agent missing AuthConfigFactoryImpl reference, failing to include it in reflect-config.json

[aclement]

Describe GraalVM and your environment :

• GraalVM version or commit id if built from source: 20.0 or master today (28-Feb)
• CE or EE: CE
• Build Time or run time failure: runtime (due to agent missing something it should have passed to native-image)
• JDK version: 8

I added a new spring sample that includes security. I used the agent to collect configuration. It compiles ok but then fails at runtime with:

java.lang.SecurityException: AuthConfigFactory error: java.lang.ClassNotFoundException: org.apache.catalina.authenticator.jaspic.AuthConfigFactoryImpl
	at javax.security.auth.message.config.AuthConfigFactory.getFactory(AuthConfigFactory.java:85) ~[na:na]
	at org.apache.catalina.authenticator.AuthenticatorBase.findJaspicProvider(AuthenticatorBase.java:1382) ~[na:na]
	at org.apache.catalina.authenticator.AuthenticatorBase.getJaspicProvider(AuthenticatorBase.java:1375) ~[na:na]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:532) ~[na:na]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) ~[na:na]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[na:na]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[na:na]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [com.example.securingweb.securingwebapplication:na]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367) [com.example.securingweb.securingwebapplication:na]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [com.example.securingweb.securingwebapplication:na]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) [com.example.securingweb.securingwebapplication:na]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1639) [com.example.securingweb.securingwebapplication:na]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [com.example.securingweb.securingwebapplication:na]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [com.example.securingweb.securingwebapplication:na]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [com.example.securingweb.securingwebapplication:na]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [com.example.securingweb.securingwebapplication:na]
	at java.lang.Thread.run(Thread.java:748) [com.example.securingweb.securingwebapplication:na]
	at com.oracle.svm.core.thread.JavaThreads.threadStartRoutine(JavaThreads.java:527) [com.example.securingweb.securingwebapplication:na]
	at com.oracle.svm.core.posix.thread.PosixJavaThreads.pthreadStartRoutine(PosixJavaThreads.java:193) [com.example.securingweb.securingwebapplication:na]
Caused by: java.lang.ClassNotFoundException: org.apache.catalina.authenticator.jaspic.AuthConfigFactoryImpl
	at com.oracle.svm.core.hub.ClassForNameSupport.forName(ClassForNameSupport.java:60) ~[na:na]
	at java.lang.Class.forName(DynamicHub.java:1211) ~[com.example.securingweb.securingwebapplication:na]
	at javax.security.auth.message.config.AuthConfigFactory$1.run(AuthConfigFactory.java:75) ~[na:na]
	at javax.security.auth.message.config.AuthConfigFactory$1.run(AuthConfigFactory.java:67) ~[na:na]
	at java.security.AccessController.doPrivileged(AccessController.java:117) ~[na:na]
	at javax.security.auth.message.config.AuthConfigFactory.getFactory(AuthConfigFactory.java:66) ~[na:na]

It looks to have missed the Class.forName call in javax.security.auth.message.config.AuthConfigFactory:

Class<?> clazz = Class.forName(className);

The file is here: https://github.com/apache/tomcat/blob/782a2ba96778ce671937dc8704559e0895a52025/java/jakarta/security/auth/message/config/AuthConfigFactory.java - please note that I know it was recently changed from javax to jakarta - but I am using a released version that still uses javax prefix. I think it might be the javax prefix that is causing issues here - do you use that as some kind of filter and not caught calls from javax prefixed types? or handle them in a special way?

If I manually add it to the reflect-config.json, everything works.

{"name":"org.apache.catalina.authenticator.jaspic.AuthConfigFactoryImpl","allDeclaredMethods":true,"allDeclaredConstructors":true},

Repro steps I think...

git clone git@github.com:spring-projects-experimental/spring-graal-native.git
git checkout extensible-configuration
cd spring-graal-native
./build-feature.sh
mvn install
cd *samples/gs-securing-web
rm src/main/resources/META-INF/native-images/*.json (to delete existing config in the repo)
mvn package
./run_agent.sh
Then visit all the pages:
go to localhost:8080, click the link, enter rubbish, click submit, then enter 'user' 'password' and click submit, see message, click sign out, then shut down the app
(That should have exercised all the codepaths to collect what we need)
Then run 'mvn -Pgraal package' to build the native-image using that configuration

I also tried graal master with the new flag -agentlib:native-image-agent=experimental-class-loader-support,config-output-dir=... but it didn't help.

[eginez]

@peter-hofer I think this should be addressed with the fix you added recently for Class.forName right?

[aclement]

I think I have tried it with master ( b8d40c4 ) this morning and it still seemed to be missing it.

[eginez]

@aclement I verified this issue and as you suspected it is indeed the javax prefix in the package which is causing this problem(

graal/substratevm/src/com.oracle.svm.configure/src/com/oracle/svm/configure/trace/AccessAdvisor.java

Line 38 in fae832a

internalsFilter.addOrGetChildren("javax.**", RuleNode.Inclusion.Exclude);

)
I am looking into possible fixes for this issue, in the meantime a quick work around would be to switch to the library using the jakarta package name if possible

[eginez]

fixed by a920923