Lift minimum JDK version to 21 and remove SecurityManager

[holgerfriedrich]

This is a first step to prepare the 4.5 branch for running with Java 25.
Starting Karaf in Java 25 does not yet work, as a few functions related to the SecurityManager have been deprecated long time ago and cannot be activated any longer via command line switches.
As a new API has been added in Java 18, I for new lift the minimum required version to Java 21 (LTS).

Maybe this is not the way to go - as there has been some discussions if we could introduce an abstraction layer to allow Java 17 as well.

• Lift minimum JDK version to 21
• Remove occurrences of SecurityManager, as getSecurityManager returns
  null since JDK 18
• Disable JavaSecurityTest, Rework JavaSecurityTest #2082
• Enable verbose deprecation warnings
• Replace getSubject and doAs calls
  ** getSubject can no longer be activated via JRE command line as
  SecurityManager has been removed in JDK 25.
  A replacement is available since Java 21.
  ** doAs was deprecated and is replaced by callAll.

For Java 25, another set of modifications is still needed and will be submitted as another PR.
Locally, I got Karaf compiling, passing the tests, and starting with Java 25. 🥳

[jbonofre]

That's require change on the karaf-maven-plugin and dependencies. I will create another PR (as planned) to tackle that.

[jbonofre]

I would rather remove the test (to avoid confusion) or refactor it instead of ignoring it.

[holgerfriedrich]

Ok, if I just remove the SecurityManager assertion, the test completes.
I am not sure if I get completely what this test was intended for (it checks that all bundles come up after applying a specific config - but how this was related to SecurityManager, I still don't get).

I pushed the change to ignore that no SecurityManager is there.

[holgerfriedrich]

@jbonofre is there anying else open I should address?

[jbonofre]

@holgerfriedrich I think this PR is pretty good, it just needs dependent PRs. I will tackle that.

[jbonofre]

@holgerfriedrich do you mind to share your email address with me ? I just realize that you didn't subscribe on the dev mailing list, and you are not on The ASF slack Karaf channel. Thanks !

[arusevm]

Hi @holgerfriedrich @jbonofre,

I've got here some ugly patches that seem to make the Subject-related stuff work on java 25.

Basically, there's an issue with that in 25, Subject.callAs() and current() use a ScopedValue and its binding "gets lost" across "thread-boundaries", of which there are a bunch :) It gets ugly, because every time you do something like ExecutorService.submit() you have to also "pass" the current Subject. Gets even worse, because Gogo needs a similar treatment...

Anyway, wondering if it might help if I share what we've got here with you... or if you already have something like it? Or if I might help in some other way? :)

[jbonofre]

@arusevm I'm finalizing camel-karaf release. I will be back on Karaf just after, tackling this.

Sorry for the delay.

[jbonofre]

Thanks @holgerfriedrich for the update ! I will do a new pass because I have a bunch of changes on the way.

[holgerfriedrich]

@jbonofre may I ask you to have a look at this again?

I rebased it in the last days and got the CI green.

It is a major step towards Java 25 compatibility.
Compilation with JDK 25 already works; one test needs a class downgrade and a few itests fail.
I'd like to keep that in a separate PR on top of this one.

❯ ./bin/karaf
WARNING: A terminally deprecated method in sun.misc.Unsafe has been called
WARNING: sun.misc.Unsafe::staticFieldOffset has been called by org.apache.felix.framework.util.SecureAction (file:/C:/Users/holgerf/src/karaf/assemblies/apache-karaf/target/assembly/system/org/apache/felix/org.apache.felix.framework/7.0.5/org.apache.felix.framework-7.0.5.jar)
WARNING: Please consider reporting this to the maintainers of class org.apache.felix.framework.util.SecureAction
WARNING: sun.misc.Unsafe::staticFieldOffset will be removed in a future release
        __ __                  ____
       / //_/____ __________ _/ __/
      / ,<  / __ `/ ___/ __ `/ /_
     / /| |/ /_/ / /  / /_/ / __/
    /_/ |_|\__,_/_/   \__,_/_/

  Apache Karaf (4.5.0-SNAPSHOT)

Hit '<tab>' for a list of available commands
and '[cmd] --help' for help on a specific command.
Hit '<ctrl-d>' or type 'system:shutdown' or 'logout' to shutdown Karaf.

@root()> shell:info
shell:info
Karaf
  Karaf version               4.5.0-SNAPSHOT
  Karaf home                  C:\Users\holgerf\src\karaf\assemblies\apache-karaf\target\assembly
  Karaf base                  C:\Users\holgerf\src\karaf\assemblies\apache-karaf\target\assembly
  OSGi Framework              org.apache.felix.framework-7.0.5

JVM
  Java Virtual Machine        OpenJDK 64-Bit Server VM version 25+36-3489
  Version                     25

[jbonofre]

@holgerfriedrich I removed the specs bundles. Can you please rebase?

What's your take about JDK 17 / JDK 21?
Personaly, I think it's completely ok to bump directly to JDK 21 for Karaf 4.5.x (JDK 17 is supported at runtime by Karaf 4.4.x).