IWA Kerberos Authenticator is not compatible with Java 17

[isuruhettiarachchi]

Description

IWA Kerberos authenticator is not compatible with the Java 17. When IWA Kerberos authenticator is used with Java 17, it is throwing the following error.

[2024-12-24 18:35:54,373] [8cfb4c24-13da-4cb3-8d55-3b6742248c25] ERROR {org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/].[bridgeservlet]} - Servlet.service() for servlet [bridgeservlet] in context with path [/] threw exception [Servlet execution threw an exception] with root cause java.lang.IllegalAccessError: class org.wso2.carbon.identity.application.authenticator.iwa.IWAAuthenticationUtil$1 (in unnamed module @0x66853033) cannot access class sun.security.jgss.GSSUtil (in module java.security.jgss) because module java.security.jgss does not export sun.security.jgss to unnamed module @0x66853033

The same flow is working with Java 11.

Steps to Reproduce

1. Start WSO2 IS with Java 17
2. Configure IWA Kerberos
3. Try to login in with IWA Kerberos

[1] - https://is.docs.wso2.com/en/6.1.0/guides/identity-federation/iwa-kerberos/

Workaround

Add below to the wso2server.sh after the line $JAVA_OPTS \ as suggested in [2].

--add-exports "java.security.jgss/sun.security.jgss=ALL-UNNAMED" \

[2] - https://stackoverflow.com/questions/68225921/olp-cli-error-java-base-does-not-export-sun-security-util-to-unnamed-module-und

Version

wso2-is-6.1.0

Environment Details (with versions)

OpenJDK 64-Bit Server VM 17.0.12+7,Eclipse Adoptium