[ 
https://issues.apache.org/jira/browse/KAFKA-20459?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lianet Magrans resolved KAFKA-20459.
------------------------------------
    Resolution: Not A Problem

> JDK 25 # UnsupportedOperationException: getSubject is not supported
> -------------------------------------------------------------------
>
>                 Key: KAFKA-20459
>                 URL: https://issues.apache.org/jira/browse/KAFKA-20459
>             Project: Kafka
>          Issue Type: Bug
>          Components: kraft, security
>    Affects Versions: 4.2.0, 4.1.1
>         Environment: K8s environment with docker image jdk 25.
> Using Camel-kafka latest version (excluded kafka-client) using kafka-client 
> with strict 4.2.0.
>            Reporter: Hareesh Billa
>            Priority: Trivial
>         Attachments: image-2026-04-16-15-43-54-212.png, 
> image-2026-04-16-15-45-31-128.png
>
>
> Environment details already provided in environment section.
> The same config works with Kafka 3.9.1.
> Using SASL_SSL protocol and SCRAM-SHA-512 mechanism.
> Kafka broker/server keystore and truststore at client are validated using 
> keytool.
> *OPTION:* -Djava.security.manager=allow not accepted in our environment.
>  
> For more details, please refer to the Copilot link below.
> Prompt [Tried this facing the same error | Try in Copilot 
> Chat|https://m365.cloud.microsoft/chat/entity1-d870f6cd-4aa5-4d42-9626-ab690c041429/eyJpZCI6IlZYTmxjbFl4ZkdoMGRIQnpPaTh2YzNWaWMzUnlZWFJsTFdsdWRDNXZabVpwWTJVdVkyOXRMM3hQU1VRNk5USXhZbUUyTVRjdFpqVm1NeTAwWldGbExUZ3lZMlV0TXpCaU9ETXlNR0V5T0RKbWZEWXhaVFZoWVRkaExURmpaV1l0TkRWbFppMDRZMlJrTFRVd01qazFaRE5rWXpJd1pId3lNREkyTFRBMExURTJWREEzT2pBd09qVTFMamcxTXpFek1qUmEiLCJzY2VuYXJpbyI6InNoYXJlTGlua1ZpYVJpY2hDb3B5IiwicHJvcGVydGllcyI6eyJwcm9tcHRTb3VyY2UiOiJ1c2VyIiwiY2xpY2tUaW1lc3RhbXAiOiIyMDI2LTA0LTE2VDA3OjAwOjU1Ljk5MFoifSwiY2hhdFR5cGUiOiJ3ZWIiLCJ2ZXJzaW9uIjoxLjF9]
> Tried this facing the same error
>  
> Response
> Thanks — since {*}all known JVM/JAAS workarounds failed{*}, we can now {*}pin 
> this down precisely{*}.
> This is no longer a configuration issue.
> You’ve hit a {*}hard incompatibility between Kafka 4.2.0 and JDK 25 that 
> cannot be worked around reliably at runtime{*}.
> Below is the {*}final, evidence‑based conclusion and the only fixes that 
> actually work{*}.
> ----
> h2. ✅ What we now know for sure
> From your stack trace:
> {{org.apache.kafka.common.internals.LegacyStrategy.getSubject
> → javax.security.auth.Subject.getSubject  (JDK 25)
> → UnsupportedOperationException}}
> And from your tests:
>  * ✅ {{-Djavax.security.auth.useSubjectCredsOnly=false}} → *did NOT help*
>  * ✅ Disabled JAAS configs → *did NOT help*
>  * ✅ SCRAM (no Kerberos) → *still crashes*
>  * ✅ Kafka client pinned to *4.2.0*
>  * ✅ Running on *JDK 25*
>  * ✅ Camel Kafka *4.18.1*
> This combination *always fails* today.
> ----
> h2. ❗ The real root cause (no guessing now)
> h3. 🔥 Kafka *4.2.0* still unconditionally calls:
> {{Subject.getSubject(AccessControlContext)}}
> via:
> {{CompositeStrategy → LegacyStrategy → reflection}}
> This happens {*}even for SCRAM{*}, {*}even with all flags disabled{*}, 
> because:
>  * Kafka 4.2.0 still ships _legacy subject resolution code_
>  * JDK 25 *unconditionally throws* from {{Subject.getSubject()}}
>  * There is *no longer a “SecurityManager allow” mode* in JDK 25
> This behavior is documented by OpenJDK itself:
> {quote}{{Subject.getSubject()}} is degraded to *always throw* once the 
> Security Manager is removed 
> [[bugs.openjdk.org]|https://bugs.openjdk.org/browse/JDK-8328643]
> {quote}
> ----
> h2. ✅ Why none of the flags worked
> ||Attempt||Why it failed||
> |{{useSubjectCredsOnly=false}}|Kafka calls {{getSubject()}} anyway|
> |Clearing JAAS config|Kafka still loads {{LegacyStrategy}}|
> |SCRAM|Kafka invokes subject code *before* mechanism logic|
> |Camel config|Camel is just a pass‑through|
> 📌 *There is no remaining runtime switch in Kafka 4.2.0 to disable this code 
> path.*
> ----
> h2. ✅ This is a known ecosystem problem
> Exactly the same failure pattern is seen in:
>  * Hadoop
>  * Parquet
>  * Kafka
>  * Spark
> All failing on *JDK 25* because of {{Subject.getSubject()}} removal 
> [[github.com]|https://github.com/wvlet/airframe/issues/4045], 
> [issues.apache.org]
> ----
> h1. ✅ ✅ ✅ The ONLY solutions that actually work
> h3. 🟢 Option 1 — *Downgrade Java (RECOMMENDED TODAY)*
> ✅ Use *JDK 21 or JDK 23*
> These still allow {{Subject.getSubject()}} when needed.
> {{✅ Kafka 4.2.0 + JDK 21 → WORKS
> ✅ Kafka 4.2.0 + JDK 23 → WORKS
> ❌ Kafka 4.2.0 + JDK 25 → FAILS (always)}}
> Apache Kafka’s official compatibility matrix still lists {*}Java 23{*}, not 
> 25, for guaranteed runtime safety. 
> [[kafka.apache.org]|https://kafka.apache.org/41/getting-started/compatibility/]
> ----
> h3. 🟢 Option 2 — *Wait for Kafka 4.2.1 / 4.3.0*
> The Kafka community is actively removing {{LegacyStrategy}} and migrating to 
> {{Subject.current()}} (the OpenJDK replacement API).
> Until that release:
>  * Kafka *cannot run safely on Java 25*
>  * No combination of flags fixes this
> ----
> h3. 🔴 Option 3 — Enable SecurityManager (NOT recommended)
> Technically possible:
> {{-Djava.security.manager=allow}}
> But:
>  * ❌ Deprecated
>  * ❌ Removed soon
>  * ❌ Breaks containers & modern JVM semantics
> OpenJDK explicitly warns against using this as a real fix. 
> [[bugs.openjdk.org]|https://bugs.openjdk.org/browse/JDK-8328643]
> ----
> h2. ✅ Final recommendation (production‑safe)
> h3. ✔ For Kubernetes + Camel + Kafka today:
> {{✅ Use JDK 21 (LTS)
> ✅ Kafka client 4.2.0
> ✅ Camel Kafka 4.18.1
> ✅ SCRAM-SHA-512}}
> This exact stack is {*}stable and supported today{*}.
> ----
> h2. 🧠 Key takeaway
> {quote}{*}Kafka is not yet JDK‑25‑clean{*}, even in 4.2.0
> *Configuration cannot fix a removed Java API*
> {quote}
> Until Kafka removes all {{Subject.getSubject()}} usage:
>  * Java *25* is *not usable*
>  * Java *21/23* is the correct choice
> ----
> h2. ✅ TL;DR
> ❌ This is *not your fault*
> ❌ No config fix exists
> ✅ Downgrade Java *or* wait for Kafka patch
> ----
> If you want, I can:
>  * ✅ Recommend *exact Docker base images* for JDK 21
>  * ✅ Track the Kafka JIRA that will fix this
>  * ✅ Tell you the _first_ Kafka version that will safely support JDK 25
> Just tell me which one 👍



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
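
The two JDK lookups named in the report, `Subject.getSubject(AccessControlContext)` and its replacement `Subject.current()`, can be compared directly on the JVM a client actually runs on. The probe below is an added example, not code from the issue, from Kafka or from the reporter; the class name `SubjectApiProbe` is hypothetical, the `Subject` it binds is constructed, and it assumes JDK 18 or later so that `Subject.current()` and `Subject.callAs()` compile.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import javax.security.auth.Subject;

// Hypothetical diagnostic class (not part of Kafka): reports how each
// Subject lookup API behaves on the running JVM.
public class SubjectApiProbe {

    /** Legacy lookup, invoked reflectively so the class compiles even where the API is flagged for removal. */
    static String legacyLookup() {
        try {
            Class<?> accType = Class.forName("java.security.AccessControlContext");
            Object ctx = Class.forName("java.security.AccessController")
                    .getMethod("getContext").invoke(null);
            Method getSubject = Subject.class.getMethod("getSubject", accType);
            return "returned " + getSubject.invoke(null, ctx);
        } catch (InvocationTargetException e) {
            // The JDK method itself threw, e.g. UnsupportedOperationException.
            return "threw " + e.getCause();
        } catch (ReflectiveOperationException e) {
            // The class or method is not present on this JDK at all.
            return "not available: " + e;
        }
    }

    /** Replacement lookup added in JDK 18. */
    static String currentLookup() {
        return "returned " + String.valueOf(Subject.current()).trim();
    }

    public static void main(String[] args) {
        Subject constructed = new Subject(); // constructed, empty Subject used only for the probe
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.security.manager = " + System.getProperty("java.security.manager"));
        // Bind the Subject for the duration of the action, then ask both APIs for it.
        Subject.callAs(constructed, () -> {
            System.out.println("Subject.current():    " + currentLookup());
            System.out.println("Subject.getSubject(): " + legacyLookup());
            return null;
        });
    }
}
```

Run it with the same base image and JVM flags as the failing client; a "threw java.lang.UnsupportedOperationException" result on the second line is the condition in the issue title.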
