WARNING: A restricted method in java.lang.System has been called
WARNING: java.lang.System::load has been called by org.apache.tomcat.jni.Library in an unnamed module (file:/Users/aw036093/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.34/f610f84be607fbc82e393cc220f0ad45f92afc91/tomcat-embed-core-10.1.34.jar)
WARNING: Use --enable-native-access=ALL-UNNAMED to avoid a warning for callers in this module
WARNING: Restricted methods will be blocked in a future release unless native access is enabled
The above is triggered within org.apache.catalina.core.AprLifecycleListener.isAprAvailable(). It occurs whether or not APR is available. We should do something about this as part of adding support for Java 24. We could:
- Make adding the APR lifecycle listener opt-in
- Make adding the APR lifecycle listener opt-in on Java 24
- Try to detect
--enable-native-accessand only add the listener when it's set
1 would be a breaking change for those who're already using APR. 2 wouldn't break any existing deployments as a Java 24 upgrade would be required to see a change in behavior. 3 might not be possible and, even if we can detect the flag, knowing that the module name's correct might not be possible. 2's perhaps the least bad option. If we did that for 3.4.x we could then perhaps make it opt-in for everyone in 3.5.
I'd like to see what the rest of the team thinks.
Comment From: transentia
This is a work-in-progress new application. I can't share it, sorry.
I have had a quick play.
The message seems to happen when I enable HTTPS and have a bundle for tomcat.
ssl:
enabled: true
bundle: TOMCAT
debug: true
12:22:35.722 INFO - tools.ToolsApplication : Started ToolsApplication in 2.613 seconds (process running for 3.058)
12:22:35.723 DEBUG - o.s.b.a.ApplicationAvailabilityBean : Application availability state LivenessState changed to CORRECT
12:22:35.724 DEBUG - o.s.b.a.ApplicationAvailabilityBean : Application availability state ReadinessState changed to ACCEPTING_TRAFFIC
WARNING: A terminally deprecated method in sun.misc.Unsafe has been called
WARNING: sun.misc.Unsafe::invokeCleaner has been called by org.apache.tomcat.util.buf.ByteBufferUtils (file:/E:/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.34/f610f84be607fbc82e393cc220f0ad45f92afc91/tomcat-embed-core-10.1.34.jar)
WARNING: Please consider reporting this to the maintainers of class org.apache.tomcat.util.buf.ByteBufferUtils
WARNING: sun.misc.Unsafe::invokeCleaner will be removed in a future release
12:22:59.440 INFO - o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring DispatcherServlet 'dispatcherServlet'
12:22:59.440 INFO - o.s.web.servlet.DispatcherServlet : Initializing Servlet 'dispatcherServlet'
12:22:59.441 DEBUG - o.s.web.servlet.DispatcherServlet : Detected StandardServletMultipartResolver
12:22:59.441 DEBUG - o.s.web.servlet.DispatcherServlet : Detected AcceptHeaderLocaleResolver
12:22:59.441 DEBUG - o.s.web.servlet.DispatcherServlet : Detected FixedThemeResolver
12:22:59.443 DEBUG - o.s.web.servlet.DispatcherServlet : Detected org.springframework.web.servlet.view.DefaultRequestToViewNameTranslator@32cfdd1b
12:22:59.444 DEBUG - o.s.web.servlet.DispatcherServlet : Detected org.springframework.web.servlet.support.SessionFlashMapManager@739b82e8
12:22:59.445 DEBUG - o.s.web.servlet.DispatcherServlet : enableLoggingRequestDetails='false': request parameters and headers will be masked to prevent unsafe logging of potentially sensitive data
12:22:59.445 INFO - o.s.web.servlet.DispatcherServlet : Completed initialization in 5 ms
I don't see the message with this:
ssl:
enabled: false
bundle: TOMCAT
debug: true
FYI, wth ssl enabled, early in the debug output:
12:29:06.231 INFO - o.a.t.util.net.NioEndpoint.certificate : Connector [https-jsse-nio-8080], TLS virtual host [_default_], certificate type [UNDEFINED] configured from keystore [C:\Users\Bob Brown\.keystore] using alias [tomcat] with trust store [null]
Comment From: wilkinsona
Thanks, @transentia, but that's a completely different warning. Let's keep that problem to #44042.
Comment From: transentia
OMG! I must have had a brain zap. I MEANT to post the last response against #44042. STUPID of me. So sorry!
Comment From: wilkinsona
As part of addressing this, we should remove --enable-native-access=ALL-UNNAMED from LoaderIntegrationTests for both loaders when using Java 24.
Comment From: markt-asf
Another option is to drop APR when running on Java 24 (actually Java 22) onwards and use the org.apache.tomcat:tomcat-coyote-ffm module. That is set up with the org.apache.catalina.core.OpenSSLLifecycleListener.
Comment From: philwebb
We're going to look at option 2 from Andy's list, but we need to think of a good property name. Tagging as pending-design-work until we do that.
Comment From: mhalbritter
I have some changes in this branch which adds a server.tomcat.apr property. Its default value is AUTO_DETECT, which means:
on Java < 24: Calls AprLifecycleListener.isAprAvailable
on Java >= 24: Same as NOT_AVAILABLE
You can also use AVAILABLE (enable APR) or NOT_AVAILABLE (disable APR).
WDYT?
Comment From: wilkinsona
I think AUTO_DETECT might be confusing. Would someone using Java 24 who's enabled native access expect that to be detected and for APR to be enabled?
Comment From: mhalbritter
That's clarified in the JavaDoc of that property - it only works on Java < 24, on Java >= 24 it's equal to NOT_AVAILABLE.
Comment From: wilkinsona
That may help when writing the configuration in an IDE that makes use of the metadata. When reading it, I still think it might be confusing unfortunately.
I'm not sure that this is that much better, but what about spring.tomcat.use-apr with values never and when-available? We could also support always and fail in the absence of APR.
The ideal would be that we default to never across the board and I think we could do that for 3.5. For 3.4, the default would be when-available for Java <= 23 and never with Java > 23. I find it slightly better for the Java-version-specific behavior to be in the property's default than in the meaning of one of the values. It allows us to get rid of the difference more easily in 3.5.
Comment From: mhalbritter
With 3.4.4, server.tomcat.use-apr defaults to NEVER when running on Java >= 24 and to WHEN_AVAILABLE on Java < 24.
With 3.5.x, server.tomcat.use-apr defaults to NEVER regardless of the Java version used.
I've added something to the upgrade notes.
Comment From: candrews
Has this Java 24 compatibility issue in Tomcat Native / APR been reported to the Tomcat project?
I search their issue tracker at https://bz.apache.org/bugzilla/ and haven't been able to find it.
Comment From: philwebb
@candrews I don't think the Tomcat team could do anything about it since it's really a Java issue. They did face a similar issue in https://bz.apache.org/bugzilla/show_bug.cgi?id=69559, but for that they could provide a fix that never makes the call. APR is fundamentally a native library so you're going to get these warnings on Java 24 unless you pass a JVM option.