, as an Apache Directory sub project, is a Java Kerberos binding. It provides a rich, intuitive and interoperable implementation, library, KDC and various facilities that integrates PKI, OTP and token (OAuth2) as desired in modern environments such as cloud, Hadoop and mobile.

An example project (covering all the topics), created by Josef Cacek, is available on GitHub; I found it. Big credits to him for creating it. Please refer to it and update your code accordingly.

Read the docs and examples thoroughly to get your questions resolved.
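
Added example, not part of the original question or answer and not Apache Kerby code: on an OpenJDK-based runtime, a TGT can also be read from a ticket cache through the exported JAAS API (Krb5LoginModule with useTicketCache), which needs no --add-exports. The class name TicketCacheLogin, the method tgtFromCache, the context name and the sample arguments are hypothetical; the runtime providing com.sun.security.auth.module.Krb5LoginModule is an assumption.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Added example (hypothetical class name); uses only exported JDK APIs.
public class TicketCacheLogin {

  /** Reads a current TGT for the principal from the given ticket cache file via JAAS. */
  static KerberosTicket tgtFromCache(String principal, String ticketCache) throws LoginException {
    Map<String, String> opts = new HashMap<>();
    opts.put("useTicketCache", "true");
    opts.put("ticketCache", ticketCache); // path to the ccache file
    opts.put("principal", principal);     // a cached TGT for another principal is not used
    opts.put("doNotPrompt", "true");      // fail closed instead of asking for a password
    opts.put("renewTGT", "false");        // read-only use of the cache

    // In-memory JAAS configuration, so no external login.conf file is required.
    // The module is named by string only, so nothing internal is compiled against.
    Configuration conf = new Configuration() {
      @Override
      public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        return new AppConfigurationEntry[] {
          new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
              LoginModuleControlFlag.REQUIRED, opts)
        };
      }
    };

    LoginContext lc = new LoginContext("ticket-cache", null, null, conf);
    lc.login();
    for (KerberosTicket t : lc.getSubject().getPrivateCredentials(KerberosTicket.class)) {
      // Accept only an unexpired ticket-granting ticket.
      if (t.getServer().getName().startsWith("krbtgt/") && t.isCurrent()) {
        return t;
      }
    }
    throw new LoginException("no current TGT for " + principal + " in " + ticketCache);
  }

  public static void main(String[] args) throws LoginException {
    // Constructed usage: java TicketCacheLogin alice@EXAMPLE.COM /tmp/krb5cc_1000
    KerberosTicket tgt = tgtFromCache(args[0], args[1]);
    // Log identity and lifetime only; never print the session key.
    System.out.println(tgt.getClient() + " -> " + tgt.getServer() + ", expires " + tgt.getEndTime());
  }
}
```

The Kerberos configuration file location can be supplied with the java.security.krb5.conf system property instead of loading a Config class reflectively.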

Tags: java, Replace sun.security.krb5.* usages (No workaround i.e. --add-exports), Stack Overflow