[GR-62386] [native-image] Kerberos: Generated image is not respecting sun.security.jgss.native JVM argument

[aanavaneeth]

As per https://docs.oracle.com/en/java/javase/11/security/accessing-native-gss-api.html#GUID-88A42A9C-AC8B-426E-A8A7-B30518C2162A, when sun.security.jgss.native flag is set to true, GSSManager.getInstance() should ideally give a GSSManager implementation using native gss implementation. However, that is not happening.

Below is a sample code.

    GSSManager gssManager = GSSManager.getInstance();
    try {
     //using reflection to expose a private method
    // using findLoadedClass method on classLoader to check if its native provider or not.
      ClassLoader gssClassLoader = gssManager.getClass().getClassLoader();
      Method m = ClassLoader.class.getDeclaredMethod("findLoadedClass", String.class);
      m.setAccessible(true);
     // prints null if not loaded, with graalvm native image, its always null.
      System.out.println(m.invoke(gssClassLoader, "sun.security.jgss.wrapper.SunNativeProvider")); 
      System.out.println("native true? {}" + System.getProperty("sun.security.jgss.native")); // this returns true as I have set the property
    }catch(Exception e) {
      LOG.info("error in reflection {}", e.toString());
    }

The same code works when running on JVM (including oracle graalvm without native image).

I have tried different flags like the below. But nothing worked:

graalvmNative {
		binaries {
			main {
				buildArgs.add('--add-opens java.base/java.lang=ALL-UNNAMED') //for reflection
				buildArgs.add('--enable-native-access')
				buildArgs.add('-J-Dsun.security.jgss.native=true')
				buildArgs.add('-Dsun.security.jgss.native=true')
				buildArgs.add('-H:AdditionalSecurityProviders=sun.security.jgss.SunProvider') //based on https://github.com/oracle/graal/issues/5950#issuecomment-1746835465
			}
		}
	}

Environment:
Podman container using Linux RHEL 8
Graalvm for JDK 22

[aanavaneeth]

Hi @fernando-valdez ! Any update on this?

[yogeshkumar-1234]

Hi @fernando-valdez ,
I am facing similar issue .
Kindly help

[yogeshkumargeek]

Hi @oubidar-Abderrahim ,
Can you please provide me an update here ?
This is a blocker for us also

[gingk1212]

I found this issue interesting, so I looked into it during my free time. Regarding the sample code in this issue, the result of the findLoadedClass method remains null. However, for the sample code in #4700, I discovered an option that prevents the error, and I would like to share it:

$ javac Sample.java
$ java \
    -agentlib:native-image-agent=config-output-dir=META-INF/native-image \
    -Dsun.security.jgss.native=true \
    Sample
$ native-image \
    --no-fallback \
    --initialize-at-run-time=sun.security.jgss.wrapper.Krb5Util,sun.security.jgss.wrapper.SunNativeProvider \
    Sample
$ ./sample -Dsun.security.jgss.native=true

With these commands, the error does not occur, and the program finishes successfully. Since the GSSManagerImpl class that uses the sun.security.jgss.native property is initialized at runtime, I believe the option must be specified at runtime rather than at build time.

I don’t fully understand all the details, but I hope this information is helpful.

Environment:

$ java -version
java version "23.0.1" 2024-10-15
Java(TM) SE Runtime Environment Oracle GraalVM 23.0.1+11.1 (build 23.0.1+11-jvmci-b01)
Java HotSpot(TM) 64-Bit Server VM Oracle GraalVM 23.0.1+11.1 (build 23.0.1+11-jvmci-b01, mixed mode, sharing)